Malware Removal Methodology for Professionals

Page 2 (AnandTech Forums)

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Do any of you interface to your clients remotely, to do all this?

Rarely. The reason is I don't like to have the host system running the OS that is infected if I don't have to. That only gives more time for the malware to damage the system. If you have to run the system then I recommend unplugging the network cable from the system to keep online malware from downloading more junk. Most of the stuff is online related though there are some that are very nasty that are not online.

One that is very bad encrypts all Word and Office documents and renames them. When the user opens what he thought was the original document, instead they will be greeted with a message of "Please send $50 to xxxx@jerk.com if you want your data back".
 

JohnnyMCE

Member
Apr 13, 2006
141
0
0
I only help family now and recently took in a computer for a cousin that would loop on bootup to a blue screen.

1. Pulled the drive out of the machine, plugged it into another desktop and couldn't even check properties on the partitions. I ran chkdsk on both partitions on that machine and then placed it back in the original desktop. I was now able to at least boot into safe mode.

2. My next steps were to disable everything in their startup in msconfig and remove garbage spyware and AV programs from Add/Remove Programs.

3. Next I downloaded, installed and ran AVG, Ad-aware and Malwarebytes. (Surprisingly, Ad-aware caught some stuff Malwarebytes didn't.)

4. This cleaned all the junk off the machine. Next I booted normally, then I ran Disk Cleanup, ran Windows Update and then ran a defrag.

This took about 24-48 hours in my spare time to do.

In the past I have worked with some machines where I had to run AVG, Ad-aware and Malwarebytes from a separate machine because the garbage was so embedded in the machine, but typically it is not that bad. As for price I would suggest anywhere in the $50-$100 range. Family gets a discount or free (depending on how good a BBQ they throw).
 

rasczak

Lifer
Jan 29, 2005
10,453
22
81
Thanks for a terrific write up schadenfroh. modelworks, thanks for the additional thoughts. this will be very useful.
 

speedy2

Golden Member
Nov 30, 2008
1,294
0
71
Great write up. I do computer repair as a side job. Mostly virus removal. I do house calls. And that gets me quite a bit of business. I live in a small town with even smaller rural areas all around. The fact that I go to their house is the main reason I get business. I'm always looking to improve my methods. I have had a few call backs where stuff pops up. Very annoying. I also need to be charging more!! I have been doing a flat rate for virus removal and it's $65!! One of you said something about $60/hour. Wow, I need to at least be getting a little more than my flat rate I guess!
 

demkd

Junior Member
Aug 28, 2010
4
0
0
dsrt.jino-net.ru
2. What questions do you ask the customer before going to work on their PC?
Nothing, it's useless.

3. What tools do you take along (both software and hardware tools)?
Universal Virus Sniffer (for 0-day trojans/rootkits) and Dr.Web CureIt!, Kaspersky Removal Tool for file-infector cases.
If possible I do it remotely, except rootkit checking.

4. In what order, from turning the system on to job finished, do you do what you do?
Cleaning temps, checking and removing trojans, rootkit detection, system cleanup after viruses and tuning (disable autoruns, disable System Restore and so on). Usually it takes about 20 mins.

5. Do you leave any software on the customer's computer to prevent future malware attacks? If so, what?
Avira Antivir Free version + Comodo Personal Firewall + ERUNT (replaces useless SystemRestore)

6. What [if any] advice do you leave the customer with, on how to keep their system clean?
Nothing, it's useless, they won't listen anyway.
 

devotion

Junior Member
Aug 28, 2010
10
0
0
Nice thread. Anyone have tips on getting started and advertising? I post on craigslist and nobody responds around here.
 

jjmIII

Diamond Member
Mar 13, 2001
8,399
1
81
> Nice thread. Anyone have tips on getting started and advertising? I post on craigslist and nobody responds around here.

Get some cheap business cards, and stick them to every peg-board in town (grocery, etc.). Also a small sign in your yard (think: "PC repair, any PC fixed for $50") if possible.

If you do a good job, word of mouth is your friend!
 

us3rnotfound

Diamond Member
Jun 7, 2003
5,334
3
81
> Great write up. I do computer repair as a side job. Mostly virus removal. I do house calls. And that gets me quite a bit of business. I live in a small town with even smaller rural areas all around. The fact that I go to their house is the main reason I get business. I'm always looking to improve my methods. I have had a few call backs where stuff pops up. Very annoying. I also need to be charging more!! I have been doing a flat rate for virus removal and it's $65!! One of you said something about $60/hour. Wow, I need to at least be getting a little more than my flat rate I guess!

My problem with the hourly rate is the fact that completion time of cleanup depends about 99% on how old the machine is. Some people really do wish their old P4 2 GHz single core with 512 MB RAM will perform like new, and they just don't understand that it will not unless I install for them just Windows XP sans service packs, use IE6, and MS Office 2000. Of course that would not at all be practical.

So when a machine of that caliber gets a hoax antivirus program or something of that nature, I could literally sit at their house all day and watch status bars crawl, so I usually get there, see what I'm dealing with (usually you can tell within 5 seconds of just seeing the machine what you're dealing with), and I almost always tell them I'll take it home and clean it up, and charge a flat rate as well.

It's not my career or anything, so I'm usually trying to help people first and get a little side cash second. Plus when it's at my home, I'm actually in front of the computer maybe 1 hour tops.
 

speedy2

Golden Member
Nov 30, 2008
1,294
0
71
> My problem with the hourly rate is the fact that completion time of cleanup depends about 99% on how old the machine is. Some people really do wish their old P4 2 GHz single core with 512 MB RAM will perform like new, and they just don't understand that it will not unless I install for them just Windows XP sans service packs, use IE6, and MS Office 2000. Of course that would not at all be practical.
>
> So when a machine of that caliber gets a hoax antivirus program or something of that nature, I could literally sit at their house all day and watch status bars crawl, so I usually get there, see what I'm dealing with (usually you can tell within 5 seconds of just seeing the machine what you're dealing with), and I almost always tell them I'll take it home and clean it up, and charge a flat rate as well.
>
> It's not my career or anything, so I'm usually trying to help people first and get a little side cash second. Plus when it's at my home, I'm actually in front of the computer maybe 1 hour tops.

That's what I do. Take it home/work and charge the flat rate. $65. Too low? Either way, I went to 2 houses today and took home $400. Virus jobs and some other stuff. But, good money even at $65, at least where I'm at. The best thing is word of mouth. Plus everyone in town knows my dad and I. They trust me. The guy today even told me he could've called the big name guy in town, but he trusted me because he knew me personally. That goes a long way around here.
 

tcsenter

Lifer
Sep 7, 2001
18,420
293
126
> My problem with the hourly rate is the fact that completion time of cleanup depends about 99% on how old the machine is.
Well if you are running things like a virus/malware scan, defrag, or disk check, you don't need to sit at the computer and watch the progress indicator for 90 minutes (on a slower computer). I start working on a different computer (or something else) then check back periodically. Even when installing the OS, you don't need to sit there and bill them for watching the progress indicator.
 

speedy2

Golden Member
Nov 30, 2008
1,294
0
71
> Well if you are running things like a virus/malware scan, defrag, or disk check, you don't need to sit at the computer and watch the progress indicator for 90 minutes (on a slower computer). I start working on a different computer (or something else) then check back periodically. Even when installing the OS, you don't need to sit there and bill them for watching the progress indicator.

True, but doesn't apply when you're doing this job at their house. The people I have dealt with understand this, and actually don't mind paying. But, I do try to estimate how long it will take and give them a "ballpark" figure.

Another thing, when you do have it at your shop: leaving isn't always a good idea either. Sometimes things freeze or stuff. Sometimes I forget to check the screen saver and power settings. VERY ANNOYING, when the computer goes into stand-by or screen saver mode. With an old PC, trying to come back from a screen saver while doing scans just about freezes it. First thing I do now is turn off screen savers, make sure the computer doesn't turn off the screen, go into standby, or turn off the HDDs ever.
 

airdata

Diamond Member
Jul 11, 2010
4,987
0
0
> That is pretty much where I am at as well. Although I charge more.
>
> IMHO, once a system has malware, it really isn't worth the effort to try and remove. It doesn't take much more work to back up data and reinstall the OS.
>
> Also, is it me or does everyone that gets in this situation have an ancient XP box with only 512MB of RAM. I see this all the time.
>
> -KeithP

This is in a way sad, but true. Some stuff is persistent and it's really not worth the time.

I'm in this situation right now. I have a user's computer from home that she needs because she works from home in the evenings and on weekends. She had CA Internet Security installed and it didn't stop the multiple rootkits and trojans from infesting her box.

I've used Sunbelt VIPRE to remove everything it found, and did some general system cleanup w/ CCleaner... etc.

At this point, the scan finds nothing. But her Internet Explorer is hosed. It will not load any web pages. I checked her hosts file to see if it had been changed, I reset the browser, I did a repair installation of XP Pro, I did sfc /scannow... Nothing.

So, at this point it's just not worth it for me to continue messing w/ her system instead of just reinstalling Windows altogether, which will probably take an hour to get everything up and running again.

EDIT: She had a remnant of the CA Antivirus that had corrupted her Winsock. Did a very easy Winsock reset from the CMD prompt and everything is looking good now!!!
 

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
Question for Airdata:

You said, "Did a very easy winsock reset from CMD prompt and everything is looking good now!!!"

Can you clue me in on how to do that? (In other words, what do you type in the CMD prompt to do the "reset"?). I run across the same prob with IE from time to time, and your fix would probably help me out.

TIA,

Ken
 

tcsenter

Lifer
Sep 7, 2001
18,420
293
126
> Another thing, when you do have it at your shop. Leaving isn't always a good idea either. Sometimes things freeze or stuff. Sometimes I forget to check the screen saver and power settings. VERY ANNOYING, when the computer goes into stand-by or screen saver mode.
Make yourself a checklist of things to do before you actually begin servicing the machine. And then a checklist of things to double-check post-service.
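As an added example (not code from any poster in this thread), here is one way to turn tcsenter's pre- and post-service checklist into a script. It applies speedy2's "no screen saver, no standby, no disk spin-down" settings before a long scan, lists the startup entries JohnnyMCE goes through in msconfig, lists every hosts-file mapping beyond the stock localhost lines (the check airdata did by hand), and wraps the Winsock reset airdata used so the command is on record. It assumes Windows 7 or later with PowerShell 3+, an elevated prompt, the standard hosts-file path, and that `powercfg` and `netsh` are available; the function names are mine.

```powershell
# Added example, not from the thread: bench checklist for a Windows 7+ machine.
# Run from an elevated PowerShell 3+ prompt (powercfg, netsh and the hosts
# file all need administrator rights).

function Set-BenchPowerSettings {
    # speedy2's first step: never blank the screen, spin down the disk, sleep or
    # hibernate while a scan is running. 0 means "never", set for AC and battery.
    foreach ($timer in 'monitor-timeout', 'disk-timeout', 'standby-timeout', 'hibernate-timeout') {
        powercfg /change "$timer-ac" 0 | Out-Null
        powercfg /change "$timer-dc" 0 | Out-Null
    }
    # Disable the screen saver for the profile the scans will run under.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'ScreenSaveActive' -Value '0'
}

function Get-NonDefaultHostsEntries {
    # airdata's "I checked her hosts file": return every active mapping other
    # than the stock localhost lines. Malware commonly points update or vendor
    # hostnames at 127.0.0.1 or at an address it controls, so anything listed
    # here needs to be explained before the machine goes back.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath | Where-Object {
        ($_ -notmatch '^\s*(#|$)') -and
        ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*(#.*)?$')
    }
}

function Get-StartupEntries {
    # JohnnyMCE's msconfig step as a printable list: Run keys, Startup folders
    # and the other locations Windows reports, with the full command line.
    Get-CimInstance -ClassName Win32_StartupCommand |
        Select-Object Name, Location, Command, User
}

function Repair-Winsock {
    # airdata's fix for "IE will not load any web page" after a security suite
    # left a broken Winsock catalog behind. Both resets rewrite the catalogs to
    # their defaults; reboot afterwards. Call this only when the symptom is present.
    netsh winsock reset
    netsh int ip reset
}

function Invoke-PreServiceChecklist {
    Set-BenchPowerSettings
    Write-Output '== Startup entries =='
    Get-StartupEntries | Format-Table -AutoSize
    Write-Output '== hosts entries beyond the stock localhost lines =='
    $entries = @(Get-NonDefaultHostsEntries)
    if ($entries.Count -eq 0) { Write-Output '(none)' }
    else { $entries | ForEach-Object { Write-Output "  $_" } }
}

function Invoke-PostServiceChecklist {
    # Re-check after cleanup: a hosts entry or startup item that you did not put
    # there is a reason not to hand the machine back yet.
    $leftovers = @(Get-NonDefaultHostsEntries)
    if ($leftovers.Count -gt 0) {
        Write-Warning "hosts file still has $($leftovers.Count) non-default entries"
    }
    Get-StartupEntries | Format-Table -AutoSize
}

Invoke-PreServiceChecklist
```

Run `Invoke-PreServiceChecklist` before starting the scans and `Invoke-PostServiceChecklist` before the machine leaves the bench; `Repair-Winsock` is deliberately not called from either, because the reset only belongs on a box that shows the broken-browser symptom and it forces a reboot. The power-timeout changes apply to the active power scheme, so note the original values if the customer had them set on purpose.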
 