Malware Removal Methodology for Professionals

[TIGR]

Here's the scenario: you are an individual offering professional on-site malware removal services for computers running Windows. Adware, spyware, viruses, etc., you do it all, with some system cleanup on top. From when you get the call saying "I need you to come clean up my computer," to when you walk out the customer's door, how do you go about doing what you do?

Understanding that every computer and the malware with which it is infected is different:

1. What do you charge and what does it include?
2. What questions do you ask the customer before going to work on their PC?
3. What tools do you take along (both software and hardware tools)?
4. In what order, form turning the system on to job finished, do you do what you do?
5. Do you leave any software on the customer's computer to prevent future malware attacks? If so, what?
6. What [if any] advice do you leave the customer with, on how to keep their system clean?

I used to do malware removal as part of my business but for the past few years have focused entirely on building custom computers professionally. Now I'm looking to add malware removal [among other things] back into the services I offer and I welcome everyone's insights! I'm no neophyte to this and have my own methodology but maybe I (and others) will learn something new from this topic. I'll chime in later with my own tips!

Edit to add: Considering how widespread the malware problem is, I think this is an important conversation to start and I've posted it on several forums. I will add the best suggestions from all forums to this first post as time goes on, and intend to keep it up to date for the benefit of all.

 

[Schadenfroh]

I have cleaned many systems in my day, used to do it while working for the IT department at my old college. Now, I am rather casual about it, only doing it for friends and family. My undergraduate thesis was on detecting unknown viruses and I try to keep up with the latest news, although I am a bit out of touch.

I ask the person to backup any important files that they need to an external drive or (preferably) a DvD, which must be scanned on a secure system as well.

If a format / reinstall is out of the question, then I proceed as follows:

I make use of my flash drive that has a read-only switch to load certain tools like CCleaner, anti-malware tools, etc. With a Read-Only flash drive, it is very easy to keep the latest tools on there.

1. Disable system restore and clear all saved points
2. Using add/remove programs, uninstall any suspicious programs
3. Uninstall any existing anti-malware tools (they have failed, usually this is an old version of Mcafee or something bloated)
4. Remove temp files and cookies with CCleaner
5. Install AntiVir (the bootable rescue disk never seems to work) and update to the latest definitions using the flash drive. Configure it to full scan mode via the settings (ie scanning all files) and conduct a full scan in safe mode with networking, deleting whatever infections might be found
6. Do the same thing in step 5 with SuperAntiSpyware, A-Squared and maybe malwarebytes.
7. Remove A-Squared, SuperAntiSpyware, malwarebytes and Antivir
8. Run Hijackthis and analyze the result file with this page:
http://www.hijackthis.de/en
9. Install Microsoft Security Essentials and scan with it (Norton Security Suite if they are a Comcast Customer, the 2010 products are excellent and lean)
10. Enable DEP for all applications and programs
11. Setup a passworded admin account and a limited user account for day to day use
12. Update Adobe products and other out-of-date applications (transition them to OpenOffice if they are using an ancient version of Microsoft Office like Office 97), Microsoft Update
13. Update BIOS and Drivers (for completeness)
14. Refer them to mechBgon's page for network security and safe PC practices (ie router firewall + Windows Firewall):
http://www.mechbgon.com/build/router.html

 

[Lemon law]

Thank you Schradenfroh for linking in,
"8. Run Hijackthis and analyze the result file with this page:
http://www.hijackthis.de/en"

I knew about hijackthis, but that is a seriously cool tool.

 

[Metron]

Excellent overview Schadenfroh!

I would add to step 6: Install Spybot Search & Destroy 1.62 and run the "System Startup" tool from the Advanced Menu to disable/remove any unecessary (most everything with the exception of your antivirus and antispyware tools just installed) of the accumulated and pesky startups from the System Tray.

 

[chakraps]

:thumbsup: to Schadenfroh.

I was able to rid my old install of 3 different types of infections by following your step by step guide (WORM/Iksmas.htc, TR/Dropper.Gen, WORM/VBNA.isu).

 

[Modelworks]

1. What do you charge and what does it include?

I rarely do it for people outside of family anymore. The exception was my brother calling to tell me he just went to make a car payment at the dealership and the manager was beyond upset because their system was infected so bad they could no longer take payments. To make it worse they had never heard of doing a backup and had not done one in over 5 years with thousands of customers on the system.

I charged him $60 /hour and it took 7 hours.

2. What questions do you ask the customer before going to work on their PC?

I make a list of all programs they use on a daily basis, what data is most important to them. In this case it was the payment processing which was a program about 9 years old that was running in a dos box under xp. All the records were in a custom db format by a software company that no longer existed.

3. What tools do you take along (both software and hardware tools)?

USB drives (flash, HDD), parallel port laplink cable for those really old pc, floppy disk. Software I really like is a version of linux called deft.
http://www.deftlinux.net/about/packets-list/

Using that one deft boot cd I can do just about anything needed on a system.

4. In what order, form turning the system on to job finished, do you do what you do?

I let them show me what the problem is then turn everything off. I have them sign an agreement then I use a boot cd to boot the problem system and make an image of the data onto external drive then I start working on the original data with the other utils on the boot cd. I never really boot windows itself until I am sure I have most of the easy to remove stuff out of the way.

Once that is done I boot windows on their set up and start cleaning up whatever is left. This part is really different because so many things can change between systems and what is wrong . One thing that helps more than anything else you can do is to learn the windows boot process. All the utilities in the world can't beat what that knowledge will give you.

Learn what windows does step by step as it boots and you will be able to locate just about any malware that is on a system.

5. Do you leave any software on the customer's computer to prevent future malware attacks? If so, what?
6. What [if any] advice do you leave the customer with, on how to keep their system clean?

I'm going to be honest. Most of the people that I do this for are so far removed from computers that they haven't a clue what malware is. If you told them they could get malware from someone using an infected debit card on their Ccard processing machine they would believe it. Trying to inform people like this about how to protect their systems in an hour isn't going to work. They may claim to understand while you are there then a week later will be right back where they were. If it is a business I tell them they need to get a system administrator that can do that for them , if it is a home user I usually tell them to use MSE from MS or sandboxie to run the browser and to read EVERYTHING before they click on it. People get click happy

Now I'm looking to add malware removal [among other things] back into the services I offer and I welcome everyone's insights!

Good Luck ! Make sure you have something in writing signed by them before you ever touch their system and make it clear what you are responsible for and what you plan to do . I know a lot of people that do malware remova/data recovery and skip this part and it always ends badly with the customer saying he was promised something, or they shouldn't have lost a certain document a virus destroyed. Mine reads like this:

• Customer understands that this service is being provided without any promises or guarantees except for what is listed on this agreement.

• Customer understands that any data loss, damage to hardware, or damage to other connected systems are the sole responsibility of the customer.

• Customer understands that this process may involve the copying and potential offsite storage of intellectual property and agrees to not hold the service responsible for any damages that may result from actions such as the inadvertent release of intellectual property to unauthorized parties. Service will attempt to take all measures it deems appropriate to keep customer data private but will not be held liable if it occurs.

• Customer understands that if data that contains illegal content , examples include child pornography, are discovered during the servicing of the system that the proper authorities will be notified without the customers consent and said system can be turned over to authorities without customers consent. Service is not actively searching for such content, but if during the process we encounter such items we are required under law to notify the authorities.

• By signing below customer is accepting the above terms and has legal authority to make such contract:

 

[alkemyst]

Good points I also go into the registry/MSConfig and check under the Run and RunOnce entries and the startup directories under all profiles (as well as clean all temp directories in those profiles).

I have a job today actually...I usually require drop off and pickup. I keep the machine 2 days (drop off Monday morning, pickup Wednesday night). Anything faster is possible, but you pay to play.

The job I am doing today is for an ancient PC, older woman that is having some issues with email. She insisted she has a very important meeting with major influencial people coming so anything, but a 24 hour turn around time she'd go elsewhere. I told her $300, maybe $400.

She's going to stick to the $50-100 estimate and pick it up in a couple days.

 

[VirtualLarry]

Does anyone promise that the work is free if the problem isn't resolved? I'm just curious. I generally operate that way, but I recall once that a friend of mine had some bad malware installed, and I removed what I could with available tools, but it seemed like something stayed on the system, and he got re-infected the next day. So I reformatted.

So some zero-day malware doesn't have signatures yet. How do you handle that? I'm afraid that I'm not quite up to speed on how to remove, say, a zero-day rootkit manually. (Athough I am pretty adept at using HijackThis to manually remove malware, after I Google for objects unknown to me that show up.)

In that same line of thinking, how are you certain that you have removed everything that was on the system?

Also, recently, a friend was having PrevX 3.0 report that a certain driver was cloaked malware. But it was also listed as being the active sound driver in the system. Knowning that PrevX has a propensity for false positives, I uninstalled PrevX 3.0, after scanning with an updated Malwarebytes and not finding anything.

 

[alkemyst]

I don't make any promises. If I can't figure out something (and it hasn't happened yet) I wouldn't charge them.

I'd say the chance of a same day job for me is pretty rare and even if I did get one there are resources online that would be reporting the issues as well.

All anti-malware / av can report false positives...it's up to the tech to know if it's accurate.

I have repaired a lot of 'pro' work that got too heavy handed in what tools reported to them, esp in the registry.

The thing is with a bad virus I cannot guarantee anything other than I will try to restore their machine to the way it worked. I have them sign a release to this affect.

If they then want me to to a full-reinstall it's all new labor charges.

They can't take the gamble and then screw me on it.

 

[Modelworks]

Does anyone promise that the work is free if the problem isn't resolved?

The only time I guarantee something is when I do something like build a system. Not for malware or data recovery. It can take a lot of work just to find out that what they wanted back cannot be recovered. If you only get paid if you recover it then you spend a lot of time working for nothing.

So some zero-day malware doesn't have signatures yet. How do you handle that? I'm afraid that I'm not quite up to speed on how to remove, say, a zero-day rootkit manually.

This goes back to what I was saying about knowing the windows boot process. Like after the bios detects the drives and loads the boot manager what happens next . After the kernel loads what files does it load, etc. If you learn what windows should be doing at each step then you know when something isn't right. If you look at the text output for booting in safe mode you can see a sample of some of the things windows does when starting that are hidden by the windows wallpaper and logo. It doesn't matter if it is zero day because windows follows the same boot process on every system.

In that same line of thinking, how are you certain that you have removed everything that was on the system?

My goal is to never restore the system to perfect 100% pre-virus status unless it is something really minor. I go in , get them the data and files they need to do a clean install.

Also, recently, a friend was having PrevX 3.0 report that a certain driver was cloaked malware. But it was also listed as being the active sound driver in the system. Knowning that PrevX has a propensity for false positives, I uninstalled PrevX 3.0, after scanning with an updated Malwarebytes and not finding anything.

That goes back to learning the boot process. If you know how windows decides what driver to load and what conditions it requires to load them then you can weed out the malware drivers.

Simplified version of the boot process:
http://en.wikipedia.org/wiki/Windows_NT_startup_process

 

[alkemyst]

I have that PC now...here is an example of a typical user.

No AV update since 2006, XP Home SP1, 256MB RAM. IE6, way outdated adobe.

It's a mess.

 

[MadScientist]

Good thread and some good tips.

1. What do you charge and what does it include?
The answer to what to charge and other tips for repair techs can be found here: http://www.technibble.com/

2. What questions do you ask the customer before going to work on their PC?
Wiil the computer boot to the OS? If yes, what's it doing? What files do want backed up?

3. What tools do you take along (both software and hardware tools)?
4. In what order, from turning the system on to job finished, do you do what you do?
The answers to those questions can be found here in the Security Resource Thread's link to John's Malware Removal Guide. Just follow it. He's constantly updating it. The only other tool I use that he does not mention is rkill. It can be downloaded from bleepingcomputer.
http://forums.anandtech.com/showthread.php?t=98805

5. Do you leave any software on the customer's computer to prevent future malware attacks? If so, what?
As Modelworks has already mentioned it's amazing how many old computers have not had any active AV program on them for years. I install either Avira Antivir free version or Microsoft Security Essentials. I also install Ccleaner and Malwarebytes Anti-Malware and show them how to use them. Good luck.

6. What [if any] advice do you leave the customer with, on how to keep their system clean?
I place a bookmark in their browser to mechbgon's How (and why) to secure your Windows PC and go through each step with them. Good luck though trying to get them to use a non-administrator user account.
Scareware scams are the most common viruses I find on computers. People are click happy and click on them to try to get rid of them. I inform them that if one pops up hit CTRL ALT DEL to start Task Manager, go to the Applications tab, click on the Application, and click End Task. I even put this in writing on the invoice.
http://www.mechbgon.com/build/security2.html

 

[spikespiegal]

It is utterly astonishing that in this day and age, and everybody in this thread being aware you are competing with better educated and lower paid technicians over seas that we still aren't discussing the ultimate security measure; restricted accounts.

I take it the reason you guys aren't telling your clients after the fact to use a restricted account is because:

(1) You're not aware of the security differences between Win95 and NT/2000/XP/Vista/Win7

(2) You are aware, but want to make money coming back and fixing the mess.

(3) You've never worked in a large scale corporate environment where restricted accounts were in play to see the dramatic difference in support. Or, there's no way anybody would hire you to work in such an environment.

Every friend, relative co-worker and small business I've supported gets two bill rates. One for if they are running restricted accounts, and the other, which is astronomically higher, if they aren't running restricted accounts. If they want to let their teenagers download cracked software from bittorrent with no supervision and want me to clean up the mess they are going to pay dearly for it. I rarely ever hear from restricted account users, and if so, what ever baddy they got has just written junk to their local profile where it be easily nuked.

If you know how windows decides what driver to load and what conditions it requires to load them then you can weed out the malware drivers

I either encounter easily removed malware and spyware with at most peering at a 'hijack this' log, or really nasty garbage that's over-written critical .DLLs and system drivers that are like a root canal to remove. Since screwing with the later is like unraveling a knitted shirt and only get worse the deeper you go and start replacing files in I typically wipe the system.

First thing I do then after the fact is show the user how to use a restricted account. Also, half the software mentioned here would get me laughed at in an interview if it were involving security practices.

 

[alkemyst]

so you handle installing all the software for them when they need it?

 

[tcsenter]

First thing I do then after the fact is show the user how to use a restricted account. Also, half the software mentioned here would get me laughed at in an interview if it were involving security practices.

Laughed at in an interview...by those who manage or oversee your typical Geek Squad type IT support department? In many cases, laughed at during an interview is a sign of how incompetent and uninformed the 'interviewer' is, not the interviewee. Especially so today vs. 20 years ago, with the trend toward foreign call centers, the pressure to lower the pay scale for domestic help desk support technicians will typically buy you entry-level CompTIA techs who are worth every penny of their minimum wage.

 

[jjmIII]

I back up and re-install (must have code on case!) for $50. You have to bring the PC to my work though.
I do this on the side at my storage unit office. I only use word of mouth, but can hardly keep up!

Malwarebytes.org FTW.
I put AVG Free 9.0 on if they don't have AntiVirus already.

 

[KeithP]

I back up and re-install (must have code on case!) for $50. You have to bring the PC to my work though.
I do this on the side at my storage unit office. I only use word of mouth, but can hardly keep up!.

That is pretty much were I am at as well. Although I charge more.

IMHO, once a system has malware, it really isn't worth the effort to try and remove. It doesn't take much more work to back up data and reinstall the OS.

Also, is it me or does everyone that gets in this situation have an ancient XP box with only 512MB of RAM. I see this all the time.

-KeithP

 

[Lemon law]

I note that the thread title is, "Malware Removal Methodology for Professionals"

Does this exclude reasonable advanced security aware Amateurs?

And I note spikespiegal is largely correct in saying, "I either encounter easily removed malware and spyware with at most peering at a 'hijack this' log, or really nasty garbage that's over-written critical .DLLs and system drivers that are like a root canal to remove. Since screwing with the later is like unraveling a knitted shirt and only get worse the deeper you go and start replacing files in I typically wipe the system."

I totally agree with spike in saying, once the malware has overwritten enough dll's and drivers, its somewhat hopeless. But if wants to retain any old data in the subsequent total OS reinstall, the question is, how do you know the data you are reinstalling does not have have a pile of bad malware inside of that? Putting you back to square one. But I have major quibbles with spike's statement that otherwise, all malware is easily removable and that the registry only needs a cursory glance. Exactly not my experience when I bought a used XP pro computer off off ebay at an attractive price. And found the computer booted easily, but the prior computer security ignorant user included over 4000 pieces of malware at no extra charge. Adding a freeware AV and spybot and ad aware easily removed 95 % of the crap in a few hours. That and doing the windows updates, and adding more prevention based security programs stopped any reinfections, but getting rid of the last 5% of malware took weeks. But long after every after the fact scanners on the planet had pronounced the system clean, it took a hijack this professional logfile reader to clean out the last of the malware. But unless one is very knowledgeable and in the advanced professional class, reading a hijack log file is like reading Egyptian hieroglyphics. And that is why the analyze feature that Schadenfroh submitted is so useful, it identifies and translates into plain English what each entry in the logfile is. And even color codes it in terms of safety.

And maybe the way to look at the malware problem is to define it as a war. We are one side, the good guys trying to keep malware off our computers. Against the bad guys, the malware writers who try to get their malware onto as many computers as possible for fun and profit. And sadly, the average malware writers knows way more about computers than the average computer user.

But in trying to play the malware writers side of chess board to better understand them, the first thing to realize is that only a stupid for profit malware writer wants to write code that destroys the computer and makes it unbootable. And instead, by the infect as many computers as possible doctrine, they want to write something that is able to stay and be undetectable as possible.

While I have been fairly effective, knock on wood, at installing almost bulletproof computer defenses on my personal computers tat have stood the test of time for years, I am sometimes asked to help out friends with computers that have malware. As an amateur I almost always root out the problem but I am not fast at it. That hijackthis logfile analyzer will do wonders to help my speed.

 

[Lemon law]

Then there is the KeithP contention, "Also, is it me or does everyone that gets in this situation have an ancient XP box with only 512MB of RAM. I see this all the time."

I submit almost totally wrong, because its almost childs play to install a an effective computer security system on any XP computer running as little as 256 MB of ram. All adding more ram does is to allow your computer to get infected faster.

Granted that Vista and Win7 are a little better at security, but the last computer system I cleaned was a Win 7 system, and they had only had it a week before it became unnbootable. It was their first computer and they ran it without an AV. All I had to do was run system restore, and add a security system.

 

[Modelworks]

I either encounter easily removed malware and spyware with at most peering at a 'hijack this' log, or really nasty garbage that's over-written critical .DLLs and system drivers that are like a root canal to remove. Since screwing with the later is like unraveling a knitted shirt and only get worse the deeper you go and start replacing files in I typically wipe the system..

Rarely do I encounter things that show up in as a simple run command in the registry. Often it is things that run at ring0 or near it. Sometimes infected drivers, but that is rare. Wiping the system is not an option always. Once you know how everything works finding things that do not belong gets fairly easy. The things that complicate it are when the user has some software they depend on that isn't common. Things like programs written for a specific industry and not sold at retail. Those can be a problem because they may use the hardware in ways that a normal user would not. I encounter those a lot on systems used for embedded work where the system uses custom drivers and files to interface with external devices. Other things that really complicate it are when a user has truecrypt installed on the system forcing the booting of the target OS to access the volume.

Otherwise on the standard business install one very easy way to find overwritten drivers is scan for unsigned drivers. Also helps to keep a crc list of drivers you know are good and use a file compare to check.

 

[tcsenter]

I have USB2.0 enclosures for both 2.5" and 3.5" drives, in both IDE and SATA. I always remove the drive and scan/clean it offline, using two good antivirus/malware products.

 

[MadScientist]

Here's another weapon I found at technibble to add to your arsenal to uninstall programs in Safe Mode.
http://www.technibble.com/safemsi-exe-start-windows-installer-service-in-safe-mode/#more-5682

 

[Modelworks]

Another thing that is really easy that will cut down on re-infections. Disable vbscript.dll in windows/system32 and windows/wow64 . Set the properties to deny read&execute for all users. Most of the malware like bot networks use vbscript and most legitimate software doesn't use it anymore. I have been disabling it for about two years on systems now and never had a complaint of legitimate software not working.

 

[VirtualLarry]

Another thing that is really easy that will cut down on re-infections. Disable vbscript.dll in windows/system32 and windows/wow64 . Set the properties to deny read&execute for all users. Most of the malware like bot networks use vbscript and most legitimate software doesn't use it anymore. I have been disabling it for about two years on systems now and never had a complaint of legitimate software not working.

I do something similar. And in response to a prior post, when cleaning up a system, I pretty-much ALWAYS create an "Admin" and an "Internet" account, set the Internet account as a restricted user, and if they are running XP Pro, implement Software Restriction Policies according to MechBGon's guide, and I add a path rule that disables ".VBS" files from executing. Not quite the same as setting the file permissions on the DLL, but still fairly effective.

In my experience, once implemented properly, SRP is relatively bulletproof to drive-by malware. It may download onto a system and trigger an AV warning, but it will never execute on the system. That is, as long as the user isn't running as Admin.

This isn't perfect, though, because I come across programs (online poker clients, for example), that install into the Program Files directory, and expect to be able to write into that directory directly (eg. those programs were written for a Win98-style security model, not XP or newer). So I have to manually go into their system and set directory permissions on that sub-directory of Program Files, and allow Write access for All Users. (This does open up a hole into SRP, unfortunately, but it is highly unlikely that malware would be able to know that particular directory name off of Program Files to be able to write to and then execute.)

The alternative, is that the end-user ends up running as Admin 90% of the time, and then they install AIM to chat with their buddies, running as Admin again, subjecting them to AIM/browser viruses, etc.

 

[jokerspoon]

Do any of you interface to your clients remotely, to do all this?