My virus removal procedure sheet

My procedure (changes every day)

Virus infection: this includes mal/scare/bloat/ware, yadda, yadda.

Step 1:

Customer signature on work order next to where it says: BenchTech and/or its workers/contractors are not responsible for loss of data due to unforeseen circumstances such as hardware failure, malicious software infection, or human error. By signing below you agree to be bound to these terms.

Step 1a:
Customer signature on work order next to where it says: BenchTech and/or its workers/contractors are not responsible for programs when backing up/recovering data.

Step 2:

Pull the customer's hard drive and back up the data; slave the drive on a Linux box or Windows box.

Linux - Grab files and folders, common and uncommon (docs, photos, music, email, favorites)

Windows - AutoFab 4 (nothing else unless the customer has a specific request)

Step 3:
Put the drive back in the client's machine, boot into Safe Mode.
- Run rkill
- Combofix
- GMER
- Remover.exe (rootkit detection and removal from cmd)
- TDSSKiller

Reboot into Normal Mode
- MBAM
- SAS portable
- Combofix (yep twice)
- Remover.exe
- MSE v2 (Microsoft Security Essentials XP & 7 only)

If anything still exists at this point I start the manual removal process. If the manual process has not been documented, I check the BleepingComputer forums.
 
Reformat and reload everything. :eek:
It is a simple fix for controlled computers such as in a corporate environment, but that is about it. Most home users and even small businesses have no backups; many programs, games, and utilities installed from downloads but no copy on CD/DVD; and finally no list of their passwords and license key codes. Most of my customers would be outraged if I did that to their computer. I probably nuke & pave one or two PCs a year. Places like Best Buy do it frequently because it is quick and they do not care about their customers' lost programs and e-mail accounts.

Oh, thank you. I only use nuke and pave if Windows file systems are corrupt or missing and could not get fixed.

If they want to keep the programs, email accounts, favorites, etc. while their computers are infected with viruses, malware, etc., and you know it can't be 100% cleaned by these methods, should I let the customers know that viruses and malware may come back if they don't want the nuke and pave?
 

Nice methods, thank you for sharing. :) I have 15 years of experience with computer repair and I am still learning something new. :)
 
Oh, thank you. I only use nuke and pave if Windows file systems are corrupt or missing and could not get fixed.

I can usually (98%+) repair Windows without reinstalling it.

If they want to keep the programs, email accounts, favorites, etc. while their computers are infected with viruses, malware, etc., and you know it can't be 100% cleaned by these methods, should I let the customers know that viruses and malware may come back if they don't want the nuke and pave?

I suppose you can. I always work on it until I get it clean. That is probably my weakness as it sometimes means working 20 hours on a single PC. I just have a high quality standard. The exception is when the customer wants to keep something like Limewire on their system. Then I would not guarantee anything but I have never had a customer do that.
 
And what would you charge a client that you spent 20 hours on their PC removing the virus?

The same you'd charge someone that only took 2 hours.

If you're a tech who's learning and wisely using your time, that 20-hour job will take you 15 hours next time (or even less) and you'll get more and more efficient as you take and learn from more jobs!

[+ I don't punish customers for having slow computers]

However, if you have to repair permissions, reinstall programs, fix file type handling, fix their email, User Account transferring, etc...
THEN I'd think you should call the customer BEFORE the price goes up and inform them of the additional work needed to repair the computer (if it'll raise the price).


---
Now, no technician should spend 20 hours on ANY infection. If that's happening, you're not being efficient or you're doing something wrong.
That's a waste of your time as well as their time.
---
 
1. Back up customer data if needed.
2. Boot to safe mode.
3. Delete all temp files.
4. Combofix
5. Scan with TDSSKiller
6. Quick scan with MBAM and SAS portable
7. Disable system restore
8. Reboot into normal mode.
9. Full scans with MBAM and SAS portable
10. Manually search for anything missed, including rootkits.
11. Run Autoruns to delete unwanted startup items and HijackThis.
12. Enable system restore.
13. Install Avira and SpywareBlaster. (Update and run a full scan with Avira)
 
J-Bob said:
The same you'd charge someone that only took 2 hours.

If you're a tech who's learning and wisely using your time, that 20-hour job will take you 15 hours next time (or even less) and you'll get more and more efficient as you take and learn from more jobs!

[+ I don't punish customers for having slow computers]

However, if you have to repair permissions, reinstall programs, fix file type handling, fix their email, User Account transferring, etc...
THEN I'd think you should call the customer BEFORE the price goes up and inform them of the additional work needed to repair the computer (if it'll raise the price).

---
Now, no technician should spend 20 hours on ANY infection. If that's happening, you're not being efficient or you're doing something wrong.
That's a waste of your time as well as their time.
---

I agree with all of this except for the last paragraph. Sometimes the programmer of the malware just does something very well. I have had a few infections that no scanner picked up. HijackThis detected nothing. The only way I managed to track down all the children was to keep setting the BIOS clock forward until it tripped a time bomb and rebirthed itself again. Fortunately, I have run into that only twice. One of those was a laptop that the owner had just had in China. I really suspect the Chinese government infected his PC to information as part of industrial espionage. :eek: I had never seen anything like it. It would have gone unnoticed except that it woke the PC up from sleep a few times and the owner wanted me to check it out.
 
J-Bob said:
Now, no technician should spend 20 hours on ANY infection. If that's happening, you're not being efficient or you're doing something wrong.
That's a waste of your time as well as their time.


I agree with this. If the customer has their software, a full reinstall with all programs put back in place, emails, bookmarks, data, etc. could be done in just a few hours. (Depending on the amount of data and number of programs.)


I think if you are spending 20 hours + on a system something is wrong. I have ended up spending 3-4 hours trying to remove an infection only to have to N&P. Total time was still only about 6 hours. The drop off customer will never be charged for this, only for the job done.
 
1. Back up customer data if needed.
2. Boot to safe mode.
3. Delete all temp files.
4. Combofix
5. Scan with TDSS Killer
6. Quick scan with MBAM and SAS portable
7. Disable system restore
8. Rboot into normal mode.
9. Full scans with MBAM and SAS portable
10. Manually search for anything missed, including rootkits.
11. Run Autoruns to delete unwanted startup items and Hijackthis.
12. Enable system restore.
13. Install Avira and spywareblaster. (Update and run a full scan with Avira)

Nice list. One fault I can see that might cause you a headache at some point in the future is deleting the temp files at stage 3.

Some fake antiviruses move the Start Menu items into the %temp%\smtmp directory. Deleting the temp files so early can mean you have to recover these from backups.

This isn't a problem as long as you always either make a copy of %temp%\smtmp in the customer data backups or take a full image. Unfortunately your stage 1 doesn't really clarify whether this is the case.

Just something to bear in mind.
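A bench-side check for the caveat above, added here as an example (it is not the poster's code or part of any tool named in the thread): copy %temp%\smtmp into the customer-data backup before the temp purge, then purge temp with smtmp left in place. The paths are passed in as assumptions (on Windows, temp_dir would be the user's %TEMP% folder and backup_root the step-1 backup folder); the folder tree that demo() builds is constructed sample data.

```python
"""Added example: preserve %temp%\\smtmp before purging temp files.

Not from the thread. Assumptions: temp_dir is the user's temp folder
(os.environ["TEMP"] on Windows) and backup_root is the customer-data backup
folder from step 1. The folder tree built by demo() is constructed sample data.
"""
import os
import shutil
import tempfile

# Folder that rogue "fake antivirus" families use to stash Start Menu shortcuts.
PRESERVE = ("smtmp",)


def preserve_smtmp(temp_dir, backup_root):
    """Copy temp_dir/smtmp into backup_root/smtmp.

    Returns the number of files preserved; 0 means there was no smtmp folder,
    so the tech knows nothing was hidden there before wiping temp.
    """
    src = os.path.join(temp_dir, "smtmp")
    if not os.path.isdir(src):
        return 0
    dst = os.path.join(backup_root, "smtmp")
    shutil.copytree(src, dst, dirs_exist_ok=True)
    return sum(len(files) for _, _, files in os.walk(dst))


def purge_temp(temp_dir, keep=PRESERVE):
    """Delete every entry in temp_dir except the names in `keep`.

    Returns the sorted list of entry names removed, so the work order can
    record what was wiped.
    """
    removed = []
    for name in os.listdir(temp_dir):
        if name.lower() in keep:
            continue
        path = os.path.join(temp_dir, name)
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path, ignore_errors=True)
        else:
            os.remove(path)
        removed.append(name)
    return sorted(removed)


def demo():
    """Build a constructed temp tree, run both steps, report what happened."""
    root = tempfile.mkdtemp()
    temp_dir = os.path.join(root, "Temp")
    backup_root = os.path.join(root, "CustomerBackup")
    # Constructed: three hidden Start Menu shortcuts plus ordinary temp junk.
    hidden = ["smtmp/1/Programs/Accessories.lnk",
              "smtmp/1/Programs/Word.lnk",
              "smtmp/2/Desktop/Report.lnk"]
    junk = ["~DF1234.tmp", "Low/cache.dat"]
    for rel in hidden + junk:
        path = os.path.join(temp_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
    result = {
        "copied": preserve_smtmp(temp_dir, backup_root),
        "no_smtmp": preserve_smtmp(root, backup_root),  # root has no smtmp folder
        "removed": purge_temp(temp_dir),
    }
    result["survivors"] = sorted(os.listdir(temp_dir))
    shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

Run preserve_smtmp first and purge_temp second; a return of 0 from the first call tells you there was nothing in smtmp, while a non-zero count is your cue to restore the Start Menu from the backup folder once the rogue is gone.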
 

Funny you should mention this. I almost always make an image of the drive to a 1TB backup drive. Last week I was removing an infection for a friend of mine and I'll admit it was a bit of a rush job. I only backed up what was in her Docs, Pics, Faves etc. and not the temp files. Guess who had issues? :o


No more rush jobs!
 
A couple of thoughts to this topic: :D

1. I sometimes DO take many hours to work on a system, NOT billable, of course, to LEARN about what's in it, how it is affecting the system, and how to remove it. It's about KNOWLEDGE, and skill upgrades... We can never learn enough about malware and how it works and affects systems. I do it for ME, so I can be more effective next time. It's always a learning process. I also bought a book about malware and how it is created, so I can "know thine enemy to defeat it".

2. ZoneAlarm is a VERY good tool to have also. I had one system that the scanners and my manual efforts had led me to think was clean; then ZoneAlarm notified me that a program I did not recognize was asking for access to the Internet. I Googled the name, nothing, but THEN I Googled the IP address it was trying to reach, and it was a malware server in Belize of all places :-) Killed that one manually. Saved my bacon that time :D

The malware removal business IS a war, sometimes it's hard to figure out who is winning...
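The check ZoneAlarm did for the poster, done by hand as an added example (not the poster's code and nothing to do with ZoneAlarm's own logic): parse `netstat -ano` and `tasklist` output, join them on PID, and list processes that are not on a known-good allow-list yet hold a connection to a non-local address; those remote addresses are the ones worth looking up. The two sample outputs, the process names, PIDs and addresses are all constructed, and KNOWN_GOOD is an assumed allow-list the tech would maintain.

```python
"""Added example: triage outbound connections against a known-good process list.

Not from the thread or ZoneAlarm. Assumptions: NETSTAT_SAMPLE and
TASKLIST_SAMPLE are constructed text in the shape of `netstat -ano` and
`tasklist` output on Windows (on a live box, feed in the real output instead);
the process names, PIDs and addresses are made up, and KNOWN_GOOD is an
illustrative allow-list.
"""
import ipaddress
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49710     203.0.113.45:443       ESTABLISHED     1844
  TCP    192.168.1.20:49722     198.51.100.9:8080      ESTABLISHED     3120
  TCP    127.0.0.1:5354         127.0.0.1:49700        ESTABLISHED     1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    192.168.1.20:137       *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    884 Services                   0      5,120 K
firefox.exe                   1844 Console                    1    180,204 K
wsupdsvc.exe                  3120 Console                    1      2,316 K
"""

# Assumed allow-list of processes the tech expects to talk to the Internet.
KNOWN_GOOD = {"firefox.exe", "svchost.exe", "explorer.exe"}

# Address ranges that never indicate traffic leaving the customer's LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s", re.IGNORECASE)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()  # state is None for UDP
        host, port = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "local": local, "foreign_host": host,
                     "foreign_port": port, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def is_remote(host):
    """True when host is an IP address outside loopback/LAN/unspecified ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname: nothing to classify
        return False
    return not any(addr in net for net in LOCAL_NETS)


def flag_unknown_outbound(netstat_text, tasklist_text, known_good=KNOWN_GOOD):
    """List (image, pid, remote host, port) for processes not on the allow-list
    that hold a connection to a non-local address."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if not is_remote(row["foreign_host"]):
            continue
        image = procs.get(row["pid"], "<unknown pid>")
        if image.lower() in known_good:
            continue
        findings.append((image, row["pid"], row["foreign_host"], row["foreign_port"]))
    return findings


if __name__ == "__main__":
    for image, pid, host, port in flag_unknown_outbound(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} (PID {pid}) -> {host}:{port}  # address to look up")
```

The allow-list is deliberately by image name only, which is the same weakness the post describes: a process with a plausible name still gets through, so the remote address is the more useful thing to check against a reputation source.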
 
Easy Does it

Yes, absolutely. You are missing ALL of the more interesting malware and rootkits as well as several of the newer fake antivirus software crap. You definitely have got to read up.

None of the better stuff will show up in Process Explorer
Only the really crappy stuff will show in Autoruns
Malwarebytes has been a goner for a couple of months now (unfortunately). It was never REALLY good, but a helpful tool all the while.

Funny, I have been reading quite a lot of garbage about malware removal, especially manual removal, recently on Technibble. I hope this will change quickly. I get the creeps when I hear people talking about manual malware removal and the methods employed. I would immediately fire any one of my technicians if they went about malware removal in this manner. Read up people, and stop posting crap !! There are people here who are going to take you seriously and who are going to f... up their business.

This post makes me laugh a bit. What was posted is generally good information on a general removal. Yes, it does exclude the new rogue security products you see out there. But that is why we are all here... to learn. You personally need to ease up.... ever heard of constructive criticism??
 