standard operating procedure for virus/spyware removal jobs


silvano
10-15-2008, 04:57 PM
I'm somewhat new to this, so I'm trying to develop a good way to go through jobs and scans quickly and efficiently. So far, this is my S.O.P.

Turn off System Restore. Install AVG and Malwarebytes' Anti-Malware. Scan on system. Pull the drive, run Avira, AVG, and Anti-Malware on a different system set up for scanning. Plug the drive back in, uninstall everything, and leave AVG Free if they have no AV. Run CCleaner Portable, then hope everything's alright :D If it's a rogue program, I'll usually run RogueRemover, and occasionally I'll have to clean up remnants in the startup or registry. I'd really like to find a better way to go about doing these types of jobs though. Any ideas, or comments? Thanks guys.

Jager
10-15-2008, 06:48 PM
You'll typically be better off running the external scan first if you plan to do one; that reduces the back and forth and also can help remove the bulk without having to worry about the local PC trying to prevent your clean-up process.

tartis
10-15-2008, 07:46 PM
I always do an external scan using UBCD with Spybot, SUPERAntiSpyware, and AVG before booting into Windows and loading anti-spyware/malware software on an infected machine.

Arcadio
01-17-2009, 12:35 AM
I am interested in more replies to this thread, since I am learning to clean infections without formatting and reinstalling the OS.

geekhelp4u
01-17-2009, 02:49 PM
I always start with the Avira or Dr.Web CureIt live CD and run the antivirus scan. I then pop in the UBCD4Win and run a quick virus scan, and then run SUPERAntiSpyware and Spybot.

Next I start the machine in safe mode and run ATF Cleaner and SUPERAntiSpyware Free, which I usually leave on the machine. I then install avast! and the definitions and allow it to reboot and perform the boot-time scan.

I then boot into Normal Mode and run:

CCleaner
COMODO Registry Cleaner
MBAM
RogueRemover

Next I run HijackThis.

CHASEE
02-05-2009, 02:03 AM
I found these steps on another post here at Technibble. I have been using it and it seems to work very well. The only thing to add is to turn off System Restore before number 1.
1. Boot into Safe Mode w/ Networking
2. Run ComboFix with the /KillAll switch
3. Make sure to boot back into safe mode when CF reboots
4. Run SmitFraudFix, Options 5, 3, and 2.
5. Install & run Malwarebytes' Anti-Malware & RogueRemover
6. Run HijackThis to remove those malware startup entries, etc.
7. Boot into normal mode
8. Install & run SUPERAntiSpyware & AVG
9. Run CleanUp!, CCleaner (I rarely run the registry portion), and JkDefrag.

stevenamills
02-05-2009, 02:13 PM
I then boot into Normal Mode and run:

........
RogueRemover

Chris,

What is this? I'm familiar with everything else and use it. There used to be a program by this name (or something similar) that was incorporated into Malwarebytes.

Thanks for the help.

atlanticjim
02-08-2009, 01:00 PM
Correct me if I am wrong.

As much as I like and use CCleaner, it only cleans the current user account. ATF Cleaner has the option to clean all accounts if you are logged on as an administrator. Am I right?

I have been using CCleaner for registry cleanup, what is your opinion on a better tool?

gunslinger
02-08-2009, 05:53 PM
1. Boot into Safe Mode w/ Networking (disable System Restore)
2. Run ComboFix, SmitFraudFix and RogueRemover
3. Run CCleaner and EasyCleaner
4. Install and run Malwarebytes and SUPERAntiSpyware full scan.
5. Run HijackThis
6. Install AntiVir antivirus and do a full scan
7. Install SpywareBlaster, update it and take a system snapshot.
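
silvano, CHASEE and gunslinger all open with the same two steps: turn off System Restore, then boot into Safe Mode with Networking and get back into it after ComboFix forces its reboot. Both can be scripted. What follows is an added example written for this edit, not a tool any poster provided; it assumes Vista or Windows 7 (bcdedit does not exist on XP, where the equivalent is the /SAFEBOOT:NETWORK switch in boot.ini), PowerShell 2.0, and an elevated prompt, and the "Post-cleanup baseline" description is just a label chosen here. One caveat the thread does not raise: disabling System Restore deletes every existing restore point, so you lose your own rollback before the cleanup has started. The -Undo switch re-enables it and takes a fresh restore point once the machine is clean, and also clears the Safe Mode flag, which otherwise persists on every boot.

```powershell
# Added example, not from the thread. Pre-clean: disable System Restore (which also purges the
# infected restore points) and, with -SafeModeNetworking, make every boot come up in Safe Mode
# with Networking until -Undo is run. Post-clean: -Undo clears the Safe Mode flag, re-enables
# System Restore and takes a fresh restore point. Vista/7, PowerShell 2.0, elevated prompt.
param(
    [string]$Drive = "C:\",
    [switch]$SafeModeNetworking,   # set the persistent "safeboot network" BCD element
    [switch]$Undo
)

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell prompt."
}

# The WMI SystemRestore class (root\default) is what Disable-ComputerRestore wraps in PS 2.0.
$sr = [wmiclass]"\\.\root\default:SystemRestore"

function Disable-RestoreOnDrive([string]$Drive) {
    $rc = $sr.Disable($Drive).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable('$Drive') returned $rc" }
    Write-Host "System Restore disabled on $Drive; existing restore points are gone."
}

function Enable-RestoreOnDrive([string]$Drive) {
    $rc = $sr.Enable($Drive, $true).ReturnValue        # $true = wait until it is enabled
    if ($rc -ne 0) { throw "SystemRestore.Enable('$Drive') returned $rc" }
    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
    $rc = $sr.CreateRestorePoint("Post-cleanup baseline", 0, 100).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.CreateRestorePoint returned $rc" }
    Write-Host "System Restore re-enabled on $Drive with a fresh 'Post-cleanup baseline' point."
}

function Set-SafeBootNetwork {
    # The BCD element persists, so the reboot ComboFix forces comes back in Safe Mode with
    # Networking on its own (CHASEE's step 3). The braces must be quoted in PowerShell.
    & bcdedit.exe /set '{current}' safeboot network | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set safeboot failed with exit code $LASTEXITCODE" }
    Write-Host "Every boot is now Safe Mode with Networking. Run -Undo when the job is done."
}

function Clear-SafeBootNetwork {
    & bcdedit.exe /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "bcdedit /deletevalue returned $LASTEXITCODE (flag already clear?)" }
    else { Write-Host "Safe Mode flag cleared; the machine will boot normally." }
}

if ($Undo) {
    Clear-SafeBootNetwork
    Enable-RestoreOnDrive $Drive
} else {
    Disable-RestoreOnDrive $Drive
    if ($SafeModeNetworking) { Set-SafeBootNetwork }
}
```

Save it as a .ps1 and run it once before the scans (with -SafeModeNetworking if you want the ComboFix reboot to land back in Safe Mode) and once more with -Undo after the final normal-mode boot. Forgetting -Undo leaves the customer's machine booting into Safe Mode indefinitely, which is the one failure mode this script can cause on its own.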

stevenamills
02-08-2009, 05:57 PM
....... and take a system snapshot.

With ......?

usacvlr
02-08-2009, 08:21 PM
TuneUp Utilities 2009 has an excellent reg cleaner and reg defragger in it. Glary Utilities, which is a less sophisticated knock-off, is also quite good.

gunslinger
02-09-2009, 02:15 AM
With ......?


SpywareBlaster

http://i44.tinypic.com/32znnyb.jpg

MSgherzi
02-09-2009, 07:50 AM
1. Boot into UBCD4Win and run practically each of the spyware and virus removers.
2. Boot into safe mode minimally and run a few more scanners and reset system restore.
3. Boot normally and run CCleaner and some registry fixers.
4. Check their startup lists and services and disable anything useless.
5. Run and analyze their HijackThis logs.
6. Defrag their system usually using either DeFraggler or the built-in Windows defragmenter. I'd probably run disk checkup and clean out useless stuff before I call it.
7. Install Firefox, Spyware, Ad-Aware, CCleaner, and I've always followed that up with AVG, though I'm looking for alternatives to AVG, as much as I love it.
8. I make sure most of everything automatically updates and scans, and I set Firefox to empty its data whenever the browser is closed.
9. Make sure Windows Firewall is on and does not have any useless exceptions.
10. Finally, educate the user! One of the most important parts.

I might also run some online scanners like TrendMicro or McAfee, it depends on how bad the system is. I always enable some sort of logs just in case any other errors happen and the client brings the computer back later on. I notice that some of this includes making a system run fast, not simply virus/spyware removal. I like to couple the two at times to show my clients how fast their machines can really run (if they can!). I could do more to make it run faster, but if that's not the primary job, then I leave it to that list above.

vontreigo
02-17-2009, 09:46 PM
The 1st thing I do is turn on the PC and see what infections pop up.
It may just be a simple infection (AV360).

I dump ALL temp files including restore points.

I run a process scanner to manually clean up reg entries.

Boot safe mode.

All my tools I have as portables (or Thinstalls) with current updates.

I run AV and malware cleaners.

Assess the damage to the system (f/r or not f/r).

If clean, connect to the net and update all Windows software (Windows, IE, Office).

Done.

2-3 hours (average)

Fireddog
03-05-2009, 02:51 AM
One tool that I love for Windows XP is called Killbox. First I boot into safe mode.
I clear the restore points. I run Killbox first. Killbox clears all the cookies, temp files, and cache files from every single profile on the PC. I just wish someone made a version of it for Vista. After I run Killbox, I run Spyware Doctor, MBAM, CCleaner, and the Dr.Web standalone scanner. I also go online in safe mode and run Trend Micro's House Cleaner as well. That is my last scan. Then I run HijackThis to help tune up the machine. Reboot back into normal mode and verify there are no startup errors. Then I make sure to patch the system, and then I run CCleaner again to make sure the registry is clean. Then I turn on the restore point. Depending on the age of the machine it can be done in 2 hours. I do run Spybot as well before I do the normal mode boot.

But if I see that Windows Update is damaged or there are severe registry problems causing system instability after the first boot back into normal mode, I will then offer an OS repair if it's possible. And if they don't have much at all to worry about, I will do a system reboot as a last resort.

Only about 5% of the malware jobs I get require that last resort.
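
atlanticjim asked earlier whether CCleaner only cleans the logged-on account, and Fireddog above wants a Killbox-style cleaner that empties every profile's temp, cache and cookie folders and also works on Vista. The per-profile walk itself is short. The following is an added example written for this edit, not a poster's tool and not the code of any product named in the thread; it assumes PowerShell 2.0 (as shipped with Windows 7, or installed on XP/Vista) and an elevated prompt, and the folder lists are the standard per-profile locations for XP and for Vista/7. It deletes only the contents of those folders and never touches restore points; that step is handled separately in the thread. It is a dry run unless -Commit is given.

```powershell
# Added example, not from the thread. Empties Temp, Temporary Internet Files, History and
# Cookies for every local user account, using whichever profile layout the OS has
# (XP: Local Settings\...; Vista/7: AppData\Local\...). Dry run by default; -Commit deletes.
# Run elevated, ideally from Safe Mode so Explorer and the browsers hold nothing open.
param([switch]$Commit)

$xpTargets    = 'Local Settings\Temp', 'Local Settings\Temporary Internet Files',
                'Local Settings\History', 'Cookies'
$vistaTargets = 'AppData\Local\Temp',
                'AppData\Local\Microsoft\Windows\Temporary Internet Files',
                'AppData\Local\Microsoft\Windows\History',
                'AppData\Roaming\Microsoft\Windows\Cookies'

function Get-ProfilePaths {
    # ProfileList is authoritative for where each account's profile lives. S-1-5-21-* are real
    # user accounts; S-1-5-18/19/20 are SYSTEM, LocalService and NetworkService and are skipped.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($sid in Get-ChildItem -Path $list) {
        if ($sid.PSChildName -notmatch '^S-1-5-21-') { continue }
        $raw = (Get-ItemProperty -Path $sid.PSPath).ProfileImagePath
        if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) }
    }
}

function Clear-Folder([string]$Folder, [bool]$Delete) {
    # Returns the bytes found under $Folder (and removed when $Delete). The folder itself stays.
    $dir = Get-Item -LiteralPath $Folder -Force -ErrorAction SilentlyContinue
    if (-not $dir) { return 0 }
    # Vista/7 keep "Local Settings", "Cookies" etc. as junctions for XP-era software. Deleting
    # through a junction deletes the target, so a reparse point is never recursed into here.
    if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) { return 0 }
    $files = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    $bytes = 0
    foreach ($f in $files) { $bytes += $f.Length }
    if ($Delete) {
        Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue   # in-use files are left behind
    }
    return $bytes
}

$total = 0
foreach ($profileDir in Get-ProfilePaths) {
    # AppData\Local exists only in the Vista/7 layout; XP profiles have Local Settings instead.
    if (Test-Path -LiteralPath (Join-Path $profileDir 'AppData\Local')) { $targets = $vistaTargets }
    else                                                                 { $targets = $xpTargets }
    foreach ($rel in $targets) {
        $folder = Join-Path $profileDir $rel
        $n = Clear-Folder $folder ([bool]$Commit)
        if ($n -gt 0) { '{0,10:N0} KB  {1}' -f ($n / 1KB), $folder }
        $total += $n
    }
}
$verb = 'Would remove'
if ($Commit) { $verb = 'Removed' }
'{0} {1:N1} MB across all local profiles' -f $verb, ($total / 1MB)
```

Run it once without -Commit to see per-folder sizes and confirm it resolved the right profile directories (a relocated profile or a D:\Users layout shows up here before anything is deleted), then again with -Commit. Files locked by a running process are simply left in place, which is why the posters run this kind of step from Safe Mode.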

Afford-A-Tech
03-05-2009, 05:42 AM
What do you guys do for onsite jobs? The reason I ask is I will have to go to a client's house tomorrow and more than likely I will need to remove some malware from the system.
This is my first on-site job in years, as most of my clients prefer to bring the computer to my shop. Also, because of my flat rate fees, I don't want to waste valuable time that otherwise doesn't need to be lost.

Fixedathome.com
03-05-2009, 09:55 AM
What do you guys do for onsite jobs? The reason I ask is I will have to go to a client's house tomorrow and more than likely I will need to remove some malware from the system.
This is my first on-site job in years, as most of my clients prefer to bring the computer to my shop. Also, because of my flat rate fees, I don't want to waste valuable time that otherwise doesn't need to be lost.

I usually evaluate the state of the system initially and if it looks like it is massively infected I advise an uplift. You can never judge how long some of the scans will take and I explain that I could be sat here watching scans run for 4-5hours whilst charging or I can take it back to the workshop and charge less. They are usually happier with this option.

If the PC only appears to have minor infections, then:

ATF Cleaner
Combofix
Malwarebytes quick scan
AV scan with Avast or Avira
Hijackthis

This will usually take between 1 and 2 hours. If Combofix and Malwarebytes are finding loads of infections though I will advise the customer to rethink the uplift.

Methical
03-05-2009, 11:25 AM
I always run a cleaning tool first (like CCleaner) to get rid of all temp files, cookies, etc. No point in wasting valuable time scanning them. As well as dumping System Restore files.

You should give the customer the option whether they want to pay you hourly to do an on-site job, or pay a flat fee and have you take it back to base with you and clean it then.

I had a mate that had a laptop riddled with malware/viruses etc. He took it to a shop, who were going to charge him $80 just to look at it, and $40 every half hour after that. It took a long time just for AVG to finish its full system scan (about 7-8 hours if I remember rightly). All up the job was about 12 hours.

Imagine the hefty price he would have had to pay a professional for something simple.

Fireddog
03-05-2009, 12:32 PM
Well, if you're using AVG, that's why. It's the damn slowest friggin' scanner out there and its detection rate isn't great to begin with. I would try PC Tools' free AV for those running a 32-bit OS. But if they've got Vista, odds are the infection won't be as deep.

Afford-A-Tech
03-05-2009, 05:58 PM
Well, if you're using AVG, that's why. It's the damn slowest friggin' scanner out there and its detection rate isn't great to begin with. I would try PC Tools' free AV for those running a 32-bit OS. But if they've got Vista, odds are the infection won't be as deep.

I always hated PC Tools AV. My buddy used to be a Firedog tech; he got hooked on it. I guess only because it was used in the Firedog console.

What do you guys recommend for a portable AV? Or should I just stick to making a VMware Thinstall of avast!, NOD32, and Avira?

Afford-A-Tech
03-05-2009, 06:01 PM
I usually evaluate the state of the system initially and if it looks like it is massively infected I advise an uplift. You can never judge how long some of the scans will take and I explain that I could be sat here watching scans run for 4-5hours whilst charging or I can take it back to the workshop and charge less. They are usually happier with this option.

If the PC only appears to have minor infections, then:

ATF Cleaner
Combofix
Malwarebytes quick scan
AV scan with Avast or Avira
Hijackthis

This will usually take between 1 and 2 hours. If Combofix and Malwarebytes are finding loads of infections though I will advise the customer to rethink the uplift.


Would you recommend doing all this while in safe mode? Also, what are your thoughts about using a PE-based live CD to do all of that? Although I do not like to rely on live CDs all the time.

ASDCR
03-14-2009, 12:57 AM
eh

vundo/XPav2008 runs in safe mode too

so.. don't bother!

Fixedathome.com
03-14-2009, 01:33 AM
Would you recommend doing all this while in safe mode? Also, what are your thoughts about using a PE-based live CD to do all of that? Although I do not like to rely on live CDs all the time.

I usually try normal mode if possible.
I will quite often run an Avira scan from a PE disk on a badly infected system and then go through the steps I mentioned above. This does add to the time though so probably not worth doing onsite.

Fixedathome.com
03-14-2009, 01:37 AM
eh

vundo/XPav2008 runs in safe mode too

so.. don't bother!

Don't bother trying to remove them? :confused:

iptech
03-14-2009, 02:24 AM
A reasonably confident/competent tech shouldn't be relying upon third-party scanning software to do the job. You should be able to see where and when the virus is operating, and you should disable and eliminate as much of that virus as possible before you run any scanning or cleanup software.

No customer is going to be happy paying you $50+ an hour to sit and watch a $20 piece of software running only for you to give up and opt for 'nuke and pave' because the virus still runs under Safe mode. :mad:

ASDCR
03-14-2009, 03:11 AM
"don't bother" going to safe mode

I've cleared viruses in normal mode - "safe" mode isn't a sanctuary anymore

the biggest baddest nastiest nasties snicker at safe mode

so don't bother

*shrug*
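
Two things in this thread are really the same job done by eye: MSgherzi's "check their startup lists and services and disable anything useless" and iptech's point that you should see where the malware is running before you start scanners. ASDCR's "safe mode isn't a sanctuary" has a concrete mechanism behind it too: Safe Mode starts only the drivers and services listed under the SafeBoot\Minimal and SafeBoot\Network registry keys, so a service that writes its own name there comes up in Safe Mode like everything else. The following is an added example written for this edit, not a poster's tool and not HijackThis or any other product's code; it assumes PowerShell 2.0 on XP through Windows 7, an elevated prompt, and that you run it as the infected account (otherwise the HKCU entries it reads are the admin's, not the customer's). It is read-only: it lists Run/RunOnce entries, auto-start services and SafeBoot entries whose binary is not Microsoft-signed, including entries whose file no longer exists, which are the "remnants in the startup or registry" silvano mentions at the top of the thread.

```powershell
# Added example, not from the thread. Read-only audit of the autostart points the posts keep
# coming back to: Run/RunOnce keys, auto-start services, and the SafeBoot keys that decide what
# still loads in Safe Mode. Lists anything not Microsoft-signed. Run elevated, as the infected user.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # Get-ItemProperty metadata

function Get-ExePath([string]$CommandLine) {
    # Reduce a Run value or service ImagePath to the file it runs, e.g.
    #   "C:\Program Files\x\y.exe" /s  |  C:\x\y.exe -a  |  system32\DRIVERS\z.sys  |  \SystemRoot\...
    $p = $CommandLine.Trim()
    if ($p -match '^"([^"]+)"') { $p = $matches[1] }
    elseif ($p -match '^(.+?\.(exe|dll|sys|cmd|bat|scr|vbs))(\s|$)') { $p = $matches[1] }
    $p = $p -replace '^\\\?\?\\', ''                       # strip the \??\ native-path prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SignerName([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return "MISSING: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # PowerShell 1/2 checks embedded signatures only; Windows' own catalog-signed files land
        # here as NotSigned as well, so UNSIGNED means "go and look", not "malware".
        $company = (Get-Item -LiteralPath $Path -Force).VersionInfo.CompanyName
        return "UNSIGNED ($($sig.Status); CompanyName='$company')"
    }
    return $sig.SignerCertificate.Subject
}

function New-Finding($Location, $Name, $Command) {
    $signer = Get-SignerName (Get-ExePath $Command)
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $Command; Signer = $signer
        Suspect  = ($signer -notmatch 'O=Microsoft Corporation')
    }
}

function Get-RunKeyFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            New-Finding $key $p.Name ([string]$p.Value)
        }
    }
}

function Get-ServiceFindings {
    foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        $cmd = $svc.PathName
        if ($cmd -match 'svchost\.exe') {
            # svchost.exe is always Microsoft's; the code that actually runs is the ServiceDll.
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $cmd = $dll }
        }
        New-Finding 'Service (Auto)' $svc.Name $cmd
    }
}

function Get-SafeBootFindings {
    # Safe Mode loads only what is listed under these keys. Stock entries are device-class GUIDs
    # and Microsoft service/load-group names; a service that adds its own name starts in Safe
    # Mode like anything else, which is one concrete reason "safe" mode is no sanctuary.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $name = $sub.PSChildName
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { continue }      # device-class GUID
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if (-not (Test-Path $svcKey)) { continue }                   # load-group name, not a service
            $image = (Get-ItemProperty -Path $svcKey).ImagePath
            if ($image) { New-Finding "SafeBoot\$mode" $name $image }
        }
    }
}

$findings = @(Get-RunKeyFindings) + @(Get-ServiceFindings) + @(Get-SafeBootFindings)
$findings | Where-Object { $_.Suspect } | Sort-Object Location, Name |
    Format-Table Location, Name, Signer, Command -AutoSize -Wrap
```

Read the output the way you would a HijackThis log: a MISSING entry is a dead pointer to clean up, an UNSIGNED entry with a random-looking name in system32 or a user's temp folder is where to start, and a non-GUID SafeBoot entry you cannot account for is the reason the machine is still infected after a safe-mode scan. Nothing here is deleted for you; disabling is a decision, not a script step.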

iptech
03-14-2009, 03:19 AM
"don't bother" going to safe mode

I've cleared viruses in normal mode - "safe" mode isn't a sanctuary anymore

the biggest baddest nastiest nasties snicker at safe mode

so don't bother

*shrug*

I'll stick to my methods and you stick to yours. But thanks for the indifferent response anyway. :rolleyes: