Technibble Forums > Technical Discussions > Security, Viruses and Trojans

#1
06-27-2008, 05:52 PM
cdz25 (Join Date: Nov 2007, Posts: 9)
Virus removal procedures (client machines)

I am curious as to how you handle requests from clients who have viruses. I find that it normally takes hours to remove them. In starting my business I want to get my price list and standard operating procedures correct. I want to advise clients that virus removal is a long process, and I would like to only do removals in-house for this reason. Any suggestions?
#2
06-27-2008, 08:10 PM
Phishie (Join Date: May 2008, Location: Indio, CA, Posts: 173)

Don't worry about getting too technical with your explanations. Don't throw in a lot of extra lingo, because you don't want to confuse them. My normal rate is $70/hour on-site, but for a virus removal I charge a flat fee of $100 and tell the customer that virus removal is a long process and I will only do it in my shop (at home). I made a form in Word called "component intake" which includes my business name and address and fields for customer data and computer data. Fill out two of those so your customer has something to assure them that you are not a crook.

If they insist on having it done in their home, then let them know it can take hours and hours, and if they are fine with that they can pay your normal hourly rate to do it there.
__________________
Palm Springs Computer Repair
#3
07-04-2008, 04:47 AM
Wheelie (Join Date: May 2008, Posts: 555)

I remember in the early days of my business how long it took me to remove viruses: about a 4-month learning curve to get proficient. Now I can do it in about an hour or so. And yes, right now you need to take them back to your shop to do the work at a flat fee so you are not learning on their dime. It's also embarrassing to look like a fool when a virus is kicking your a$$ while you try to do it in front of your customer.

Here are some partial Cliffs Notes:
Virus removal is simply a process of finding and eliminating the "offending" files and registry calls (unless it's a rootkit). If you remove the wrong file(s) you will cripple and corrupt Windows (don't ask me how I know). So be careful about which files you delete. You need to learn to spot bad files quickly, and you will the more jobs you do. You'll also learn about the companies that are propagating this crapware.

Different viruses hide in different places, and you want to learn how to find them and remove them in stages. First boot in safe mode, go to Windows startup (msconfig) and eliminate them there. Then empty the temp folders under each user profile in Docs & Settings. Empty out all the IE Temporary Internet Files folders under each user as well. Empty the temp folder in C:\windows\temp. Sort the system32 folder by date, go to the most recent dates, and learn to distinguish between legitimate files and viruses and remove or rename them. If you cannot remove or rename a bad file (now you're hot), make a note of the file name, boot to the Windows XP CD (or Knoppix), browse to the system32 folder in DOS (choose R for repair) and rename or delete the file there.

Reboot, then run HijackThis and delete any crap there (fantastic and important tool). If something keeps popping back into HijackThis then you have a reinfector, and you have to find and eliminate that. It usually means going into the registry to the Winlogon area and deleting it there.

Reboot and go to Add or Remove Programs, look for suspicious entries and remove them. Remove any instances of Norton or McAfee ... they are completely ineffective. I work on PCs every week that are heavily infected while Norton or McAfee are running and have no clue they're infected. Not only that, you'll double the speed of the PC by removing them.

Install AVG, NOD32, Trend or another top-ranked AV app. Install and/or update Spybot and Ad-Aware (awesome tools). They will remove any files you missed during the manual removal, and they will also clean out the registry (very important).

After I install these tools and update them to the latest definitions, I usually start Spybot running on my way out the customer's door and tell them to run each one to completion sequentially and let them remove anything they find. I tell them this will take almost an hour for each of the 3 to run and it has to be done today. I only do this after I know the virus is gone and there is no evidence of it (popups, hijacked browsers, etc.).

Disclaimer: there is a helluva lot more technique, skill, and knowledge needed to successfully remove and eliminate this junk that I did not post, but this is a good start. If you do not know what you are doing, the good old school of hard knocks will finish teaching you, so back up important files before you start if you have any doubt. I cannot over-emphasize the importance of knowing which files and registry entries are legit and which ones are not. Screw up there and it's a Windows reload.

BTW - You can back up data and reload Windows in about 3 or 4 hours ... so being able to remove viruses in an hour is a good skill. But sometimes when a PC is heavily infected the OS is toast anyway, so knowing when a cleaning will work and when one won't is good skillz too.
__________________
"I clicked on the blue thingy in the little window and now it won't show the screen ... can you fix it?"
"Absolutely. Is today at 3 o'clock good?"
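As an added example (not code from the post above or from any tool it names), the following Python script does the file-system part of that procedure against a Windows XP volume that has been attached to a clean machine and mounted at a path you give it, the way later posts in this thread describe. It walks system32 newest-first, the per-user temp and Temporary Internet Files folders, C:\WINDOWS\Temp and each profile's Startup folder, and prints candidates for review. It does not touch the registry (msconfig startup entries, the Winlogon keys) and it does not decide what is malicious; that judgment is the part of the post that has to be learned. The sample volume it builds when run without arguments, and every file name in it, is constructed for illustration.

```python
"""Offline triage of a Windows XP-era system volume mounted as a second drive.

Added example, not code from the forum post.  Assumes the suspect disk is
attached to a clean machine and mounted at the path given on the command line.
Registry-based startup entries are out of scope for this script.
"""
import os
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Extensions worth a second look when they are freshly written into system32
# or show up at all inside a temp folder.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx"}


@dataclass
class Finding:
    path: str      # relative to the volume root, Windows separators
    mtime: float
    size: int
    reason: str


def triage_volume(root, days=14, now=None):
    """Return suspicious files under a mounted XP volume, newest first."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []

    def note(p, reason):
        st = p.stat()
        rel = str(p.relative_to(root)).replace(os.sep, "\\")
        findings.append(Finding(rel, st.st_mtime, st.st_size, reason))

    # 1. system32 "sorted by date": only executables written inside the window.
    sys32 = root / "WINDOWS" / "system32"
    if sys32.is_dir():
        for p in sys32.iterdir():
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES and p.stat().st_mtime >= cutoff:
                note(p, "recently modified executable in system32")

    # 2. Temp folders (system-wide and per profile): an executable there is
    #    suspicious regardless of age.  3. Startup folders: anything there runs
    #    at logon; desktop.ini is the one normal entry.
    temp_dirs = [root / "WINDOWS" / "Temp"]
    profiles = root / "Documents and Settings"
    for prof in (profiles.iterdir() if profiles.is_dir() else []):
        if not prof.is_dir():
            continue
        temp_dirs.append(prof / "Local Settings" / "Temp")
        temp_dirs.append(prof / "Local Settings" / "Temporary Internet Files")
        startup = prof / "Start Menu" / "Programs" / "Startup"
        if startup.is_dir():
            for p in startup.iterdir():
                if p.is_file() and p.name.lower() != "desktop.ini":
                    note(p, "entry in Startup folder")
    for d in temp_dirs:
        if d.is_dir():
            for p in d.rglob("*"):
                if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                    note(p, "executable in temp folder")

    findings.sort(key=lambda f: f.mtime, reverse=True)
    return findings


def build_sample_volume(base, now):
    """Construct a small fake XP volume for demonstration; all names are made up."""
    base = Path(base)
    files = {  # relative path -> age in days
        "WINDOWS/system32/kernel32.dll": 400,   # old system file, not flagged
        "WINDOWS/system32/xyzabc.dll": 1,       # freshly dropped DLL
        "WINDOWS/system32/notes.txt": 1,        # new but not executable
        "WINDOWS/Temp/installer.pif": 3,
        "WINDOWS/Temp/~df1234.tmp": 3,
        "Documents and Settings/Owner/Local Settings/Temp/setup123.exe": 2,
        "Documents and Settings/Owner/Local Settings/Temporary Internet Files/Content.IE5/page.htm": 2,
        "Documents and Settings/Owner/Start Menu/Programs/Startup/update.exe": 5,
        "Documents and Settings/Owner/Start Menu/Programs/Startup/desktop.ini": 400,
    }
    for rel, age in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * 16)
        t = now - age * 86400
        os.utime(p, (t, t))


def run_sample():
    """Build the sample volume in a temp dir and triage it with a 14-day window."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_sample_volume(d, now)
        return triage_volume(d, days=14, now=now)


if __name__ == "__main__":
    # Usage: python triage.py /mnt/sda1   (no argument runs the built-in sample)
    found = run_sample() if len(sys.argv) < 2 else triage_volume(sys.argv[1])
    for f in found:
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(f.mtime))
        print(stamp, f"{f.size:>9}", f.path, "<-", f.reason)
```

The output is a review list, not a verdict: compare each hit against the post's advice on learning which files are legitimate before renaming or deleting anything, and extend EXEC_SUFFIXES or the day window to taste.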
#4
07-07-2008, 01:37 PM
Blues (Join Date: Jun 2006, Location: Tennessee, US, Posts: 1,606)

I currently lost all my equipment for doing virus removals, so right now I am in a difficult spot for that. I don't have the adapters anymore to hook up the client's drive as a USB drive I can scan. This makes the job easier and faster than trying to use the client's infected machine for the job. I can and will perform the removal on-site, but I generally ask to take the machine as it is a long process.
#5
07-07-2008, 10:09 PM
Wheelie (Join Date: May 2008, Posts: 555)

Quote (Originally Posted by Blues):
I currently lost all my equipment for doing virus removals, so right now I am in a difficult spot for that. I don't have the adapters anymore to hook up the client's drive as a USB drive I can scan. This makes the job easier and faster than trying to use the client's infected machine for the job. I can and will perform the removal on-site, but I generally ask to take the machine as it is a long process.
They're $17

http://www.newegg.com/Product/Produc...82E16822999161
#6
07-08-2008, 06:44 PM
Blues (Join Date: Jun 2006, Location: Tennessee, US, Posts: 1,606)

In reply to Wheelie:
I lost that equipment like 3 months ago but haven't needed it for the few jobs I have had over that time. I work full time in an office where I don't need it at all. I will get one; I just haven't needed to yet, so it is just a matter of not needing it, as I have had little work outside my full-time job.
#7
07-11-2008, 08:47 AM
nonchalant (Join Date: Oct 2007, Location: Oz, Posts: 611)

I never attempt virus removal on-site anymore.

If the customer seems a bit averse to me taking it away, I explain that the best way to remove viruses is by accessing their HDD as a second drive at home. If they still seem a bit against me taking it away, I tell them I can do it on-site but it will take at least twice as long and cost twice as much. I don't usually have any objections after that.
#8
07-11-2008, 12:39 PM
NWPhotog (Join Date: Oct 2007, Posts: 617)

What do you guys do to remove rootkits? (By the methods mentioned you wouldn't even see the rootkit.) What about infections that return after so many reboots or days? The methods mentioned will leave about 20-50% of the machines still infected. Only a matter of time until the garbage returns.
#9
07-11-2008, 01:18 PM
Blues (Join Date: Jun 2006, Location: Tennessee, US, Posts: 1,606)

@nonchalant: I inform them of the increased time and costs involved in on-site virus repair, but I have had one person request I do it on-site. If they are willing to pay me, I am willing to work, so long as they have it all up front.

@NWPhotog: I generally boot their machine, get the behaviors and try to see if I can tell what I am dealing with. I then hook it up as a USB drive to clean it and defrag it; after that I plug it back in, boot it up and look for traces. I may, depending on how bad things seemed, then look for rootkits and other issues.
#10
07-11-2008, 03:11 PM
Wheelie (Join Date: May 2008, Posts: 555)

Quote (Originally Posted by NWPhotog):
What do you guys do to remove rootkits? (By the methods mentioned you wouldn't even see the rootkit.) What about infections that return after so many reboots or days? The methods mentioned will leave about 20-50% of the machines still infected. Only a matter of time until the garbage returns.
From Wikipedia (on rootkit detection): The best, and most reliable, method for rootkit detection is to shut down the computer suspected of infection, and then check its secondary storage by booting from an alternative medium ... A non-running rootkit cannot actively hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are often tampered with by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection should be assumed .... Running rootkits attempt to protect themselves by monitoring running processes and suspending their activity until the scanning has finished; this is more difficult if the rootkit is not allowed to run ...

From Wikipedia (on rootkit removal): "Many hold this to be forbiddingly impractical. Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch ...

My action:
While rootkits are often fun to dink around with to see if you can find them, I rarely do this any more (esp. on my business clients' computers!). I now always recommend backing up data and reloading the OS in cases where rootkits are discovered (which BTW is what Microsoft recommends on their web site!). The only real way to detect a rootkit (as listed above) is to connect the drive up to a non-infected OS and scan it. Just be aware that if it is an "unknown rootkit" your AV software will not catch it. In these situations you have a PC with virus-like behaviors but nothing is detected. In those situations I have declared it an "unknown rootkit" or simply a "corrupt OS" and reloaded Windows.
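The cross-view check the quoted Wikipedia passage describes, as an added example (not code from the post, the forum or Wikipedia): take one file listing from inside the suspect OS, where a running rootkit can filter what the directory APIs return, and a second listing of the same volume attached to a clean machine, then diff them. Anything the offline listing has that the online one lacks is being hidden. The two listings and every file name in them are constructed for illustration; the hid_ prefix is a made-up stand-in for whatever the rootkit's filter keys on.

```python
"""Cross-view detection of files hidden by a running rootkit.

Added example, not the forum's or Wikipedia's code.  A rootkit on the running
system can filter what the OS directory APIs return, but it cannot filter a
listing taken from the same volume while it is attached to a clean machine.
Anything present offline but absent online is assumed hidden.
"""
from dataclasses import dataclass


def normalize(path, root):
    """Map a path from either listing to a mount-independent, case-folded key.

    Strips the mount prefix (drive letter or mount point), unifies the
    separators and lower-cases, since NTFS names are case-insensitive.
    """
    p = path.replace("/", "\\")
    r = root.replace("/", "\\").rstrip("\\") + "\\"
    if p.lower().startswith(r.lower()):
        p = p[len(r):]
    return p.strip("\\").lower()


@dataclass
class CrossViewResult:
    hidden: list        # offline only: the rootkit is filtering these
    online_only: list   # online only: usually written after the offline snapshot


def cross_view(online, online_root, offline, offline_root):
    """Diff an in-OS listing against an offline listing of the same volume."""
    on = {normalize(p, online_root): p for p in online}
    off = {normalize(p, offline_root): p for p in offline}
    hidden = sorted(off[k] for k in off.keys() - on.keys())
    online_only = sorted(on[k] for k in on.keys() - off.keys())
    return CrossViewResult(hidden, online_only)


# Constructed sample listings; every file name below is made up for illustration.
# The "hid_" prefix stands in for whatever naming the rootkit's filter keys on.
OFFLINE_ROOT = "/mnt/sda1"          # volume mounted under Knoppix on a clean box
OFFLINE_LISTING = [
    "/mnt/sda1/WINDOWS/system32/kernel32.dll",
    "/mnt/sda1/WINDOWS/system32/drivers/ntfs.sys",
    "/mnt/sda1/WINDOWS/system32/drivers/hid_filter.sys",
    "/mnt/sda1/WINDOWS/system32/hid_loader.dll",
    "/mnt/sda1/Documents and Settings/Owner/My Documents/resume.doc",
]
ONLINE_ROOT = "C:\\"                # listing taken from inside the suspect OS
ONLINE_LISTING = [
    "C:\\WINDOWS\\System32\\kernel32.dll",
    "C:\\WINDOWS\\System32\\drivers\\ntfs.sys",
    "C:\\Documents and Settings\\Owner\\My Documents\\resume.doc",
    "C:\\WINDOWS\\Temp\\tmp0001.tmp",   # written after the offline listing was taken
]


def run_sample():
    """Run the comparison on the constructed listings."""
    return cross_view(ONLINE_LISTING, ONLINE_ROOT, OFFLINE_LISTING, OFFLINE_ROOT)


if __name__ == "__main__":
    result = run_sample()
    print("Hidden from the running OS (assume rootkit):")
    for p in result.hidden:
        print("  ", p)
    print("Seen online only (check timestamps; likely written after the offline snapshot):")
    for p in result.online_only:
        print("  ", p)
```

In practice the online listing comes from the suspect machine itself, for example `dir C:\ /s /b /a` redirected to a file, and the offline one from the drive mounted under Knoppix with `find /mnt/sda1 -type f` or from a clean Windows box where it shows up as another drive letter. Take the two as close together as possible; entries that appear only online are normally just logs and temp files written between the snapshots, while executables and drivers in the hidden list are the ones that matter. A rootkit that hides itself by other means (a boot sector, an unknown driver that the scanner has no signature for) will not show up here, which is the "unknown rootkit" case the post ends on.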
Technibble.com is based out of MELBOURNE, AUSTRALIA.