#1

Hi All,
Recently came across this site and really like it. I run a small IT shop in Northeast Ohio and thought I'd chime in to get some opinions from you folks. Reading the Bare Minimum... thread got me thinking about my methods of virus removal. Lately, when I run into a serious virus infection on a machine, I backup, wipe, and reinstall. The way I look at it is that I could spend hours running scans and hunting down obscure registry keys, only to end up having to wipe the system. Or worse yet, spend all that time, think the problem is resolved, then find out it's not. Without wiping how can you guys GUARANTEE the virus is completely removed? I look forward to your comments!

#2

The reason I find the most, and I believe that it separates the techs who want to sharpen their skills, is to take the long road. Don't be that guy who works on something for 20 minutes, can't figure it out, so it's just "easy" to wipe and start over. Spend more time trying to remove the infections. This in turn will sharpen your overall skills and before you know it you will be like "hey, I did this 2 days ago" and you will know how to repeat the process. Hope this is some food for thought.

#3

We tend to find that most of the virus-infected PCs that come in to our shop have an obvious infection that shows itself; this is normally the only way the customer knows they are infected.
These viruses nearly always re-show themselves on reboot if not removed correctly, plus after removal we always run another scan with 2 different AV programs just to make sure.

#4

I agree with Menaice, take the time to figure out the problem just so you have that extra nugget of knowledge to take with you. If time is an issue, let the customer know how hard you are working for them. If it takes an extra day longer or you have to end up reinstalling Windows, throw in an "optimization/tune-up" (update Windows + some tweaks) to show value for their dollar. Don't do anything for free; as you would have done the updates + tweaks anyway, simply telling the customer what you are doing for them goes a very long way.
In terms of answering your question... In Safe Mode: SmitFraudFix, ComboFix, HijackThis, SUPERAntiSpyware, Malwarebytes. Boot normal: HijackThis, run AVG / Avira. This takes about 4-5 hours (shop only). If this does not get rid of it, wipe + reinstall.

#5

Get some knowledge of the operating systems and how programs and typical viruses run. If you can go through the registry keys or use a program like Autoruns you can essentially have a look at every program, driver, service, task, etc. the computer runs. If you can eliminate the virus from starting then it's as good as gone. The next step is to remove the leftover files, whether they be .exe's in system32 or some sort of BHO, and simple scans like Spybot and Ad-Aware or Malwarebytes can take care of that. Then, to be totally sure the machine is clean, run an online scan such as NOD32 or one of the many others.
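The "look at everything the computer runs" step above is what Autoruns does with a GUI. As an added example that is not code from this thread or from any poster, here is a PowerShell script that walks the same autostart locations (Run/RunOnce keys, Winlogon Shell/Userinit, Browser Helper Objects, auto-start services and scheduled tasks) and flags entries that point at a missing file, live in a user-writable directory, or carry no valid Authenticode signature. It assumes an elevated Windows PowerShell 3+ session on the suspect machine; the flagging heuristics and the list of "user-writable" directories are my own choices and are meant to prioritise a manual review, not to deliver a verdict.

```powershell
# Added example, not code from the thread: enumerate common Windows autostart
# locations (what Autoruns shows) and flag entries worth a closer look.
# Assumptions: elevated Windows PowerShell 3+ on the suspect system; the
# heuristics below are a starting point for manual review, not a verdict.

$findings = New-Object System.Collections.Generic.List[object]

function Get-ExePath([string]$CommandLine) {
    # Extract the executable from a command line, quoted or not, with or without arguments.
    # Bare names without a path (e.g. "rundll32 ...") are reported as missing; check those by hand.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|dll|scr|cmd|bat|vbs|js))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-Flags([string]$Path) {
    # Heuristics: missing target, user-writable location, no valid Authenticode signature.
    $flags = @()
    if (-not $Path) { return @('NO-PATH') }
    if (-not (Test-Path -LiteralPath $Path)) { return @('MISSING-FILE') }
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp", $env:ProgramData, $env:PUBLIC)
    foreach ($dir in $userWritable) {
        if ($dir -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'USER-WRITABLE-DIR'; break }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'UNSIGNED-OR-BAD-SIG' }
    return $flags
}

function Add-Finding($Source, $Name, $Command) {
    $exe = Get-ExePath $Command
    $findings.Add([pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Flags   = (Get-Flags $exe) -join ','
    })
}

# 1. Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        Add-Finding $key $p.Name ([string]$p.Value)
    }
}

# 2. Winlogon Shell / Userinit: classic hijack points; anything beyond the defaults gets listed
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon' 'Shell' $winlogon.Shell }
if ($winlogon.Userinit -notmatch '^[^,]*\\userinit\.exe,?$') { Add-Finding 'Winlogon' 'Userinit' $winlogon.Userinit }

# 3. Browser Helper Objects (the "BHO" the post mentions), resolved from CLSID to their DLL
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        Add-Finding 'BHO' $clsid ([string]$srv.'(default)')
    }
}

# 4. Services that start automatically
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 5. Scheduled tasks (Get-ScheduledTask needs Windows 8 / PowerShell 3 or later)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) { Add-Finding 'Task' $_.TaskName "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# Flagged entries first; unflagged ones still deserve a human glance
$findings | Sort-Object { $_.Flags -eq '' }, Source | Format-Table -AutoSize
```

Run it before and after a cleanup and diff the two listings: an entry that disappears from a user-writable directory is the "eliminate it from starting" step done, while a MISSING-FILE entry after the cleanup is the leftover the post talks about and can be removed from the registry.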

#6

Great info guys. So you're saying that using the methods you've described you're able to guarantee complete removal? And you've never been faked out where you thought there was complete removal, but something popped up later?
Also, what kind of success rate do you have where, after all that work, you don't have to wipe the machine? I would like to use these methods more often, but my thinking has always been -- how can I 100% guarantee complete removal when I'm relying on 3rd party software that may or may not be up to date? What if some trojan silently downloaded a currently undetectable keylogger that steals my customer's CC number? Or maybe I'm completely paranoid and off-base here?

#7

My malware process for XP starts like this.
I boot into Safe Mode. I disable restore points. I run ATF Cleaner. It cleans out all the temp files. I then start by running HijackThis. I scan the log file and look for anything I can recognize that shouldn't be there. I then install Malwarebytes and let it update and run a full scan. As it's scanning I also run the latest AimFix and ComboFix. I install and update Spyware Doctor from PC Tools and let it scan. I also run the Dr.Web standalone scanner. After that's all complete and I am getting 0 found, I go ahead and run CCleaner and tune up the registry. Then I boot into normal mode and run a scan again with Spyware Doctor and Malwarebytes. If both come back clean, I go ahead and save a new restore point. One of the first signs I know I cleaned it correctly: upon the first boot into normal mode, 2 things will show up. Adobe Flash will update and, all of a sudden, Windows Update will show there are updates available to install. If the client has agreed to purchase NIS 2009, I update that guy and let it run a scan as well. My malware success rate with that process is 100%. Average time doing a repair, depending on RAM and processor and level of infection, can be 2-4 hours. As far as doing the... "guaranteed fix": if a client only has 1 virus, why would I use a nuke when a surgical strike is only needed? Plus if you are onsite at a business, and they are paying you well, are you going to tell them that the only way you can fix a machine is to wipe their credit card machine that was connected to the internet? When all they have is a variant of WinAntivirus 2009?

#8

I agree. In the early days I used to have a fair amount of success with cleanups, but as viruses and spyware have become more virulent & difficult to remove I more often than not end up formatting. Spending 3-5 hours or so trying a cleanup only to then have to format & reinstall anyway (another 2 hours) doesn't make economic sense. And I can hardly charge a customer for 7 hours of my time when I know I could have everything backed up and the PC back up to speed in 2-3 hours.
What I do is connect the virus-infected HDD up to a spare PC at home. I then scan with an AV and anti-spyware program. I then come back a couple of hours later (so this hasn't really taken up much of my personal time), reconnect the HDD to the customer's PC and check the state of the OS. If I'm not happy with it I then backup, format, and reinstall. As you say, the advantage of this also is I know the system's clean. Anyone doing a cleanup can never be 100% sure they have removed everything as nothing has a 100% detection rate. And there would be nothing worse than to return a PC only to get a call a few days later to say they have another infection, not to mention what it would do for your reputation and repeat business. The other advantage with this approach is PCs I repair often haven't had a reinstall of the OS for some time, and I believe a format & reinstall should be done every 1-2 years depending on usage, to remove all the junk and bring the PC back up to speed. I then install a good AV, antispyware, and the Windows service packs. I think you will find a lot of people on these forums that insist a cleanup is the way to go service business customers. And in these instances I tend to spend a bit more time trying a cleanup rather than going for a format just because they tend to have more critical data on their PCs and reinstalling all their business programs can be a pain. But then I charge these customers more and they tend to be happy to pay more if it means they get the PC back w/o any loss of data or having to reinstall 3rd party software. For home users however I tend to lean more towards a format. Finally, antispyware and AV programs remove malware. They do not repair any damage the infections may have caused to the OS. And some of these are only apparent in some cases several days later when the 'repaired' PC bluescreens on the customer.
Last edited by nonchalant; 03-30-2009 at 11:49 PM.

#9

I have 5 scenarios I go by when offering a system wipe.
1. System will not allow me to get into Safe Mode.
2. PC can't save a restore point after I have successfully cleaned it out.
3. Windows Update will not allow downloads to occur.
4. Using a boot disc still can't repair it.
5. CLIENT ASKS FOR IT OUT THE GATE.
If all I did was system wipes all day, I would never learn to repair non-virus related system problems.
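Scenarios 1-3 above are things a script can test after a cleanup, so that the decision to wipe rests on evidence rather than a feeling. The following PowerShell is an added example, not from this thread or any poster: it checks that the SafeBoot control sets Safe Mode depends on are still present (some malware deletes them), tries to save a restore point and verifies it actually landed, and checks the preconditions Windows Update needs (its services not disabled, no policy removing update access, no hosts-file entries for Microsoft update domains). It assumes an elevated Windows PowerShell 5.1 session on the cleaned machine (Checkpoint-Computer and Get-ComputerRestorePoint are not available in PowerShell 7); the entry-count threshold for the SafeBoot keys is my own rough figure, and the actual Safe Mode boot and update download are still done by hand.

```powershell
# Added example, not code from the thread: test the preconditions behind
# scenarios 1-3 (Safe Mode, restore point, Windows Update) after a cleanup.
# Assumptions: elevated Windows PowerShell 5.1 on the cleaned machine; the
# SafeBoot entry-count threshold is a rough figure of my own.

$results = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Name
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# Scenario 1: Safe Mode loads only the drivers/services listed under SafeBoot\Minimal
# (and \Network). If those keys are gone or nearly empty, the machine cannot boot into Safe Mode.
foreach ($set in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$set"
    $count = if (Test-Path $key) { @(Get-ChildItem $key).Count } else { 0 }
    Add-Check "SafeBoot\$set control set intact" ($count -ge 20) "$count entries (a default install has dozens)"
}

# Scenario 2: can the system save a restore point? System Restore can be switched off by
# policy, and Windows 8+ skips a new point within 24h of the previous one (with a warning),
# so the check reads back the newest point instead of trusting the cmdlet's silence.
$srPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
Add-Check 'System Restore not disabled by policy' ($srPolicy.DisableSR -ne 1) "DisableSR=$($srPolicy.DisableSR)"

$desc = "post-cleanup check $(Get-Date -Format s)"
try {
    Checkpoint-Computer -Description $desc -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
    Add-Check 'Restore point saved' ($latest.Description -eq $desc) "newest point: $($latest.Description)"
} catch {
    Add-Check 'Restore point saved' $false $_.Exception.Message
}

# Scenario 3: Windows Update needs its services, must not be blocked by policy, and the
# hosts file must not redirect Microsoft update domains (a common way infections block updates).
foreach ($svc in 'wuauserv', 'BITS', 'CryptSvc') {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
    $ok = ($null -ne $s) -and ($s.StartMode -ne 'Disabled')
    $detail = if ($s) { "$($s.State), start=$($s.StartMode)" } else { 'not installed' }
    Add-Check "Service $svc available" $ok $detail
}

$wuPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
Add-Check 'Windows Update access not removed by policy' ($wuPolicy.DisableWindowsUpdateAccess -ne 1) `
    "DisableWindowsUpdateAccess=$($wuPolicy.DisableWindowsUpdateAccess)"

$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$badHosts = @(Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'microsoft\.com|windowsupdate\.com' })
Add-Check 'hosts file has no Microsoft update entries' ($badHosts.Count -eq 0) ($badHosts -join '; ')

$results | Format-Table -AutoSize
```

A FAIL on the SafeBoot or hosts-file checks is a concrete, fixable finding (the keys can be exported from a clean machine of the same Windows version, the hosts lines deleted); a FAIL on the restore point or update services after those fixes is the kind of lingering OS damage that nonchalant's post warns about and is a fair trigger for the wipe.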

#10

Quote:
Specialty software with no reinstall disk, I could understand the need. But those cases are few, and far between.