On-Site (service call) Virus Removal Procedures?

mikel33

Note: I titled this thread incorrectly. I should have titled it: "Field Call Virus Removal Speed/Thoroughness/Tools"

Hi,

It takes us a few days to complete our virus removal process, because of how thorough we are, and the general difficulty of some viruses. Our service calls mainly deal with networking issues because we don't feel we could clean a computer in just an hour or two and call it complete and thorough.

I guess with all of my experience, I can't justify a quick scan and say the job is "done".

Is it a chopped down service to clear the "main symptoms" of the infection?

What methods do you guys take to remove malware in the field and how long does it take?

Do I need to lessen my standard if I want to remove viruses in the field?

Thanks!
 
This is a good question and simply put, I don't do virus removals on-site for the reasons you've mentioned. I explain this on the phone to customers and some (especially businesses) ask me to come on out and take a look at it. I explain I'll be glad to, and if it appears minor I'll give it a go at their place, but if I have to take it back to my office, I'll have to charge them a service call fee. If they'd like to bring it in, it would obviously be cheaper if I can't fix it onsite. That way there are no surprises. I have been able to remove a few very minor infections onsite but, like you mentioned, I don't feel like I've been nearly as thorough as I would be in my office.

I like to run a full scan of both MBAM and SAS after I'm completely done, just to make sure they both come back 100% clean, even if I've run them previously. We all know that those two programs can take a LONG time to run on some computers. I just have to skip that step if I'm onsite.

So all in all, for my method, I can't really do a good job onsite most of the time and that's why I try to not even attempt it.
 
A lot of the malicious software I've been removing lately has been fake AV programs. These have been fairly easy to remove, along with fixing any broken file associations in the registry. After that I run a full system scan with MBAM and explain to the customer what to do if it shows any infected objects. On my invoice I explain that malicious software is a nasty cat and mouse game and that I don't provide any warranty on reinfection. They understand that I don't want to be onsite for hours and hours at a time running up the bill while things are scanning.
 
I will no longer do on-site virus removals. It is far too likely to miss rootkits/bootkits/etc. and I tell them that. "While I can get the obvious bad guy in good time, the only way I can be sure he hasn't invited other villains into your system involves some long scans." I've seen plenty of fake AVs that, once scanned, had rootkits on them. Enough of them to not trust one scan to double-check it, and certainly not enough to trust that one scanner monitored by the customer.

To do a quick manual removal and to leave while a single scan is running.... is looking for trouble and is, to not mince words, negligent. RichmondTech, that practice will bite you hard some day. You're telling them there's no warranty but you're not doing the full job in the first place.
 
I used to do virus removals on site but decided against it after a while. I feel like I can do a more thorough job in the workshop, plus I can work on other things while some scans are running. Most of my customers are happy with this and understand that virus removal does take some time.
 
Rarely do I do an onsite virus removal in full. Sometimes with the fake ones I do the removal onsite and set the scans going to make sure it is clean. I get paid then remote in later in the day for any last minute tweaking and check the finish logs etc. That keeps the cost low for the client saving onsite time and also saves me a return visit.
 
To do a quick manual removal and to leave while a single scan is running.... is looking for trouble and is, to not mince words, negligent. RichmondTech, that practice will bite you hard some day. You're telling them there's no warranty but you're not doing the full job in the first place.

I respect what you're saying. As a tech that currently does onsite only, I don't have the option to bring it into a shop. While not perfect, I feel I'm making lemonade out of lemons.

Of course once you detect something malicious on the machine, are any of us really doing a complete job by not doing a nuke and pave? Some baddie has already gotten past the client's AV software. Who's to say MBAM or SAS is missing something too? It's a really tricky topic and that's why I tell my clients how crazy it can be while working with them.
 
I respect what you're saying. As a tech that currently does onsite only, I don't have the option to bring it into a shop. While not perfect, I feel I'm making lemonade out of lemons.

Of course once you detect something malicious on the machine, are any of us really doing a complete job by not doing a nuke and pave? Some baddie has already gotten past the client's AV software. Who's to say MBAM or SAS is missing something too? It's a really tricky topic and that's why I tell my clients how crazy it can be while working with them.


I do wonder - this thing of time - how much skill-level is a factor.

For example, anyone who's seen the Mark Russinovich videos would know there's a huge range of ability in terms of manual removal. Perhaps if you're really good at this, and can identify/remove quickly, then it's doable?

I'm no manual-removal ninja, and so maybe I'm a bit slow at this stuff. I do prefer not to N&P, but I know of a number of local places that don't do removals (I'm talking about shops) - they insist on doing N&P's. But let's not enter into that debate here. In regard to the expediency thing: if it was a toss-up between a removal and a N&P purely on the basis of time, the N&P would be far quicker for me to do.

For me, a minimum is at least 2 full scans and SFC, not to mention resetting IE to defaults, checking proxies, hosts file, DNS, etc., and also running a few programs and visiting a few websites after the whole shebang just to make sure everything's working as it should. No way I could achieve this at a home or business without charging 4-5 hours for labour. Just not doable.

OP, don't you do any offsite work? Are you saying you never remove a machine from premises so you can take it home and work on it there?
 
It would help if you state what you're currently doing. Since you say it takes 'a few days' to complete a virus removal, I'm guessing you're running full scans using multiple scanners. There are a couple of things I can think of to help with this:

  • Script your scanners - create a script using batch, vbs, autoit, or whatever to automate your scanning process so you don't have to be there
  • Learn to remove malware manually - this can save you massive amounts of time. If you can clean the virus and then do a couple of quick scans to remove things like leftover registry keys then this is a great way to speed things up. I'd recommend doing this to the best of your ability.
  • Lower your standard on when to nuke & pave - you can't win 'em all, and sometimes it's not logical to spend huge amounts of time & effort weighing on how much the service costs.

When I perform virus removals I generally use this procedure [steps may have to be performed in Safe Mode if the installation is a bit corrupt]:
  • Use ESET SysInspector, Process Explorer and Autoruns to perform manual cleanup (this removes/disables most viruses)
  • Use GMER & TDSSkiller to detect & remove rootkits (these little buggers can hide from my manual removal)
  • Run my 'Network Repair Script' (a script I made to repair internet connections)
  • Run CCleaner to remove temporary files. Uninstall junkware toolbars and other crapware; do NOT registry scan (speed up scanners, gain disk space; do not registry scan because of risks attached)
  • Reset Internet Explorer (disable bad toolbars, reset settings, etc)
  • Install MalwareBytes' Anti-Malware and quick scan (removes infected registry keys, redundant files the infection may have used. Uninstall afterward (it doesn't scan automatically and the client will never do it, so what's the point))
  • Quick offline scan using Microsoft System Sweeper (offline so better detection, faster scanning, etc)
  • Install Microsoft Security Essentials (aim to prevent reinfection)
  • Reboot and perform Quality Assurance checks:
    1. Ensure bootup & login without errors
    2. Check Desktop Wallpaper is suitable
    3. Check browser home page is suitable
    4. Check for browser redirections
    5. Check for excess/malicious browser toolbars
    6. Check for invalid shortcuts on the desktop and start menu
    7. Ensure the Windows Firewall is enabled
    8. Ensure basic security software is installed
    9. Update Java & Flash
  • If symptoms are gone, flush System Restore

Performing my virus removals like this is pretty quick, and the only things I do differently when this is done at my workshop are full scans instead of quick ones, and installing Windows security updates as well. It's unethical to scan some customers' hard disks fully on-site when they have hundreds of GB of videos, music and pictures.
 
I don't like cleaning on site either.
But there are some exceptions I have to deal with.
I have a lawyer that insists that I cannot remove the PC from the premises.
He pays the full hourly on-site rate and doesn't blink an eye.
We are going to get an imaging solution setup eventually so that the next time it happens Recovery will be quick.

I also have a doctor's office whose PCs I can't remove from site because of their corporate policy about HIPAA compliance.
 
So all this brings up the question: how do remote techs resolve malware and virus issues with just a remote session? Seems to me like much would get missed.
 
I like cleaning them onsite, especially for businesses who rarely want their PC to vanish. I'd rather spend 90 mins on site than drive there and back twice plus have to remove it back at base.

My process depends on what condition the PC is in. If it's locked up by rogueware then I'll usually use rkill or safemode or offline reg editing to stop the processes and to regain control, and then I do a system restore if at all possible. This can cleanly solve a decent proportion of infections so it's a very good place to start. I may need to alter settings to allow SR to run.

Since I need to know if a rootkit is involved ASAP, I run TDSSKiller. If that doesn't find anything I run rootkit unhooker and/or kernel detective. I've yet to come across a rootkit that doesn't have hooks or other signs that these semi-manual tools don't show. If it has a rootkit that tdsskiller missed then I'll try other anti-RK tools like Hitman, Gmer and VBA32. Combofix is a bit of a last resort onsite because it can take ages to finish. I may need to manually unhook items to get antimalware apps to see the infected files. If automated antimalware tools cannot find a rootkit that I know is there then I'll try to identify the infected file by using things like SFC (offline and online) and sigverif to find and replace the infected driver. If at any point it appears I've found and removed the RK I recheck with RKU / KD to confirm the hooks are gone.

For checking for an infected MBR, other than tdsskiller I use the Kaspersky boot disk which can be set to check only for bootkits or you can include common items to produce a very quick scan. I've not found tools like mbr.exe and MBRcheck to be at all reliable.

If there are no signs of a rootkit then I mostly rely on tools like MBAM and Hitman to find the common stuff and double check with Autoruns to see if all malicious startups and tasks etc have gone and that there are no suspicious unsigned entries. I have no manual vs automatic snobbery because I'm just interested in getting it done ASAP, plus the manual stuff is pathetically easy and hardly worth boasting about.

Once it appears to be clean and no hooks are found I update and run their own AV since it looks bad if it finds some remnant and the client thinks I missed stuff.
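An added post-cleanup QA audit in PowerShell (example code written for this thread, not a script from any of the posters) covering the checks in iisjman07's QA list above (Run keys, hosts file, proxy, firewall) and the "no suspicious unsigned entries" Autoruns check from the post just above: it lists Run/RunOnce entries with their Authenticode status, prints non-default hosts lines, shows the IE proxy settings and the firewall state. It assumes an elevated prompt on Windows 7 or later; every path and key name is the standard Windows location.

```powershell
# Post-cleanup QA audit (added example, not from the thread). Run elevated.
# Reports autostart entries whose binaries are unsigned, non-default hosts
# entries, a configured IE proxy, and the Windows Firewall profile state.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not a value
            # Executable = quoted first token, else first space-separated token.
            # Unquoted paths with spaces land in 'MissingFile' and deserve a look anyway.
            $cmd = [string]$p.Value
            if ($cmd -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = 'MissingFile'
            if (Test-Path $exe) { $status = (Get-AuthenticodeSignature $exe).Status }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Path = $exe; Signature = $status }
        }
    }
}

"== Autostart entries (review anything not 'Valid') =="
Get-RunEntries | Sort-Object Signature | Format-Table Name, Signature, Path -AutoSize

"== Hosts file lines that are neither comments nor the localhost entry =="
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }

"== IE proxy settings (an unexpected proxy or PAC URL means redirection) =="
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $ie.ProxyEnable, $ie.ProxyServer, $ie.AutoConfigURL

"== Windows Firewall state (all profiles should be ON) =="
netsh advfirewall show allprofiles state
```

Anything reported as NotSigned, HashMismatch or MissingFile is a lead to check in Autoruns or Process Explorer before signing the job off, not an automatic verdict.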
 
I agree with iisjman07. For residential customers we only do it in the shop; we pick them up or have them drop it off. I find the home users will go far too long without addressing problems, and by the time it gets in our hands it's a real mess. Then you've got the home users that try to fix it themselves and create a bunch more problems. Commercial clients are a bit more tricky: they can't be down for long and usually don't want the computer gone for any amount of time. I clone a lot of clients' HDDs, especially those that have all of the databases, user folders etc. on the server. Just swap out the HDD and take and clean the infected one. Rinse and repeat. That's also useful for when Windows dies etc. On the full / quick scan side, I've never seen a full scan catch something a quick didn't; maybe we are lucky here :). I would definitely recommend MSE. As of late we've found MSE has caught a lot of stuff MBAM didn't even see. I find even when MSE misses them in a scan, shortly after it finds it and alerts you. TDSSKiller is very effective and runs quick enough that on site I always run it at some point.
 
I have to ask... what is meant by "manually" removing malware? Without running some kind of scan... how do you go about identifying it? Is there a place I can go to learn about this?

Thanks!
 
I have to ask... what is meant by "manually" removing malware? Without running some kind of scan... how do you go about identifying it? Is there a place I can go to learn about this?

Thanks!

It's an ancient art, dating back to the days of the Gates-Ballmer clan, where malware was rounded up manually and eliminated using the secret techniques found in the "Great Book of Windows". :)
 
I like cleaning them onsite, especially for businesses who rarely want their PC to vanish. I'd rather spend 90 mins on site than drive there and back twice plus have to remove it back at base.

My process depends on what condition the PC is in. If it's locked up by rogueware then I'll usually use rkill or safemode or offline reg editing to stop the processes and to regain control, and then I do a system restore if at all possible. This can cleanly solve a decent proportion of infections so it's a very good place to start. I may need to alter settings to allow SR to run.

Since I need to know if a rootkit is involved ASAP, I run TDSSKiller. If that doesn't find anything I run rootkit unhooker and/or kernel detective. I've yet to come across a rootkit that doesn't have hooks or other signs that these semi-manual tools don't show. If it has a rootkit that tdsskiller missed then I'll try other anti-RK tools like Hitman, Gmer and VBA32. Combofix is a bit of a last resort onsite because it can take ages to finish. I may need to manually unhook items to get antimalware apps to see the infected files. If automated antimalware tools cannot find a rootkit that I know is there then I'll try to identify the infected file by using things like SFC (offline and online) and sigverif to find and replace the infected driver. If at any point it appears I've found and removed the RK I recheck with RKU / KD to confirm the hooks are gone.

For checking for an infected MBR, other than tdsskiller I use the Kaspersky boot disk which can be set to check only for bootkits or you can include common items to produce a very quick scan. I've not found tools like mbr.exe and MBRcheck to be at all reliable.

If there are no signs of a rootkit then I mostly rely on tools like MBAM and Hitman to find the common stuff and double check with Autoruns to see if all malicious startups and tasks etc have gone and that there are no suspicious unsigned entries. I have no manual vs automatic snobbery because I'm just interested in getting it done ASAP, plus the manual stuff is pathetically easy and hardly worth boasting about.

Once it appears to be clean and no hooks are found I update and run their own AV since it looks bad if it finds some remnant and the client thinks I missed stuff.

We are an on-site only business and this is pretty much how we do it too. Many of our customers are 20-30 miles away and I'd MUCH prefer to fix things on-site instead of having to make two trips.

90 minutes is usually our break point, if we can't fix things by then, we'll take the PC back to the shop.

Removing the average rogue security infection usually takes about 30 minutes (removed "XP Antivirus 2012" yesterday in 15 mins, which was sweet).
 
It's an ancient art, dating back to the days of the Gates-Ballmer clan, where malware was rounded up manually and eliminated using the secret techniques found in the "Great Book of Windows". :)

Yes it's a very mysterious art, cloaked in darkness suitable only for the most 1337 haxors ...or you could just try checking the Run key for files with funny names :D
 