On-Site (service call) Virus Removal Procedures?

...or you could just try checking the Run key for files with funny names :D
PappaJ, sometimes it's that simple. Some of the dumber fake AVs are nothing more than a single file with a Run entry. Once you've been doing this for a while, you get familiar with all the common entries and start to notice the irregular ones. If nothing looks odd, you start looking at their paths (e.g. a svchost.exe that's in the profile folder). This manual inspection only takes a minute to spot the out-of-place files or irregular paths (hint: use Process Explorer and Autoruns, not Task Manager and MSconfig).

Once those are done, you check proxies, etc. for remnants. If there are any more traces (redirects, etc.) then you know there's something trickier.
After that, you're wise to run a few scans to check your work.
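An added example, not posted by anyone in this thread, that scripts the manual pass described above: it walks the Run/RunOnce keys, flags entries whose file sits in a profile folder, carries a system binary's name outside System32, is missing or unsigned, or has a consonant-soup name, then prints the WinINet proxy settings so leftover redirects stand out. The key list and the heuristics are my own assumptions; it is read-only and only reports.

```powershell
# Autostart triage: Run/RunOnce entries plus proxy settings. Read-only; reports only.
# Run in an elevated shell as the user whose HKCU hive you want checked.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Names that legitimately live only under the Windows directory (assumed list).
$systemNames = 'svchost.exe','explorer.exe','lsass.exe','csrss.exe','winlogon.exe','rundll32.exe'
$sysRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)

function Get-ExePath([string]$cmd) {
  # Pull the executable out of a command line: a quoted path, else the first token ending in .exe.
  $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
  if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
  elseif ($cmd -match '^(.+?\.exe)') { $exe = $Matches[1] }
  else { $exe = ($cmd -split '\s+')[0] }
  if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {   # bare name: resolve through PATH like the loader would
    $c = Get-Command $exe -ErrorAction SilentlyContinue
    if ($c) { $exe = $c.Source }
  }
  return $exe
}

foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }              # skip the provider's own PSPath/PSDrive metadata
    $exe = Get-ExePath ([string]$p.Value)
    if (-not $exe) { continue }
    $name = [IO.Path]::GetFileName($exe).ToLower()
    $stem = [IO.Path]::GetFileNameWithoutExtension($exe)
    $exists = Test-Path -LiteralPath $exe
    $flags = @()
    if (-not $exists) { $flags += 'file-missing' }
    if ($exe -like "$env:SystemDrive\Users\*" -or $exe -like "$env:ProgramData\*") { $flags += 'profile-or-programdata-path' }
    if ($systemNames -contains $name -and -not ($sysRoots | Where-Object { $exe -like "$_\*" })) { $flags += 'system-name-outside-windows-dir' }
    if ($stem -match '^[a-z0-9]{8,}$' -and $stem -notmatch '[aeiou]') { $flags += 'random-looking-name' }
    if ($exists -and (Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $flags += 'unsigned' }
    $status = if ($flags) { 'SUSPECT: ' + ($flags -join ',') } else { 'ok' }
    '{0,-8} {1}\{2} -> {3}' -f $status, $key.Split('\')[0], $p.Name, $exe
  }
}

# Proxy remnants: a ProxyServer or AutoConfigURL the customer never set is a leftover to investigate.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
'Proxy enabled: {0}  server: {1}  PAC: {2}' -f $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL
```

"unsigned" is a prompt to look closer, not a verdict; plenty of legitimate vendor updaters are unsigned, so compare against Autoruns and Process Explorer as the posts recommend.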
 

Thanks for the info... I use Process Explorer a lot in my current job, never messed with Autoruns though. If you run scans afterwards to check your work... why not just run the scans first? To be thorough the scans need to be run anyway... so why not just do the scans in the first place?
 

I always run all the scans first then go behind the scans and clean up anything left. Speeds things up quite a bit and makes far more sense.
 
It would be cool if someone came up with a "manual registry removal guide".. with all of the common places.
 
Removing the average rogue security infection usually takes about 30 minutes (removed "XP Antivirus 2012" yesterday in 15 mins, which was sweet).

I don't want to step on anyone's toes, but I have to ask the question:

So a customer rings you with a "virus infection"

- let's say it's "XP Antivirus 2012", as per your scenario above.

So your process is to go onsite, remove "XP Antivirus 2012", and then that's it, you're good to bill them and go?
 

I was going to ask basically the same question. IMO if they are infected with something like "XP Antivirus 2012" they most likely have many more, less obvious infections. To just remove one of many infections is kind of half-assing it, I think.
 

Not at all. Didn't mean to imply that. The time mentioned was strictly for the identification/removal of that one specific item (e.g. killing the process, removing the file and the start-up item, etc.) which is the main reason the customer called in the first place. By no means is that the end of the work effort!

Once the above is done, add'l checking is then performed, e.g. RK, Hitman Pro, fixing any damage done by the infection ... all the normal things we all do. When I'm comfortable the PC is clean, I'll then check/update other s/w, such as Adobe Rdr, Flash, Java, their security s/w, etc.
 
why not just runs the scans first? To be thorough the scans need to be run anyways... so why not just do the scans in the first place?
I do the quick manual removal first to get the worst bits out of my way ... AND ... simply, to keep my skills up. I'd rather keep up my ability to spot as much as I can and maintain my knowledge of what software is normal on a system.

Edit: If it comes down to spending a few minutes before scans versus not needing to do manual removal after scans, I'd still rather do them.
 

I agree. You run scans which will pick up other viruses, look at hooks which reveal rootkits and look at autoruns/PE/regedit which again will flag infections.

Also, I disagree with the statement that they are likely to have lots more infections. I rarely find this to be the case, be that onsite or back in the workshop. Most people call with a virus and that is all they have, other than a little inconsequential spyware and that supposed Trojan that MBAM claims to find on almost any PC it's run on.
 
On about 1/4-1/3 of all fake AV calls, I find something else that the customer didn't know was there. Might be a rootkit or trojan, but something.

That's also one of the things I tell people when I say that I really should do an AV removal on the workbench, "While it's still in the minority, it's too likely that there is something else on the system. A system that has one infection is just as likely to have two. Some infections are dead obvious but others are very tricky and I would rather spend some extra time on it to be sure it's clean than to spend a short time on it and possibly miss a second infection."
 