Virus removals and if you have to do remote support

callthatgirl

Guys, here's a new tip we found out recently; I haven't seen a thread on it and thought I would share. Sometimes our clients (or friends/family members) are too far away and we have to try remote support for these.

Recently all the viruses seem to have stepped up and destroyed the computers worse than ever. For just a short while, we had the clients bring in the computers to our shops... but as a remote support gal, that wasn't a good solution for me lol. I had to figure out a way to at least try to save it.

What the viruses are doing to the computers:

All programs are gone
No data is showing
Nothing works
No internet, but the clients can't see the browsers anyway
Safe mode/Fail

We have tried all the usual trickery = fail

What does work though... the search function and system restore are still working. So I have the client boot into safe mode, look for the search function and find system restore. I have them restore to the date before the virus hit and have them run the wizard. With fingers crossed, each one so far has booted up normally; the destruction was gone, but the virus was still there. You have to remote in asap to remove it. Waiting days only makes it worse, we have found.

If their internet does not work after sys restore, you can have the client run in cmd prompt sfc /scannow and that returns the network. You might have to try regular netsh winsock reset too or any other repairs you know of.

Of course, if that fails and clients have a flash drive and a 2nd computer, you can remote into the good machine and download your software/tools and have them move them over and have the client manually run them. Or what I have done too is have the client share the c:/ on the bad machine and move them over via the home network. Worst case there, but I have had it work in one case.

So far, no call backs. We also help the client with better AV protection and guarantee our removals. We will see, but so far so good.
 
Just got one on the bench this morning Lisa. Same thing, no data or programs, everything set to hidden. Keyboard shortcuts worked so I plugged in my external drive and ran Winkey + E and then ran Rkill. Everything else was quite straightforward after that. So I'm thinking you could email Rkill to the client or get them to download it and kill the processes. After that the internet appears ok.
 
Ran into something similar to what you are all seeing.

What I'm doing now is I have finally installed windoze7 on an older computer and have hooked up an external eSATA drive breadbox. I just remove the whole drive and scan it. Then I reinstall and use unhide and some quick scripts for registry repair.

I did have one that had some type of rootkit or something that nothing I have would identify. I used avast, malwarebytes and nothing. It would not let me install them on the infected drive either. In file manager it would not show any files on the drive. I had to nuke and pave.

Interesting new viruses showing up this year...
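Added example, not posted by anyone in this thread: a PowerShell script a tech could run on the restored machine to find and revert the "everything set to hidden" damage described in the two posts above, instead of reaching for a generic unhide tool. The script name, the -Root/-Fix parameters and the list of legitimately hidden names are my assumptions.

```powershell
<#
  Unhide-ProfileItems.ps1  (hypothetical name; added example, not from the thread)
  Reverts the "no data, no programs, everything set to hidden" symptom:
  lists items under a folder that carry the Hidden attribute and, with -Fix,
  clears Hidden/System on them. Run from an elevated prompt only after the
  rogue's processes are killed, or it will simply re-hide everything.
  Supports -WhatIf so the change can be previewed before anything is touched.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = $env:USERPROFILE,   # assumption: one profile at a time; other roots can be passed explicitly
    [switch]$Fix
)

# Names Windows hides on its own; leaving them alone avoids exposing or breaking them.
$legit = @('desktop.ini', 'thumbs.db', 'ntuser.ini', 'AppData', 'Application Data',
           'Local Settings', 'SendTo', 'Templates', 'NetHood', 'PrintHood', 'Recent')

$hidden = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) -and   # skip junctions
        ($legit -notcontains $_.Name) -and
        -not ($_.Name -like 'ntuser.dat*')
    })

Write-Host ("Hidden items under {0}: {1}" -f $Root, $hidden.Count)
$hidden | Select-Object -First 20 -ExpandProperty FullName   # sample of what would change

if ($Fix -and $hidden.Count -gt 0) {
    # Bit mask with Hidden and System cleared; ReadOnly/Archive are left as found.
    $mask = -bnot ([int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
    foreach ($item in $hidden) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden/System attributes')) {
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band $mask)
        }
    }
    Write-Host "Processed $($hidden.Count) items. Re-run without -Fix to confirm none remain."
}
```

Running it once without -Fix gives the count and a sample list, which also tells you whether the infection is still active: if the count climbs again a minute later, the rogue is still running and the restore-then-remote-in order matters.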
 
...Of course, if that fails and clients have a flash drive and a 2nd computer, you can remote into the good machine and download your software/tools and have them move them over and have the client manually run them. Or what I have done too is have the client share the c:/ on the bad machine and move them over via the home network. Worst case there, but I have had it work in one case....

Wow. This must have been a client in which in-shop or on-site wasn't possible. Perhaps it's just my area, but my clients are...shall we say inept? Walking them through getting into safemode, and then typing "rstrui" is the MOST I could hope to do. Working with them to do all of that? Wow, they must really like you. :)
 
Wow, they must really like you.

Yes, I hope they do (I try to make it fun for the clients) and many are too far away to get serviced in our shops. You would not believe how many really get into it though, being a part of the technical work. It's kinda fun for them because they are doing things they would never get to see.

We are patient too, so that's on our side. :D
 
System restore doesn't work enough of the time for me to rely on it for anything. Usually a slaved scan gets safe mode working.

And most of the computers I've seen with the symptoms you described sfc won't fix the internet, or any winsock or internet repair. Usually involves copying sys files and importing registry entries from a good machine.

I certainly wouldn't want to do these new rogues via remote. They are enough of a headache in shop. It sounds like it would take a while (especially trying to explain all those steps to an average user) and the client would be doing the majority of the work. I mean, I've had to remote in because I couldn't get a client to follow steps to connect to wireless.
 
Well, it's just an idea that works if you do remote support. It's up to others to try it or not. I have had success with it and it doesn't take that long. And if it doesn't work, then it comes in the shop.

@martyn, will keep your idea in mind

@coffee, they are supposed to get worse to the point of no boot. :eek:
 
I always use system restore as pretty much my first step on rogueware infections whether remote or in person. A very good proportion of the time it either completely cures it or partially cures it.

What I'd be interested in hearing Lisa, since you're very experienced in remote removal, is what you're doing about bootkits that require the MBR cleaned or replaced? I've found running tdsskiller or other tools that fix the bootkit renders a % of machines unbootable. What do you do then?
 
I always use system restore as pretty much my first step on rogueware infections whether remote or in person. A very good proportion of the time it either completely cures it or partially cures it.

What I'd be interested in hearing Lisa, since you're very experienced in remote removal, is what you're doing about bootkits that require the MBR cleaned or replaced? I've found running tdsskiller or other tools that fix the bootkit renders a % of machines unbootable. What do you do then?

This is something that I have wondered about myself. I even started a thread about it but nobody responded lol. Programs like Combofix, or even SAS in some cases, can render a computer unbootable. This is not acceptable for remote support. I usually run SFC /scannow prior to the first post-disinfection restart, but that wouldn't address the MBR issue. Nor does it address the TCP/IP issue caused by some malware.
 
My team and I have been dealing with this nightmare since Dec. We have had over 350 infections and I know there are more in the organization. We are now having the VPN issue. Most of them are thinking it is Cisco but I am thinking the VPN is just a symptom and the clients are still infected, or re-infected. Tomorrow alone, well really 3 hours, I have 4 issues to address and all because of rogue. I have seen this thing do so many various things. Everything from the hidden files, to actually watching them as they were "eaten". The poor guy looked like a deer in the headlights. He was trying to shove files into folders and I just calmly said, ummm... I think I would unplug it. Had another girl's Facebook profile default as her wallpaper and it would not leave. She was quite embarrassed.

I think all the infections link back to the massive SQL injection that was first reported in Sept, I believe. Since then over a million common sites (not the baddies) are infected and when the user goes there they are infected. Before the "outbreak" one of our execs called and he was like, I was only on a pet kennel site. I talked to him a couple weeks ago and let him know "how" the pet site infected him. He just was in disbelief when it happened.

Lucky for me now, I do not even try it remote. They call and say they have these symptoms, I tell them they need to ship it to me and I will clean the data that is of high importance and then I re-image. It was just too time consuming, especially when that is just an added task since 2012 hit; we had to do them maybe once or twice a month before this.
 
We are patient too, so that's on our side. :D


This is the bit that makes your business model successful.

I may be projecting but I don't think the majority of the folks on this board could work the way you do because of the level of customer interaction involved while working remotely. I know I couldn't.

Tech proficiency is great, but Customer Service skills will make or break a business.
 
If their internet does not work after sys restore, you can have the client run in cmd prompt sfc /scannow and that returns the network. You might have to try regular netsh winsock reset too or any other repairs you know of.

I'm guessing if this is the case on an XP machine we hope they have the OS CD ;-)
 