Malware Removal Methodology for Professionals

TIGR (Limp Gawd), joined Aug 17, 2008, 133 messages
Here's the scenario: you are an individual offering professional on-site malware removal services for computers running Windows. Adware, spyware, viruses, etc., you do it all, with some system cleanup on top. From when you get the call saying "I need you to come clean up my computer," to when you walk out the customer's door, how do you go about doing what you do?

Understanding that every computer and the malware with which it is infected is different:

1. What do you charge and what does it include?
2. What questions do you ask the customer before going to work on their PC?
3. What tools do you take along (both software and hardware tools)?
4. In what order, from turning the system on to job finished, do you do what you do?
5. Do you leave any software on the customer's computer to prevent future malware attacks? If so, what?
6. What [if any] advice do you leave the customer with, on how to keep their system clean?

I used to do malware removal as part of my business but for the past few years have focused entirely on building custom computers professionally. Now I'm looking to add malware removal [among other things] back into the services I offer and I welcome everyone's insights! I'm no neophyte to this and have my own methodology but maybe I (and others) will learn something new from this topic. I'll chime in later with my own tips!

Edit to add: Considering how widespread the malware problem is, I think this is an important conversation to start and I've posted it on several forums. I will add the best suggestions from all forums to this first post as time goes on, and intend to keep it up to date for the benefit of all.
 
I focus on SMB Network consulting...so the main point of my business is small business networks....where I can command more of an hourly premium (125/hour). I don't advertise for "home stuff"...because doing stuff for home PC users cannot command as much money. And as most of us know....home user stuff can actually consume a lot more of your time. Lots of oddball peripherals, non standardized setups, data in lots of oddball programs, and of course..if it ever comes to "rebuild" time...they can never find all of their software, licensing, that old copy of MS office that they..uhm..."borrowed" or something. :rolleyes:

Now...as most of us know, much of the work done in cleaning up malware is just running many scans. And experienced IT people run scans with many different products...to get more of a shotgun effect and ensure returning a better cleaned computer. Each of these scans can run for a substantial period of time, since you're working on an infested machine, you're going to do the in-depth/thorough scans..which can take hours each on some systems. I usually run scans with at least 4 different products, sometimes more. Say each product takes at least an hour per scan.....I don't want to sit at someone else's home spanking myself while watching progress bars for 1/2 of the waking day or evening. Plus...if I'm working onsite, since that's forced time on my part..away from my home, away from my family...I'm going to charge for that time. Even if I discount my rate to that of a teenager nose-picking Geek Squad wannabe at 50 or 60 bucks an hour..that's still a hefty price tag for the end user.

So I do my best to take the person's rig with me...that way I can scan their rig on my spare time, while I'm multi-tasking and doing other more important, more productive things with my main clients or with my family. I can kick off a scan with a product..and walk away for a few hours doing other things. Come back to it..remove what that product found, and then kick off another scan with another product and walk away for a few hours. Once all my tools are done and I'm satisfied that the rig is clean and performing well...I can then return it to the client. My actual total time invested hovering over and working on this rig is actually quite minimal when I use this approach. Instead of spending 4-6 hours at someone else's home....I actually spent probably literally an hour total time doing it at my home or at my office. Also I tell them, I'm more likely to totally rid the bugs if I take it back to our special tools.

At home, and at my office...we have "bench rigs" which are used solely for this purpose..to clean the hard drive of infested machines. It's basically an old P4 tower PC with a few gigs of RAM, a stripped down, locked down install of XP Pro, I have lots of different malware/AV products installed on these rigs. We have the side panels off...and SATA and IDE cables hanging out. I remove the hard drive from the client's rig...plug it into a bench rig as a slaved hard drive..boot up..and run scans with all the tools installed on the bench rig. This way the scans are done "outside of the host OS"..which is far..far...far more effective in cleaning and removing buggers than running a scan from inside of the host OS. It's better than even using a boot CD with tools. If it's an important rig with potentially important data that has no backup, we'll either clone the drive, or make a backup copy of the data first. Once the cleaning is done from this method, the drive is put back into the client's PC..booted up..and tools are installed and more scans are run...this way they can now get the registry.

The steps that I'll usually do...head on over to the "networking and SECURITY forum"..there's been a stickied thread up there titled "how to guide ..malware..."...the steps and tools that we spent a lot of time gathering for that thread are all listed there. So the "list" that you're talking about has been over in that proper forum for quite a while now. ;)

Once the rig appears clean, I do all updates to the software...OS, office suites, java, flash, PDFs, I uninstall stuff I don't like to see (tons of 3rd party toolbars, other potential "bad" stuff), I make a judgement on their current antivirus..and try to replace it with a better one if I deem so. For home users, I really like MSE..it's proven itself quite good in detection and removal, and most importantly..it's very very simple for home users, and no expiration for them to miss next year. I'll also install MalwareBytes for them, and show them how to update it and run occasional scans. I'll also do a defrag, while the case is open blow out the cobwebs, clean up the computer case with a damp towel, make things nice.

When I return the PC onsite...I'll give them the quick little speech on "rogues/fake alerts"..how they happen, etc. And I'll often log into their router and set up OpenDNS for an added layer of security.

How much do I charge? Find what the market can bear. I can't charge my usual 125/hour for sitting down spanking myself for 6 hours doing menial dumb work while watching progress bars.....but if I'm forced to work onsite..I let them know the bill will be much higher, so they usually allow me to take their PC back with me to clean at my own leisure. 99.9% of end users usually don't mind a 2-3 day return period for just their home rigs. If it's friends or if it's staff of my business clients..I drop my rate a bit..depending on how much effort it actually took I'll usually charge just an hour's time...so 125 or so. If it took quite a bit of effort..I'll usually go towards 250. Heck..Geek Squad often charges upwards of 300 bucks..and they don't do a good job, as I've gone and fixed up PCs that Geek Squad supposedly fixed...but obviously didn't because the bugs returned quickly or were still there.

My post probably didn't flow smoothly..been up and down making breakfast..but the gist of it should all be here.
 

Wow, great post.. I do everything you do when it comes to cleaning a computer. You can tell I live in a smaller area though. When it comes to a home user, I usually charge 45 an hr, and cleanups are usually 90-135. This is cheaper than most, being there is no Best Buy for 50 miles. Just have local PC stores that hire 16-year-olds and think they know how to work or fix a PC.... Most of the time when I get a client's computer from one of the local stores that paid for a "cleanup" the computer is fresh formatted with nothing on it. All they did was reinstall the OS without any updates, programs, etc...
 
I don't do malware cleaning on site because it usually takes several hours and I don't want some person hanging over my shoulder for that long.
 
+1 to everything YeOldeStonecat said in his post. Home stuff can definitely be more of a PITA than SMB and you usually don't get to charge nearly as much for it. I also greatly prefer working on PCs from within my home for the same reasons, and I pretty much stopped charging for PC cleanups by the hour since I couldn't in good faith charge for time their rig was just sitting there scanning while I was surfing [H]ardForum. :) I strive to maintain competitive rates and usually cut the person a deal to ensure repeat business, and like Xyphox I also live in a smaller area and most people would scoff at paying me $75+/hr. when most of the local shops (not Staples/Best Buy) probably charge less than that (I'm not 100% certain; I haven't called all of them to ask their rates). I also cannot charge $250 for a cleanup when they can just go out and buy a new PC for $400...my cleanups are usually anywhere from $50-$75, with particularly troublesome ones occasionally being more. I realize that I'm screwing myself and giving them a hell of a deal, but I'd rather do a great job for the lowest cost and have them come back/refer others than quote them a lot more and see that shocked look on their face before they decide to let their husband's brother-in-law's nephew have a crack at it next time. Of course they realize later that the family "PC genius" in high school or his first year of college who thinks he knows everything didn't actually do that great of a job, but some people would actually rather deal with a piss poor cleanup that isn't very thorough than fork over $100+ for someone to do it right.
 
I charge $70/hour for on-site, with a $50 minimum. If they live over a 30 minute drive away, it's $70 minimum. $60/hour if they drop it off to my place/near me. I just mentored my close friend to do the same thing, except he's in a different area and I forced him to charge $85/hour... and he's getting tons of business. We live in the DC area, so this is a competitive rate. Geeksquad would charge $400-500 for a full in-home service call... I know because I used to work there. :eek: For data recovery, I do that at my house and charge $500-600. If I can't recover the data then it's $100 minimum. I am pretty strict with my rates, unless I can do a trade service with someone, ie: my accountant, mechanic and lawyer don't charge me a dime. I fix all their crap for free or crazy cheap. This is my personal opinion... but I have not noticed any benefits from giving discounts in terms of more returned business. I am a people person... everyone loves me so I get lots of returned business. I don't charge friends/family and only give discounts if I screwed up, or had a long deep conversation thus wasting time. If they are really poor, or struggling I'll give heavy discounts/free service... but I believe in the whole karma thing. Some people will try to bargain with you, just be strict with your rate. Tell them you are the best in the area. I personally don't have time to waste with 'cheap' people, and I will nicely tell them off if they keep insisting on a cheaper rate. 99% of the time they will comply with your rate. Only exception is training and businesses. Since they give you more money in the long run... I am more negotiable. IE: I have one business I do $50/hour and I've helped them a lot.

When a new client calls me, I first build some rapport with them. Then I try to determine the issue, age of computer, OS and what they use it for. Then I make a judgment if it's worth my time. If it's too old, I will be honest and tell them to get a new one and give advice on what to look for, good brands, where to buy etc. I really believe in full disclosure/honesty even if it may cost me not making money right away from that client. IMO they will value you for your honesty, and it's like a seed... they will call you next time they have an issue. Another thing, if they do decide to get a new PC... then suggest you transfer the data/apps from old pc to the new one, install new printer etc. I make quite a bit off this. If they still insist on repairing ancient PC (some people just don't want new stuff, they want to hang on to their old junk for as long as possible) I will setup an appointment and get their address. I always call 1-2 hours before leaving for the service call in case they forget/emergency etc.

For tools, I picked up a nice toolbag from Sears. It has discs for all the popular OS's like a Windows 7 all-in-one... with all editions and x64/x86. Same for Vista, XP, Office etc. Just make sure to use THEIR serials... it's perfectly legal. Many times customers lose/toss their stuff. Then I have latest versions of DBAN, MemTest86+, Hitachi DFT (best HDD diag tool), CloneDrive and some other useful apps. I'm getting lazy now... there is just too much stuff to list but if you really want to know I'll tell you next time.

StoneCat is on point with the rest. However, if the computer is too infected I suggest a full reformat. As I don't want to waste hours trying to remove malware, and find out it just can't be done and then having to reformat anyway. This is based on my judgement. With years of experience, I can generally tell what's worth formatting and what's not. Generally I just reformat, since the PC has tons of old unnecessary software/junk with outdated drivers and all that bloatware that new computers come with. I can generally do a back-up, reformat and reinstall all drivers, apps etc. in 2-3 hours. If they have tons of peripherals, anal about their software config then 4-5 hours. If it is a home user, and I get past 4 hours, I do tend to discount heavily or not charge past 4-5 hours. It really depends how nice they are, how easy the work is, my mood etc. I already have all the common apps on my flash drive, and latest OS's with latest service packs/updates slipstreamed. This saves lots of time. If you decide to remove malware I use ComboFix, SmitFraudFix (in safe mode), HiJackThis, Malware-Bytes, SuperAntiSpyware and MSE/Avira.

I will also use CCleaner to remove unnecessary start ups, uninstall bloatware, delete temp files pretty much for all PCs. I have this reverse vacuum that blows air for air beds. It was like $20 and works GREAT for dedusting computers outside. Just make sure it has a long pipe so that it doesn't damage sensitive electronics from the vacuum motor. I've already used the one I have on at least a thousand computers with no problems.

Also, let customers know about phishing, lots of emails lately with hijacked accounts of people being mugged in London etc. Never to give a password to anyone... you know the usual. Generally, when the computer is installing Windows I will start downloading the latest drivers on my laptop... this way I am done quicker. However, if you are just sitting there waiting for the anti-malware scans... just let them know what is going on. Take this time to educate them about how to prevent future malware spreads. Ask if they have any other general questions. Maybe do some cable management, sometimes I'll end up configuring/playing with their home theater setups that are not properly configured. If all else fails, just talk to them. Everyone enjoys a good convo... I've made some AMAZING connections/contacts/friends. Sometimes they'll even give you their old hardware that they were just going to toss. I normally fix them up and give them to poor families I know... don't get me wrong I have sold a few on Craigslist. :D There are still people/businesses that only want Windows XP machines.

Hopefully I answered all your questions. Good luck!

As I said earlier, just be firm on your price... because people will try to take advantage of you. Biggest mistake I made. When I first started out I used to give crazy discounts, until a point came where some clients expected those "old" discount prices all the time. Just make sure when they ask for the final bill, if you give them discounts verbally tell them how much of a discount you just gave them. Also, respect their privacy/be ethical... don't snoop their personal documents, pictures etc.

If you have any questions... please feel free to ask.
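Two of the posts above describe the same post-cleanup pass: uninstalling third-party toolbars and other "bad" stuff, pruning unnecessary start-ups (CCleaner's Startup tab in the later post), checking the machine's antivirus, and setting up OpenDNS at the router. As an added example, not a script from any poster in this thread, here is a read-only PowerShell review that inventories those persistence points and the DNS the PC is actually using, so the tech can eyeball the result before the rig goes back to the customer. It assumes PowerShell 2.0 or later (XP/Vista/7 era machines) run from an elevated prompt; the OpenDNS resolver addresses and the CSV output path are this example's assumptions, not values from the thread. It lists, it does not delete; deciding what to remove stays with the tech.

```powershell
# Post-cleanup review of persistence points and DNS on a Windows PC.
# Added example for this thread, not a script from any of the posters.
# Read-only: it reports, it does not delete. Assumes PowerShell 2.0+
# from an elevated prompt.

$report = @()

# One finding = one row in the review table.
function New-Finding($category, $location, $name, $value) {
    New-Object PSObject -Property @{
        Category = $category; Location = $location; Name = $name; Value = $value
    }
}

# 1. Run/RunOnce keys: the entries CCleaner's Startup tab shows. Anything
#    launching from %TEMP%, %APPDATA% or with a random-looking name deserves
#    a second look before the PC goes back.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
        if ($p.Name -like 'PS*') { continue }
        $report += New-Finding 'RunKey' $key $p.Name $p.Value
    }
}

# 2. Services whose binary lives outside the Windows and Program Files trees.
#    Legit software does this too, so this is a review list, not a verdict.
$okRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($svc in Get-WmiObject Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = $svc.PathName.TrimStart('"')
    $inKnownRoot = $false
    foreach ($root in $okRoots) {
        if ($exe -like "$root*") { $inKnownRoot = $true }
    }
    if (-not $inKnownRoot) {
        $report += New-Finding 'Service' $svc.Name $svc.DisplayName $svc.PathName
    }
}

# 3. Installed programs with "toolbar" in the name: the third-party add-ons
#    the thread says to uninstall. Plain name match on the Uninstall keys.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($app in Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue) {
    if ($app.DisplayName -like '*toolbar*') {
        $report += New-Finding 'Toolbar' $app.PSChildName $app.DisplayName $app.UninstallString
    }
}

# 4. DNS servers on each IP-enabled adapter. OpenDNS is set at the router in
#    the thread; a static resolver set on the PC itself would bypass that, so
#    show what the machine is really using. The two addresses are OpenDNS's
#    public resolvers (an assumption of this example, not from the thread).
$openDns = @('208.67.222.222', '208.67.220.220')
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True') {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers.Count -eq 0) {
        $note = 'no static DNS (router/DHCP supplies it)'
    } elseif (@($servers | Where-Object { $openDns -notcontains $_ }).Count -eq 0) {
        $note = 'OpenDNS'
    } else {
        $note = 'resolver set on the PC itself; confirm it is intended'
    }
    $report += New-Finding 'DNS' $nic.Description ($servers -join ', ') $note
}

# Show the review table and keep a copy with the job notes (path is an assumption).
$report | Sort-Object Category, Location |
    Format-Table Category, Location, Name, Value -AutoSize -Wrap
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\cleanup-review.csv" -NoTypeInformation
```

Run it once after the scans and again after the uninstall/CCleaner pass; the two CSVs make it easy to show the customer what was removed and to spot anything that came back on the next visit.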
 