
Virus Removal Guidelines



Overview

  • Not all viruses are easily removed.

  • Sometimes a machine is infected to the point where a reinstall is necessary.

  • A good rule of thumb: if removal takes more than 1.5 hours, or 2 hours including scanning, it is time to escalate to plan "B".

  • Plan "B" is a wipe and reinstall, or a new computer. Beyond that point, further cleanup effort is not value added to the client unless the client specifically asks for it.

     

Recommended tool sets for all techs: 

  1. Malwarebytes

  2. ComboFix (only works with XP and earlier; follow its prompts exactly, it is not a tool to run blind)

  3. Registry Mechanic

  4. HijackThis (lists browser hijacks and startup entries; its log is what you post when asking for help)

  5. Dial-a-fix

  6. Kaspersky Rescue Disk (Linux boot disc), or any AV that can scan before the OS boots, so the malware is not running while you scan

  7. rkill (kills known malware processes so the other tools are allowed to run)

 

Rules of Engagement:

  1. Know your enemy: find out exactly which virus or program is wreaking havoc (the name its fake scanner shows, the process name in Task Manager, the file path it runs from). Removal steps are specific to the family.

  2. Safe Mode boots are your friend. Most viruses were installed under a specific user account and start from that account's autostart entries; Safe Mode skips most of those, so when in doubt boot into Safe Mode as an administrator. It will usually let you install your tool set to fight the virus.

  3. Task Manager and the startup entries are your friends. When a process or startup entry looks off, it usually is: disable the service, stop the program, and write down the file name and path. Do not delete the file yet; the name and path are what you need to identify the family.

  4. The internet and BB are your best defence against the enemy. Chances are someone, somewhere, got the same thing and found the fix (and documented which files and registry entries it uses).

  5. Take your time, read everything, and do not randomly delete files. You can easily hurt more than you want.

  6. Call a friend, ask another tech, be patient. The worst case is going in gung-ho and destroying the OS; then you are on plan "B" whether you like it or not.

  7. After you believe you have destroyed the threat, check, check and check again: reboot normally, recheck the startup entries and running processes, and run a full scan from the boot disc. What is worse than a virus is a returning virus; it has now hidden itself, grown, and is harder to defeat.

  8. Reassurance is all we can offer the client. There is no guarantee the infection is 100% gone or that their antivirus will protect them 100%, because it won't. Acknowledge that stuff happens, things get downloaded, and it is not the fault of the client; help them understand how to protect against and prevent future occurrences. "When questioning any download, acceptance of an install, or just plain unknown, call us; we can provide the proper explanations of what is going on."

 

Removing viruses

Below is an example of a hijacking virus and how to remove it (thanks to BleepingComputer.com).

What this program does: AV Security Suite is a scareware and ransomware program from the same family as Antivirus Soft and AntiSpyware Soft. This program is considered malware because it does not allow you access to various programs, hijacks Internet Explorer using a proxy server, and displays fake scan results in order to convince you that your computer is infected. This malware is typically installed via other malware that is installed via vulnerabilities in Adobe Reader, Internet Explorer, and from Trojans that pretend to be online video codecs. Once installed, AV Security Suite will be configured to start automatically when your computer starts. Once started, it will scan your computer and state that there are numerous infections, but will not let you remove any of them until you purchase the program. All of these scan results are fake and are only being shown to trick you into purchasing the program, which you should obviously not do.

When AV Security Suite is installed it will also block you from running normal tasks in order to make it harder to remove the program from your computer. First, it configures Windows to use a proxy server that points back to the AV Security Suite program. This proxy server will not allow you to visit sites that contain security software that will help you remove the program. When browsing the web you will instead see a warning stating that the site is dangerous. The text of this warning is:

This website has been reported as unsafe. We recommend that you do not continue to this website. This website has been reported to Microsoft for containing threats to your computer that might reveal personal or financial information.
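The two things a tech is told to look at above, the startup entries and Task Manager from rule 3 and the proxy hijack this family uses, can be checked in one pass. The following PowerShell script is an added example for this page; it is not code from the original guidelines or from BleepingComputer's removal instructions. It assumes Windows PowerShell is available (built into Vista/7, installed separately on XP) and is run elevated, ideally in Safe Mode. The registry locations are the standard Windows ones; the "suspicious" heuristics and the helper names (Get-ExePath, Test-SuspiciousExe, Add-Finding) are this example's own assumptions.

```powershell
# Added triage script for this page; not part of the original guidelines or of
# BleepingComputer's instructions. Run from an elevated PowerShell prompt, ideally
# in Safe Mode. Registry paths are the standard Windows ones; the "suspicious"
# rules below are this example's own heuristics (assumptions) and only tell you
# what to research, not what to delete.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$where, [string]$what) {
    [void]$findings.Add("[$where] $what")
}

function Get-ExePath([string]$cmd) {
    # "C:\path\prog.exe" /arg -> C:\path\prog.exe ; unquoted path with spaces -> up to ".exe"
    if ($cmd -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Test-SuspiciousExe([string]$exe) {
    # Returns a reason string, or $null if the binary looks normal.
    if (-not $exe) { return $null }
    if (-not (Test-Path -LiteralPath $exe)) { return "target missing: $exe" }
    # Scareware drops into user-writable folders, not Program Files or System32.
    if ($exe -match '\\(AppData|Local Settings|Application Data|Temp|ProgramData)\\') {
        $status = (Get-AuthenticodeSignature -FilePath $exe).Status
        if ($status -ne 'Valid') { return "unsigned binary in user-writable path: $exe ($status)" }
    }
    return $null
}

# 1. Proxy hijack: AV Security Suite points IE at a local proxy so security sites look "blocked".
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    $note = "ProxyEnable=1, ProxyServer=$($inet.ProxyServer)"
    if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') { $note += '  <-- loopback proxy, hijack pattern' }
    Add-Finding 'proxy' $note   # a real corporate proxy is possible: confirm before clearing it
}

# 2. Run / RunOnce autostarts, per machine and per user (the entries Safe Mode skips).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # provider metadata, not registry values
        $why = Test-SuspiciousExe (Get-ExePath ([string]$p.Value))
        if ($why) { Add-Finding $key "$($p.Name) = $($p.Value) :: $why" }
    }
}

# 3. Winlogon Shell / Userinit: anything beyond explorer.exe / userinit.exe runs at every logon.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { Add-Finding 'winlogon' "Shell = $($wl.Shell)" }
if ($wl.Userinit -notmatch '^[A-Za-z]:\\[^\\]+\\system32\\userinit\.exe,?\s*$') {
    Add-Finding 'winlogon' "Userinit = $($wl.Userinit)"
}

# 4. Image File Execution Options "Debugger" values: how scareware blocks taskmgr, regedit and AV tools.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { Add-Finding 'ifeo' "$($_.PSChildName) -> Debugger = $dbg" }
}

# 5. Running processes and services whose binary looks like a drop in a user-writable folder.
Get-Process -ErrorAction SilentlyContinue | Where-Object { try { $_.Path } catch { $false } } | ForEach-Object {
    $why = Test-SuspiciousExe $_.Path
    if ($why) { Add-Finding 'process' "PID $($_.Id) $($_.ProcessName) :: $why" }
}
Get-WmiObject Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
    $why = Test-SuspiciousExe (Get-ExePath $_.PathName)
    if ($why) { Add-Finding 'service' "$($_.Name) ($($_.State)) :: $why" }
}

if ($findings.Count -eq 0) {
    'No obvious autostart or proxy hijack found; keep looking (scheduled tasks, browser add-ons, boot-disc scan).'
} else {
    $findings
}
```

The script reports and changes nothing, which is deliberate: clearing a loopback proxy is harmless, but a Run entry, Winlogon value or service should be disabled and its file renamed only once you know which family you are dealing with (rules 1 and 5). An entry pointing at a file that no longer exists is a common leftover after a partial cleanup, and an unquoted service path with spaces will show up as "target missing" too, so read each finding before acting on it.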


You can read the full removal instructions at "Remove the AV Security Suite" on BleepingComputer.