Nice little surprise job

RJM62 (Geek on the Hill)
Had a lady call with a rootkit (Personal Security rogue AV and company) earlier today. She'd had it for more than a week, so it was pretty deep into the system.

She's a nice lady (I've done work for her in the past), so I agreed to go today. She's only about 15 minutes away, anyway.

Turned out to be a surprisingly easy removal: I ran ComboFix and MBAM, and that was that. No manual removal work needed. Real no-brainer job. So I wrote up the bill for weekday rates (like I said, she's a nice lady), and she handed me twice that -- in cash -- and thanked me for coming out on a Sunday. Woo-hoo!

Sometimes I love my work.

-Rich
 
No substitute for a customer who truly appreciates you....is there?
 
Be sure to disable and then re-enable System Restore. Disabling System Restore clears the still-infected restore points that can cause it to reappear.

Personal Security rogue has been a pretty easy one for us to remove at my shop. Others have been more troublesome. We have 15-20 of these rogue AVs come in from customer computers a week.

Update your Flash, IE, and OS; that helps tremendously. Flash is mainly where these exploits are gaining access.

Good job helping your customer.
 
Thanks.

Oh, yes, clearing System Restore is standard procedure. So is emptying all the temp folders, cookies, and the Prefetch directory, and updating whatever is needful of updating. Once in a great while I find malware hiding out in pagefile.sys and hiberfil.sys as well. Those are usually the ones that I have to hunt down and remove using ERD or a live Linux disk.

This one was simple, though.

I had another Personal Security case today. The client was actually my friend and car mechanic, as well as being a pilot. I also maintain his Web site for a pittance because he's a good friend. I used the same fix: ran ComboFix, started MBAM, and ran to do another job in the neighborhood while MBAM was scanning.

The client I ran to is a college professor who said she was having trouble installing IE8 -- I found it was already installed -- and who couldn't figger out how to paste the license key into her AVG renewal. She teaches education, by the way.

Then I went back to Moe after MBAM was done to clean up the crumbs, reinstall his ShopTrakker runtime (it had become infected), clean the registry, and perform other tune-up stuff. We bartered the malware cleanup / PC tuneup and the Web site renewal for a brake job (pads and rotors) and a synthetic oil change.

-Rich
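The post-cleanup routine the two posters describe (flush the infected restore points by disabling and re-enabling System Restore, then empty the temp folders, cookies and Prefetch, and deal with pagefile.sys / hiberfil.sys) is the kind of thing worth scripting so it is done the same way on every machine. The script below is an added example, not something either poster wrote; it assumes an elevated Windows PowerShell prompt on a client Windows build (Vista/7 era, matching the thread) where the Disable-/Enable-ComputerRestore and Checkpoint-Computer cmdlets exist, and it takes no position on the rogue-AV removal itself, which the thread does with ComboFix and MBAM.

```powershell
# Added example (not from the thread): post-removal cleanup after a rogue-AV job.
# Assumes: elevated Windows PowerShell on client Windows (Vista/7+); the
# *-ComputerRestore and Checkpoint-Computer cmdlets are not present on Server SKUs.
# Run only AFTER the malware scanners report clean, otherwise you discard the
# restore points you might still want for a rollback.

$drive = $env:SystemDrive + "\"

# 1. Flush restore points. Disabling System Restore deletes every existing
#    restore point, including the ones that snapshot the infected files, which is
#    the "disable then re-enable" advice from the thread.
Write-Host "Disabling System Restore on $drive (drops all restore points)"
Disable-ComputerRestore -Drive $drive
# Belt and braces: also drop any leftover VSS shadow copies.
& vssadmin.exe delete shadows /all /quiet | Out-Null

# 2. Turn it back on and take a fresh, clean baseline immediately.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Post malware cleanup" -RestorePointType MODIFY_SETTINGS

# 3. Empty the system temp, Prefetch, and each profile's temp/cookie/cache folders.
$targets = @("$env:windir\Temp", "$env:windir\Prefetch")
Get-ChildItem "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $targets += Join-Path $_.FullName "AppData\Local\Temp"
        $targets += Join-Path $_.FullName "AppData\Roaming\Microsoft\Windows\Cookies"
        $targets += Join-Path $_.FullName "AppData\Local\Microsoft\Windows\Temporary Internet Files"
    }

foreach ($dir in $targets) {
    if (-not (Test-Path $dir)) { continue }
    Write-Host "Clearing $dir"
    # Files held open by a still-running process are skipped, not fatal; note them
    # because a locked file in Temp after a cleanup is itself worth a second look.
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object FullName -Descending |
        ForEach-Object {
            try { Remove-Item $_.FullName -Force -Recurse -ErrorAction Stop }
            catch { Write-Warning ("Still locked: " + $_.TargetObject) }
        }
}

# 4. pagefile.sys and hiberfil.sys cannot be deleted while Windows is up, which
#    is why the thread reaches for ERD or a live Linux disk. Two in-band options:
#    zero the pagefile on the next shutdown, and drop the hibernation file entirely
#    (re-enable with "powercfg -h on" afterwards if the customer uses hibernate).
$mm = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord
& powercfg.exe -h off

Write-Host "Done. Reboot to clear the pagefile and remove hiberfil.sys."
```

ClearPageFileAtShutdown makes every shutdown noticeably slower because the whole pagefile is overwritten, so set it back to 0 after the first clean reboot unless the customer wants it permanently. Run this after the scanners, never before: the restore-point flush is irreversible, and a clean baseline checkpoint only helps if the machine really is clean when it is taken.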
 