This may get kinda long, but I'll try to parse it a bit. I work for an independent sales/repair facility. Anybody that does this understands that a large percentage of repairs are due to spyware and/or virus damage. We've decided to not try and be heroes and just backup data, wipe and reload Windows if there are over 40 items in our spyware/malware detection. I know that everybody has their favorites that they use. We are using malwarebytes antimalware to detect. And spybot, ad-aware, and norton av. If the customer decides to have us wipe and reload, we transfer their data to another computer that is running the latest norton, so that should catch any files that are infected. Long story short we've been having people lately whose computers have come back all jacked up. We give a handout explaining about how spyware works, what to try and avoid, and we install spybot and ad-aware on these computers. And we make sure they know about antivirus and that they MUST have it installed first thing. We are now contemplating making a restore point for EVERY computer that we do this to as a last step before shutting down and running malwarebytes on it before giving it back to them. We are also interested in finding a cheap, hopefully transparent program that can at least track internet history. I think some of these idiots are just doing whatever they want, going anywhere and claiming that, of course they did nothing, and that the data we put back on MUST have been infected. I know this is possible, I'm just looking for a way to avoid this. We've even thought of just backing up their data to DVD. Unfortunately, when the customer has 17G of pictures and 22G of music, this starts to be quite a time consuming process. We don't suspect everybody, we're just trying to do the best job for the customer without having to RE-do it at our cost. Forgive the rant about idiots, but unless you do what we do, you cannot believe how many people are out there who have no concept.
dr format
NooNoo
January 31st, 2009, 01:22 PM
What do you intend to do with the log that this software might create? Prove to the customer they have been idiots? It's a good idea, but how are you going to pinpoint the site/email that caused the infection? You will have to wade through goodness knows how many log entries.... and investigating their history might well invoke all kinds of privacy issues.
I think all you can really do to protect yourselves against people claiming you didn't do the job properly is to have them sign a waiver that says if you back up their data and wipe the machine, you will do your best to ensure the data that is put back is clean, but cannot be held responsible if the data remains infected.... and if they have any sort of p2p/bit torrent client then all bets are off... then check the registry for the keys that get left behind after uninstalling - limewire is particularly easy to spot.
geoscomp
January 31st, 2009, 01:23 PM
We are also interested in finding a cheap, hopefully transparent program that can at least track internet history.
Wouldn't that mean you were installing spyware on your client's computers?
dr format
January 31st, 2009, 02:46 PM
Yeah, I agree it would be putting spyware on their computer. And I understand signing a waiver. What is really bad is we have Best Buy as a so called competitor. I've seen their release/waiver/denial of all responsibility and frankly would rather not have to do the same thing. There comes a time when you just decide that no matter what you do for someone or tell them, they will misunderstand or just hear what they want to hear. And frankly a lot of people just come in and try to bully you to get what they want. I think this is because somebody let them get away with that kind of behavior. We don't, but it certainly can make for a stressful day. AND those kinds of people ALWAYS show up when you've got a store full of people. I also do laptop power port repairs, and have a disclaimer that I have the customer sign, and I require 2/3 payment up front. I understand that it would take a lot of time to go through their logs, I just want to see their internet address history if their computer will not boot windows. It's not our intention to spy on anybody. Heck. I turn off thumbnails, screen savers, and desktops that have personal stuff on them. I respect the privacy of anybody that brings their stuff to us, I'm just trying to make sure that when it goes out the door, it's CLEAN. Maybe run the malwarebytes scan and save the log to the desktop as proof to the customer we did our job.
dr format
dr format
January 31st, 2009, 02:48 PM
Sorry I forgot to ask, but where in the registry keys would I find evidence of p2p/limewire stuff? Do I just search for limewire in regedit?
dr format
NooNoo
January 31st, 2009, 02:52 PM
There will always be those people, you are not going to get away from that. Even if you have them bang to rights with trackable proof, it won't be their fault. However read this (http://www.securityfocus.com/infocus/1827)
CCT
January 31st, 2009, 04:21 PM
'over 40 items in our spyware/malware detection'
Many scanners report tracking and other cookies as 'malware' when these really aren't. If the user doesn't clean them routinely after surfing, 40 is EASY to accumulate.
It is possible for Norton and Spybot and Malwarebytes and AdAware to still miss something, so guarantees are impossible. However, reassurance that you indeed DID run those, and they came up clean, is good and should be given to the client.
After that, you are better off just informing them in your hand-out that after the comp leaves the shop your responsibility ends.
Invasion of privacy can be a dicey charge.
dr format
January 31st, 2009, 04:44 PM
Thanks for all your advice. I really didn't want to see what they did, just where they went to protect us from being accused of sending out a computer that is infected. Think we'll work up some kind of sign off for the customer to absolve us of responsibility and let it go at that. Sorry some of my frustration was coming out during my 1st discourse. It's been a long, long week.
dr format
slgrieb
January 31st, 2009, 05:38 PM
There's no way you can warranty a machine to remain free of malware once the customer has gotten it home and online, but if you're seeing a recent jump in customers complaining about machines that appear to be infected after they get home, the computers probably are being re-infected by the data files copied back after the drives are formatted.
Sure, there are lots of folks who turn right around and reinstall some of the same junk that was on the system as soon as you remove it, but my experience is that you have a fairly constant level of this behavior. So, I think an increase in symptoms is evidence of an increase in disease. You can't just make a backup copy of files to a computer running NAV and realistically expect the software to find all infected files. Norton (most other AV software too) remains very weak on removing non-traditional threats. If Norton alone were effective, you'd just scan all your infected systems with it and they'd be clean, right?
The real problem is that your boss has decided to take the path of least resistance rather than invest the time to learn more about malware removal and improve his methodology. Sloppy practices, sloppy results.
xpuser357
January 31st, 2009, 05:52 PM
http://www.superantispyware.com/shoppingcart.html?action=add&sku=SAS000&tag=SUPERANTISPYWARE I find this works well.
kyletoon
January 31st, 2009, 11:34 PM
Another program you could install is spywareblaster, it's freeware. The program has a large database of malware related websites which blocks the user from accessing them. It doesn't even run in the system tray, you could have a look. Like someone already said, there is no one program, or all programs for that matter, that can detect all malware. Also, as someone said, as norton is a very well known company, malware writers target specific ways to circumvent such protection. Your best bet is to research the malware market at new methods of malware prevention, removal and importantly protection.
Ferrit
February 1st, 2009, 02:16 AM
Whenever I clean a machine I do screen shots of all the cleaning programs and jpeg each one showing all malware and trojans etc etc found.
There is no silver bullet anywhere anytime.
40 infections is nothing really as CCT said.
Let's get the horse back before the cart.
THEY GOT INFECTED AND BROUGHT IT TO YOU.
Now you can save the data and wipe the drive and all that.
But in the end their data could well be infected even using best practises.
If they have 22 gigs of music it's quite rare that it is all theirs, in fact it's more than likely lime wired or torrented.
Time to sell them a laptop ext case and drive and acronis or ghost.
Image the drive when it leaves for them. Takes a short time.
Niclo Iste
February 1st, 2009, 10:28 AM
Since I'm the only tech at our company that can successfully remove 95% of the infections brought in I deal with this often. I even go against my boss's "do anything that will make them happy" policy. I will remove the infection. Give them a 15 minute lecture/class on how to avoid and do preventive maintenance. I then tell them they have 7 days to contact me if it's infected again while telling them that if the infection doesn't rear its ugly head within 24 hours it's something they did, but I'll honor it anyway just to show them what they did wrong. If they call me back a 3rd time I let them know I have to bill for time per hour and suggest they can also choose the route of wiping out the computer and having their data transferred over. To which if that happens if they get reinfected they must pay the full price for removal again OR they can pay the full price for wiping windows out yet again for them. Like you said fixing infections is a main part of our business and how we make money. Once you start choosing not to make money for your main service you're not going to get far.
dr format
February 2nd, 2009, 09:25 AM
Back again after a somewhat relaxing Sunday. slgrieb, the problem is not in refusing to invest in more and better ways to fix spyware, ad-ware problems. The problem is the bottom line. Our labor rate is based on $60 per hour. AND we have flat rates on everything. We charge $90 for a wipe and reload of Windows. This includes ALL updates and service packs. We also rip out all the junk that the major manufacturers put in, namely the web-based games. We give a handout explaining spyware/adware/malware and tell the customer that the internet is a potentially dangerous place to play. We warn against p2p sites, free, rebate, coupons, help you search, etc. I agree that a note on the customer's bill explaining that we cannot be responsible for their behavior, and that they could potentially re-infect themselves with their data. We also run malwarebytes and spybot on the data we save off BEFORE we put it back on. Frankly most people really balk at the idea of spending much money for repairs, and it's a constant battle to get them to even read our spyware handout. I don't think we're sloppy, we're handicapped by what the customer will spend. I can't tell you how many people come in here holding their external hard drive in their tear-stained fingers, begging us to save the data. They do not understand that an external drive is a HARD DRIVE at heart, and backing up on CD or DVD is vital. The sad state of affairs is a lot of people are not willing to invest any time learning about even minimal maintenance for their computer. They think it's like their TV. And there is so little profit in the initial hardware purchase, very few salespeople can afford to give more than minimal advice. And don't get me started on the big box stores treating customers like idiots. Then they come in here, with all the baggage that involves, and we have to sort out their discontent and frustration. I'm not complaining. This is part of our job. If we find that they are unteachable, we let them go.
My boss made a decision a long time ago that we cannot please everyone, we do not price match, and the customer is not always right. Needless to say, we have a lot of happy customers because of these policies. We aren't lazy, we bust our butts for our customers. The hard part is getting them to LISTEN.
rant off
dr format
NooNoo
February 2nd, 2009, 10:19 AM
Amen to that...
Niclo Iste
February 2nd, 2009, 03:10 PM
I agree it's a pain to teach any clients. That's kind of why I operate the way I do with my infected clients. I'm nice only for the first few times. If they refuse to learn I found that the old method of let them get burned to learn fire is hot method. IE the more they keep spending to have me remove the infection they'll either learn or give up on the damned PC. Now mind you I do check up on it to make sure it wasn't something I didn't fix, that's why I generally will look it over once more for little or no cost if they bring it back in short time complaining. However it usually turns out that they went to some perverse or hacked site in search of things they shouldn't really be obsessing over anyway and reinfecting themselves.
By the way Professor Niclo has only had one D student in his teaching career (Not computer career in general just his new method). Sadly there is always the one person who ruins a perfect record. Aside from that the others have never made more than 1 callback and in most cases the issue is resolved on the first time. Some would say "well maybe they went elsewhere" and I would have some doubt instilled in me. However I have a stellar referral rate which argues against such statements.
slgrieb
February 2nd, 2009, 05:09 PM
Niclo, I think you've got a nicely balanced approach to the problem. I can do most malware removals in around an hour to an hour and a half. I still don't think an initial scan, followed by backing up files, scanning the files, reloading Windows and copying the files back to the system is going to be quicker and more efficient than that, dr format.
windrivers.com