Author Topic: Mom in law caught herself a malware infestation  (Read 306 times)

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Mom in law caught herself a malware infestation
« on: November 07, 2010, 11:19:14 pm »
I got two calls from her last night when I was out in the yard raking and burning leaves. Her computer "wasn't working".

God, do I despise dealing with end-users on technical matters. Can't describe anything that is going on.

I drove over there.

The power light of her computer (a newish Lenovo PC with Vista 64 bit and 3 gig ram we got her last Christmas) was flashing. I told her "this means that it's in STANDBY. Half on half off." Looks at me like a deer in the headlights. Not taking it in, no idea.

I rebooted it.

Windows starts to boot. But before going to the desktop, it stops with an application window displaying a "Windows" logo and the name "ThinkPoint". It has two buttons - the "exit" button is greyed out and the only button enabled says "Scan Now".

She caught herself a G_d damned malware. Probably got the payload from one of her idiot women friends who promiscuously shares cute kitten pictures with a CC: list of 12,000 of their closest friends.

I told her (being patient as I could) that all that would happen until it was fixed was that it would ask her for a credit card and it would charge her something like $50 or so repeatedly while claiming that it was finding horrible viruses and infestations. She's clueless, like I am talking Sanskrit.

This, by the way, is what the idiot who worked for the last idiot that I worked for was under indictment for distributing, in Federal court last summer: http://www.computerconsultantsforum.com/forum/private-by-approval-discussion-area/local-internet-entrepreneur-faces-criminal-charges/

Anyway, I told her that anyone in the technical support business would charge her a minimum of $200 to repair her computer, and that she was QUITE lucky that she had a son in law who does this. (the mild abuse that I was heaping on her was, however, always free.  :P )

I can't REALLY blame her completely because there is absolutely no way that I can boil down what to look for to prevent this in the future, so that a late-60s, computer-illiterate end user can understand that they are being scammed.

Blame the crap Windows environment and the crap Windows usability for this lack of trainability, for want of a better word.

This really stressed me out because, worst case, the malware had junked up her system so thoroughly that I would have to reinstall Windows. Several hours. Hunting down drivers.

I hauled the PC home and at home Googled the problem. I actually found several sites advertising what appeared to be competing malware that was offered as a "solution" to THIS problem.  >:( The internet is a f*cking jungle, I tell you... I finally found "good" information on Microsoft's internal support forums.

It turned out to be quite easy to defang once I understood what was going on.

ThinkPoint plants itself on the PC by one simple registry change: One of the "Run" registry settings is set to point to the malware executable ("hotfix.exe"). This has a modal dialog that prevents Windows from ever executing Explorer.exe (the desktop shell.) I booted into Safe Mode/Command line, ran REGEDIT from there, and deleted the entry.

I next found and deleted hotfix.exe from the command line.

Rebooted. Windows comes up normally.

Beautiful. Once in a while a blind squirrel finds a nut.

I next updated and ran Windows defender. It found nothing.

Next I downloaded and ran the free version of "Malwarebytes", a widely used anti-malware suite.  It found 5 infection files which it quarantined. (HEY! MICROSOFT! THANKS FOR WINDOWS DEFENDER!!!! I NEED THIRD PARTY MALWARE PRODUCTS TO FIND STUFF THAT YOUR LAME CORPORATE CRAP DOESN'T RECOGNIZE!  >:( )

Then I tried to do Windows Update. It kept failing.

I then attempted the command "SFC /scannow" from the command line, which was recommended to find and repair any system file corruptions that prevent Windows Update from running.

What I found was that one service, called "trustedinstaller", which is CORE to Windows Update, was missing. The file trustedinstaller.exe was missing. In reading I found that most malware will remove core files associated with Windows Update to cripple updating, so that you can't update with hot fixes or malware removal tools.

GREAT! It took about 1/2 hour to find a shadowed copy of that file on her system and then figure out how to remove security from the target service directory so that I could copy it in.

Once I copied the file in, the service displayed without an error.

I did get Windows Update working again and updated with 65 updates that had piled up. The PC had never been updated. (Of course, mom in law had no idea.)

I'm going to TELL mom in law, as in "you want me to work on your computer ever again, you DO this", to buy Malwarebytes for $25. The paid version provides the real time malware shield. I've concluded that she really needs this to prevent another occurrence. And my wife can learn Vista well enough to run over there and run system checks every few weeks.

Yeesh.

I hope that guy that works for my ex client goes to the slammer. I'd love to stick a fork in the eye of whoever authored this garbage.
« Last Edit: November 07, 2010, 11:38:11 pm by G0ddard B0lt »
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.
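
The fix described above is, in the end, an autostart audit: find what has hooked the boot sequence, confirm the hook points at something that should not be there, remove it, and then check that the Windows Update plumbing (the TrustedInstaller service) is still in place. The PowerShell script below is an added example written for this page, not code from the original post or from any vendor; it reads the classic Run/RunOnce keys (including the 32-bit view on x64), the Winlogon Shell/Userinit values (another common way rogue antivirus programs stop Explorer.exe from starting), flags entries that launch from user-writable or temporary paths, and reports whether the TrustedInstaller service and binary exist. It is read-only. The "suspicious path" heuristic, the expected Winlogon values and the TrustedInstaller binary location are assumptions stated in the comments; it requires PowerShell 3.0 or later (built in from Windows 8; installable on Vista and 7) and an elevated prompt.

```powershell
# Added example for this page, not code from the original post.
# Audits the autostart hooks a rogue-AV infection typically uses and checks the
# TrustedInstaller service/binary that Windows Update and SFC depend on.
# Run from an elevated PowerShell prompt; in Safe Mode with Command Prompt,
# start it with "powershell.exe" from cmd. Read-only: it changes nothing.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view of the Run key on 64-bit Windows (the post's Vista x64 case)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Winlogon values that decide what runs as the desktop shell at logon. A
# malicious Shell value is another way to keep Explorer.exe from starting.
# Expected values are an assumption for a stock install.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonExpected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Heuristic (assumption, not a rule): autostart entries that launch from
# user-writable or temporary locations deserve a look; OS and vendor
# components almost always live under Program Files or the Windows directory.
$suspiciousPathPattern = '(?i)\\(Users|Documents and Settings|ProgramData|AppData|Temp)\\'

function Get-AutorunFinding {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $verdict = if ($cmd -match $suspiciousPathPattern) { 'REVIEW' } else { 'ok' }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd; Verdict = $verdict }
        }
    }
    if (Test-Path $winlogonKey) {
        $wl = Get-ItemProperty -Path $winlogonKey
        foreach ($name in $winlogonExpected.Keys) {
            $actual  = [string]$wl.$name
            $verdict = if ($actual.Trim() -ieq $winlogonExpected[$name]) { 'ok' } else { 'REVIEW' }
            [pscustomobject]@{ Location = $winlogonKey; Name = $name; Command = $actual; Verdict = $verdict }
        }
    }
}

function Test-TrustedInstaller {
    # On Vista/7 the service binary lives under %SystemRoot%\servicing (assumed path).
    $exe = Join-Path $env:SystemRoot 'servicing\TrustedInstaller.exe'
    $svc = Get-Service -Name TrustedInstaller -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'missing' }
    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $status
        BinaryPresent  = (Test-Path $exe)
        BinaryPath     = $exe
    }
}

# REVIEW rows first, then the TrustedInstaller state.
Get-AutorunFinding | Sort-Object Verdict -Descending | Format-Table -AutoSize
Test-TrustedInstaller | Format-List
```

A REVIEW verdict is a prompt to look, not proof of infection: confirm the file, its publisher and its timestamps before acting. Once an entry is confirmed bad, the manual regedit step in the post corresponds to Remove-ItemProperty on that key and value name, followed by deleting the file it pointed at. For the TrustedInstaller copy-back step the post describes, takeown and icacls are the standard Vista tools for taking ownership of the servicing directory and granting yourself write access, and running SFC /scannow afterwards confirms the component store is consistent before retrying Windows Update.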


TRexx

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 4547
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #1 on: November 08, 2010, 09:34:42 am »
So GB, tell us how you really feel.   ;)

(Be glad your MIL lives nearby. My mother lives 100 miles away.  I spent the Saturday replacing her printer.  One of her neighbors managed to FUBAR her printer trying to clear a paper jam with a screwdriver. The hardest part was convincing her to pay $89 for a new one instead of $100 to fix the old one.)

Richardk

  • Global Moderator
  • Wise Sage
  • *****
  • Posts: 3820
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #2 on: November 08, 2010, 10:48:05 am »
Isn't that fun?

Now try explaining why it costs $200 to repair a $450 laptop to some user, if you did this for a living.

Most around here charge about half that but they only make a few simple attempts before declaring that the OS must be reinstalled, for an additional fee, of course.

I hope she appreciates all your help.  :)

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Analogy for repair costs of PC vs new system
« Reply #3 on: November 08, 2010, 11:24:18 am »
Isn't that fun?

Now try explaining why it costs $200 to repair a $450 laptop to some user, if you did this for a living.

A pretty good analogy that could be understandable by laypeople popped into my head over the weekend.

Auto body and frame repair.

It's quite easy to total out an older car in a minor accident. It's very easy to do damage to a car that well exceeds the blue book value of the car to repair.

It was relatively cheap to build the new car in a controlled factory environment. It is quite dear and labor and cost intensive to reverse damage in the completed vehicle.

However, what you're always up against in PC repair is the user whining that you just shouldn't ever earn that much off of them, ever, and your analogy stinks because car repair guys work MUCH harder than you do, and you just don't deserve anything.  >:(

Richardk

  • Global Moderator
  • Wise Sage
  • *****
  • Posts: 3820
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #4 on: November 08, 2010, 12:08:04 pm »
I like that analogy.

What's even harder for them is when all their "stuff" is gone because they never did a backup or when they need to purchase Windows again because they never burned a disc or don't know where it is.

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #5 on: November 08, 2010, 12:12:18 pm »
Be all this as it may...

This repair was pretty straightforward. I was satisfied that "I still have it", even though I couldn't care less about commercializing my PC repair abilities - it's a total, abject loser of a scumwad, race to the bottom business.

But I can't see making this a business. Things vary so much. For one straightforward (like this) job you have 5 or 10 jobs that have 1/2 dozen things wrong with the system AND the OS needs to be reinstalled AND the user won't pay for a new copy of Windows because they pitched their disks.

Some guys (and gals) do make a go of this business. I am in awe of anyone who can earn above a poverty wage doing this kind of work.

I D Shukhov

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 3362
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #6 on: November 10, 2010, 09:36:36 am »
Be all this as it may...

This repair was pretty straightforward. I was satisfied that "I still have it", even though I couldn't care less about commercializing my PC repair abilities - it's a total, abject loser of a scumwad, race to the bottom business.

But I can't see making this a business. Things vary so much. For one straightforward (like this) job you have 5 or 10 jobs that have 1/2 dozen things wrong with the system AND the OS needs to be reinstalled AND the user won't pay for a new copy of Windows because they pitched their disks.

Some guys (and gals) do make a go of this business. I am in awe of anyone who can earn above a poverty wage doing this kind of work.

I'm not sure about doing this as a consumer business, but I do know that malware analysis and protection is very big where I work.  The company has bought two cybersecurity companies in the last month.  Each company had about 125 employees.  They are clearly going the "buy" rather than "make" route (as in using existing employees).  When there are requisitions, they  usually describe people who have used reverse engineering tools for analyzing malware and  people who can work in assembly language.   I realize that's a different expertise than removing malware from an infected computer, but understanding the characteristics of malware is common to both.

Anything that won't sell, I don't want to invent.  Its sale is proof of utility, and utility is success. – Edison

Richardk

  • Global Moderator
  • Wise Sage
  • *****
  • Posts: 3820
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #7 on: November 10, 2010, 11:00:37 am »
When there are requisitions, they  usually describe people who have used reverse engineering tools for analyzing malware and  people who can work in assembly language.   I realize that's a different expertise than removing malware from an infected computer, but understanding the characteristics of malware is common to both.

Common to both but that's "way different". The people I typically see removing malware at the consumer level know they have to remove/fix something called "files" or if they are 'experts' they might dive into something called the "Registry".

I'm exaggerating but many have no idea what reverse engineering tools are or assembly language.

[Thinking about it, that's true for our entire profession. Most clients don't understand the difference between a kid doing the work and a pro.]

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #8 on: November 10, 2010, 11:40:57 am »
I'm not sure about doing this as a consumer business, but I do know that malware analysis and protection is very big where I work.  The company has bought two cybersecurity companies in the last month.  Each company had about 125 employees.  They are clearly going the "buy" rather than "make" route (as in using existing employees).  When there are requisitions, they  usually describe people who have used reverse engineering tools for analyzing malware and  people who can work in assembly language.   I realize that's a different expertise than removing malware from an infected computer, but understanding the characteristics of malware is common to both.

You're describing two entirely different echelons of work.

You're describing product design and development and research. Which leads to the products and techniques used by others.

R&D is a high-status, well paid niche that demands degrees, years of applicable experience, etc.

Employing the resulting product applications in the field is where all of the high school dropouts and those not anointed to be good enough to be hired to conduct the R&D try to eke out a living.

I'm nowhere geographically close enough to anyplace where I would be a viable candidate for the R&D roles.

So I must figure out how to make a living "in the field", remote, flyover country, away from where all of the sharp IT people hire each other.

Malware repair is the lowest-of-the-low kick the service provider in the balls type business. I am doing other things  now.

Aussie

  • Guest
Re: Mom in law caught herself a malware infestation
« Reply #9 on: November 11, 2010, 05:16:11 am »
My MIL thinks I walk on water.

FIL, well, let's say he has strong ambivalent feelings towards me.  As in, I fell from grace as an up-and-coming techie in 2002 when IT pulled back west of the Arafura but stayed east of Suez (frickin' Chennai).  On the other hand, I gave him his only grandchildren (I have both a brother- and a sister-in-law.  The latter is, of course, unmarried and unpartnered and, of course, an EXPERT on relationships).  So with dear ol' dad-in-law, it's kind of a case of "you-son-of-a-not-all-that-bad-dude".

But with MIL, it's pretty much a case of, I hope you're treating Bruce alright, daughter-of-mine. Which is why I found out her favorite old radio shows, downloaded them off the archive.org website to disk last year, and wrapped them up as a Chrissie present.

Bottom line?  I dispute the stereotypical MIL paradigm.


The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #10 on: November 11, 2010, 12:36:02 pm »
Bottom line?  I dispute the stereotypical MIL paradigm.

Welcome back...

Just to be clear I'm not referring to the "MIL as battleaxe" trope.

She's more like Edith Bunker in personality, except maybe a bit less savvy. Very non demanding - doesn't want me to yell at her.  ::) And completely flummoxed by ANY computer concept.

Example:

After this last episode when I set up her computer, I told her to never, EVER click on "Continue" with a UAC dialog box.

I demonstrated it to her. I showed her how it makes a "bonk" sound, darkens the screen, and has "Continue" and "Cancel" buttons. I told her that if she ever can't do anything on her computer because she gets this warning - then DO NOT press continue - call one of us to look at it. 

Quite simple guideline: it nags you like this - cancel, don't continue.

She didn't quite seem to understand. Just one little thing I'm asking her to remember. She may not even get that right.

So, it's that kind of thing that is the most aggravating. Learned helplessness and perhaps some increasing senior moments.

benali72

  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 925
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #11 on: November 11, 2010, 02:55:42 pm »
I put all family members whose computers I support on Ubuntu. 

I sometimes get calls about "how do I do this?" but at least I never get any calls about malware infestations.

Maybe installing Ubuntu for MIL would be a good idea. If she's malware prone it should at least solve that problem. 

If she requires a high degree of document interchange with Windows users I would not recommend Ubuntu. A technical person can easily read and learn how to do this but it's not so good for end users if they do a lot of shared-document editing.

Best of luck... (I know how you feel)...

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #12 on: November 11, 2010, 03:43:29 pm »
I put all family members whose computers I support on Ubuntu. 

I sometimes get calls about "how do I do this?" but at least I never get any calls about malware infestations.

Shrewd man. It had crossed my mind. I understand what you're saying. I used Ubuntu as a development platform on my final software contract. The latest Ubuntus feel exactly like Windows.

The catch would be any non flash (downloadable) games that MIL wants to play. Flash and Java could be played on Linux. I guess ActiveX is a dead technology, so that's no factor any more.

She doesn't even understand how you'd use a word processor or anything non internet on her computer, so that's a moot point. She doesn't have a clue about the C: drive, the file system, or anything else that isn't graphical.

She really could use a "dumb terminal" that is Windows like and never notice the difference.

I will definitely keep it in mind. I did get her to buy her own copy of Malwarebytes.

Aussie

  • Guest
Re: Mom in law caught herself a malware infestation
« Reply #13 on: November 12, 2010, 04:20:13 pm »
"After this last episode when I set up her computer, I told her to never, EVER click on "Continue" with a UAC dialog box.

I demonstrated it to her. I showed her how it makes a "bonk" sound, darkens the screen, and has "Continue" and "Cancel" buttons. I told her that if she ever can't do anything on her computer because she gets this warning - then DO NOT press continue - call one of us to look at it. "



Then make the point by changing the "bonk" sound to your own custom WAV file.  So long as no-one liable to hear it has a weak heart or nothing, perhaps Janet Leigh's scream from the shower scene in Psycho?  If the folk down that way are as distrustful of townies as some of my relatives west of Sunday, maybe a reverse psychological city-slicker voice saying "C'mon, li'l lady, push the Continue button, that's the way..." would be more effective.

Of course, you could always lay down some golden UAC tones with soul and style yourself.  What's Lou Rawls got that you ain't ?

The Gorn

  • Your agonizer, please. And be sure to keep the batteries charged!
  • Trusted Member
  • Wise Sage
  • ******
  • Posts: 14182
  • Gornix user
    • View Profile
Re: Mom in law caught herself a malware infestation
« Reply #14 on: November 12, 2010, 04:38:07 pm »
Of course, you could always lay down some golden UAC tones with soul and style yourself.  What's Lou Rawls got that you ain't ?

The ability to actually sing, for one... :P