Every town has at least one “computer repair” business – you know, the guys that charge $100 to clean your PC of viruses, install programs, add new memory, etc.  I’m “lucky” enough that my town has a few such businesses, but you know what?  They’re clueless.  Yep, I said it.  They. Are. Clueless.

Let me explain how I reached that conclusion.

A few days ago, my wife got into a conversation with the helper in my son’s pre-school class.  She had mentioned how she took her computer to one of the local repair places to get spyware/adware/viruses cleaned up.  It cost her a couple hundred dollars by the time she was done, but she gladly parted with the cash in order to get her computer in working order.  Guess what?  Shortly after getting her computer home, she noticed a tray icon that kept popping up a message that her computer was at risk and she needed to get it fixed.  Clicking on the toast that popped up took her to a web site that tried to sell her software to “fix” the issue. Whatever.

She called the repair guy back and complained.  His reply? “Wow, you’re just unlucky I guess.  Bring it in and I can take care of it.”  She said, “will I still have to pay the $80 to get it fixed?”  Believe it or not, the guy said, “well, it might cost up to $90.”  WTF?  Wow.  Uncool.  Shouldn’t this guy have said, “wow.  I missed something.  I’m sorry.  Bring it in and I’ll take care of it.”?  It was at this point that my wife asked if I’d take a look.  While I generally dislike doing stuff like that, I said I’d see what I could do.

Triage

A newish Dell desktop computer was dropped off at my house along with a description of the problems she was having.  I hooked it up to a monitor, keyboard and mouse, but did NOT connect it to my network.  I booted the system, and when XP finally loaded, noticed there were 6 accounts on the system – 2 adults and 4 kids.  None had passwords on them and all were “admin” accounts.  Ugh.  Ok, moving on.  Logging in as any one of the users, I was almost immediately presented with 2 things: McAfee AV was installed and the message she complained about popped up.  I poked around a bit, seeing what apps were in the startup group, what apps were being started from HKLM/Software/Microsoft/Windows/CurrentVersion/Run and HKCU/Software/Microsoft/Windows/CurrentVersion/Run.  Nothing unusual in either place.

Since the computer wasn’t hooked up to the network, I clicked the toast that had popped up (and continued to pop up every few minutes) so I could see where it was trying to go.  Once I knew that, I headed to my computer to see what a search would come up with.  Within a few seconds of searching, I found details on the virus (because that’s what it was), printed out instructions for manually removing it and headed back to the Dell.  Guess what?  None of the files listed in the instructions were there.  Hmmm…

After some more searching, I decided there must be something else going on, maybe a rootkit had been installed.  Off to sysinternals to grab some of the great utils!  I copied rootkitrevealer and autoruns to a USB key and once again headed back to the Dell.  I wanted to see if I missed something in a startup location, so I ran autoruns first.  Unfortunately, I still didn’t see anything out of the ordinary, so I ran rootkit revealer which ended up finding NOTHING.  Hmmm…interesting.

Getting Serious

Having already spent more time on it than I wanted (less than an hour), I started killing off processes hoping I’d figure out which one was displaying the tray icon.  No luck.  Ok, back to sysinternals to grab process monitor.  My plan was to click the icon in the tray to see what processes were involved.  Before doing that, I excluded several known processes from the display so I could better focus on the issue at hand.  I noticed that when I clicked the icon, iexplorer.exe was about the only process that was launched, but guess what?  I could view the stack to see exactly what files were involved. 

As I scanned through the list, I found one of the files listed in the original removal instructions.  Hmmm…I had already checked sys32 and couldn’t find the file, but here it was, big as day, being used by this process.   I hit the command line again, but this time, instead of just doing a cursory “dir”, I did an “attrib” on the filename and found it — marked as HS (hidden and system).  I removed those attributes and then tried to figure out how to get rid of it.  I couldn’t delete it since it was being used, but I was still curious how in the hell it was being started to begin with.

I fired up autoruns again and went very slowly through the list.  GRRR…I had actually missed something on my first pass.  Once I disabled the item so it would no longer run on startup, I rebooted.  Aha!  Once the machine restarted that tray icon was no longer there, so I hit the command line, navigated to sys32 and deleted the offending file!  Just to make sure I didn’t miss anything, I rebooted again and then logged into each account (did I mention that none of them had passwords?)  Everything looked good!

Lockdown!

Before giving the computer back to her, I talked to her about locking the system down a bit.  She agreed, so after some other cleanup (temp internet files), I set each of the kids accounts to be “limited” and I placed a password on the two adult accounts.  That way, the kids would have a much tougher time installing crapware and they’d have to go through mom or dad.   Hopefully limiting those accounts will stop this from happening again.  Of course, it could have been mom or dad surfing some questionable site, but that’s none of my business.

Ok, so back to me saying the local guys were clueless.  It seems to me that if you’re going to be in the business of cleaning up computers for people (which, BTW, I’m not), you should know how to track this stuff down and fix it.  Don’t tell your customers, “oh, you’re just unlucky” and then charge them $100 to fix something which should have been fixed to begin with!  Maybe I’m wrong.

What do you think?