Ran into a nasty one yesterday

Kirby

Active Member
Reaction score
227
It appears to be a Poweliks variant. A customer brought the computer in unable to click on things in the Taskbar. I rebooted, set the laptop power button to shut down instead of sleep and checked and it was all good. I assumed she had just been putting it to sleep instead of shutting down, especially since the Start Button didn't work. Still, did a little standard checking and noticed some files in AppData which were odd. One folder in Local, one in Roaming, each with 2-3 files. I say 2-3 because it kept changing. Files would disappear and reappear. One LNK, one BAT and one EXE. Delete the directory and it came right back.

So I thought it was the perfect opportunity to use my old trick of editing the small EXE with Notepad to save a corrupted version of it, then reboot. For viruses that watch for deletion and put themselves back this has always worked. Instead of deleting it, corrupt it and reboot. When it comes back up the corrupted EXE fails to run and you can then delete it. But with these it didn't work. They fixed themselves.

Long story short, they were only a minor symptom. Found 3 more LNK files in the Startup directory, 2 pointing to the EXEs (which weren't EXEs when Windows wasn't running. They were 4 characters.5 characters when examining the hard drive directly). The third LNK actually ran a long JavaScript. And it also had the entry in the HKCU "Run" folder with the bad characters so it wouldn't show up, which also ran a much longer JavaScript. This is what was creating all the files.

I finally had to add a DEBUG option to MSHTA using Notepad so when the computer booted and the registry key tried to run the script it would come up in Notepad instead. Then, without the script running, I could export the Run key, delete it, and re-import it (because the keys with bad characters don't get exported).

I'm still not done poring over it to see if I got everything. Oh, and one "Run" entry pointed to another key under HKCU/Software/gbil, which I also deleted. This appeared to be the meat of it. I'm not sure how things are normally done around here, but I'm attaching the REG export as a TXT file in case anyone is interested. Not much of a JavaScript guy myself, so it means nothing to me.
 

Attachments
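An added example (not the original poster's code or the attached export): a read-only PowerShell audit of the HKCU and HKLM Run/RunOnce keys that lists value names containing control characters, the kind regedit can't display and a .reg export silently drops as described above, plus any value whose data launches mshta or another script host. It assumes an elevated prompt; the script-host pattern is a constructed starting point, not a complete list.

```powershell
# Added example, not from the original post: read-only audit of Run/RunOnce autostart keys.
# The .NET registry API still returns value names containing embedded nulls or other
# control characters, which regedit shows as garbage and a .reg export drops.
# Assumes an elevated PowerShell prompt. Nothing is modified.

$autostartKeys = @(
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' }
)

# Script hosts and inline-script prefixes a registry-resident loader typically invokes (constructed list).
$scriptHostPattern = 'mshta|javascript:|vbscript:|wscript|cscript'

function Test-ControlChars {
    param([string]$Text)
    foreach ($ch in $Text.ToCharArray()) {
        if ([int]$ch -lt 0x20) { return $true }   # null, tab, CR/LF, etc.
    }
    return $false
}

function ConvertTo-VisibleName {
    param([string]$Text)
    # Escape control characters as \xNN so the real value name is readable in the report.
    $out = foreach ($ch in $Text.ToCharArray()) {
        if ([int]$ch -lt 0x20) { '\x{0:X2}' -f [int]$ch } else { [string]$ch }
    }
    return ($out -join '')
}

$findings = foreach ($entry in $autostartKeys) {
    $key = $entry.Hive.OpenSubKey($entry.Path)
    if ($null -eq $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        # Read without expanding %VARS% so the stored string is reported exactly as written.
        $data        = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $hiddenName  = Test-ControlChars -Text $name
        $invokesHost = $data -match $scriptHostPattern
        if ($hiddenName -or $invokesHost) {
            [pscustomobject]@{
                Key        = "$($entry.Hive.Name)\$($entry.Path)"
                ValueName  = ConvertTo-VisibleName -Text $name
                HiddenName = $hiddenName
                ScriptHost = $invokesHost
                DataLength = $data.Length
                DataHead   = $data.Substring(0, [Math]::Min(120, $data.Length))
            }
        }
    }
    $key.Close()
}

if ($findings) { $findings | Format-List } else { 'No suspicious Run/RunOnce values found.' }
```

Anything flagged with HiddenName should be handled the way the post describes (export, delete, re-import) rather than trusting a .reg export alone, since the export will not contain that value.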

Wasn't Rogue Killer detecting and removing the Poweliks? I never ran into one myself but I can recall one of those tools being the ones to detect it successfully.
 
I actually think I did get it removed, but then I ran Tweaking.com Windows Repair and forgot to uncheck the "reset file permissions" box and it screwed up the permissions in the Users folder irreparably. I have been known to spend a week on a problem before. I don't like to lose. I know, it's not profitable, but if you just nuke it every time you don't learn anything. There have been problems I spent days on where, afterward, fixing the issue was literally like a 3 minute job, once you know how.
 
I have been known to spend a week on a problem before. I don't like to lose
Just curious how would you charge a customer for all this time?

For me I may "lose the battle but I'll win the war" by fixing the client's issue and selling them my managed services, by which they will hopefully be more educated and less likely to download or install stuff they shouldn't be.
I'll take a look at an infected PC but I generally get a good idea of how bad it is after looking at it for 20 minutes (call it my Spidey Senses) and give the client options like I can spend 2-3 hours and remove the viruses or you can go for the backup and reload option.
 
I have a maximum fee of 2 hours, so any time after that is my own time. It's a stupid business move, but I'm a perfectionist, so after 2 hours I'm not thinking "Crap. I'm not getting paid for this any more", I'm thinking, "Now I can make it absolutely perfect, do every update, fix every issue and have this thing leave my shop immaculate."

I'm really lousy at business. I'm good at helping people, so that's what I concentrate on. It may barely pay the bills, but it does pay them. And I have extremely loyal customers because they know I'm always looking out for their best interests and not my own. The day after I quit my last computer job before opening my own shop I had a customer track me down at a friend's house in a panic.
 
I don't necessarily think there is anything wrong with being a perfectionist and wanting to go the extra mile, but you have to draw a line in the sand.

Your time is valuable, if not to the client then to yourself. Virus Removals can be time consuming and while generally most are just removing junkware and crap that causes no damage there are others like this that can wreak havoc. Just when you think you have fixed one thing another thing pops up.

You gotta cap some things, go for the better route and move on. Clients just want the issue fixed, and you offering the best solution is keeping their best interests at heart.

Spending countless hours on an issue may help with learning some things but it can also build up unneeded stress. Clients go to you because you offer great service but fix the issue. Work smarter not harder. I am speaking about this because I've been there so many times.
 
I hear what you're saying. It's just who I am. There is nothing I loathe more than saving data and reinstalling Windows. I would rather spend 3 days fixing a problem than half a day reinstalling Windows. I have started accepting defeat sooner now, but it has actually made me money in the past. Like I said, I have spent days figuring out a problem where, when I'm done, it's a really quick fix. But like the pharmaceutical companies who recoup their R&D expenses, I don't charge my minimum fee for a 5 minute fix that I spent days researching and figuring out a fix. The other guys are going to be charging to wipe the system down, which is the most disruptive thing you can do for a customer. I'm going to be charging for the same amount of time and a better fix with a quicker turnaround.

There have been times when it has actually made me more money in the end. I don't remember the specifics any more, but years ago there was a strange problem with Windows or Office that I couldn't find any fix for other than "wipe it". And it was getting to be a common problem in my shop. With a little bit of experimentation I concluded that all I had to do was delete a "Microsoft" directory somewhere in the user folder and the problem went away. So yeah, I spent a couple of days figuring it out, but after that it was literally a 30 second fix.

But that's not even why I do it. I've worked on computers a long time now. I'm to the point where when I sit in front of a computer if there isn't a problem with it, I'm not interested in it. I could not care less about Facebook or Twitter or even games. I rarely use a computer outside of work. I'm at work right now typing this. This was the first actual virus I had seen in probably 2 years and let me tell you, I was excited! I worked an hour and a half past close on it. I tore it apart and figured out how it was loading and where. I invented new ways to stop it from loading. Right now I'm writing a program to help me kill the next one easier. I'm the type of guy who used to write software to do my homework for me in junior high. I found the picture of the developers in the memory of my old Tandy Color Computer 3 as a teenager, not because I had heard about it and went looking, but because I wrote a program to PEEK each memory address in the ROM and display it as a pixel just to see what I would find. Yeah, it's a job now, but the thrill of discovery, that's the real reason I got into it in the first place. Killing a virus with Notepad and Regedit, that's porn to me. I don't do it because it will make me money and I don't not do it because it won't make me money, I do it because it's the last thing about computers I truly enjoy doing.
 
I hear what you're saying. It's just who I am. There is nothing I loathe more than saving data and reinstalling Windows. I would rather spend 3 days fixing a problem than half a day reinstalling Windows. I have started accepting defeat sooner now, but it has actually made me money in the past. Like I said, I have spent days figuring out a problem where, when I'm done, it's a really quick fix. But like the pharmaceutical companies who recoup their R&D expenses, I don't charge my minimum fee for a 5 minute fix that I spent days researching and figuring out a fix. The other guys are going to be charging to wipe the system down, which is the most disruptive thing you can do for a customer. I'm going to be charging for the same amount of time and a better fix with a quicker turnaround.

There have been times when it has actually made me more money in the end. I don't remember the specifics any more, but years ago there was a strange problem with Windows or Office that I couldn't find any fix for other than "wipe it". And it was getting to be a common problem in my shop. With a little bit of experimentation I concluded that all I had to do was delete a "Microsoft" directory somewhere in the user folder and the problem went away. So yeah, I spent a couple of days figuring it out, but after that it was literally a 30 second fix.

I am just addressing the bold parts.

I honestly don't mind nuke and paves. Why? Because I automate a ton of it. Back up the data with Fabs. If you aren't using that then yes it will be a time waster. This program grabs a lot of the default stuff. Reinstalling Windows 10 takes 15 mins or so. 30 mins at max. Windows 7 will take a little longer but there are fixes on this forum to help speed along the updates process.

I'd rather not spend 3 days fixing a problem because I want to give the computer back to the client. People aren't in as much need of their PC, especially if residential, as they would be of their car. But I would be annoyed if my mechanic was trying to figure out an issue when there were alternative solutions. Granted you offer the client solutions and let them choose.

If you want to spend 3 days working on an issue better to do it on your time and not on the clients. Research the issue and file it away for next time.

You can charge more for the quicker fix because you already know it, instead of having to work longer to make that money up.
 
Nothing wrong with what you are doing. I've done the same thing since 1996 and chances are high I'd be able to disable a virus like that before most people can do a full AV scan. I still do a full AV scan so it doesn't really save me time on issues that AVs detect but at least I'm prepared for anything new. I could nuke and pave when I was a kid and for that to be a technician's go-to procedure kind of disgusts me a bit. I understand where they are coming from but it's just not for me.

So I thought it was the perfect opportunity to use my old trick of editing the small EXE with Notepad to save a corrupted version of it, then reboot. For viruses that watch for deletion and put themselves back this has always worked. Instead of deleting it, corrupt it and reboot. When it comes back up the corrupted EXE fails to run and you can then delete it. But with these it didn't work. They fixed themselves.

I've never done that before, it should be more reliable to simply replace the .exe in question with a renamed notepad.exe as whatever is launching the exe would easily be able to add a file replacement procedure on launch error.
 
I've never done that before, it should be more reliable to simply replace the .exe in question with a renamed notepad.exe as whatever is launching the exe would easily be able to add a file replacement procedure on launch error.
Well, yeah, if you want to go the obvious way with it which, yeah, never really crossed my mind before...

I am just addressing the bold parts.

I honestly don't mind nuke and paves. Why? Because I automate a ton of it. Back up the data with Fabs. If you aren't using that then yes it will be a time waster. This program grabs a lot of the default stuff. Reinstalling Windows 10 takes 15 mins or so. 30 mins at max. Windows 7 will take a little longer but there are fixes on this forum to help speed along the updates process.

I'd rather not spend 3 days fixing a problem because I want to give the computer back to the client. People aren't in as much need of their PC, especially if residential, as they would be of their car. But I would be annoyed if my mechanic was trying to figure out an issue when there were alternative solutions. Granted you offer the client solutions and let them choose.

If you want to spend 3 days working on an issue better to do it on your time and not on the clients. Research the issue and file it away for next time.

You can charge more for the quicker fix because you already know it, instead of having to work longer to make that money up.
I've had one vacation, a 3 day weekend during which I took support calls, in 15 years. I can count the number of sick days I've taken in that time on one hand. I don't do this "on my own time". Business hours are for working on computers. My own time is just that, at least when I have a say in the matter. I don't even like to talk to people about their computers after hours.

My customers always know they have the option of me just wiping it to get it back faster, but I've found that people generally hate having their computers wiped, at least in my business. This doesn't work the same and that doesn't look the same and they hate that. And I hate dealing with the customer who just can't accept that it's impossible for me to get the computer back to them exactly like it was before I wiped it.
 
I cap my Virus Cleanup charges to 2 hours as well. So I think you are doing good by your customer. There's no way it is fair for the customer to pay much more than that. I also charge a minimum of 2 hours for the cleanup as well. So no matter what the customer pays for 2 hours. Even if it only takes me 15 minutes. So I pretty much look at it as you win some and you lose some. Most of the time I can cleanup a virus pretty quickly. So I make easy money. Sometimes I come across a computer with a new virus and I have to spend more time on it. I try my best to try to figure out what the virus is doing and log exactly how I manually remove it so that I can easily remove this particular virus from another clients computer. If the virus is really difficult and I have already spent a few hours on it... then I contact the customer and suggest a backup / reinstall if they are in a rush to get it back. If they aren't in a rush then I let them know I'm going to look into it some more but that if I still have difficulty cleaning up the virus I would strongly suggest a backup / reinstall. I let them know that in cases like this sometimes it's best to start fresh anyways since the virus could have already caused damage to system and could cause them issues in the future even if we do get it cleaned up.
 
That's pretty much me exactly, except that I occasionally do insist on a wipe and reinstall when I am pretty sure that I can't get it perfect.
 
I've had one vacation, a 3 day weekend during which I took support calls, in 15 years. I can count the number of sick days I've taken in that time on one hand. I don't do this "on my own time". Business hours are for working on computers. My own time is just that, at least when I have a say in the matter. I don't even like to talk to people about their computers after hours.

My customers always know they have the option of me just wiping it to get it back faster, but I've found that people generally hate having their computers wiped, at least in my business. This doesn't work the same and that doesn't look the same and they hate that. And I hate dealing with the customer who just can't accept that it's impossible for me to get the computer back to them exactly like it was before I wiped it.

That is all good stuff. I cap virus removals around 2 hours generally as well when on site, which I'd rather not do but it happens sometimes. In cases where files are corrupted and stuff gets messy I give them the option and strongly suggest it.

Fabs autobackup puts a lot of the files right back where they were. Only issue is when you are facing legacy software or specific stuff that is PITA to get a hold of. Otherwise they just want their bookmarks and pictures back to where they were previously.

In your original instance, I would just think it is time to call it and reload if after trying numerous things no solution has been met. But to say that a wipe and reload is the first thing that would come to many of the techs' minds here would be incorrect IMO.
 
That is all good stuff. I cap virus removals around 2 hours generally as well when on site, which I'd rather not do but it happens sometimes. In cases where files are corrupted and stuff gets messy I give them the option and strongly suggest it.

Fabs autobackup puts a lot of the files right back where they were. Only issue is when you are facing legacy software or specific stuff that is PITA to get a hold of. Otherwise they just want their bookmarks and pictures back to where they were previously.

In your original instance, I would just think it is time to call it and reload if after trying numerous things no solution has been met. But to say that a wipe and reload is the first thing that would come to many of the techs' minds here would be incorrect IMO.
I cap all in-house work at 2 hours EXCEPT data recovery. If data recovery can be done in 2 hours, no problem, same rate. But for any data recovery which takes more than 2 hours I charge an extra $10 an hour and a 3 hour time cap. I've had things take nearly a week to scan and recover. If I have a bench computer down a day or two I have to charge more.

For on-site work, there is no cap. I really HATE on-site work with a passion! Especially the free installs when I sell a computer. Everybody wants you to come to them, but nobody wants to pay for it. They see "free installation" and think that means "Take down the old computer and move it to a different room, run a new cable to connect it to the Internet, remove all the viruses and malware from it, then set up the new computer, unbox the new printer and install it or, even better, install the old printer, but the disks don't work with the new OS so you have to download 350MB of drivers on their 1.5Mb connection out in the country, oh, and then look at the toaster and see if it can be fixed. And by the way, transfer data from the old computer to the new computer using a USB flash drive, which you didn't bring because it says right on the Sales Order AND Invoice that the installation does not include on-site data transfer, but that's okay because I have a 4GB flash drive you can use to transfer 150GB of music and movies a few at a time."

I also had to implement an emergency fee when one customer waited 5 weeks and finally got the service for free because literally everything that came in was an emergency. Implemented the emergency fee years ago and I think I've charged it something like 3 or 4 times. You would be surprised how many emergencies are far less urgent when it's going to cost an extra $50.
 
Yeah I am not too crazy about on site work myself, especially with those clients that go off the deep end talking about various things. Others I really enjoy, but when it comes to things like Virus Removals and Nuke and Paves I'd much rather take it back home and get it done there.
 
I have one customer that's a family run business and the family is chatty as hell. I'll be doing something complicated where I have to read the screens and choose the right options or start all over and they'll be talking to me about just random stuff or asking me unrelated computer questions. I can't hold a conversation and concentrate on what I'm doing at the same time, so it's really annoying.
 
The perfectionist approach that you guys are describing, while perhaps personally satisfying, is a terrible business practice and I'd strongly advise anyone starting out not to take this approach to the extremes that you're talking about.

Furthermore, if you actually want to survive long term in this business get away from domestic stuff and get into pretty much anything else - MSP, B2B, coding, consulting - anything other than domestic stuff.
 