Priority zero projects, or how family tech crises trump client projects

Chip Camden describes halting work on a client project to fix his daughter's PC, which was infected by a Trojan. Let us know how you handle priority zero projects.

We consultants often have to juggle priorities to keep all of our clients happy. Usually it's easy enough for a client to define their own priorities, but it can be hard to know which client's #1 needs doing first. And then once you've sorted that out, along comes the priority that pre-empts them all.

I sat down to my workstation on Sunday with a plan to devote the entire afternoon to an important project for a client of mine. I had almost worked myself into the zone, when the phone rang. I wouldn't have answered it, except that it was from my wife. Our daughter's PC kept popping up a "My Security Shield" warning about infected files. When she clicked the button that offered to take care of the problem, it asked her to buy the full version. She couldn't dismiss it, and it stayed on top of other windows.

This sounded suspicious to me. A quick Google search revealed this to be a known Trojan -- the only infection is "My Security Shield" itself. At this point, I felt a mixture of relief and regret. Relief that I don't let my family members use administrator accounts, in spite of the inconvenience that causes for them. Regret that I never forced them off Microsoft Windows.

Naturally, my daughter's unfinished homework project (which was due the next day) existed only on that computer, so I had to abandon everything else I had planned to do in order to fix this.

As I've pointed out before, I'm a software development consultant, not a PC repair guy or even a network administrator. Being a techie, though, I often take on those roles for my own systems, even when it might be more efficient to let someone else handle it. Those of you who do specialize in this area have my permission to snicker at this account of my proceedings, and please offer suggestions on what I could have done better.

I walked my wife through the steps I found online to remove the Trojan, but we couldn't find any of the supposed registry entries or files. I then had her update her anti-virus database and run a full scan, still no dice. I found another package that claimed to take care of this specific compromise, but it didn't do the job either.

"You've worked well with me over the phone," I said to my wife. "As well as anyone. But this has become a hunting expedition, and I need my own eyes to hunt. I'll come over."

After I arrived, it didn't take me long to find it: a cryptically-named .exe in my daughter's AppData directory with a creation date of that same day. After I deleted it, the problem went away. Then I spent a couple of hours trying to figure out how it got there. My daughter claimed she hadn't downloaded anything, and her Downloads directory confirmed her innocence. She said she hadn't opened any email attachments or clicked on any ads or offers online. I looked for any other files with recent dates that might be the delivery mechanism, but I came up empty. The fact that two different anti-malware programs failed to find it, and that we couldn't find any of the known files and registry entries, tells me that this was a new variant of the "My Security Shield" Trojan -- updated to get past the known checks. It hasn't returned since, but I keep waiting to get the call.

I'm telling you this story, though, to ponder my other problem: my entire afternoon of working for my client got pre-empted by free work for my family. I've written before about keeping support favors from taking too much of your time, but in this case I could hardly say "sorry, I can't help you." Family comes first, even in the technical realm.

Of course I have to wonder what non-techie parents do in a case like this. I suppose they drop everything and rush the computer in question to their local PC repair expert. Considering how many billable hours I lost dealing with this myself, I probably should have done that as well, but that would have probably seemed cold-hearted on my part.

About

Chip Camden has been programming since 1978, and he's still not done. An independent consultant since 1991, Chip specializes in software development tools, languages, and migration to new technology. Besides writing for TechRepublic's IT Consultant b...

73 comments
JohnMcGrew

...I don't know how "civilians" survive ITdom.

tv_p

I recommend you keep creating Restore points to rescue you. This is not a 100% solution, but it works in 99.9%.

SaadHusain

It happened at night and I had an important presentation to get ready for tomorrow. Fortunately, I had a SuperBootDisk and was able to boot up off the CD and get the file. I then transferred it onto another computer and both were happy. On the weekend, I was able to research and fix the problem. Post Mortem: Have SuperBootDisk and a free computer always available. And of course - back up.

Thump21

Chip, (this is all just a thought, not a criticism) kudos on taking care of the family, but you may have missed the objective that might have allowed success in both arenas. The mission could have (should have?) been to get a copy of the homework assignment file(s) copied off (e-mailed off?) to another computer. This would likely have taken less time and frustration than trying to resolve the problem. A Safe Mode boot-up in Windows (or a USB WinPE) likely would have allowed grabbing the file to a USB flash drive, and you could return to your work while the family sought out another computer to use until you were able to focus on the problem without such distractions as supporting your family. --just a thought, I've been there myself.

RTHJr

I had three computers infected the same way and my research found that Adobe Flash and Java had reported vulnerabilities. All someone had to do was go to, say, a news web page, then a dynamic ad rotary pane would invoke Java or Adobe Flash and trigger the vulnerability.

David.Izen

If it's essential (and homework due the next day tends to fall into this category for any parent - you want to show it's important that work gets done on time, and that the work has a value) then enterprise practices apply. It doesn't need to cost big bucks to ensure data is backed up and there's a spare old workstation around that allows any PC to be expendable. Data is safe and homework can be finished on a working PC averting panic and giving time to fix the infected PC without having to miss an afternoon pigeon-holed as client time.

cd003284

To approach the question, I need useable definitions for "priority zero projects," "family tech crises," and "client projects"; otherwise it's very simple: that which provides home, hearth, food, medical care, etc. comes before that which does not.

Rick in PA

We got hit with "My Security Shield". The pop-up is crafted to look a lot like a typical Windows warning, and it's easy for someone to be duped into clicking on it. Somehow it installs without administrative rights. After reading a 20-something step removal guide that might remove it (it seems to thread itself deep into the system, at least that was my impression), I just re-imaged the disk.

gdburton

I also would not claim to be an expert, a "competent jobber" maybe. Infections are almost always a "hunting expedition", especially as most infections do not advertise themselves as clearly as "My Security Shield". So the steps are: 1. Identification (may require scanning with a number of different tools). 2. Researching a number of solutions, as typically, as you found, they do not all work out as well as described. 3. Implementation of a fix that does work. 4. Test/scan that there are no other remnants left. If you can get this done in 2 hours you have done well! Investigations of how it got in are rarely productive or commercially justifiable, especially when "clients", and especially teenagers, are not always forthcoming with the important damning information. :-) Further suggestion: concentrate on the immediate problem (the homework); extract and print off the file in its current state. Then introduce the client to a reliable, fall-back document production technology developed a few years ago, called a PEN! (Sorry, been there, done that!)

jevans4949

The few times I've had to deal with this sort of virus, I've found it helps to unscrew the drive from the infected machine and stick it in a USB caddy device. You can then delete the problem files and run your favourite antivirus on it, bypassing the malware's defences. It works with an XP system anyway. I don't think you can always blame the "daughter"; sometimes these things are hidden in perfectly bona fide websites. Most don't say "Click here to download malware."

IT

In most cases, overcoming the difficulty that faces you is the only choice you have, no matter whether it is efficient or not. Keep in mind, a problem before you is bigger than a very big problem before a group of people.

bp1argosy

*chuckling* Chip, you did the right thing - because it's true: family comes first. I'm an IT consultant myself (one of those PC/network guys you mentioned), and if I had someone working for me who ignored his own daughter's needs, I'd be concerned about that person. Doesn't matter if it's a homework assignment due the next day .... or even if she DID mistakenly click on something that caused the infection (against your own strict and Thor-like orders!) .... she's your daughter, and she and your wife needed your help. That's what dads do. You help when they call, chastise them if they did something they need to learn from (she didn't), and then you kiss them on their cheek and send them on their way ... after first extracting a promise to remember that THEY owe YOU a "favor", to be collected at some point in the future. After all, that's what the Godfather movies were all about - right?

westafer

I always tell my customers and family that when they are on the internet and get a pop-up that says there is an issue, they should never ever click anywhere in the window. This is different from years past. You could always click no/cancel and be OK. Then you had to click the red "x" and be OK. Now the best thing to do when getting these pop-ups is to turn off the computer with the power button. Clicking anywhere on the security box will install it to the computer and life will turn into a living He!!. Always repair and scan the computer in safe mode at the next start up. This can eliminate it from the take over and allow the system to be cleaned as well as running a virus scan of choice.

kfields

..but here are the first basic steps I use that have proven pretty effective in the majority of cases with Trojans like this: 1) If noticed early like in this case, perform a system restore. This has a good chance of disabling the bug. 2) Scan with tdsskiller. 3) Install and scan with MalwareBytes. Working on the 80/20 rule this seems to be effective in my experience as steps for the 80.

dave

Having owned an IT consulting business for a decade and having personally fixed/cleaned dozens of infected computers over the years I can say 'you done pretty good Chip!'. In my experience the 'cleaning' tools rarely solve the problem and in many cases only mask it, which is worse. I have found MalwareBytes to be one of the most effective detection and removal tools, but it's far from 100%. The key to your success was identifying the .exe responsible for the symptoms, and you were lucky that deleting it was a) possible and b) successful. More sophisticated malware would have held that file in use so you could not delete it or would have put a hook on any changes to the file so it would be alerted when you attempted to delete it, and in the background 'reinstall' itself creating a new version of the .exe under a new name so you would think you fixed the problem when in fact it still existed and would come back to haunt you down the road. I frequently use tools from SysInternals (available for free download) like Autoruns, Process Explorer, MoveFile and others to identify and eliminate permanently the related files and registry entries. Basic procedure is: a) Use Process Explorer to identify the owning process of the pop up window and get details on that process to identify the file from which it originated. Drag the little target from Process Explorer and drop it on the popup. P.E. will take you to the process info. Also use Autoruns to check processes that are automatically started when Windows launches and look for suspicious entries, usually the malware will not be 'signed' with a certificate and will have seemingly random filenames like fajos3fa.exe or similar. b) Boot in Safe Mode with minimal processes running and hope the malware isn't smart enough to launch anyway (sometimes you have to boot into another OS or utility that doesn't launch Windows) and delete the malware file. 
Also search the registry for references to that file and delete them (beware that deleting reg entries can cause other problems; be careful or find an expert to assist). Also run Autoruns and delete or at least disable any suspicious entries (this too can result in necessary processes not running on reboot, so only delete if you are dead sure). c) Boot normally and run through the detection process again to be sure the malware didn't find some sneaky way to reactivate itself. Also know that Microsoft provides free support for malware removal and they have lots of nifty tricks that are too involved to discuss here, like using permissions to make execution of the malware file impossible, etc. Bottom line, the average PC user, heck the advanced PC user, probably will fail to fully eradicate malware manually. Best bet for users is a 'real' professional (not the high school kid next door) or spend a few hours with MS support.

info

I'm surprised you haven't come across these before, even if it's a new variant. Although, like you said, you specialize in software apps. You did the right thing in helping your kid, and I'm thinking that, like me, you reevaluate things 'on the fly'. Your client's project could probably take the time hit, or they'd be understanding. Or, like me, you just make up those hours into the night. IT can be a b**ch at times... The only critique I could offer is that you should have called a contact that you know in the deskside/network support realm for their advice. I ran into this same one again yesterday, and what I've found to work is: a) Run your favourite malware program (mine is MalwareBytes) as Administrator. Fortunately, this bypasses the .exe registry hack these things implement to stop programs from running. For now. *Sigh* b) In this case, MalwareBytes came up empty. No surprise, as these things evolve. Since there's a known threat, a quick download of ComboFix from 'bleepingcomputer.com' is in order. After disabling Symantec Corporate AV, running ComboFix cleared the threat. I could also have tried McAfee's Stinger, which specializes in these particular threats, but it didn't occur to me at the time. They're getting better. One almost got past me because it was on a computer I suspected of having a faulty hard drive, and imitated the EXACT error messages that would have occurred from a massive MFT failure. Then a 'Tech Scan' window came up that I'd never seen before, but it looked 'Microsofty' enough that I let it slide. When the report showed many errors, I wasn't surprised, but the item that said 'Hard Disk RPMs below accepted range' tipped me off. Not many tech 'programs' would know that. *Sigh* Just another variant of this MalWare... I've watched people AS they've got these. They do NOTHING. The sites they happen to be on are mainstream, heck, the first one I witnessed was on Chevrolet's website! 
The popups just happen on their own, and they go by most 'mainstream' AV programs (I've seen MS Security Essentials and Symantec Corporate AV) like they don't even exist. I'm about to adopt ESET's NOD32, and we'll see if that fares any better.

Your Mom 2.0

Wow, can't imagine blowing off an important project just to remove malware on my child's PC; guess either you're a better dad than me or you just don't need your client's business that badly. No critique here on your approach to removing the Trojan, but I disagree with your choice of priorities. How about just turning off the PC & doing something else until Daddy finishes his work? Don't get me wrong, I'd be right there for my family if this had been an actual emergency, but I can't imagine ignoring work for my clients just because my daughter couldn't check her Facebook or something.

Sterling chip Camden

At the time, we didn't have another computer that was suitable for the project. To prepare one would have taken about as long as fixing the problem.

Sterling chip Camden

... to always save documents to the server (which gets backed up daily), I wouldn't need to worry about client time. But nobody listens.

HAL 9000

Peace and quiet so you can do your work that provides "that which provides home, hearth, food, medical care" is what comes first. If you don't have a suitable environment in which to work and are constantly being nagged to do something, or because you didn't do as you were asked, particularly when you are supposed to be on free time, you don't get any of the work that provides "that which provides home, hearth, food, medical care" done, and worse still you increase the billable hours with little to no results, which means that you lose another customer and have even less chance of doing "that which provides home, hearth, food, medical care, etc." Col

DarkGuardian

You could also use a bootable Linux flash drive and accomplish the same thing (and not have to open the machine). Works great in a pinch. Personally, I have 2 drives going, one with the OS and programs, the other with all my data. For a laptop, you could hard partition before you install the OS. Either way, it's often the quicker solution. While it's fun to try to figure out how, and 'beat' the malware, I find it's quicker and more efficient to simply wipe and reinstall/reimage the OS drive, and get the user back to functional. And you're absolutely right, can't blame the user on this one. They're annoying and sometimes unavoidable. Just need to educate so they recognize it themselves (what their AV *actually* looks like) and what to do (Task Manager or Alt+F4; never click since the X may be part of the ad; update and scan immediately; contact your IT POC immediately). My wife now just jumps up and finds me as soon as anything she doesn't recognize pops up (even if it's just Firefox looking to update lol).

apotheon

Back when I did catastrophic malware infection cleanup for clients on a regular basis, I was the guy who had an almost intuitive grasp of how to quickly and effectively hunt down every last trace of a piece of malware in the registry and on the filesystem, expunging it all with extreme prejudice. That is not a job for the faint of heart. It has been years since I have practiced that particular skillset. It's a soul-sucking occupation, and I've moved on. These days, I protect myself from MS Windows malware by basically not using MS Windows at all. My advice to others is to keep backups on Unix-like systems, use filesystem integrity auditing on those systems to make sure data files remain clean, and -- if something goes wrong on the MS Windows system -- wipe, reinstall, and reload data from backups. Anything short of that on MS Windows is just begging for trouble. It helps to use PXE boot for MS Windows, too.

wdewey@cityofsalem.net

This is pretty much what I do. Another red flag can be the location the .exe is running from. If it is running from a temp directory, a user's profile or from the Windows directory (and it is not a Microsoft executable) then it is suspect. Side note, I believe Chrome by default runs from the user profile because it can be installed without local admin privileges. Bill
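The Process Explorer / Autoruns red flags in dave's comment above (unsigned, random-looking filenames such as fajos3fa.exe) and the path heuristic in this comment (temp directory, user profile, or a non-Microsoft binary in the Windows directory), turned into a small triage script as an added example. This is not code from the post, from either commenter, or from Sysinternals; the entries and signer names are constructed sample data, and the scoring weights and the 4-point threshold are assumptions.

```python
"""Autorun triage heuristics (added example).  Constructed sample data; the scoring
weights and the 4-point threshold are assumptions, not anything from the post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AutorunEntry:
    """One auto-start entry: file path, code-signing subject (None if unsigned),
    and the file's age in days."""
    path: str
    signer: Optional[str]
    days_old: int


# Locations the comments call out: a user profile or temp directory, or the Windows
# directory when the binary is not Microsoft's.
USER_DIR_RE = re.compile(r"\\(AppData|Temp|Users)\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\Windows\\", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """True for machine-generated names like 'fajos3fa': digits sandwiched between
    letters, or a run of five or more consonants once digits are stripped."""
    s = stem.lower()
    if re.search(r"[a-z]\d+[a-z]", s):
        return True
    letters = re.sub(r"[^a-z]", "", s)
    return re.search(r"[^aeiou]{5,}", letters) is not None


def score_entry(entry: AutorunEntry) -> Tuple[int, List[str]]:
    """Score one entry; returns (score, reasons).  Weights are assumed: 2 per hard
    red flag, 1 for recent creation, which on its own is normal (updates, installs)."""
    flags: List[Tuple[int, str]] = []
    is_microsoft = bool(entry.signer) and entry.signer.lower().startswith("microsoft")
    if USER_DIR_RE.search(entry.path):
        flags.append((2, "runs from a user profile or temp directory"))
    elif WINDOWS_DIR_RE.match(entry.path) and not is_microsoft:
        flags.append((2, "runs from the Windows directory but is not a Microsoft binary"))
    if entry.signer is None:
        flags.append((2, "not code-signed"))
    stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        flags.append((2, f"random-looking filename '{stem}'"))
    if entry.days_old <= 1:
        flags.append((1, "created within the last day"))
    return sum(w for w, _ in flags), [reason for _, reason in flags]


def triage(entries: List[AutorunEntry], threshold: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Entries scoring at or above the threshold, highest score first.  A signed
    browser living in AppData (the Chrome case in the comment) scores 2 and is not reported."""
    hits = [(e.path, *score_entry(e)) for e in entries]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


# Constructed sample entries; signer strings are illustrative, not real certificate data.
SAMPLE_ENTRIES = [
    AutorunEntry(r"C:\Users\student\AppData\Roaming\fajos3fa.exe", None, 0),
    AutorunEntry(r"C:\Users\student\AppData\Local\Google\Chrome\Application\chrome.exe", "Google LLC", 120),
    AutorunEntry(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", 400),
    AutorunEntry(r"C:\Program Files\Mozilla Firefox\firefox.exe", "Mozilla Corporation", 30),
    AutorunEntry(r"C:\Windows\Temp\kzxq8w.exe", None, 1),
]

if __name__ == "__main__":
    for path, score, reasons in triage(SAMPLE_ENTRIES):
        print(f"[{score}] {path}")
        for reason in reasons:
            print(f"      - {reason}")
```

Only the two unsigned, randomly named binaries in AppData and Windows\Temp are reported; the signed Chrome install in the user profile picks up the location flag alone and stays below the threshold.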

apotheon

Any site with unsafe JavaScript loaded in a browser as complex as Firefox can run afoul of cross-site scripting, so that the malware doesn't even have to come from that site's servers to arrive via its webpage. That doesn't mean the Chevy site's servers weren't sending you malware -- just that it doesn't have to have done so for it to look like it was. Flash is another likely source of client-side exploits, and car company sites love to abuse the heck out of Flash.

PMPsicle

A lot of these *#&*(*&(^(**&))*))(*)^^%*(* (more than 4 letters I know, you do the math :D ) are actually distributed through ads. The *&^! just buy an ad in a server then upload the virus. Unsuspecting ad distributor sends the ad to an unsuspecting content provider and guess who gets hit? (Even worse, the answer is all three! There are times I HATE computers.)

AnsuGisalas

You mean it doesn't come pre-disabled, what lousy service :D :p I don't know, I've heard ghastly things about McAfee and Norton, both... don't know if the corporate version is any better... Or did you mean corporate AV as in "forced on me by corporate"?

apotheon

I don't know what article you read, but the article I read did not describe things in a way that suggested anyone "blew off" an important project. He just rearranged his schedule. . . . and the article specifically mentioned homework due the next day -- a homework "project", which suggests more than just one night's math problems or something relatively trivial like that. There was nothing in there about how she couldn't "check her Facebook or something." I think these problems of misunderstanding wouldn't happen if you bothered to read a little more closely. Attention to detail is important.

ed

The article said the only copy of his daughter's homework project was on this computer, so the entire free (maybe cheap, too) world would come to an end if the problem were not resolved that afternoon. Been there, done that. Was even more entertaining when it was my wife who was in school. One of the more memorable experiences was in WP 5.1 for DOS (I'm afraid this may hint at how long I've been doing this) when my spousal unit asked a question about starting a new project. Regrettably, she left out a detail or two, one of which was that the current project had not been saved... Fortunately, we had a spare bedroom. Over the non-attached garage. With no heat, AC, or plumbing.

apotheon

Tell it "fetch" and you've got a getter, but without a setter you've got no dog in the fight at all.

apotheon

0x7fffe45cccb8 (That's the value of argv, in case you're curious.) Merry Christmas.

info

It's like Ford vs. Chevrolet. I saw McAfee catch things that Norton missed, and the other way around... I tended to avoid both, but the Symantec Corporate AV versions from 7-10.x were actually pretty good for what they were. They just fell a bit flat on these new Malware threats, and their new EndPoint packages aren't as easy on CPU and memory as Corporate was. ComboFix doesn't like any other active scanning program running, and hints at dire consequences should the two tangle... ;)

Your Mom 2.0

I'm assuming the homework couldn't be copied to another machine via flash drive or over the home network? And yes, there is a risk of the malware infection copying itself to the flash drive, but it's fairly minimal with this particular Trojan, & just copying a couple of data files is fairly low-risk.

apotheon

Family concerns regarding computers can be very trying. When my mother calls with a new complaint, I wonder how she managed to be a "Senior Systems Analyst" (and similar things) for more than thirty years without learning more about how her computer works than the client I used to (privately) call "The Luddite". Oh, well. ENOCLUE

apotheon

I see catching that was no problem for you.

Sterling chip Camden

Any dereference that doesn't cause an exception is a (relatively) pleasant one.

apotheon

Have you ever seen a pleasant dereference? edit: Maybe silence indicates taking exception to that remark.

apotheon

Well . . . that's a pretty unpleasant reference.

Sterling chip Camden

Setters are fine, but they aren't pointers. Maybe that's for the better, though -- most pointers aren't smart enough to refrain from leaking on you.

apotheon

Well . . . it's definitely on par for Debian these days, relative to FreeBSD. At least the frustration isn't taking a byte out of my face like MS Windows would.

apotheon

It's a 64b processor plus a bit of frustration.

Sterling chip Camden

That's "arg" with a voiced, bilabial fricative finish. /me notes that you're on a 64-bit system (or at least 48-bit).

wdewey@cityofsalem.net

Probably a slightly different version since Chip's daughter was using Firefox vs IE. Anti-virus manufacturers update their signatures quickly and even 24 hours is oftentimes enough to go from not seeing a virus to completely removing it. Bill

wdewey@cityofsalem.net

Had a couple people running AVG free on older systems. After an update their PC slowed down to a crawl. Ended up adding additional memory which fixed the issue (went from like 512 MB to 2 GB). Bill

ultimitloozer

I removed the same piece of crap from a neighbor's computer 2 days ago. Merely required restarting the computer in safe mode, logging in as Administrator, updating the Malwarebytes database and running a full system scan. Found 3 droppers in the IE temp folders and the trojan itself sitting in the user's AppData directory. Because of this, I am surprised that Malwarebytes did not find it in your case.

ultimitloozer

I've seen some of these newer ones go right on by it and it isn't worth a damn for virus removal. I currently use Norton 360 and it doesn't have a problem blocking the drive-by downloads at the firewall; never hits the hard drive at all. Not sure of how well Avira and Avast are at preventing the infections, but they seem to be good at removing them. AVG - both free and paid versions - is probably the biggest resource hog but my neighbors who are using it have not been calling me with malware issues.

Greenknight_z

ClamAV is no protection. The best free AVs are Avira, Avast, and Microsoft Security Essentials, install one of those instead.

Sterling chip Camden

I don't like either Symantec or McAfee. Her system had ClamAV installed, and I downloaded MalwareBytes after the problem occurred. Neither recognized this one.

apotheon

Using a "flash drive" to transfer files off an infected computer is an awful idea, if the computer to which you plan to transfer the files is set up like a standard MS Windows system. All it takes is for an infection to stick a malicious autorun.inf file on the USB flash storage device, and the next computer with autorun enabled that touches it will be infected too. I used to do malware catastrophe recovery professionally, at one point having to recover data from a computer in a medical office that (no kidding) had literally thousands of discrete infections on it. I have seen people infect multiple systems trying to take exactly the sort of advice you would give, and had to clean up all of those systems when I got there so that data could be recovered from all of them safely before they got nuked and paved to provide a clean system onto which to load the recovered data. If there was anything Sterling did wrong (and I'm only guessing here), it was in not immediately copying data to an external drive, wiping and reinstalling the laptop, changing system configuration to secure it (including deactivating autorun), and scanning the recovered data before copying it onto the freshly reinstalled laptop. Then again, that might have doubled the time he spent on Sunday trying to solve this problem. I'm glad he didn't follow your advice. The last thing we need is more people who know just enough to be dangerous, and not enough to realize it, going around spreading infections secure in their half-baked knowledge that they have The Answer. It's even worse when some clueless know-it-all actually insults people for not having that same level of misguided confidence in the wrong idea.

Sterling chip Camden

My daughter was very pressed for time -- she finally finished the assignment the next morning before school. My wife's system was not set up to be able to work on the project, and doing so would have taken about as long as I spent getting rid of the virus. Letting her use one of my systems wasn't an option I considered seriously.

PMPsicle

Yes, he might have been able to use a flash drive. In cases (which is what this blog article is) the author simplifies the situation to illustrate his point. He may not have had another computer his daughter could work on. It was a Sunday and he may not have wanted to work on the project. He may have been breaking family agreements by working on a Sunday. His daughter might NEED the time (10 pm "Oh, I've got homework!"). He may have simply gotten so far into it that he couldn't get out. He may not have thought of using another computer. Or he may have told her to wait and was just telling us he started. You don't know. There are any number of reasons. And unless he shares you will never know. So just accept that Chip considers his family more important than his work. Add your suggestion certainly, but accept his judgement.