Good to bad in one day
Mar. 17th, 2010 09:58 pm

Well, of course. It was Wednesday again.
The good happened in the morning, before work. I got that limited palette exercise finished and actually it looks pretty decent for what it is, a color sketch on a 9 x 6 sheet of watercolor paper. For details and a link to the picture over on DA, check
argos' journal.
Work went downhill though. Around 5:30, when everyone left but the director and myself, we discovered that someone had let a disgusting trojan into one of the circulation desk PCs. This thing masquerades as an antivirus program called "Antivirus XP" (and of course I know perfectly well we have nothing of the sort installed) and claims that your machine is loaded with viruses and spyware and is being "attacked" from various network ports "RIGHT NOW" to try to get you to agree to a "free scan." The supposedly free scan either does nothing or else it installs more crap that will need to be removed. It disables any genuine antivirus software and turns off the Windows Firewall. Fortunately we have a good external hardware firewall, so I knew the claims about being attacked through various ports that are blocked by that device were phony. That in turn proved that the entire thing was a scam. Apparently it builds up to convince you to pay for a "full professional" version of their software, which doesn't really exist. Removing it is no doubt a nasty job too.
I shut the thing down and marked it "out of order." Someone is going to get their ears burned tomorrow, though. Probably it will take my entire work shift to clean this mess up. I suspect I'm going to have to hide Internet Explorer on those machines, and make them use Firefox with popups blocked and Adblock Plus active, since they just can't learn not to click on these stupid spyware things. I'd filter them down to a list of approved sites if I could get away with it, but I don't think the director will go along with that. Actually, I'd take Windows away and give them Linux, but so far I haven't been able to sell that either, despite the fact that other public service machines that the same staff have been using for three years now have only Linux on them. Most of them are blissfully unaware of the difference.
Weather was nice, sky was really clear. When I got home, Gary had left a note asking me to close the barn doors that he'd left open due to the nice weather. I went out to do it and saw the best star-studded sky I've seen in probably a couple of years. The moon is just a young sliver, so no light pollution from it, and the air was so clear that even the filthy commercial and subdivision lights from towns to the east of us were minimized. Orion and Canis Major were blazing high in the sky like I haven't seen them in what seems like forever. If only so many neighbors weren't afraid of the dark, we'd probably even have our view of the Milky Way back tonight, it's that clear.
no subject
Date: 2010-03-18 07:08 am (UTC)

Antivirus XP is a textbook example of malware done right - it is resilient to being removed, will recreate itself Brainiac-style from even the tiniest of remains, and fights with a vengeance against any kind of cleaning tool.
Take off and nuke it from orbit, it's the only way to be sure.
(Yes, this was me - feel free to delete the anonymous post)
no subject
Date: 2010-03-18 11:30 am (UTC)

You guys are giving me ammunition for putting Linux out there. Unfortunately we do have a couple of staff who are gullible enough to fall for those screaming pop-up things and I'm afraid that's what it was. Now, what they were doing on a web site that would have displayed one of those is the real question.
This also supports my age-old argument that antivirus/anti-spyware software is virtually worthless because it never keeps up fast enough. The machine had all the latest stuff on it. Symantec eats half the CPU with all its paranoia processes, yet this got in anyway.
no subject
Date: 2010-03-18 10:42 pm (UTC)

The trick is simple: Send in a normal-looking set of ads, let them run quite normally for a couple of weeks, then Friday night you patch in the evilness.
'Hilarity' ensues.
no subject
Date: 2010-03-19 11:21 am (UTC)

They are now switched to Firefox, with IE hidden from the desktop. I will install Adblock Plus on those machines this morning.
no subject
Date: 2010-03-18 09:34 am (UTC)

no subject
Date: 2010-03-18 11:34 am (UTC)

This really makes me angry. They've been told time and time again not to install anything on those machines, not to download stuff from the web, etc. They know better. I swear I'm going to put Linux on all three of them and be done with it.
no subject
Date: 2010-03-18 10:22 am (UTC)

Oh, and it spreads over local area network too, somehow. :-P
no subject
Date: 2010-03-18 11:36 am (UTC)

no subject
Date: 2010-03-18 10:33 am (UTC)

I was able to stall it the first time it hit here. Taskbar showed the process and I eliminated the file. Spybot removed a lot of it, but there was one element it missed, a .dll called iehelper_old.dll, and it came back with a vengeance. It wouldn't let me delete itself, so I renamed the bugger and everything ran okay again.
I flattened it a day later, as everyone above tells you to do, because once it gets in it leaves little bits of itself all over the registry. Think of that "Earwig" episode of Night Gallery with Vincent Price.
Oh, and if the staff person was doing their job then they really aren't to blame. This thing comes in through PDF and IE holes. If they were playing on the web outside of their duties, then sure, they violated your policies.
no subject
Date: 2010-03-18 11:42 am (UTC)

Some claim that it prevents Spybot or antivirus programs from loading. However, I ran a live update of Symantec and then a scan, which of course found nothing. Symantec is worthless and has been for years now.
I can ghost the hard disk if I have space on the network server for the disk image, but that's unlikely. Windows has grown to such a huge waste of storage and resources that I can't afford the spare disk space any more.
no subject
Date: 2010-03-18 02:07 pm (UTC)

However, Symantec is worthless for this. Spybot was blocked in one instance, and I loaded it via flash drive in another. My son's machine wouldn't start in safe mode, and staff did, but, well, blah blah blah... you know what you're doing. Good luck!
no subject
Date: 2010-03-18 04:45 pm (UTC)

I am going to try Spybot at least before wiping it, even though I got the go ahead to replace Windows with Linux on the machine if I can't recover without wiping the drive. Meanwhile, the machine is yanked and replaced with a much slower machine. I hid Internet Explorer on the front desk machines and installed Firefox as the default browser. Updated Adobe Reader to the very latest version (it was behind on all of them). Updated Symantec to the latest (it was already on yesterday's definitions but who knows...) And put signs on the temporary replacement machine telling them half a dozen things NOT to do. Watch, they'll do them all anyway.
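The thread describes two things a practitioner would want to verify on the quarantined PC before deciding between cleaning and reimaging: whether the rogue "antivirus" really switched off the Windows Firewall and registered itself as the machine's AV product, and where it persists (the comment above names an IE Browser Helper Object, iehelper_old.dll, that kept coming back). The script below is an added triage example, not code from the original post or its commenters. It is read-only: it lists the firewall state per profile, the AV products registered with Security Center, the Run/RunOnce autostart entries, installed IE BHOs and the Uninstall entries, and flags anything whose name matches the two indicators reported on this page. The registry locations and WMI class names are standard Windows ones; the indicator list is an assumption limited to what the page mentions and is not a complete signature for this malware family. It assumes PowerShell is available and is run from an elevated prompt, ideally in Safe Mode or from an offline boot, since the comments report the malware blocking cleaning tools on a live system.

```powershell
# Added triage example (not from the original post). Read-only: it reports, it does not delete.
# Assumptions: run as Administrator; PowerShell 2.0 or later; indicators below are only the
# names reported in the post and comments ("Antivirus XP" and iehelper_old.dll).

$Indicators = @('antivirus xp', 'iehelper_old.dll')

function Test-Indicator([string]$Text) {
    # Case-insensitive substring match against the indicator list.
    if (-not $Text) { return $false }
    $lower = $Text.ToLower()
    foreach ($i in $Indicators) { if ($lower.Contains($i)) { return $true } }
    return $false
}

function Show-Flagged([string]$Label, [string]$Value) {
    $flag = if (Test-Indicator $Value) { '   <-- REVIEW (matches an indicator from the thread)' } else { '' }
    Write-Host ("{0} = {1}{2}" -f $Label, $Value, $flag)
}

Write-Host "== Windows Firewall state (the rogue AV is reported to turn this off) =="
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $key = Join-Path $fwBase $profile
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        Write-Host ("{0,-16} EnableFirewall={1}" -f $profile, $enabled)   # 1 = on, 0 = off
    }
}

Write-Host "`n== Antivirus products registered with Security Center =="
# root\SecurityCenter on XP/Vista, root\SecurityCenter2 on Windows 7 and later.
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    $avs = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($av in $avs) { Show-Flagged ("{0} product" -f $ns) $av.displayName }
}

Write-Host "`n== Autostart entries (Run / RunOnce) =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSChildName etc.
        Show-Flagged ("{0}\{1}" -f $rk, $p.Name) ([string]$p.Value)
    }
}

Write-Host "`n== Internet Explorer Browser Helper Objects (CLSID -> DLL) =="
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in Get-ChildItem $bhoKey) {
        $guid = $clsid.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$guid\InprocServer32"
        $dll = if (Test-Path $server) { [string](Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        Show-Flagged ("BHO {0}" -f $guid) $dll
    }
}

Write-Host "`n== Installed programs (Uninstall entries) =="
foreach ($uk in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
    if (-not (Test-Path $uk)) { continue }
    foreach ($entry in Get-ChildItem $uk) {
        $name = [string](Get-ItemProperty $entry.PSPath -ErrorAction SilentlyContinue).DisplayName
        if ($name) { Show-Flagged ("Uninstall\{0}" -f $entry.PSChildName) $name }
    }
}
```

Anything flagged here is a reason to stop trusting the install rather than a cleaning recipe: the commenters' point that the malware regenerates from leftover pieces is exactly why the script only enumerates. A firewall profile showing EnableFirewall=0 on a machine behind a hardware firewall also confirms the in-post observation that the "you are being attacked on port X" claims were theatre, since those ports never reached the host in the first place.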