[identity profile] mouser.livejournal.com posting in [community profile] techrecovery
Maximum number of toolbars found on a single system: five

Maximum number of virus programs: two (but a coworker found three on one...).

Date: 2009-06-09 04:53 pm (UTC)
From: [personal profile] falnfenix
you're just starting to chip the surface, there...

Date: 2009-06-09 05:05 pm (UTC)
From: [identity profile] xforge.livejournal.com
Do individual instances of spyware and hijackware count? And this would not even include cookies; I once did a salesman's laptop that had over 500 pieces of hijackery, and I'm not even sure I got them all.

Date: 2009-06-09 05:23 pm (UTC)
From: [identity profile] vampireborg.livejournal.com
I'll admit to using the StumbleUpon toolbar mostly because it amuses me to go Wiki hopping.

My favorite scan that I did, it still amuses me four years later. Win 2K box, someone went to go play poker. Whoops.

Image

Date: 2009-06-09 05:23 pm (UTC)
From: [personal profile] falnfenix
and?

when i worked at my old job (hospital IT), we'd have to reimage one machine in the ED every few weeks. it wasn't in a public area - the techs just don't know how to use the computers for work purposes. even when the department's computers are thoroughly locked down, it's surprising how much crap they manage to install.

basically: get used to it. it won't get much better until they're all logging into a terminal server.

Date: 2009-06-09 05:37 pm (UTC)
From: [identity profile] wolfhound668.livejournal.com
I had a developer start at my company about three months ago. Within a week his laptop had to be reimaged due to a nasty zero-day virus. Two months later he did it again.

This guy works in IT and in theory at least should know better.

Date: 2009-06-09 05:43 pm (UTC)
From: [identity profile] jimbojones.livejournal.com
I actually have the most perniciously infested computer I've ever seen on my workbench right now. Not so much in terms of "most random crap on it" - it's not even close, on that category, I've seen machines with ten or so toolbars and any number of other pieces of crap on them - but just in terms of how VILE and impossible-to-repair it is.

I took this damn thing as far too much of a personal challenge and spent nearly seven hours on it, pulling every stop out - I booted into Linux from a boot CD and ran CHNTPW (Offline NT Password and Registry Editor) and deleted files, ran ComboFix, GMER, MBAM, and more while booted into Windows, you name it. Seven fucking hours. After seven hours, I thought I had it licked - I'd gotten clean scans on MBAM and ComboFix, antivirus programs would actually run without me needing to rename their mutexes so the installed rootkits wouldn't lock them or send them to the debugger, AVG was getting updates... life was good.

Well, life was good for maybe five minutes - then AVG started reporting rootkit agents in NDIS.sys and about ten or fifteen more actual, legitimate, necessary-for-operation Windows system files.

At that point, I said "fuck this noise" and did what I should have done after two hours - pulled the machine and taken it back to the lab to salvage data C-A-R-E-F-U-L-L-Y and nuke the rest from orbit.

This is the XP Service Pack 3 workstation of a user who has only needed one other cleaning in the past two years (which was done only two months ago), and whose only bad habit is looking for internet games to play. Not gambling, mind you - the best I can figure from the forensics of the thing is that she originally got nailed by a trojaned version of a free game called "Diner Dash".

Sigh.

find /mnt/sda1 \( -name '*.exe' -o -name '*.com' -o -name '*.sys' -o -name '*.dll' -o -name '*.tmp' -o -name '*.cmd' -o -name '*.bat' -o -name '*.scr' -o -name '*.pif' \) -delete
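A quarantine-instead-of-delete variant of that find command, added here as an example and not code from the thread or its poster. It walks the same extension list over an offline-mounted Windows drive, but moves each match into a quarantine tree that mirrors the original paths and records a checksum manifest, so a file the owner actually needed can be restored before the drive is wiped. The function name, the dry-run default and the quarantine directory layout are this example's own assumptions; the mount point (/mnt/sda1 in the original) is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the thread.  Safer counterpart to
# "find /mnt/sda1 ( -name *.exe ... ) -delete": quarantine, don't delete.
#
#   quarantine_executables MOUNTPOINT QUARANTINE_DIR [apply]
#
# Without "apply" it is a dry run: candidates are listed on stderr and
# nothing moves.  The number of candidate files is printed on stdout
# either way.  With "apply", each file is moved to QUARANTINE_DIR under
# its path relative to MOUNTPOINT, and "checksum relative-path" is
# appended to QUARANTINE_DIR/MANIFEST before the move.
quarantine_executables() {
    mnt=$1
    qdir=$2
    mode=${3:-dry-run}
    list=$(mktemp)

    # Same extension set as the original command.  The patterns are quoted
    # so the shell cannot expand them before find sees them, and -iname is
    # used because NTFS/FAT file names are case-insensitive (GAME.EXE too).
    find "$mnt" -type f \( -iname '*.exe' -o -iname '*.com' -o -iname '*.sys' \
        -o -iname '*.dll' -o -iname '*.tmp' -o -iname '*.cmd' -o -iname '*.bat' \
        -o -iname '*.scr' -o -iname '*.pif' \) > "$list"

    count=0
    # Redirected loop (not a pipe) so $count survives in this shell.
    while IFS= read -r f; do
        count=$((count + 1))
        rel=${f#"$mnt"/}                 # path relative to the mount point
        if [ "$mode" = "apply" ]; then
            mkdir -p "$qdir/$(dirname "$rel")"
            # Checksum before moving so the manifest describes what was taken.
            if command -v sha256sum >/dev/null 2>&1; then
                sum=$(sha256sum "$f" | cut -d' ' -f1)
            else
                sum=$(cksum "$f" | cut -d' ' -f1)   # POSIX fallback
            fi
            printf '%s %s\n' "$sum" "$rel" >> "$qdir/MANIFEST"
            mv "$f" "$qdir/$rel"
        else
            printf 'would quarantine: %s\n' "$rel" >&2
        fi
    done < "$list"

    rm -f "$list"
    echo "$count"
}
```

Run it once without "apply" and read the list on stderr; system files such as ntoskrnl.exe or a legitimate ndis.sys will be in it, which is exactly why the original -delete is a one-way trip and the drive should be treated as salvage-then-reimage rather than repaired in place.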

Date: 2009-06-09 05:55 pm (UTC)
From: [identity profile] vampireborg.livejournal.com
Twelve thousand registry keys scanned, THIRTY THOUSAND infected. It was awesome for me as the PFY intern to have to fix.

Date: 2009-06-09 06:51 pm (UTC)
From: [identity profile] bothunter.livejournal.com
May I suggest DeepFreeze from Faronics? (http://www.faronics.com/)

Date: 2009-06-09 08:05 pm (UTC)
From: [identity profile] amynnah.livejournal.com
I just passed this around the Support Groups... :D

They thank you for the laughs. :)

Date: 2009-06-09 08:37 pm (UTC)
From: [identity profile] bothunter.livejournal.com
Then let them be local admin. DeepFreeze will just undo all of their stupid mistakes!

Date: 2009-06-10 02:02 am (UTC)
From: [identity profile] ravenofdreams.livejournal.com
My toolbar record is nine. AV - two, at least that were updating.

Date: 2009-06-10 03:35 am (UTC)
From: [identity profile] the-s-guy.livejournal.com
Go get 'em, Edgar!

Date: 2009-06-10 04:44 am (UTC)
From: [identity profile] hyuga.livejournal.com
Really? Only five? I mean, don't get me wrong, that's a lot. But surely there's been worse...

Date: 2009-06-10 04:45 am (UTC)
From: [identity profile] hyuga.livejournal.com
I see this point has already been well made upthread :P

Date: 2009-06-10 04:49 am (UTC)
From: [personal profile] shirenomad
Whoa! That is not a small number! That is a BIG number!

Date: 2009-06-10 04:55 am (UTC)
From: [identity profile] vampireborg.livejournal.com
OMG KENSHIN.

It never fails to amuse me that there were over twice as many registry keys infected as EXISTED on the system.
