Feb. 13th, 2005

[identity profile] fuego.livejournal.com
Let me precede this story for those of you who haven't seen them...some of the ads for Apple's newest Powerbook show the 3 computers in a row with the same graphic on them. A picture of a pagoda by a river. It's kinda pretty. But it was the last thing on my mind when I picked my last call up this evening...

Skippy: "Hi. Um I'm a little embarrassed about this but um...you know that pagoda picture in the ads for the new Powerbooks?"

Me...has to think a minute "Huh? Um...oh yeah, that. Cool picture."

Skippy: "Yeah well, see I bought the computer because of that picture."

Me(*Boggles*): "Okay..."

Skippy: "Well I'm kinda upset that it wasn't included as one of the backgrounds and I want the picture. Where can I download it?"

Me: "Um...I don't think it's available for downloading. In any case, it's not on our website."

Skippy: "Ok...well can you tell me where I can find it?"

Me: "I wouldn't even begin to have a clue. Like I said, I don't think it's available."

Skippy: "Okay...can you tell me the title of the picture?"

Me: "I don't know. I don't have access to the background information on our ads. I only see the finished product, like you."

From there it dissolved into several minutes of the customer repeating the same questions, demanding that I transfer him to the marketing or advertising department (which I have no ability to do). I tried suggesting that he Google for "pagoda wallpaper" or something like that...he wanted me to promise that he'd find it there. Yeah, right. And just generally rendering me unable to speak for several minutes afterwards.

I think this replaces the woman who was going to return her computer because it didn't have a solitaire game on it as most insane call ever.

[identity profile] coyoteden.livejournal.com
Did some testing with Microsoft's golden boy, Antispyware Beta 1.

Installed and updated it on the VPC, then did a quick scan. Result: None found, as expected. Snapshotted the state of the VPC. Started back up and went to our infamous cracks.am page in IE. MS Antispyware real-time agents are on. I followed the helpful flash about how to bypass the ActiveX block and let the site try to install whatever it wanted.

Results:

Immediately after clicking "Install" AVG went off, warning me that a few viruses had been detected. I clicked "Delete File" on every one of them, and all but the last one was deleted. However, for "optimize.exe" AVG told me the file was already in use. Checking task manager did indeed reveal a few new processes with random names.

Soon after, a new browser window popped open with a new toolbar. Oops. Oddly enough, MSAS shows it as a "Bad" toolbar in the System Explorer and soon popped up an alert that istbar.xxxtoolbar was "trying to install". A little too late there. So what happens now if we click remove? Nothing, but we get another alert saying 180solutions is trying to install. Remove? Sure. Are you sure? YES.

Preparing to clean... it closes the toolbar-laden browser. The sais.exe process is killed. And it's telling me the files as it removes them. Nice, but why were they allowed to run in the first place?

"Successfully removed." Do I want to run a full scan now? No, because there are more alerts. Istbar.xxxtoolbar is back. Remove it again? OK.... And the alert comes right back. Remove. This time it actually does "Preparing to clean..." As it finishes, the alert about ISTbar pops up again. So I clean again.

This time it doesn't come back, but something is trying to change my search page to couldnotfind.com. Block. Are you sure? Yes, dammit. No more alerts. Ok, so real-time protection has kind of done its job. The toolbar is gone from IE, but there's still WebRebates0.exe, Webrebates1.exe, and Sdaovj.exe running... Now for the scan.

I hit "Spyware Scan" and use the defaults. It finds 11 threats, including two variants of IST, the 180Solutions it supposedly blocked, and 61 signatures for TopRebates. It also tells me there's 1 infected process running. I count 3. And our old friend CoolWebSearch is making an appearance.

Realtime missed all of this.

Hit continue to clean. Now the remaining nasty processes die, and when it's done removing files and settings I'm offered the option to "Restore my browser." This will let you set start, blank, and home pages for future un-hijacking. Couldnotfind.com has jacked the start and search pages, so we'll set the MS defaults. I thought I blocked that change in realtime.

After cleaning is complete, I closed MSAS and checked the system in HijackThis. There is a leftover toolbar entry, but the file it tries to load is missing, so it's harmless. Aside from that and most likely some leftover installer files, the system is clean.

Firefox protection: Visiting the same site in Firefox and allowing the Java applet to be trusted starts a randomly named process and from there the results are the exact same as using IE.

Verdict: The scan and clean works beautifully, but realtime protection needs some serious improvement.
