Tuesday, March 15, 2011

Major PC Clean Up Time

No, not for me. I run Linux, and don't have these problems.
The Church where my wife and I were married has a PC in their office that I've worked on a couple of times before. The last time it needed a new power supply, and while I was at it, I maxed out the memory, and installed a newer, bigger hard-disc. Well, I got a call from them the other day that they couldn't get on the Internet, so not having TOO much else to do these days, I drove over there to see what was wrong.
They had installed a Linksys Cable-and-DSL Router, which was working fine, but *something* had changed the way they connect using their Ethernet port. It had been set to use a proxy, which they don't require, and as a result, they couldn't connect. A simple change, and they were back on the Net in no time. Since I was already there, I went to see if Windows Update had anything new, and it wouldn't connect. Hmmm....we have Internet connectivity, but can't get to the WU site. So, I went to run the anti-virus/anti-spyware programs I installed for them, and they wouldn't run. Since they were using MacAfee, not one of my favorites, I uninstalled it, and tried to install AVG.
It would install, but wouldn't run!.
Now it starts to get interesting. I opened my Bag-O-Tricks, and grabbed one of my run-from-CD virus scanners.
HOLY SMOKES! They had 117 infections of various types that one program found, 57 more another program found, and a staggering EIGHT HUNDRED assorted types of Trojan Horses, keyloggers, password stealers, and other various pieces of malware that my third Magic Bullet found. At this point I wasn't going to be able to save the patient on-site, so I brought it home to work on.
I copied all their documents, photos, and records to a clean hard-disc, and ran various utilities on the drive to make sure their data was clean, and not booby-trapped with other nasty junk. Right now I'm running DBAN on the original drive, and after it's finished scrubbing the drive, I'll reinstall Windows and all the protection utilities I install for people. When I take it back in the next day or so, I'll give them a tutorial on how to use and update these programs, and a printed list of things to do weekly.
So how did this mess happen? They let a few of the church's youth group use the machine for a few hours, unsupervised, to ostensibly "check their email"! I didn't find any evidence of Adults Only sites being visited, but I did see plenty of file sharing and music downloading, along with a couple of visits to some warez sites. It's anybody's guess which site did the Drive-By Download on them, but the point is that it did happen. Whoever used the computer tried to cover their tracks, but if you know where, and how, to look, it's not terribly difficult to reconstruct.
From now on, the PC will be "Off Limits" to anybody but the office manager, and we'll be changing the passwords on it to something easy to remember, but hard to guess. I've also instructed them to watch their credit cards and bank accounts for suspicious activity, just in case any of the staff did any financial transactions while this PC was compromised.

2 comments:

  1. One of the more annoying ones I run into is the "Security tool" thing.

    I ALWAYS tell clients to never let a child on a computer that they rely on for work!

    ReplyDelete
  2. Yeah, I made it very clear to them that they could lose irreplaceable data, or financial reports, and they *seem* to understand.
    I told them if they really want a PC for the "youth" to use, I'll supply the PC, BUT they have to buy the monitor, keyboard, and mouse.
    And, of course, it will be running Linux!

    ReplyDelete

Keep it civil, please....