Thursday, April 14, 2011

Thursday - Early Childhood Visits

On Thursday, I had to run to the office to kick-start the mail server. After I took care of a few other issues in-house, I headed down to Fouke and to Texarkana for some troubleshooting.

In Fouke, one of the student machines got infected with the "Windows Repair" drive-by fake spyware program. I sincerely *HATE* these stupid fake spyware programs. They pretend to scan your machine and report all kinds of problems, when in fact the program itself is causing the problem! In this case, Windows Repair "scans" the computer, but what it is really doing is resetting all the attributes to HIDDEN and READ-ONLY for every single file it can get its hands on. Naturally, this produces all kinds of "drive errors" because the system cannot write to read-only files! It is brilliant in its simplicity. It is also a bugger to get rid of!

I tried to run Malwarebytes, but that was futile. Even in Safe Mode it was worthless because of the attributes, plus the program was outdated. So, time for the "hard way." I deleted the following files from Safe Mode:

Documents and Settings\All Users\Application Data\(random gibberish filename).exe
Documents and Settings\infected-username\Application Data\(random gibberish filename).exe

Unregistered and removed this:

Documents and Settings\All Users\Application Data\(random gibberish filename).dll

Then removed these:

Documents and Settings\UserName\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
Documents and Settings\UserName\Start Menu\Programs\Windows Repair\Windows Repair.lnk
Documents and Settings\UserName\Start Menu\Programs\Windows Repair
Documents and Settings\UserName\Desktop\Windows Repair.lnk
Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].dll
Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].exe
Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS]


I right-clicked on each folder in C:\ then chose Properties. In there, I unchecked the "Read Only" box and unchecked the "Hidden" box. I realize this is overkill and may actually serve to subject Windows to other issues at some point, but I needed the system up and running.


Once the attributes were changed, I rebooted and logged in as an Administrator. I updated Malwarebytes. I also disabled System Restore and deleted all the Temporary Internet Files (manually through a command prompt).


I scanned the machine and found three infections, which Malwarebytes cleaned up.


I rebooted and everything appeared normal.
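The manual cleanup above, as a script. This is an added example, not the author's own script or anything shipped with the tools mentioned: the paths are the ones the post lists for an XP-era profile layout, while the account name (`-InfectedUser`) and the random basenames the malware dropped (`-RandomNames`) are parameters because the post elides them. It differs from the manual procedure in one deliberate way: when clearing ReadOnly and Hidden it skips entries that also carry the System attribute (Windows hides those itself), and it only walks the profile and Program Files trees unless told otherwise.

```powershell
<#
Added example, not the author's script: a scripted version of the manual
"Windows Repair" cleanup described above, for the XP-era profile layout the
post uses. Assumptions: the infected account name and the random basenames
the malware dropped are supplied by the operator (the post elides them), and
the script runs from Safe Mode in an administrative PowerShell session.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]   $InfectedUser,                 # the infected account; name is operator-supplied
    [string[]] $RandomNames = @(),            # gibberish basenames, without extension
    [string[]] $Roots = @('C:\Documents and Settings', 'C:\Program Files'),
    [switch]   $WhatIfOnly                    # report instead of changing anything
)

$profiles     = 'C:\Documents and Settings'
$allUsersData = Join-Path $profiles 'All Users\Application Data'
$userProfile  = Join-Path $profiles $InfectedUser
$userData     = Join-Path $userProfile 'Application Data'

# Executables sitting directly in Application Data are unusual for legitimate
# software, so list them as candidates when the operator has no names yet.
function Find-SuspectBinaries {
    param([string[]] $Dirs)
    foreach ($d in $Dirs) {
        Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' }
    }
}

function Remove-Artifact {
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    if ($WhatIfOnly) { Write-Host "would remove $Path"; return }
    Remove-Item -LiteralPath $Path -Recurse -Force     # -Force also deletes hidden/read-only items
}

# Clear the ReadOnly and Hidden bits the malware set. Entries that also carry
# the System bit (desktop.ini, NTUSER.DAT logs, ...) are hidden by Windows
# itself, so they are left alone rather than stripped indiscriminately.
function Reset-Attributes {
    param([string] $Root)
    $mask = [int]([IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden)
    $sys  = [int][IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (([int]$_.Attributes) -band $mask) -ne 0 -and (([int]$_.Attributes) -band $sys) -eq 0 } |
        ForEach-Object {
            if ($WhatIfOnly) { Write-Host "would clear R/H on $($_.FullName)"; return }
            $_.Attributes = [IO.FileAttributes](([int]$_.Attributes) -band (-bnot $mask))
        }
}

if ($RandomNames.Count -eq 0) {
    Write-Host 'No -RandomNames given; executables found directly in Application Data:'
    Find-SuspectBinaries @($allUsersData, $userData) | Format-Table FullName, Length, LastWriteTime -AutoSize
    return
}

foreach ($name in $RandomNames) {
    $dll = Join-Path $allUsersData "$name.dll"
    if ((Test-Path -LiteralPath $dll) -and -not $WhatIfOnly) {
        & regsvr32.exe /u /s $dll                      # unregister the COM server before deleting it
    }
    Remove-Artifact $dll
    foreach ($dir in @($allUsersData, $userData)) {
        Remove-Artifact (Join-Path $dir "$name.exe")
        Remove-Artifact (Join-Path $dir $name)          # the bare random-named folder
    }
}

# Start Menu folder (with both .lnk files inside it) and the Desktop shortcut.
Remove-Artifact (Join-Path $userProfile 'Start Menu\Programs\Windows Repair')
Remove-Artifact (Join-Path $userProfile 'Desktop\Windows Repair.lnk')

# Temporary Internet Files, as the post clears them from a command prompt.
Get-ChildItem -LiteralPath (Join-Path $userProfile 'Local Settings\Temporary Internet Files') -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-Artifact $_.FullName }

foreach ($r in $Roots) { Reset-Attributes $r }
```

Run it once with only `-InfectedUser` to get the list of executables sitting directly in the two Application Data folders, then again with `-RandomNames` set to the basenames found and `-WhatIfOnly` to preview the deletions and attribute changes before committing to them. Passing `-Roots 'C:\'` reproduces the post's every-folder-in-C:\ approach, minus the System-flagged entries; the `regsvr32 /u` step corresponds to the post's "unregistered and removed" DLL. Disabling System Restore and updating Malwarebytes are left to the operator, as in the post.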


After that, I headed to the Supt's office, but he was out of town.


I went to Texarkana to work on their computers.


I had to install new A/V software on two machines. I set up a user password on one machine. That went smoothly, except on my way back to the office, the teacher called to tell me her computer was now running VERY slowly. I will be back there to check that out.
