Monday, February 15, 2010

Up all night with a sick computer

We were watching The Quiet Man at home the other night, minding our own business, and the question came up about which roles were played by Maureen O'Hara's brothers.

This being the modern age, I fired up the computer and went to IMDb.com, which has all the information about seemingly every movie or television program ever made.

And... the other night, at least... it apparently had something else, which explains why I've provided no link in the preceding paragraph.

One question led to another, and I jumped from page to page within the movie website, looking up Maureen O'Hara's daughter and then her grandson. I clicked on no ads.

And, yet, suddenly, on my screen appeared a dire warning: Security Alert! My computer, the screen said, was unprotected against viruses and worms and did I want the latest protection?

Well, I pay for an anti-virus program, thank you, and I am not going to say "yes" to any pop-up that appears on my desktop uninvited.

I knew that much, but still made a near-fatal mistake: I "x"ed out the pop-up. It turns out that saying "yes" would have launched the virus. But so, too, would saying "no" -- or even trying to "x" the window out.

Now all sorts of boxes began popping up: Another security warning, this one saying that a scan revealed 34 separate infections on my computer. I saw an unfamiliar icon in the tray in the lower right-hand corner of the computer screen. It was a sickly green shield. I brought it up on my screen and saw it was running a scan of my system as part of an install routine. I tried to "x" that out, too.

The boxes became more threatening. Did I want to proceed "unprotected"?

Oh, yes I did, I said to myself through gritted teeth. I don't want this sort of "protection" at all. I realized almost immediately that I was under attack.

I tried "x"ing out of each box in turn. I launched my Norton program and ran the recommended quick scan -- but, despite the evidence of my own eyes, it claimed to find nothing amiss.

It found nothing wrong even though I could open no program without getting a stern warning that it was infected. The computer even claimed that Solitaire was infected... and it would not allow the program to be activated.

I closed out of Firefox and erased all temporary files as I did so. I thought that, since I had terminated the install program, I might by this method halt the invasion.

I was wrong. The virus began opening windows in Internet Explorer. First it started to open up Viagra.com -- then, when I "x"ed that out, it started to open up something called "adult.com." (I immediately suspected that this was not a site that dispenses parenting advice.) When I "x"ed that out, the virus tried to launch something called "porno.org." I kept "x"ing and the virus kept launching.

After receiving negative results from the Norton scan, I opened up the Norton Security Center which claimed that my virus protection was out of date. I happen to have a current, paid-up subscription, so I knew that was wrong. But there was a link below the message which promised more information and I clicked on it.

I was whisked to a site called "Antivirus Soft" where, for something like $50, I could get three months of protection against these sorts of dastardly attacks.

That's when I unplugged the Internet.

I learned later that this was the first reasonably bright move I'd made.

Once I disconnected, I tried running another scan. I hoped that the antivirus program would now realize the situation and take corrective measures. But it again reported that nothing was wrong. It also claimed to have looked at a significantly different number of files than it did on the first scan.

Einstein said that madness is doing the same thing over and over again and expecting a different result. I was angry, alright, but I was not mad. I resolved to try something different. Alright, I thought to myself, the quick scan found nothing. So the virus may be too deeply embedded. I should choose the comprehensive scan option this time.

I went ahead and clicked. This scan, at least, was obviously searching the entire hard drive -- I could see by the numbers of files searched and the locations being examined that this was the case.

But it was taking a long time.

Meanwhile, the virus, though no longer able to bring up the scary websites, kept trying. There is apparently a limit to the number of tabs that may be opened up in IE. I don't know what that limit is, but we exceeded it the other night by a factor of more than three -- by the time the comprehensive scan was concluded, a fourth IE window was open, trying vainly to launch Viagra.com, adult.com, or porno.org. There was a security warning box in the middle of my screen I could not "x" out. But I could move the Norton window to one side so I could see most of it.

And I and my son Jim (we took turns monitoring) saw quite a bit of that Norton screen in the six hours it took to run the comprehensive scan. Perhaps it was the glut of IE tabs that slowed the scan down. But at this point, I was -- belatedly -- not "x"ing anything out because it seemed to merely encourage the invader.

By 4:00 or 4:30am, the comprehensive scan concluded. And it concluded that nothing was wrong at all.

Alright, I thought, trying to project the calm demeanor of the test pilots immortalized in Tom Wolfe's The Right Stuff: I tried A; it did not work. I tried B; it did not work. Switching now to plan C....

This time, I tried shutting the computer off. After all, if I had prevented the install, all these problems were coming from something operating in a temporary buffer... and shutting down the machine would close that out, right?

Well... wrong.

At least this failure did not waste six hours.

I had to plug the Internet back in for a moment, at this stage, as I worked on Plan D. Since Norton was obviously compromised, I would have to go to the hardware manufacturer and see if I could obtain assistance from that quarter. I needed to look up and print out my warranty information. In so doing, I found out that Dell would not be available to talk to me until 8:00am. I also got to "x" out some more launches of Viagra.com, adult.com and porno.org. I disconnected the Internet again and got a couple of hours of sleep.

Moments after 8:00am I was on the phone with "Frank" from Dell. I don't know why so many computer companies insist on having their customer service people assume Anglo-sounding names -- but I'm pretty sure "Frank" was from well out of town -- and sure, too, that no one in his family calls him by that name.

"Frank" solved the problem by having me do a "system restore." First, we tried to launch this from the regular Accessories tab in the XP programs menu.

The virus would have none of this.

So "Frank" guided me through the process of rebooting the computer in "safe mode." To do this, one hits the "F8" key as the machine begins its boot cycle. Eventually, I did this correctly. From there, we could launch the System Restore program. We asked the computer to restore itself to a status a week before these unhappy events occurred -- figuring that, even if the virus was not attached to an imdb.com page but had instead been incubating for a while, we'd probably get to a time before the remora latched on.

This seems to have worked.

I later spoke with Vinkesh at Norton (I'm guessing that this may actually be the name by which he is known to his friends and family) to find out why the antivirus did not "see" the virus while the attack was on.

Vinkesh explained that the first thing a trojan horse virus does is identify and disable real security software. Neither "Frank" nor Vinkesh professed any knowledge of the fake product "Antivirus Soft" -- but both confirmed that I was the victim of a trojan horse attack. Vinkesh also recommended that, in the event of a future attack, the computer be immediately rebooted in safe mode and a virus scan launched then. But the key is never, never, never respond to the pop-up. Even trying to "x" the pop-up out would allow the virus to take hold.

I do not recount these adventures merely as conclusive proof of my lack of computer skills. Rather, I post this in the hopes that someone else may profit from my experience.

My wife pointed out that it would be particularly ingenious for the creators of this "Antivirus Soft" scam to embed their virus in old movie pages on IMDb.com. Twenty-somethings who have grown up around computers are not likely to investigate whether Maureen O'Hara had children. But straitlaced old fogies like me, the sort who might look up old movie facts, might be so terrified at the prospect of the uninvited launches of Viagra.com, adult.com and porno.org that they could be stampeded into clicking a "yes" button and providing their credit card information -- and at least $50 -- to make it stop.

But now you know that this would be a very bad idea.
