I took three support calls today. Not because I wasn’t working; I was working hard, but I still only took three calls.
You see, one of those calls was eight hours long.
I had someone call in from a seed company somewhere in Pennsylvania at the end of the day yesterday. I worked with him just long enough to determine that he had an adware infestation on his two-week-old system which needed to be cleaned out. He said he’d call as soon as I got in to work this morning.
As good as his word, he called me at 7:10 by my clock, 8:10 by his. I flipped around the call so I was in the right status to please the phone system, and we started work.
Very little went right after that. He and I started digging through the Task Manager, looking for processes that were running and shouldn’t be. And boy, we found them. We found frsk.exe, which is a browser hijacker, WinFavorites, which is adware, several chunks of 180solutions’ NCase, and something else using a process called “sysupd.exe,” which is EEEEEEEEEEEEVVVIIILLLLLLLLLLLL. CounterSpy identifies it as part of TSCash, a dialer that WILL NOT DIE. Kill it one place, and it spawns in three others. It’s as bad as Hydras. We killed and killed and killed, and I took him through Registry edits that had me sweating, and STILL it came back! (Fortunately, the customer was too blithely ignorant to realize the magnitude of the stuff I had him doing in the Registry, or he might not have had the courage to try.) Ad-aware wouldn’t touch this piece of code, Norton wouldn’t touch it, and everything I tried with the customer to delete it failed. (Hours too late, this evening I found this explanation of a way to own and kill the file.) At last, after four hours’ hard work, I admitted defeat and told the customer we were gonna have to go for a format-reinstall of Windows.
Doing a format-reinstall for Windows XP, adding back all the drivers from the Empire’s Resource CD, and installing and updating Norton Anti-virus 2004 (to try to protect him against future adware infestations) and TinyTerm, the terminal emulator he uses to communicate with the home office, took the other four hours. The whole time, I was alternately reassuring him he didn’t necessarily do anything “wrong” to end up with all this shit on his machine, and listening to him grouse (with very good reason) about people who let this kind of stuff loose on the Net. (What I kinda suspect he did was to let one of his kids Web-browse on this machine, but I didn’t want even to mention that possibility. Matters were bad enough as they stood.) When we broke off at three, I left him with the Word Perfect suite, MS Money, and Encarta still uninstalled, but I told him to try installing them on his own and to call me tomorrow if he ran into trouble. I expect I’ll call him to follow up, on general principles and because in Auric support we’re expected to “take ownership” of cases, and as nasty as this one was, it sure is a prime one for ownership.
Working the marathon meant I missed morning break, worked through lunch, and barely squeezed in afternoon break an hour and a half late. Good gods . . . I hope I don’t have another call like that one any time soon.