 
XYZAB
Jun 29, 2003

HNNNNNGG!!
Was just about to make dinner tonight when I got a frantic text message from my grandma saying her computer got locked down and it's telling her not to turn it off.

gently caress. I bought them a motherfucking iMac because I know they click on any loving link and don't know what the gently caress they're doing but "that's too hard, we'll stick to windows and risk having our entire life savings drained because mac is too hard. P.S. It happened again can you help save us." YES I CAN, USE THE loving IMAC FOR gently caress'S SAKE.

Anyway, so I went over there and it looks like some website in Edge had opened a full-screen "WE'VE LOCKED YOUR COMPUTER, DON'T YOU DARE TURN IT OFF. PHONE THIS NUMBER TO GET YOUR COMPUTER BACK!" warning, complete with a text-to-speech voice making all sorts of demands through the speakers, which I basically alt+tabbed out of and closed the browser, and everything seemed to be running completely normally... Or so I thought.

I copied the offending website's URL from Edge history, tried it again for shits and giggles, and it came back 404. By "URL" it was basically just a random IP address with some funky hashtag per-session code after it. I deleted everything after the IP address itself and it resolved to some sort of Brazilian hosting page. My best guess is that it runs a unique per-session thing that wouldn't be traceable after the fact, hence why I wasn't able to reproduce it, but I don't really know the ins and outs of networking poo poo to be fully sure.

My baseline assumption was that they just clicked too many stupid ads and got sent to this outwardly appearing malicious but otherwise harmless "ransomware lookalike" honeypot, but a few other things started popping out at me.

My grandpa volunteered some knowledge without being prompted that he pays a company called Nerds On Site $5/month to monitor their computer. I asked "Then why am I here? What value are they to you if this keeps happening? How are they monitoring you? What do they have installed on here?" "Oh, I don't know. He came to my door and told me he does this job for the Canadian Tire on this side of town so I let him in." "So you accepted some guy's cold-call, he installed some random stuff on your computer, and you pay him $5/month on the basis that he told you he's the systems tech for Canadian Tire?" "Yes." "Did he prove that to you in any way?" "No." "Does that not seem suspicious to you that a nationwide chain is relying on some random guy for their IT support, instead of what is very likely an on-site team?" "Well if you put it like that..."

GOD DAMNIT!

So I had him show me one of this company's recent bills. It listed its service as "Webroot monitoring." I have no idea what the gently caress that is, so I google it. I find a program called Webroot SecureAnywhere. I don't see any immediate red flags, but the results I am finding all seem obfuscated or fake in some way to trick me into thinking it's meant to be doing something that a non-technologically oriented person might consider to be technologically advanced. I'm not a tech guru, but I've been around long enough to know when something isn't right.

I searched "Webroot" on his computer and there it is. The first strange thing is that Windows Add/Remove Programs told me it was installed ten days ago on May 15th. Neither of my grandparents claim to have installed it, nor has anyone aside from them and myself touched that computer in the last ten days. I'm extremely confused how this program came to exist on their computer ten days ago if nobody physically installed it.

Second red flag. I opened the "Webroot SecureAnywhere" program and started poking around to see what its deal was. It looks like a regular sort of AntiVirus program, maybe Nerds On Site put this here long ago and I was unaware? The problem with that hypothesis is that I'm sort of their go-to tech guy for basic poo poo. I installed some Ram and an NVMe for them about three weeks ago, and copied their entire OS onto the NVMe, and basically made it 100x faster for them to click every loving bullshit link in the universe. I did all of the cursory checks at the time to make sure they hadn't hosed themselves to death with virus and malware yet, and I don't recall seeing this Webroot program at the time, as I'm sure it would have registered in my brain that they had something like this to ostensibly protect them.

Anyway, in the Webroot application, I find a tab that lists "Account information," so I click it, and discover it has a serial number listed, partially obscured, which suggests to me that someone has logged into this application in the last ten days and got the program signed in. I click a link that takes me to the program's login portal, and ask both of them "Do you recognize this login page, and can you log into it for me?" Neither of them have ever seen it before, don't know any login info. Okay, strange. There's a little button under the partially obscured serial number that says something like "Copy Keycode Info." I click it, expecting it to copy the serial number into clipboard for me to inspect, instead it shoots me an error that says:

"The keycode is currently hidden and cannot be copied."

What the gently caress? Then why would there be a button for me to copy the keycode? If this were a legit program, it would have done the thing it says. What the gently caress is going on here? The logic here is all screwy.

So I head back to google and type that exact query bounded by quotations on both sides and get four (4) unique results across the entire internet, and all four are from variations on the theme of VirusTotal's hybrid-analysis / adaware quarantine service. Basically, that exact search string happened to show up in the exploded sample text of at least four viruses submitted to those websites.

Which has me even more puzzled. Nerds On Site may have ostensibly installed this program, yet this program is throwing up red flags, and the exact text string of "The keycode is currently hidden and cannot be copied." is showing up in a few virus quarantine pages and nowhere else.

That's when I came to this thread and started reading it for tips. I installed Wireshark, watched a quick tutorial that basically in a nutshell told me that "If you see a "data" category listed in the hierarchical sorting view under TCP or UDP, basically there's some hosed up poo poo happening bruh."

So I captured all of the traffic over ethernet for a few minutes, sorted the data via hierarchy view, and saw that about 7% of all traffic was in this dreaded data category. I still don't know what this means. Then my grandma came in and started badgering me about "you must be tired, it's time for you to go home, thanks for fixing our computer," but because she's deaf I couldn't explain to her that it's not fixed, and had to relay through my grandpa that "No, it's not fixed, I think there's something incredibly wrong here, PLEASE DO NOT TURN THIS COMPUTER ON UNTIL SATURDAY!"

Basically all of the "data" traffic was connecting to a single port in the 64000 region, and literally right when I started to get an idea of what might be happening here, it's 10pm and I'm tired as gently caress and they won't shut up and leave me alone so I had to leave, and now I'm trying this out here to ask if anyone has anything they could point me towards insofar as blocking that port or if there's a cmd command that I can execute to fry every capacitor on that motherboard and force them to use the iMac because holy loving poo poo I hate playing the family tech support role, but I also know that if I don't do it, they're just going to hire some random loving idiot off the street to make their lives even worse. I loving hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it I hate it. I started using a mac in 2008 and told them to gently caress off and figure it out, and over time I forgot what a breath of fresh air that was to not be the family IT guy. But now I have a windows computer again so guess who needs help?

I love them both dearly but holy gently caress it's exhausting. They're turning 90 this year and they make a special trip to the bank every other week to reset their password because they forgot it. I wish I could just teach them how to use a Mac and never have to worry about this poo poo ever again. All they do is click button > look at funny email. The hurdle of jumping over to Mac to do the most menial trivial bullshit is practically nonexistent, but it might as well be the grand loving canyon. The only reason I think I have even the slightest confidence in my ability to at least help out in this situation is because I find network security in the broad sense, and social engineering/pen-testing specifically, to be super interesting fields and therefore I like to stay informed about all of the ways people trick other people. Only problem is that this inevitably coincides with me discovering how easy it is to trick old people literally all the goddamn time because I have grandparents predating the invention of the Monopoly board game who, through the grace of god, have a computer with internet access. :doh:

XYZAB fucked around with this message at 06:06 on May 26, 2023
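The capture step in the post (Wireshark protocol hierarchy, "Data" share, one remote port in the 64000 range) can be turned into a repeatable triage script. The example below is an added illustration, not something the poster or anyone in the thread wrote. It assumes the capture was exported with tshark as comma-separated fields (`tshark -r capture.pcapng -T fields -E separator=, -E occurrence=f -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -e frame.len -e _ws.col.Protocol`), and the rows embedded in it are constructed, not from the grandparents' machine. "Data" is simply Wireshark's label for payload it has no dissector for, so the script reports where that traffic goes rather than declaring it malicious.

```python
"""
Triage a tshark CSV field export: what share of IP frames is undissected
"Data", and which remote (ip, port) pairs carry it. Added example, not from
the forum thread. Columns assumed (tshark -T fields, -E occurrence=f):
  ip.src, ip.dst, tcp.srcport, tcp.dstport, udp.srcport, udp.dstport,
  frame.len, _ws.col.Protocol
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample rows (TEST-NET addresses, not a real capture).
# Local host is 192.168.1.20; 192.168.1.1 is the router (LAN-internal DNS).
SAMPLE_CSV = """\
192.168.1.20,198.51.100.7,51234,443,,,1420,TLSv1.2
198.51.100.7,192.168.1.20,443,51234,,,1500,TLSv1.2
192.168.1.20,192.168.1.1,,,51235,53,74,DNS
192.168.1.1,192.168.1.20,,,53,51235,120,DNS
192.168.1.20,192.0.2.10,51236,443,,,583,TLSv1.2
192.0.2.10,192.168.1.20,443,51236,,,1500,TLSv1.2
192.168.1.20,203.0.113.45,51400,64321,,,612,Data
203.0.113.45,192.168.1.20,64321,51400,,,310,Data
192.168.1.20,198.51.100.7,51234,443,,,1200,TLSv1.2
192.0.2.10,192.168.1.20,443,51236,,,1500,TLSv1.2
192.168.1.20,203.0.113.45,51400,64321,,,540,Data
192.168.1.20,192.168.1.1,,,51237,53,80,DNS
192.168.1.1,192.168.1.20,,,53,51237,96,DNS
,,,,,,60,ARP
"""


def summarize(csv_text, local_net="192.168.1.0/24"):
    """Count IP frames, count frames Wireshark labelled 'Data', and attribute
    bytes/frames to the remote (ip, port) on the far side of each flow."""
    net = ip_network(local_net)
    total = data = 0
    by_remote = defaultdict(lambda: {"frames": 0, "bytes": 0, "data_frames": 0})
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        src, dst, tsp, tdp, usp, udp_, flen, proto = line.split(",")
        if not src or not dst:
            continue  # non-IP frame (ARP etc.): no endpoints to attribute
        total += 1
        is_data = proto == "Data"
        data += is_data
        src_local = ip_address(src) in net
        dst_local = ip_address(dst) in net
        if src_local == dst_local:
            continue  # LAN-internal (router DNS) or external-only: no single remote peer
        # Remote side is whichever end is outside the LAN; pick its port from
        # the TCP columns if present, otherwise the UDP columns.
        remote, rport = (dst, tdp or udp_) if src_local else (src, tsp or usp)
        entry = by_remote[(remote, int(rport) if rport else 0)]  # 0 = portless (ICMP)
        entry["frames"] += 1
        entry["bytes"] += int(flen)
        entry["data_frames"] += is_data
    return {
        "total_frames": total,
        "data_frames": data,
        "data_share": data / total if total else 0.0,
        "by_remote": dict(by_remote),
    }


def suspicious_endpoints(summary, ephemeral_floor=49152):
    """Remote (ip, port) pairs with undissected payload on a port in the
    dynamic range (49152-65535 per RFC 6335), where no registered service is
    expected. Returns (ip, port, bytes, data_frames) sorted by bytes, descending.
    A legitimate agent on a custom port looks identical here, so this is a
    list of things to look up, not a verdict."""
    hits = [
        (ip, port, e["bytes"], e["data_frames"])
        for (ip, port), e in summary["by_remote"].items()
        if e["data_frames"] and port >= ephemeral_floor
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    print(f"{s['data_frames']}/{s['total_frames']} IP frames are Data "
          f"({s['data_share']:.1%})")
    for ip, port, nbytes, nframes in suspicious_endpoints(s):
        print(f"  {ip}:{port}  {nbytes} bytes in {nframes} Data frames")
```

The output names the remote address and port to chase next; on the Windows box itself `Get-NetTCPConnection -RemotePort <port>` shows the `OwningProcess` PID, and `Get-Process -Id <pid>` names the binary behind it, which is how you tie the flow back to (or away from) the monitoring software.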


XYZAB

CaptainSarcastic posted:

I'd strongly consider copying out whatever data they want/need from the machine, putting it on external media (and scanning the poo poo out of it), then nuke and pave, followed by a fresh install where they don't have the admin password, and install something like Teamviewer or use the built-in Windows remote assistance function in case they actually need to install something that isn't malware on their limited user accounts.

Or install Linux and skin it to look like Windows. They could even keep using Edge!

My parents are late 70s, early 80s, but luckily I haven't had to deal with anything like the level of crap you're describing here.

What’s the go-to Windows virus scanning software these days? I’ve been able to stay completely oblivious of this stuff for 15 years and it seems like there’s been a huge divergence in that time between pseudo-fakeware/malware/bloatware consumer “virus scanners” that don’t do poo poo, and corporate virus suites that cost an arm and a leg but actually do the thing they advertise.

Revoking their admin privilege sounds like a great idea after I nuke their current install though, so thanks for that idea.

This is all a huge pain in the rear end for me, even more so than it might be for anyone else, because I have an extremely painfully advanced case of dry eye disease, and the amount of time I have to spend in front of a screen literally makes my eyes feel like they're being cut by a thousand razor blades. I might just opt to say "no more Windows computer for you, I'm sorry, but the way you use it I would literally rather kill myself than keep dancing on this tightrope." Not really, but I tend to not want to spend my time doing the things that aggravate my condition. I.e., tech poo poo, reading, etc. Again, though, if I don't help them, it's akin to just throwing them into the lion pit and them not understanding why they're being eaten.

Edit: Please tell me there’s a dedicated Linux distro skinned like Windows specifically for this situation. Alternatively what’s the go-to distro for something like this?

Cup Runneth Over posted:

Yep, that definitely sounds like a rootkit, export the family photos then flatten and reinstall. You might consider some parental monitoring software (get it?) to keep them out of trouble if you can't just tow their PC out of the house and force them to use the Mac.

Please tell me there is also actually a thriving parental monitoring software industry, for the love of christ.

XYZAB fucked around with this message at 17:07 on May 26, 2023

XYZAB

PerniciousKnid posted:

They're 90, just tell them Windows stopped selling new computers.

I upgraded their computer from a 500 GB 5400 rpm boot disk to a 1 TB NVMe drive, and from 4 GB of RAM to 20 GB, which helped me uncover that their system wants to use 7 GB at all times and was likely the reason their poo poo was slow as hell all the time. The NVMe was just the icing on the cake after that. Their computer experience went from absolute dogshit slow to hyper-futuristic Minority Report level quantum speed and their answer is still "if my printer don't work I'm buying a whole new computer." Okay grandpa. :thumbsup:

But now I need some advice for me:

I have an HP Z640 workstation running dual Xeon E5-2690 v4s. Would there be any benefit going from my current 2x32 GB dual-rank memory configuration to an 8x8 GB single-rank RAM configuration in this system? Each CPU is listed as having four memory channels, so ideally to get the most out of this system I should have all eight available DIMM slots filled, right? Does it matter if I populate all 8 slots with single-rank vs dual-rank memory? How much of a bottleneck is a 2-DIMM 64 GB configuration compared to an 8-DIMM 64 GB configuration, really?
