The call came in just the evening before. A rather exasperated
chap describing the strange symptoms exhibited by his hitherto
trusty laptop. Deadlines were approaching, and he needed to
justify the deal he'd made earlier which allowed him to work
more from home, as long as productivity remained satisfactory.
So... I had a context, and a good idea about the importance
of a solution to him. On the phone, I queried the type of
strange behaviour, and took notes about the messages displayed.
Anti-virus was detecting something, but apparently
couldn't clean the infected file(s), quarantine it, or even
delete it. That was earlier - a virus name had been mentioned
at the start of the troubles, but now even the AV was struggling
to stay active. Windows was dreary, like it had chronic fatigue,
and the mouse cursor played peek-a-boo on the screen, making
any kind of investigation tricky. (Unfortunately, the user
had never learned more than a handful of the keyboard shortcuts
to Windows navigation and control - could've been handy.)
Apparently, AV software had been set to update regularly
some time ago. The customer had no reason to think it wasn't
still being updated up to the point of infection, but, he
admitted, even if he could control the mouse now, he wouldn't
know how to prove the updates definitely happened. Still,
there was a Firewall. It had been recommended by a
friend some time ago, and was free off the Internet. It had
seemed happy enough - well, it just sat there in the
system tray, blinking once in a while. And there had been
some recent appearances of that blue globe icon related to
automatic Windows updates; it had been telling the customer
that there were some updates to download. And would he like
to go and get them now, and install them? Sometimes he did,
most times he didn't - "bit of a distraction, too busy,
deadlines, don't need a reboot right now, thanks."
On the phone, the make of AV had been determined, and the
appropriate updater files obtained for immediate application.
At the visit, first priority is stabilisation of the system
to effect control. Known non-critical processes are killed
off; and those that refused to die become suspects. Safe mode
scanning with AV updates determined 1 major culprit (the recent
variant W32/Mydoom.bc@MM - carrying the BackDoor-CEB.f
Trojan), and two separate hangers-on (Klez within
a zip archive, and an inactive MyDoom variant remnant
within a left-over quarantine folder from a probable earlier
AV installation, since superseded).
With current infections quarantined or deleted (actual cleaning
seems rare these days, since many recent virus-type/generated
files are only useless covers with 'seductive' names to solicit
user action), the firewall needed replacing. The latest
free version of the out-of-date one already installed is taken
from a TechScope CD, as an interim safety measure.
A modest slice of time passes as the firewall installs, then
another reboot, into normal mode.
With the firewall in place, set a second AV scan going to
verify, while taking a quick manual look at the registry for
start-up items, and other common areas of infection. Then
a review of Internet Options, Zone settings, Privacy, etc.,
locking down, playing safe as we go. Then it's back online
with updated AV on-access scanner (shield), while the manual
verification scan set running a while back chunters quietly
on a medium priority; and a new, free, low-featured, but effective,
firewall allowing some crucial, but safe, next moves.
A manual Windows Update scan from the Microsoft site; in
another IE window, it's to the AV site to check out the Library
info on the infections in order to make sure the details of
their legacy are accounted for - i.e. registry keys, droppers,
hidden batches. Print that off for reference. Wait for AV
scan to complete (may suspend Internet connection while waiting)
- system is clean - continue... Install the Windows Critical
Updates (WCUs) - 14 in total, and only 3 weeks since the last
batch, says the man. Let it settle - and restart.
Back to the firewall site - grab some info for the customer
about better options. Routine anti-spyware / -adware installations
are agreed, and implemented (a 40 minute job). Updates obtained,
scans taken, several dozen "New Critical Objects"
are removed and re-verified. Offline, all schedules for defence
systems are checked and secured. User account reviewed and
tightened. Customer's work is intact, and laptop ready for
use. Customer's deadline will be met, but customer agrees
to a further one-hour session later in the week for a review
of the operations taken, and some basic training in routine
maintenance habits. The visit took 3¼ hours this time,
but the hassle the infections incurred has inspired a certain,
and more serious, preventative notion within the user.
No more complacency, lesson learned, control regained.
"The patient has recovered well, but he's been put through the mill."
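As an added example, not part of the original write-up, here is a PowerShell script that automates the "quick manual look at the registry for start-up items" described above: it lists the Run/RunOnce autostart entries and flags any whose executable is missing, unsigned, or sitting in a user-writable folder. It assumes a current Windows host with PowerShell 3 or later (the XP-era laptop in the story would not have had it).

```powershell
# Added example, not from the original write-up: list the Run/RunOnce
# autostart entries that the manual registry review covers and flag the
# ones a responder would look at first. Run from an elevated prompt.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line: a quoted path, or the first token.
function Get-ImagePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-AutostartReport {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = $item.GetValue($name)
            $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $cmd))
            # Bare names such as rundll32.exe resolve through PATH.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $found = Get-Command $path -ErrorAction SilentlyContinue
                if ($found) { $path = $found.Source }
            }
            $flags = @()
            if (-not (Test-Path -LiteralPath $path)) {
                $flags += 'missing-file'   # dangling entry, or a dropper already removed
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
                foreach ($dir in @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)) {
                    if ($dir -and $path -like "$dir*") { $flags += 'user-writable-location'; break }
                }
            }
            [PSCustomObject]@{ Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join ',') }
        }
    }
}

Get-AutostartReport | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Entries with an empty Flags column are not proven benign; they are simply the ones that pass the quick checks and can be reviewed last.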