Would You Trust Microsoft With Your Business?

Recently, a friend of mine asked me to look at his karate instructor’s computer. I went over there and the computer was continuously rebooting. It was running Windows 2000 and MSN as their internet provider. He, like most other computer users, did not have a backup of his software or data. He runs his business off of this computer, which has irreplaceable information from the past 10 years and has a program that manages all of his students, training, schedules, and billing. He said he does not have the CD that the program came on anymore as the last person that worked on his computer destroyed it. Microsoft in their infinite wisdom decided to set the computer up to automatically reboot when it encounters a blue screen of death, rather than show the error message and just let the user reboot on their own. I guess even Microsoft hopes that problems will just fix themselves. “No problem,” I thought, “I will just reboot into safe mode, set it to not reboot on errors, fix the problem, and I will be done.” Yeah right…

Of course nothing ever seems to be easy when you are fixing Windows. I don’t know how many Windows boxes I have helped clean and repair, but this one was far and beyond the difficulty of anything I have worked on before. I rebooted into safe mode, set it to not reboot on errors, and rebooted. I saw that it was a page fault in W32.exe. “Spyware,” I thought. Another reboot into safe mode, ran Spybot and AdAware, and several hundred pieces of spyware removed. Rebooted only to find that the computer would blue screen after it loaded Norton Antivirus.

I won’t bore you with the complete recount, but I removed about 50 viruses and several hundred pieces of spyware, some of which were particularly nasty. Microsoft’s System File Checker (sfc /scannow) refused to run, complaining that the RPC server was not running even though the Services Control Panel said it was. Norton Antivirus, Microsoft Word, Windows, and about 2000 other infectable files were infected with the W32/Virut.a virus. AVG Antivirus decided since it could not repair the virus-infected files it would delete them instead, which deleted Word, Internet Explorer, Registry Editor, and many other important things before I could stop it. I ended up working on this computer for about 20 to 25 hours, and there was still more I could have done to it, but they said they only needed to limp by for the next 3 months until they can purchase a new computer.

And now for my big list of what pisses me off about this situation:

  • Windows 2000 does not have a built-in firewall or antivirus, allowing this to happen in the first place. Windows XP has this, but Microsoft should have back-ported these to Windows 2000 as well.
  • Norton Antivirus had expired, meaning the computer wasn’t protected. I blame Norton whether the owners knew it was expired or not. Companies should not charge for virus definitions.
  • Norton Antivirus was the only program I found that said it could repair files infected with the W32/Virut.a virus. This sucks because Norton isn’t free (although they do have a free trial) and many viruses specifically target Norton and shut it down or reboot the computer when it loads.
  • AVG Antivirus deleted several key files that were infected with a virus and I fail to see how deleting everything, including Windows files, is an improvement when it leaves you with a broken system.
  • The Windows Task Manager sucks: it cannot close some tasks, it does not list some tasks, and it lists many tasks by the Windows name (such as svchost.exe). This definitely works to the advantage of spyware and viruses. I hope that Microsoft starts bundling Process Explorer with Windows now that they have purchased Sysinternals, but I doubt they will.
  • Windows will not let you delete files that are in use, which forced me to boot up a LiveCD every time I needed to manually delete a spyware file.
  • Even though there is a huge amount of great freeware for Windows out there, most are restricted to personal use only and not for small businesses. I had to give the computer back in the same vulnerable state, even though I did clean it off.
  • Why does Windows allow programs to execute from temporary directories? My Linux box doesn’t allow this. Most of the viruses and trojans on their computer came from Internet Explorer’s temp directory.
  • Rebooting Windows all of the damn time!
