I must be, the jobs I take on and how I try to fix them!
In this case, a regular customer for computer and sign work rang to say her HP All-in-one had a virus. I fired it up and instantly got the False Faulty HDD messages, very clever, even I was taken in by the quality of the dialog box – using the S.M.A.R.T. name – I really did wonder if it was a real message. I quickly booted into Ubuntu and ran a disk utility SMART Test on it, and it was perfect.
This infection is reasonably easy to get rid of, just a couple of executables in the Program Data directory, and away it goes. Obviously this was not the only problem, it never is!
All menu items had disappeared, and all files had disappeared off the system. This is to make a user think there really is a problem with the disk, and pay for the special software to fix it. It turns out that all files and folders had been marked “hidden”, and that all menus had been cut and placed into another folder. There is a small utility called “unhide” which restores most of this stuff. At this stage the system was looking almost normal.
The owner had let Norton expire about 10 months ago, and when I tried to install Microsoft Security Essentials as a replacement, it wouldn’t install. This sometimes happens when the OS is not up to date, so I tried to run Windows updates, and found that no Windows updates had been successful since May 2011!
So after running various other antivirus suites and getting rid of a few issues with each, I finally installed Avast, and let it do a scan. Avast used to be one of my favourites, but recently it has got a bit naggy, so I haven’t been installing it or recommending it so much. But in this case, it kept telling me about a root-kit virus in partition 4. At this point alarm bells really started ringing, as an HP All-in-one out of the box should only have 3 partitions, System, OS and Recovery.
Not wanting to do too much permanent damage, I decided to do full backups, and after backing up the whole of the OS file system using Ubuntu (much easier than Windows) I decided to clone the whole disk also. The clone fell over trying to process partition 4! Those alarm bells were getting louder!
I booted into GParted, and looked at the partitions, and found that a very small partition of just a few megabytes had been created in the few spare megabytes which are found at the end of every disk. It was named “.”, it was hidden, and it was the boot partition! I deleted it, made the System partition boot, and tried to recreate the MBR by using a Windows disk. The Windows disk blue screened repeatedly!
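The planted partition described above is the kind of thing a quick, scriptable check can catch before anyone opens GParted: read the first sector of the disk, walk the four MBR entries, and flag a partition that is active (bootable) yet only a few megabytes, that sits in the unused tail of the disk, or that pushes the count past the three an HP All-in-one ships with. The script below is an added example, not the author's or HP's own tooling; the 500 GB disk geometry, the partition layout and the rogue fourth entry are all constructed to mirror the situation in the post, and the thresholds (16 MiB for "tiny", 64 MiB for "tail of disk") are assumptions you would tune.

```python
import struct

SECTOR_BYTES = 512
MBR_SIZE = 512
# MBR entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> list:
    """Parse the four primary entries of a classic (non-GPT) MBR partition table."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,   # 0x80 = active/boot flag set
            "type": ptype,
            "start": lba_start,
            "end": lba_start + sectors,   # exclusive end sector
            "size_mib": sectors * SECTOR_BYTES / 2**20,
        })
    return parts


def audit_partitions(parts, disk_sectors, expected_count=3, tiny_mib=16.0, tail_mib=64.0):
    """Return (partition index or None, reason) findings that suggest a planted boot partition.

    expected_count, tiny_mib and tail_mib are assumed thresholds, not vendor values.
    """
    findings = []
    if len(parts) > expected_count:
        findings.append((None, f"{len(parts)} partitions present, expected {expected_count}"))
    # Anything starting inside the last tail_mib of the disk lives in the normally unused slack.
    tail_start = disk_sectors - int(tail_mib * 2**20 // SECTOR_BYTES)
    for p in parts:
        if p["bootable"] and p["size_mib"] < tiny_mib:
            findings.append((p["index"], f"active (bootable) but only {p['size_mib']:.1f} MiB"))
        if p["start"] >= tail_start:
            findings.append((p["index"], "sits entirely in the unused space at the end of the disk"))
    active = [p["index"] for p in parts if p["bootable"]]
    if active and max(active) > expected_count:
        findings.append((max(active), "boot flag is on a partition beyond the expected set"))
    return findings


def _entry(bootable, ptype, start, sectors):
    """Build one 16-byte MBR entry (helper for the constructed sample below)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, ptype, start, sectors)


# Constructed sample: a 500 GB disk whose boot flag has been moved from the System
# partition to a 2 MiB partition hidden in the slack at the end of the disk.
DISK_SECTORS = 976_773_168
SAMPLE_MBR = (
    bytes(446)                                      # boot code area (zeroed here)
    + _entry(False, 0x07, 2_048, 204_800)           # System, 100 MiB, boot flag removed
    + _entry(False, 0x07, 206_848, 940_000_000)     # OS
    + _entry(False, 0x07, 940_206_848, 36_000_000)  # Recovery
    + _entry(True, 0x07, 976_768_000, 4_096)        # planted: 2 MiB, active, in the tail
    + b"\x55\xaa"                                   # MBR signature
)


def main():
    # On a real machine you would read the first sector instead, e.g.
    # open("/dev/sda", "rb").read(512) from a Linux live system as root.
    for p in parse_mbr(SAMPLE_MBR):
        flag = "*" if p["bootable"] else " "
        print(f"{flag} #{p['index']} type=0x{p['type']:02x} start={p['start']} size={p['size_mib']:.1f} MiB")
    for idx, reason in audit_partitions(parse_mbr(SAMPLE_MBR), DISK_SECTORS):
        print(f"FINDING partition {idx}: {reason}")


if __name__ == "__main__":
    main()
```

Run it from a live Linux session against the raw device rather than from inside the infected Windows install, since a rootkit that can hide a partition from Explorer can also lie to anything that asks the running OS. The parser only understands classic MBR tables; on a GPT disk the MBR holds a single protective entry of type 0xEE, so a disk like that needs a GPT parser instead.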
So, I cloned the three remaining partitions, completely formatted the hard drive, and restored the partitions. After a bit of fiddling, including a Windows start up repair using a Windows 7 install disk, I got it all up and running again.
So all was good, not a single virus could be seen, BUT updates would still not download and install! I did a bit of research, and read a page by a very down to earth guy who said it doesn’t matter how you get rid of a root-kit virus, it’s just not worth doing it, there’s too much damage already done, and a Windows repair or upgrade is not going to fix the problems either. In the past I would have taken this as a challenge, but in this case, where the owner is totally responsible for the state of the computer, and bearing in mind that 15 hours had already elapsed, I bit the bullet, formatted the disk, and re-installed Windows 7 from a set of disks the customer gave me. Not the restore disks, but it does seem to have picked up most of the required drivers automatically.
Saved data is restored to the computer, Office re-installed (but probably not the correct version) and all Windows updates and service packs downloaded and installed. Just email (may need an Office upgrade, I have a feeling they were using Outlook!) and a few bits and pieces to go. I’ll leave most of the personalisation and other junk to the owner.
I could have saved myself a whole bunch of pain if I had just done that at the start!