The last two Sundays I’ve worked a total of 10 hours on a co-worker’s home computer trying to get rid of a virus she picked up. The virus doesn’t destroy files but it wreaks havoc with Internet Explorer, replacing your bookmarks and installing toolbars with links to gambling and pornography sites. The toolbars are very difficult to remove and hidden programs go behind you after you delete files and replace them with new versions so that when you start Internet Explorer the toolbars return.
The first Sunday I downloaded Microsoft’s updates to Windows that should prevent new infections of the virus (actually called a Trojan after the horse). Over a dialup this took a while: there had been about sixteen updates to Windows XP since Jenny bought the computer. Meanwhile the virus would fight back, interrupting the downloads by redirecting to other sites or just hanging up the phone altogether. I got stuck in a loop running one of the most popular tools for getting rid of this type of program called Spybot. It would spend 10-15 minutes scanning the computer, tell me about all the problems it found, offer to clean the up, then tell me it would have to get a few remaining ones when the computer restarts. Restart the computer and the thing reinstalls itself and Spybot is at a loss again.
I did some research and thought I had it figured out. I would reboot in safe mode and run the scan. But this didn’t work either.
The following Sunday I loaded the last of Microsoft’s security updates and introduced another anti-viral called Ad-Aware SE. It took just as long to scan the hard drive and was equally useless in removing the problem. But it was identifying some of the files so at least I knew the problem was CoolWebSearch. And I knew there were some bad processes going on in the background like instances of Internet Explorer that were hidden off-screen. But if you shut them down, they would start up again a minute later. Because Windows XP has so many background processes with indecipherable names, good luck figuring out which are legitmate and which aren’t. For instance, a process called “services.exe” is legitimate unless it is running twice in which case one of them is the Trojan.
The virus also thoroughly infects the registry, a file so large and complicated and yet so critical to the operation of your computer that Microsoft doesn’t want to acknowledge that it exists. This is more indecipherable stuff where it is very hard to tell what is legitimate and what isn’t. I was knocking stuff out left and right in there and next time I opened it they were back.
Eventually I read up on it some on the internet and found a program whose sole purpose was to rid your computer of CoolWeb, called CWShredder. Unfortunately their website was down this weekend but I found what I think is the latest version elsewhere and ran it. It says it caught almost everything and would catch the rest on the next reboot. And I think it may actually have worked, but it was hard to tell because I had something else that seemed just as resistant to removal. Plus the authors of CoolWeb have introduced variants that CWShredder (last updated in June) doesn’t know about. Commercial software like Norton or McAfee doesn’t remove this either since this is a Trojan and not an actual virus (somehow that lets them off the hook? They do protect against future infections, but so does updating Windows).
Anyway, I still haven’t fixed it. I may give it another hour or so before I reformat the hard drive clean, and install Windows and all of their other software from scratch.
Microsoft
I know that the evil people who wrote CoolWeb and other malicious adware that introduces pornography to people’s computers are to blame for this. But Microsoft clearly was an enabler. Windows XP was supposed to be secure when it was released a couple of years ago and yet they’ve had 16 critical security updates since plus two Service Packs so big you can’t download them over a phone line and innumerable recommended updates. Get behind on those updates and you are toast because the release of the update tells people where to look to exploit the holes in the security.
In older versions of Windows there was a folder called Startup. If you wanted a program to run when you booted up, you put a link to the program in the Startup folder. If there was something running you didn’t like, you went to the Startup folder and deleted the icon. Now it is stored in layers of folders of the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
They still have the Startup folder for amateurs, but that wasn’t good enough for Microsoft so they came up with this more deceitful way of hiding this. If a piece of software installs itself to start up automatically this is where it will hide and they don’t have to give you an option not to do it. CoolWeb gives you no option and also makes sure that anytime it starts up it puts itself back in the registry again.
The registry is so huge, complex, and unfriendly (except to evil software which gets to it with ease) that you really have to be careful about even opening it. But Microsoft stores just about every setting for your computer and software in there. It used to be the settings were stored in text files that had the extension .ini. You could edit those if you wanted, or just delete the .ini files for programs you didn’t want. Microsoft essentially threw all the virus writers in the brier patch by giving them a great place to hide out and where they could cause the maximum damage.
Also it used to be easy to do things like change the association of a file. If you wanted Paint to open .bmp files it was easy to make that happen. If you wanted to have Photoshop open them, you could make that happen. But Microsoft even made that incredibly complicated to the point where I really don’t know how to do it and am at the mercy of program to give me a preference that will steal back associations. This was such an unnecessary piece of added complexity.
Then, when Microsoft tries to simplify things, they really just seal your fate. I guess they thought people couldn’t deal with the 3-letter filename extensions. So by default they are hidden now. This is why when you get an attachment that looks like it is a text file message, it is actually a Visual Basic Script that can wipe out your computer because the .vbs extension is hidden but the filename of file.txt is visible (the file’s full name is file.txt.vbs but only the last extension counts and they hide that one).
You want to uninstall a piece of software? There was a time when this just meant deleting the folder it was in and maybe having a leftover .ini file in the Windows folder. But Microsoft (and every other company now) puts all kinds of files in the Windows folder (and subfolders like System32) that you will never be able to uninstall all of those files unless the software company gives you an uninstaller (and, surprise, CoolWeb chose not to do that).
Even though I own stock in Microsoft and you should buy as much of their stock as possible too, they’ve made computing so complex that an amateur like me gets lost when looking at a list of 50 background processes with names like nisum.exe, svchost.exe, scagent.exe, tnmng.exe, etc. Can you spot the piece of software causing the problem? Trick question. They are all legitimate. How would you have any idea?
So maybe Microsoft with their huge numbers of software writers would write software that would get you out of jams they had a part in causing? Fat chance. But other people with much less money and resources than Microsoft will write programs that do and give them away for free, like Spybot Ad-Aware, and CWShredder. Why doesn’t Microsoft do this? Why don’t they just write these guys a check for a couple of hundred thousand? Why don’t people demand that Microsoft fix the problems they allowed to happen? They just release a software patch and say it’s up to you to know that you have to download it or lose your computer.
There was another way to avoid all of these problems that most people don’t bother with: don’t use Internet Explorer. None of these things would infect you if used Mozilla (Netscape) instead of the Microsoft product.
See a follow-up entry
I felt bad for you as I read this article. And for Jenny. But I did enjoy reading this all in virus-free Safari on our 17″ iMac using OS X Panther. (The host of this MovableType blog system.)
Prior to this read, Kelly and I were watching the Apple Expo in Paris via QuickTime. Apple has a new iMac which Kelly immediately declared as “dorky” and “not as cool as ours.” We like how the 17″ monitor floats in front of the half dome base on the magical soft-touch chrome neck.
I wasn’t that impressed with the new iMac either. We already have all-in-one PC’s at work that are similar. You can put a flat screen on your desktop and hide the PC somewhere under the desk or whatever and get essentially the same effect.
ooo..deep stuff. some of microsoft’s actions make no sense. We’ve had trouble with trojans, but they didnt really do any damage.