The IT Toolbox: Tools of the Trade

About a year and a half ago, I bought virtually identical Toshiba NB205 netbooks for each of the kids, and they've proven to be great little computers, with killer (~8 hour) battery life, a great form factor given their respective ages (9 and 12 now), and just enough processing oomph for their limited needs, involving light editing (Microsoft Word, part of Office 2010 Home and Student), web browsing, and Flash-based web games. Over the intervening time, I've also used these systems as a proof of concept project of sorts, occasionally examining them to see how they're faring from a virus and malware perspective. (I mentioned this previously in a mid-2010 commentary, So Easy Even a Child Can Do It.)

To date, the experience has been pretty positive. Armed only with Microsoft Security Essentials (MSE), the software giant's free and unfairly maligned anti-malware solution, my kids have used the web, largely unescorted, since they got the machines. But over the holidays, my son's computer stopped booting, and after a lengthy investigation, I discovered the cause: A malicious piece of software that, among other things, attacks the Windows master boot record (MBR). There were two other viruses on the system as well.

How I discovered this relates, I think, to something that will be relevant to all readers. That is, I am—as you are, no doubt—the PC support guy for virtually everyone I know outside of work. In the past two months alone, I have helped both of my parents set up new PCs, but I've also repaired PCs owned by my babysitter, two neighbors, and now my son. Each of these PCs required its own special set of fixes, but my son's computer involved some interesting hardware as well as software, stuff that I—again, like you no doubt—have lying around for expressly this purpose. So I thought I'd share some information about the tools I used to fix the PC, and solicit some advice from you about the tools and techniques you use.

Going into this, I didn't suspect malware was the cause. A non-booting Windows PC could be the result of a number of things, and my first concern was to try and get the data off the hard drive just in case I couldn't restore it. (For some reason, I was also thinking potential hard drive failure, so I wanted to see if the hard drive worked as well.) In a corporate setting, this is often not required as data can be centrally stored and replicated to the PC, and while this will be the case for home users soon enough as well, my son's PC is a standalone device, with no meaningful backup plan. In this way, it's probably pretty typical, but in my defense, he's not exactly doing mission critical work on the thing either.

Getting the data off the hard drive involved physically removing it from the netbook and then connecting it to another PC. Oddly enough, just removing the drive was time consuming: The Toshiba's back panel is held on by tiny Allen (or "hex") screws and while I have a set of a dozen Allen keys, none actually fit. And that's the first bit of advice here: While most PCs have pretty standard components, make sure you have what you need to crack them open. I had to jury-rig a solution with a flathead screwdriver that was designed for repairing glasses, and even that was too big.

That wasted time behind me, I used my trusty USB 2.0 to SATA/IDE cable to connect the netbook's hard drive to both power and, via the USB adapter, to my own PC. I can't recommend this kind of thing enough, and it's inexpensive to boot. This allowed me to see two things. One, the hard drive was just fine. And two, it was infected, based on the alarmingly red notification that MSE immediately popped up. And in a delighting development, I had given that software infection to my own PC. Fortunately, a full scan by MSE followed by choosing "clean up" for the relevant items fixed that problem. But it took quite a bit of time, and that maybe is a lesson here as well: This stuff always takes way longer than one expects. And by the time I got around to actually fixing the problem on my son's PC, a few hours had already elapsed.

I did take this time to back up the important data on the hard drive. Surprisingly, there was some, including school papers, some cell phone photos, and music. I say surprisingly, because when I asked him if there was anything on there he wanted to save, he said no. You just can't trust users.

Since the drive was in fact fine, I reinstalled it on his PC and proceeded to the recovery phase. My kids' computers came with Windows XP originally, but I wiped that out and replaced it with Windows 7 Home Premium on both; because these PCs use original generation Atom processors, however, I had to use the 32-bit version of Windows 7. This means I needed to use a 32-bit Windows 7 system repair disk to try and fix the boot issues. Now, you can easily make a system repair disk from within Windows 7's excellent Backup and Restore UI. But you need separate 32-bit and 64-bit versions of the disk, and should use the correct one for the PC you're repairing. And sadly, you can't make a 32-bit repair disk from a 64-bit version of Windows 7, or vice versa.

(I have both 32-bit and 64-bit versions of this disk on hand, and so should you. If you don't, you can also use your original Windows 7 Setup media, if you have that.)

Because netbooks don't have optical drives, I had to dig out an external DVD drive, another tool that's solved a lot of problems over the years. Oddly, in this case, I couldn't get the PC to boot from the DVD drive, however. So after failing with that for a while, I eventually made a bootable USB key-based system repair disk, which was surprisingly easy. And it worked just fine. (I've never written up this procedure, but I should. In the meantime, here's a decent description of the process.)

There are a couple of approaches to system repair, including a handful of command-line utilities you can run, but the wizard-based Startup Repair tool on the system repair disk has always worked for me, and it did work in this case. After a week of dead-ending, my son's computer was booting again.

Of course, it was booting into a hostile environment, one in which automatic updates had been silently turned off and a number of suspicious files were loading at startup. Again, MSE to the rescue, though it's unclear why it failed my son in the first place—that was all cleaned up eventually, though it took a very lengthy full scan and then a cleanup to make that happen.
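The post-recovery symptoms described above (the wrong-bitness repair disk trap, Automatic Updates silently switched off, unfamiliar files loading at startup, and an MBR that had been tampered with) are all things you can check from an elevated PowerShell prompt before you declare a machine clean. The script below is an added example for this page, not anything from the original article or from Microsoft; it assumes the Windows 7 era service and registry names shown in the comments, that PowerShell 2.0 is available, and that you recorded a known-good MBR hash for the machine earlier (the `$KnownGoodMbrSha256` value is a placeholder you must replace with your own baseline). It only reads; it changes nothing.

```powershell
# Added example: read-only post-recovery triage. Run in an elevated PowerShell.
# Assumption: service name wuauserv and the Run/AU registry keys as used on Windows 7.
# Placeholder: replace with the SHA256 of this PC's MBR taken while it was known clean.
$KnownGoodMbrSha256 = 'REPLACE-WITH-YOUR-BASELINE-MBR-SHA256'

function Get-RepairTriage {
    $report = @()

    # 1. Bitness: the system repair disk must match this, 32-bit vs 64-bit.
    $arch = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
    $report += "OS architecture: $arch (use the matching system repair disk)"

    # 2. Was Automatic Updates turned off? Check the service and the AU settings.
    $svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
    $report += "Windows Update service: State=$($svc.State) StartMode=$($svc.StartMode)"
    $auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if ($au -and $au.AUOptions -eq 1) { $report += 'WARNING: AUOptions=1 (Automatic Updates disabled)' }
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.NoAutoUpdate -eq 1) { $report += 'WARNING: NoAutoUpdate=1 policy set' }

    # 3. Is the anti-malware product registered and reporting to Security Center?
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object { $report += "AV product: $($_.displayName) productState=$($_.productState)" }

    # 4. What loads at startup? List every Run/RunOnce entry so each can be eyeballed.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata members
            $line = "Startup [$key] $($p.Name) = $($p.Value)"
            # Heuristic only: user-writable locations are where the post's 'suspicious files' tend to live.
            if ($p.Value -match '\\(Temp|AppData|Local Settings)\\') { $line = "REVIEW: $line" }
            $report += $line
        }
    }
    # Startup folders are a second autostart location worth listing.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -ErrorAction SilentlyContinue |
            ForEach-Object { $report += "Startup folder: $($_.FullName)" }
    }

    # 5. MBR: read the first sector of disk 0, check the boot signature, compare against the baseline.
    try {
        $fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0', [IO.FileMode]::Open, [IO.FileAccess]::Read)
        $mbr = New-Object byte[] 512
        $null = $fs.Read($mbr, 0, 512)
        $fs.Close()
        $sigOk = ($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA)
        $sha = [Security.Cryptography.SHA256]::Create()
        $hash = ($sha.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
        $report += "MBR boot signature present: $sigOk"
        $report += "MBR SHA256: $hash"
        if ($hash -ne $KnownGoodMbrSha256) { $report += 'WARNING: MBR hash differs from your recorded baseline' }
    } catch {
        $report += "MBR read failed (need Administrator): $($_.Exception.Message)"
    }

    return $report
}

Get-RepairTriage | ForEach-Object { Write-Output $_ }
```

Record the MBR hash the first time you run this on a freshly installed machine and keep it with the repair disks; a later mismatch is not proof of infection (a Windows update or a bootloader reinstall can change the sector too), but it is exactly the kind of silent change that, like Automatic Updates being switched off, you want to notice before handing the PC back.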

Four hours had elapsed. Yikes.

In So Easy Even a Child Can Do It, I wrote, "I've often said that basic security controls plus an iota of common sense should be enough for most people—my kids have no common sense at all." And that is exactly what happened here, I think. My son's a kid, and unsophisticated in the ways of the world, an ideal target for malware writers. So the lesson here isn't that he needs more protection, it's that he needs a bit more oversight.

(And since I know someone will ask: Yes, I stand by my assessment of MSE. This is good software, effective at what it does. I use it on all my PCs, and still recommend it, as well as its corporate siblings Forefront and Windows InTune.)

More to the point, with the right tools, you should be able to tackle any problem. Maybe wiping and replacing Windows would have been faster in this case, but I was happy to belatedly restore the computer to its original fighting shape.

OK, that's just one man's story. Are there any tools or techniques you've developed in your own work with PCs? Let me know!
