A friend called me up the other day in a panic. Every time he logged onto his PC, it would log him straight back out again. He was totally distraught. This was the system he used to run his small business, and all his most important documents were on there. But let’s sidestep the fact that he should have been performing regular backups. It’s a fundamentally important point, but not the one of this story.
So, anyway, I did some research on the Web, and found the reason for his situation. Apparently, a Trojan called Troj_blazefind.a had replaced the Userinit.exe logon program with its own version called Wsaupdater.exe. This allows it to download all manner of Malware to the compromised PC without the user’s consent. On its own, the presence of Troj_blazefind.a doesn’t knacker your system. But someone had run the usually excellent Ad-aware from Lavasoft to clean up the PC. This had removed the Malware, but not fixed the logon registry entry, so this still pointed to Wsaupdater.exe, which no longer existed. This was why he could no longer log onto his PC.
"I’d managed to find a large proportion of his work, and turned a catastrophe into a mere disaster"
The solution to this involves the Windows XP Recovery Console. So I phoned him up and told him to boot from his Windows XP CD and head for the Console. But, of course, this requires you to log onto the system in question with the Administrator’s password. He couldn’t remember what it was, as it had been set up by the PC’s manufacturer during some onsite tech support and he hadn’t kept a record of it. While he really should have done that, again this is not the moral of this story. There’s so very much more to tell.
Just in case you’re nodding off, I’ll cut out the next bit. Let’s just say he used Repair Windows to get back into his system. But when he had a look around he found all his most important documents were strangely missing. The directory he kept them all in had miraculously disappeared. So my phone rang again. Somehow, I managed to talk myself into looking into the situation, and he brought his PC round that night. He was right – the folder and all its contents were nowhere to be seen.
So I pulled out the hard disk and attached it to a PC with a copy of the amazing EasyRecovery Professional from Ontrack Data Recovery
installed. This is an expensive piece of software, but it really does the business. The most basic version is over £300 plus VAT. You might remember the venerable Norton Utility (confusingly, just one part of Norton Utilities), which in DOS days could analyse your hard disk or floppy below the level of the file attribute table (FAT) and retrieve data you thought you’d never see again. The Norton Utility has essentially disappeared, but Ontrack’s EasyRecovery is even better. It searches the disk for deleted files and directories, and allows you to recover them to a different location, which has to be on another hard disk to avoid overwriting other hidden data on the original disk.
I found literally gigabytes of deleted files. Most of these were now totally useless – the bits and pieces of Windows Restore snapshots and all manner of temp files. But many of them were exactly what my friend needed – his precious business files. The directory information was mostly gone, and some of the files had obviously been overwritten by other data and were corrupted. But I’d managed to find a large proportion of his work, and turned a catastrophe into a mere disaster.
However, that wasn’t all I found. During my analysis, I’d also retrieved the contents of all the My Documents folders for all the users of my friend’s PC. One of these, which belonged to one of my friend’s employees, was full of material that was unlikely to have been part of his work activities. Let’s just say that nice girls don’t usually engage in the kind of activities most of these JPEGs and movies depicted. All of this stuff had been deleted prior to the PC going down. But I’d inadvertently retrieved hundreds of megabytes of it.
"Let’s just say that nice girls don’t usually engage in the kind of activities most of these JPEGs and movies depicted"
So, at last, I’d gotten to the root of the problem. The probable chain of events went something like this: A male employee is working late one night on his own. Maybe he’s finished his work for the day, maybe he’s just “taking a break”. His employer has broadband, so he decides to surf for some “light entertainment”. He visits a few dodgy websites and downloads enough pr0n to make the Razzle back catalogue look pedestrian. He relieves the stress of his working day. Then he decides to cover his tracks. Little does he know that one of the sites he’s visited has installed Troj_blazefind.a on the system, and as he runs Lavasoft Ad-aware he unleashes a chain of events that will eventually lead to his downfall.
In all this, my friend has been remarkably philosophical. He hasn’t even sacked the individual in question. After all, what’s the Internet for? Statistics show that a huge proportion of Net traffic, maybe even the majority, revolves around porn. But that doesn’t stop his employee being a very, very silly boy. You really have to have a few brain cells missing to use someone else’s computer to fulfil your fascination for activities not available at home, particularly if you then store the files on a directory with your name on it.
Whatever you do, be very careful what you get up to on a computer that’s not yours. You may think that you can cover your tracks and hide what you’ve been doing. But you’d be completely wrong. Fortunately, nothing I found was of Gary Glitter proportions, not that I looked very closely (ahem). But it’s very easy to track what websites people have visited, monitor and record their Internet traffic in real time, or retrieve files long since deleted and forgotten. All it takes is one slip and you could get caught. And as dodgy porn websites are the most likely source of the kind of damage which will have the tech support guys poring over your work PC, you’re more likely than you think to make that slip.