Luckily, this wasn't one of those typical, "I've installed eleven different PC cleaning programs and they all installed all kinds of malware and my computer takes two hours to boot and etc etc".
Instead, her only real concern was that when she logs on to the desktop, she gets this window popping up telling her the computer is infected with X amount of viruses, then it will pretend to scan your computer, and finally tell you to buy the full version to take care of the infections.
Yeah, one of those viruses.
I noticed that the desktop was solid black except for the task bar, and no icons were on the desktop. All that was visible on-screen was this one window. And, this window refused to close: it simply ignored the X button being clicked. I right-clicked on the task bar and noticed that "Task Manager" was greyed out.
Great, it's one of those viruses that disables Task Manager. Starting taskmgr from the Run dialog confirmed:
Task Manager has been disabled by your administrator.
I've seen the likes of these before. Usually, if a virus does this (and a lot of viruses do), they'll also disable your Registry Editor, so that you can't just go in and re-enable the Task Manager. I was expecting I'd need to write a program to fix the registry for me because Regedit would be disabled, and if so, this is where I would've called it a day.
Fortunately, the virus didn't stop me from getting into the Registry Editor. So, I went in and re-enabled Task Manager. I just had to make sure I deleted the following key from both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE (in this case, only the CURRENT_USER was affected by this and all the other registry changes).
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (1)
In Task Manager, I first killed off that GUI, and a couple other suspicious looking names.
Back in the Registry, I went to the Run and RunOnce keys in both places to find the name of the virus (viruses always place their keys in these places in the registry). It turns out this virus's main EXE file was under C:\Documents and Settings\All Users. So, I went there in Windows Explorer.
This folder was completely empty. OK, the files were all hidden, so I went into the Folder Options to enable the "Show hidden files/folders" option. There they are! I saw the hidden EXE's that this virus was running off of. After a few seconds, all the icons disappeared again. Clever virus! It changed my "Show hidden files/folders" option back off again.
I turned it back on, and deleted these files. Then, I rebooted the computer (since I removed all the startup keys, and made sure I looked in the "Startup" folder of the start menu, the viruses weren't likely to start back up after a reboot). I was right. Virus has been neutered. Now I had to clean up the damage.
First, I had to fix the desktop. The virus had disabled right-clicking on the desktop, disabled desktop icons, and disabled the ability to set the desktop wallpaper. I had to fix this by deleting these keys from the registry (again, only under CURRENT_USER, but check for LOCAL_MACHINE too if this ever happens to you):
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu (1)
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (1)
\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (1)
This let me restore the desktop to its original glory. Then, I noticed the Start Menu was just absolutely empty. There were no "recently used" apps in the menu, and when I moused over the "All Programs" link, I just got a small pop-up menu that said "(empty)".
So I right-clicked the Start button to "Explore", and noticed that all the start menu folders were marked as hidden. This was done in the local user account and the "All Users" folder. So, I un-hid all these folders to bring back the start menu items. But, this virus did something even more evil than that: it deleted every shortcut file from the Start Menu.
So, we got all the folders back in the Start Menu, but every folder was empty. Like, "Start->All Programs->AOL Instant Messenger->(empty)".
This virus really went to great lengths to make my great aunt's life more difficult. I neutered it and undid most of the damage, but there's no automatic way to restore the Start Menu shortcuts. Plus, I noticed that many of the programs mentioned in the Start Menu aren't even installed anymore at all. Maybe the virus actually deleted as many programs from the computer as it could? The only programs in "C:\Program Files" were core built-in programs that come with Windows (speaking of which, every folder in C:\Program Files was marked Hidden as well!)
If this was my computer, I'd reinstall the OS. But it's not, and I'm not getting paid for any further tech support, but figuring out what extent this virus messed up the system was fun enough in itself.
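The registry checks from this cleanup (the four policy values and the Run/RunOnce keys, in both hives) can be run over a saved registry export instead of by hand. This is an added example, not code from the original post; the sample export, the "fakescan" entry name and the audit() helper are constructed for illustration.

```python
import re
# Policy values named in the post; a non-zero DWORD switches the restriction on.
LOCKDOWN = {
    r"\policies\system": {"disabletaskmgr"},
    r"\policies\explorer": {"noviewcontextmenu", "nodesktop"},
    r"\policies\activedesktop": {"nochangingwallpaper"},
}
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# Constructed sample in .reg export format (entries are made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001
"NoDesktop"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"fakescan"="C:\\Documents and Settings\\All Users\\fakescan.exe"
'''
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def audit(export_text):
    """Return (lockdowns, autoruns) found in the text of a .reg export."""
    lockdowns, autoruns, key = [], [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data, low = m["name"], m["data"], key.lower()
        active = data.startswith("dword:") and int(data[6:], 16) != 0
        for suffix, names in LOCKDOWN.items():
            if low.endswith(suffix) and name.lower() in names and active:
                lockdowns.append((key, name))
        if low.endswith(AUTORUN_SUFFIXES):
            # String data in .reg files doubles its backslashes; undo that.
            autoruns.append((key, name, data.strip('"').replace("\\\\", "\\")))
    return lockdowns, autoruns

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Exports written by Regedit in the "Version 5.00" format are UTF-16, so decode the file before passing its text to audit().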
I, along with pretty much every other savvy computer user, never do the "Recommended" installation of software and always go with the "Custom Installation" route, so that I can opt out of installing unnecessary toolbars and other spyware/adware that comes with free Windows software. But does the Average Joe Windows user know that? Definitely not; the Average Joe just clicks through the install dialogs until the program he wants is installed, not knowing that he also just sold his soul to the devil by installing all manner of malicious spyware on his system.
So, I conducted an experiment.
I installed Windows XP on a virtual machine, and installed only a small selection of software that the average user would likely use, and went with all the "Recommended" installation options for every program installed. Altogether, I only installed 9 programs, and most of those were something everybody can say they've installed: instant messengers.
Memory: 256 MB
HDD Space: 10 GB
I installed a fresh copy of Windows XP, installed the VirtualBox guest additions, and used this as the baseline for a "vanilla" Windows XP installation -- a fresh, clean, pure instance of Windows with nothing really installed on it.
In our fresh vanilla Windows XP install, we see the default desktop, the start menu, the Task Manager with few enough tasks in it that we don't even need a scrollbar, and a default Internet Explorer 6 window with MSN as its homepage.
Then, I started installing some software.
Then I installed Yahoo! Messenger 220.127.116.112 - this installed Yahoo Messenger, put an icon on my desktop, installed the Yahoo! Toolbar, and set my homepage and search engine to Yahoo.
Then, Windows Live Messenger 2009 (Build 14.0.8089.726) - this one didn't install a desktop icon, but it set my homepage in IE back to MSN.com and changed my search engine back to Bing.
These are the three most common instant messengers that most people use. So, I went and installed other essential software:
Sun Java Runtime Environment, JRE 6 version 15. Java also took the liberty of installing the Bing Toolbar in my Internet Explorer.
Then I downloaded WinZip 12.1 Free Edition. Windows XP comes with built-in support for zip files, but Average Joe is bound to come across archives of other types and will be told to get WinZip. WinZip installed for me the Google Toolbar in Internet Explorer.
Then, the Adobe Flash Player 10.0.32.18 - this is, so far, the only piece of software that installs what it says and nothing more. It's also the only thing I've installed in my experiment that installed only what I wanted it to.
Finally, I got a couple extra instant messengers installed: Skype 4.1 and ICQ 6.5 - Skype installed the Google Chrome web browser and ICQ installed the ICQ Toolbar and set my homepage and search engine to ICQ.
At this point, I have only installed 8 programs; 8 programs that Average Joe End User is likely to install. Using the default options on all the installers, my system is now fscked up already. But why stop there? Average Joe also needs an antivirus suite, with all this scare going around about viruses.
So, Average Joe installs AVG Free because Average Joe is a cheapass who can't afford Norton or McAfee. AVG may be well-intentioned, but that didn't stop it from installing the AVG Toolbar "Powered by Yahoo!" into my Internet Explorer as well as changing my search engine to AVG Search.
So, what's the damage? 9 programs, and this is what my system looks like:
My Task Manager list has grown exponentially; I have to resize it vertically as tall as it will go, and even then there's still a scrollbar. And do you see the IE window in all that mess? It's completely being murdered under the weight of the 7 different toolbars taking up HALF of the vertical screen real estate.
This is only 9 programs being installed. For a quick list, here they are again:
This, THIS is why Windows sucks. All Windows software installs all this crapware along with it, and all this crapware competes with each other (just look how many times my search engine had been changed).
This is the list of toolbars in IE, from top to bottom, which take up 50% of my 1024x768 vertical resolution:
19 cookies in Internet Explorer. Cookies!!!
The only thing AdAware found were cookies left by ad banners. No adware? No spyware? Are you kidding me!?
So, how do the startup programs look? Well, I'll tell you that rebooting this virtual machine is miserable. With all these programs starting up when the desktop loads, nothing productive can be done for a full 10 minutes. Here's the breakdown:
After this, the startup items were:
It should be noted here that free, open source software almost never comes with crap like this. If you stick to fine programs like Firefox and Pidgin, you can install them without worrying about what other crap they'll bring along with them.
I hate Windows.
One of the games that I've done more than a little bit of poking around at is The Legend of Zelda: Ocarina of Time for the Nintendo 64. One particularly interesting part of the game is the battle against Dark Link during the quest through the Water Temple. A typical battle with Dark Link plays out like this video on YouTube, uploaded by mtiller2006.
Dark Link's usual behavior in the Water Temple is to wait until you've gone to the opposite end of the room before even appearing. Then it just waits for you to get close to it, or target it, or try to attack it from a distance before it springs into life. It runs away if you get too close to it, and comes toward you if you get too far away. Dark Link isn't aggressive to begin with, but with enough time or enough prodding by the player, it begins trying to kick your ass.
Normal sword swipes get canceled out by Dark Link's sword swipes. Stab at Dark Link and he jumps up on top of your sword (and if he's feeling aggressive, he'll slash at you from up there too before jumping off). When attacked, he suffers damage, falls through the floor and then respawns, usually behind you.
Besides that, though, Dark Link's role is pretty simple. You battle him inside a boring square room. All Dark Link needs to do is walk around and use his sword, and do a couple of his own moves that the player can't do, such as standing on top of the other one's sword.
When placed in the Kokiri Forest by using actor replacement cheat codes, you see how Dark Link behaves when put into a room he wasn't intended to be put into. His home in the Water Temple is a simple, empty room, but in the Kokiri Forest there's deep water to swim in, fences to climb over, things to jump off of, and even a wall to climb (note that he doesn't make it to the top of the wall, but he does latch onto it and climb left and right pretty well).
Why would Dark Link be able to do all these things if the developers didn't intend him to? Well, this is one example where tweaking the game provides some insight into how the game was programmed. It's unlikely that the developers programmed Dark Link to be able to do all these things; it would be a waste of time, considering the room Dark Link was put into for the final game.
My theory is that Dark Link is basically a complete clone of Link himself -- programmatically. Only, instead of having a physical N64 controller held by a human that controls Link's moves, it's a "virtual" N64 controller operated by a simple program. So, when Dark Link approaches Link, the program basically moves its virtual control stick on its virtual controller in the general direction of Link. When Dark Link swings its sword at Link, the program just presses the "B" button on its virtual controller.
This explains why Dark Link is able to swim, climb fences, climb walls, and jump off ledges; all of these actions (for the player) only require you to use the control stick. So, because Dark Link has its own virtual control stick, it can do all these things too (not always perfectly; it couldn't make it to the top of that wall I had it climb).
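A small sketch of the "virtual controller" theory described above, as an added example that is not the game's code or anything from the original post. Every name here (Pad, Character, ai_pad, simulate, the terrain string) is hypothetical; the point is that the AI only fills in a controller state, and the shared movement code decides whether that means walking, swimming or climbing.

```python
from dataclasses import dataclass

TERRAIN = "..~~.#..."   # constructed 1-D room: '.' ground, '~' water, '#' fence

@dataclass
class Pad:
    """One frame of controller state: stick direction (-1, 0, 1) and B button."""
    stick: int = 0
    b: bool = False

class Character:
    """Shared movement code: it reads a Pad and never asks who filled it in."""
    def __init__(self, x):
        self.x, self.action = x, "stand"

    def step(self, pad, terrain):
        if pad.b:
            self.action = "sword"
        elif pad.stick == 0:
            self.action = "stand"
        else:
            self.x = max(0, min(len(terrain) - 1, self.x + pad.stick))
            # Terrain handling lives here, not in the AI.
            self.action = {"~": "swim", "#": "climb"}.get(terrain[self.x], "walk")

def ai_pad(me, target):
    """The 'virtual controller': push the stick toward the target, press B when adjacent."""
    gap = target.x - me.x
    if abs(gap) <= 1:
        return Pad(b=True)
    return Pad(stick=1 if gap > 0 else -1)

def simulate(terrain, dark_x, link_x, frames=20):
    """Run the AI-driven character toward a stationary target; return its actions."""
    dark, link = Character(dark_x), Character(link_x)
    seen = []
    for _ in range(frames):
        dark.step(ai_pad(dark, link), terrain)
        seen.append(dark.action)
        if dark.action == "sword":
            break
    return seen

if __name__ == "__main__":
    print(simulate(TERRAIN, 0, 8))
```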
I just think it's interesting how the developers used this kind of approach to programming Dark Link. Every other enemy in the game has a more proper program to dictate how it behaves. One would assume that Dark Link had a program just like all the other enemies. But as you can see here, Dark Link is the one enemy in the game that stands out, and therefore is the most interesting.
The general code behind Dark Link, I theorize, was also ported over to The Legend of Zelda: Majora's Mask for use with the character Kafei. In Majora's Mask, during a certain side quest you're allowed to take control of Kafei, and the entire sequence involves switching control back and forth between Kafei and Link. This implementation is done poorly and is prone to many glitches, indicating that the Zelda 64 engine wasn't designed to allow switching of characters. Also there are some cheats to switch places with Kafei while in Clock Town, similar to the cheat to switch places with Dark Link, evidencing further that Kafei's code likely evolved from Dark Link's.