HACK HACK HACK HACK
Aug. 21st, 2003 03:18 am
So, a virus hit my Windows 2000 machine downstairs. We use it to host a dozen databases, about 400 megs of data in total. The little bastard must've invaded the operating system a few weeks ago. I'm not entirely sure what variety, either. I suspected the Blaster worm at first, but I could get into the Task Manager just fine, and MSBLAST32 or some other variant of filename wasn't listed. That's hardly an analysis, though.
Anyway. Our tech support guy from upstairs rebooted the machine last night, and it refused to go to the desktop. Explorer.exe was corrupt. When I came in I decided to copy off the database files, and then nuke the whole Windows install with a fresh one, apply every service pack available, and put the databases back. Sounds easy, no?
No. Here's why. Pardon me if I get too technical.
The computer has one hard drive, with two partitions. The first partition is NTFS, and contains the corrupt Windows 2000. The second partition is FAT32, and contains Windows 98. Howbout if I just boot into Windows 98, and copy the files off the broken Windows 2000 partition?
Can't do it. Windows 98 won't read NTFS.
Okay, I suppose I could take the machine off the shelf, crack it open, unplug and unscrew the hard drive, attach it to another machine running a good Windows 2000, and copy the files off manually. But that's a lot of labor, taking apart two systems. And of course, I'd also have to bring down another machine to do it.
Not advisable in a server room.
So how am I gonna get these files off? If I had my bootable Windows Rescue CD, I could do it that way, but it's not at the office. When I reboot the Windows 2000 install -- even in safe mode -- Explorer.exe fails to launch, because the virus has destroyed it.
Hmmmm, Explorer.exe.
I reboot in safe mode 'with command prompt'. After an intolerable delay, that comes up. I don't know why the hell it needs a GUI to display a text prompt, but anyway here it is. I try using DOS commands -- CD, MOVE, and COPY -- to copy the databases over, but the files are spread out across a tree of folders, and I can't figure out how to do a recursive copy from one partition to another. The 'usage' blurbs for MOVE and COPY don't even list a recursive option. This is enormously frustrating. If only Explorer.exe worked.
Hrmmmmmmmm. Explorer.exe.
I put in a Windows 2000 install CD, and navigate to the i386 folder. There I find a decompression executable, and a file called EXPLORER.EX_. Running one with the other gives me a fresh copy of Explorer.exe on my boot drive, which I launch.
There. I use the mouse to copy the folder tree from one partition to another. It takes about seven minutes.
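The same two rescue steps, as an added example that is not part of the original post: a batch script for the Windows 2000 "safe mode with command prompt" that rebuilds Explorer.exe from the CD's i386 folder with the built-in EXPAND tool and does the recursive copy that COPY and MOVE cannot, with XCOPY. Drive letters and paths (C: as the NTFS boot partition with Windows in C:\WINNT, D: as the FAT32 partition, E: as the install CD, C:\Databases as the data tree) are assumptions.

```batch
@echo off
rem Added example, not from the original post. Assumed layout:
rem   C:  NTFS boot partition (Windows 2000 in C:\WINNT)
rem   D:  FAT32 partition (Windows 98), readable from both systems
rem   E:  Windows 2000 install CD
rem Run from "Safe Mode with Command Prompt" on the damaged Windows 2000.

rem 1. Recreate Explorer.exe from the compressed copy on the CD.
rem    EXPAND.EXE ships in %SystemRoot%\system32 and reads the .EX_ format
rem    directly, so no third-party unzipper is needed.
expand E:\i386\EXPLORER.EX_ C:\WINNT\explorer.exe
if errorlevel 1 (
    echo expand failed, check the CD and the assumed drive letters
    exit /b 1
)

rem 2. Copy the database tree recursively to the FAT32 partition, where
rem    Windows 98 can also reach it. COPY and MOVE have no recursive
rem    switch; XCOPY does:
rem      /E  subdirectories, including empty ones
rem      /H  hidden and system files too
rem      /K  keep the read-only attribute
rem      /I  treat the destination as a directory even if it does not exist
xcopy C:\Databases D:\Backup\Databases /E /H /K /I
if errorlevel 1 (
    echo xcopy reported errors, do not wipe the install until this is resolved
    exit /b 1
)

rem 3. Sanity check before trusting the copy: compare the number of entries
rem    on each side (dir /s /b lists every file and folder, one per line).
dir /s /b C:\Databases | find /c /v "" > D:\Backup\src_count.txt
dir /s /b D:\Backup\Databases | find /c /v "" > D:\Backup\dst_count.txt
echo source entries:
type D:\Backup\src_count.txt
echo destination entries:
type D:\Backup\dst_count.txt
```

The two counts should match; if they do not, compare the trees before reinstalling over the NTFS partition.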
Okay, so I've got the databases off, I'll just install Windows 2000 onto this useless partition now, and move the databases back onto it when I'm done. I've got this handy Windows 2000 CD here, it's already in the CDROM drive, so I'll just change the BIOS to launch it, and reboot. Looking good, copy process started...
ERROR: UNABLE TO COPY FILE DRIVER.CAB
Oh great. The CD is scratched. I pull it out -- no, it's clean. What gives? I try copying again. An hour has passed by now. The copy fails repeatedly on that file. From experience, I know it's a very large file. I press the 'C' key to try copying it again, and place my ear next to the front of the drive. Ah, that explains it.
The CDROM drive is defective.
Okay, I'm not defeated yet. I reboot the machine into Windows 98, and share that partition over the network. I put the CDROM into a nearby machine, connect to the share, and copy all of the Windows 2000 install CD onto that. I disconnect the share, and run SETUP.EXE. Now, all you fellow admins take note -- the most important option you can set when you're installing Windows is to change the default directory to something other than 'WINDOWS'. That alone has protected one of my main web servers from two dozen internet worms over the years. In this instance, I change it to 'WIN2K2', and off it goes.
Grind, grind, grind.
An eternity later, I've booted it to the desktop. That's funny, it never asked me for any network settings. Ah, this explains why. The network card isn't recognized. Well I can't download any service packs if I can't get online. So how do I install the drivers? I know, I'll reboot into Windows 98, and copy them down from there. The device manager in Windows 98 tells me that the card is a Netgear FA311. A few online searches later, I've downloaded the driver package to the desktop. It's a zip file, but that should be no problem for Windows 2000 -- after all, it has file and folder compression built right into the operating system -- right?
Wrong. Windows 2000 doesn't recognize the file.
So I need to install WinZIP. So I need to download WinZIP. So I reboot into Windows 98, and download the WinZIP installer to the desktop. I drag the installer onto the Windows 2000 partition, so I have a copy that's easier to get at than the one on the '98 desktop here. I launch the installer on the desktop, click through the wizard, and WinZIP is installed. Great, now I'll reboot into Windows 2000 and install WinZIP there! I open the NTFS drive and locate the WinZIP installer. Oops, the installer is an executable, so it made a shortcut instead of actually copying the file. No matter. I double-click on the shortcut.
File not found. "Windows is searching for..." What the hell? The original copy is gone!
I reboot into Windows 98, and download WinZIP again. This time, I also have the brains to unzip the network card drivers. I reboot AGAIN, into Windows 2000, install the network card drivers, and install WinZIP as well. Ah hah, here it is, on the last page of the wizard. A checkbox, checked by default, that says "Delete installer file."
Thank you very much. Jerks.
Finally I run Windows Update. The first thing it wants to install is an update for Internet Explorer. I tell it to go, and it opens the package download window. Then, a box pops up.
"SVCHOST.EXE has caused an illegal operation." Terrific.
The system is now unstable, so I reboot. I run Windows Update again and tell it to skip the first update. It downloads the Service Pack 4 installer, and begins grinding through that.
Five reboots later, I've installed all the updates. Six hours have passed now. I still don't have a driver for the video or sound cards, nor do I care to install them. All I wanna do is copy the database files back and be done with it.
"Cannot copy: There is not enough free disk space." What?! How? The databases all fit on here before!
From old install to new, the windows swapfile has grown by 128MB, but that's a relatively minor increase. What's the real problem? Did all those software updates leave file turds everywhere? I specifically instructed Service Pack 4 to NOT archive the old system!
Oh well, these databases shouldn't be kept on the boot drive anyway.
Now, after an additional FIVE HOURS of re-creating shortcuts and rebooting and testing, the problem is finally dealt with. I'm not going to bore you with how a fresh install of the database app kept crashing because the database's config files were pointing to the wrong drive, which was happening because the drive ordering on the machine had mysteriously changed from the old Windows 2000 install to the new. That little wrinkle alone took two hours to smooth out. I have lost an entire work day to the wonders of being a small-time Windows admin. Screw this, I'm going on vacation.