How Rising AV killed Windows 7

Yesterday I was going to sleep with one thought on my mind: ‘How it’d be wonderful to wake up without a PC, having all day just for myself… break out all the rutine and just to be free…’ Well, look out what you wish for, cuz it may just come true, right ?

And it does…

Today I woke up, done my things, and then there’s the time when you go to your cave to turn on PC. I looked around – it’s still there… waiting between a web of cables, looking at me by this only one monitor-eye… waiting for me to press the ‘Power’ button and make it alive. I’ve approach it slowly… and with a bit of fear, I’ve press the ‘Power’ button.
No explosion. No end of the world.
BIOS loads up…
Just a quick ‘beep’ and POST screen.

Checking BIOS status... No changes found, BIOS copy valid. - Status: Ready to go.
 Checking status... PC box was not open. - Status: Ready to go.
 Checking hardware... No changes found. - Status: Ready to go.
 Booting... Choose your OS...
Loading Windows...
 Fatal Error. Windows can not startup.
 Initializing Startup Repair Tool...
 Status: Ready to go.
 Launching Startup Repair Tool...
 ...searching for errors...
 Auto-fix: On
 ...Done. Unknown error.

o.O What the fuck ?!
Challenge accepted !

So, first I’ve reach my memory to check out for any new installed programs – nothing. I did not installed any new software. So the problem isn’t there, so where’s the problem ? Ahh… and then I realized…

As some of you know I’m a little perverted in the matter of knowing what’s going on in my OS. I like to know about everything. Every new driver installed, every new or changed service, every new or changed registry entry. Basically every single change in the OS. I’ve got few monitor programs installed which are making that possible to watch in the real time – I’m getting a notice about every change that has occur in OS, so I may verify if it’s needed or not and act properly to my judgement.

So I’ve recall that yesterday at 5:05 PM Rising AntyVirus was updated. It wouldn’t be nothing special… it’s set to update at specific times during the day, but there was something new. The update came along with a new driver – spoon.sys, and with a new service – I don’t remember the name, but I remember that it was set to start at boot time. The driver was signed by a ‘Beijing Rising Information Technology Corporation Limited’, and the signature was valid. Well, Rising have a few drivers that are loaded at boot start such as HookSys.sys or HookTdi.sys, so there was nothing suspicious about that.
It was only one change that has occur in the last 12h, so concluding – the problem with a 95% (there always is possibility that I’ve been hacked, or I’ve got some malicious program installed) is spoon.sys.

OK, now that I’ve localized the problem, there’s the time to fix it. How ?

Well, nothing more easy than that.
First – you may use System Restore, if you have… I do not.
Or you may use System Image to restore your OS, if you have… I do not.
Repair Disc ? – eee… I do not have it either…
So, let’s go with a standard procedure:

01. Put your Windows DVD into DVD-Rom,
02. Restart your PC,
03. Enter BIOS and change boot priority from HDD to CD-Rom,
04. Boot up from Win.DVD,
05. Select your language, keyboard input layout, etc.,
06. Choose ‘Repair your Windows Installation‘,
07. Choose the localization of OS that you want to repair,
08. Choose Startup Repair Tool,
09. Wait until the tool scan your OS,
10. Now display the report (see detailed information) and analyze it,
There you should find a string with an error status, in my situation it was something like this:
‘Bla, bla, bla... patch to file\spoon.sys - the file is corrupted.‘
Vuala – I told you so, didn’t I ?

Check if there isn’t any other errors. There wasn’t. Now we’re 100% sure what caused the problem. And to fix it we’re just gonna delete it (you may want to back it up first).

11. Cancel the Startup Repair window (you’ll be moved to repair tools window again),
12. Choose ‘Command prompt‘,
13. Use simply DOS command to backup our driver (for further analyze):
copy C:\Windows\system32\drivers\spoon.sys your_backup_location
14. Delete the corrupted file by simply DOS command:
del C:\Windows\system32\drivers\spoon.sys
15. Now close the Command prompt,
16. Restart your PC,
17. Change the Boot sequence to HDD first
18. Done – your Windows is loading normally :)

Ps. I have no idea why the Startup Repair Tool launched from HDD does not detected any problems (yeah, I’ve checked log carefully) but the one launched from Win DVD does, I guess that’ll remain unsolved mystery, cuz I don’t really care ;P

PPs. Now let’s update Rising AV once again and let’s find out if the problem occur again…

[UPDATE]
No spoon.sys with this update o.O, instead we’re getting few new files: some DLLs and XMLs. The problem does not longer occur, which make me cry… ;( – no more fun for me, no phones that ‘something’s broken…’.
/Me be sad, sad panda/ (referring to the asian engrish style if somebody didn’t know ;)