Weirdest thing…

Last night I booted my home machine. It started ok, but once I logged on it was dog slow. “Whut”, says I, “this is strange”.

Task Manager showed that one process, InoRT.exe, was using 99% of the CPU, but there’s no hard drive activity. InoRT.exe, that’s supposed to be the antivirus program. Hm, this is suspicious. I reboot, and still see the same symptom. At this point I’m more annoyed than worried, because I actually backed up everything interesting just this weekend.

Now I disable the network connection and let the process run for a while. No change. I then kill InoRT.exe; start Spybot S&D to scan; enable the network connection again so I can get updates for Spybot S&D (when did I even run that last? Can’t remember); disable the network connection and start scanning. The scan shows one entry I’ve never seen before:

n-Case is it? Never heard of it. I start my second machine to do some research, and find plenty of references to it – turns out it's some kind of spyware. How did that get there? I’ve applied all patches; I don’t run as admin, and my surfing habits aren’t very… interesting.

I keep reading and learn about the expected symptoms, how to remove it manually etc. Only what I read doesn’t match up. I haven’t seen any unexpected ads on the machine. The reg key that was reported, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\schedulingagent, points to C:\WINDOWS\System32\mstask.exe and I can see that this file hasn’t been tampered with. I start looking for the other files that should be involved in n-Case, but can’t find them.

As I’m looking around, I notice that I’m kinda low on disk space though – only about 2GB free on a 120GB partition. Ok, let me delete some F1 races I recorded this summer…

…hey could that be the problem, low disk space…?

…so I free up 30GB in a few minutes, reboot, and – fancy that – all seems ok.

Lessons learned – 1) having a recent backup helps prevent panic, 2) don’t assume the worst, 3) don’t save old F1 races when you know that you won’t watch them more than once…

This posting is provided “AS IS” with no warranties, and confers no rights.

Comments (2)

  1. Typhoon says:

    Makes you wonder about Windows security, its internet/network footprint. I am assuming that you are running Windows XP SP 2 with security enhancements. I have the same problem at home from time to time. I use Spybot Search and Destroy version 1.3 with updates and Ad-Aware SE V.1.05 with latest definitions; after Service Pack 2 it is better, specifically with the stuff Spybot finds, as they enhanced the Windows firewall, but more needs done. I do feel for you, but in a way I think that you now see the frustration that users of Windows XP, even those with Service Pack 2, all patches and updates, feel. Imagine that times about 1000 for people with no security firewall/antivirus etc. I recently took off 700 pieces of Adware (using Ad-Aware) and over 130 pieces of Spyware (Spybot Search & Destroy). I installed SP 2, turned on his firewall and showed them how to use Windows Update 5 and convinced him to pay for automatic updates for his antivirus, and now they are down to about 12 or so pieces a week with most being tracking cookies. My point is we should not have to do all this work just so we can keep a clean and happy computer. We should turn off unnecessary services, lock them down when they are on. I was a beta tester for Windows XP SP 2 and Windows Update 5; these are steps in the right direction but are not the total solution.

    My 2 cents.

    Tom Stack

    Windows Update 5, XP SP 2, Norton 2005 beta tester.

  2. Honestly, I’m not worried about Windows security. With the Windows firewall on and my patches and virus signatures up to date, I feel pretty safe. I know that there are threats out there, but I’ve been getting by without getting any virus or other malware at all for the last couple of years.

    Then again, I don’t install just any software and my browsing habits aren’t too interesting. I also started running as non-admin earlier this year. Maybe this has helped too…

    That said, I’m not trying to say that users who get struck by viruses or spyware only have themselves to blame. I don’t think anybody at Microsoft would say that.

    As you say, SP2 and WU5 are indeed significant improvements, and more are coming. In the meantime, all we can do is try and educate* people so they can avoid problems and help** fix those who still get hit.

    * Handy links and info about spyware:

    ** Free virus & security phone support, in several countries: