Rootkits and the human condition


chadh

Rootkits and the human condition
« on: 4 Jan 2009, 04:51 pm »

I got one the other day: a rootkit, that is, not a human condition.  I've been advised to reformat and reinstall.  That sounds like the smart thing to do, as long as I can find my XP disc!

Anyway, this whole experience really makes me ponder the sorts of things that motivate people.

First, we have those people who build the rootkits.  I understand that some of them are designed and distributed to aid in various profitable criminal activities.  But it seems that a bunch of them exist for no reason other than to piss people off.  Moreover, these little programs seem really clever.  Why on earth would anybody pour such time, energy and creativity into something that achieves so little?  It makes no sense.

But in the midst of this ordeal, I also encounter the opposite face of humanity.  I find a forum populated with a bunch of techie types who volunteer ridiculous amounts of time solely to solve problems for strangers like me.  That might be even crazier than spending time designing rootkits!

Anyway, if you ever find yourself foundering in a sea of malware, and know not where to turn, I'd encourage you to check out the forum at http://www.whatthetech.com.  The people seem to be like our own hard working and generous forum administrators and facilitators (whom I appreciate even more now), except that their long hours of effort support a community that can't possibly offer them anything valuable in return.  I suspect they feel that this might be the closest a modern computer geek can get to becoming a superhero.

Any advice you can offer about reinstalling my hard drive would be greatly appreciated.  I've decided I'd like to strip as much useless stuff away as possible.  I'll be reinstalling Windows XP (professional edition).  I'll need to choose sensible anti-virus and firewall software, as McAfee was a huge pain in the backside.  Obviously, EAC and Squeezecenter will go back on, and some photo processing stuff, and MS office (professional edition).  I'll use Firefox as a browser.  And I guess I'll probably get around to installing SKYPE, so I can chat with my family in Australia.

Chad

Philistine

Re: Rootkits and the human condition
« Reply #1 on: 4 Jan 2009, 05:10 pm »
Chad,

I had a problem with XP hogging 21Gb on my laptop, and spent weeks trying to get it slimmed down with no success.
My laptop had multiple email accounts in Outlook 2003 (POP3 and IMAP) and it was critical not to lose any of the business related correspondence I had.  What I did was buy a new internal HD, and also use a third external HD.  I mirrored the original HD on the new laptop HD - this ensured I had everything intact, and backed up my emails on the external HD, and used the new HD as the principal for my laptop.  When I was confident that the new laptop HD was robust (ran it for a few months) I then reformatted the original laptop HD and reinstalled XP, all the software, saved files and backed up emails from the external HD.  I ran the old refreshed HD for another couple of months and when I was sure I had everything I needed I mirrored this on the new laptop HD, this is now my principal HD and the original HD has become an external backup.

My approach was inelegant, time consuming, required patience and anal - but it worked for me.

Good luck!   

WGH

Re: Rootkits and the human condition
« Reply #2 on: 4 Jan 2009, 05:30 pm »
Sounds like you got good advice, once a rogue program gets into the MBR (master boot record) the only way to really be sure it is gone is a reformat.

I have a lot of XP tune-up tips saved, I'll gather them into a package you can download.

I have great trust in what Scot Finnie writes, last year he picked NOD32 and Online Armor as the best antivirus and firewall programs. I have used NOD32 for a couple of years and like it a lot.

link: Eset’s Nod32 2.7: Best Antivirus Product of 2007

link: The Best Firewall Software of 2008: Online Armor

Performance tip: XP Pro really likes 2 GB ram, you will notice the speed increase.

Wayne

WGH

Re: Rootkits and the human condition
« Reply #3 on: 4 Jan 2009, 08:31 pm »
Reinstalling XP - Part 1

One of the most time consuming parts about reinstalling Windows XP is installing the three service packs. An installation can be simplified with a little preparation by making a slipstreamed installation disk. Fred Langa recently explained what this means in the latest Windows Secrets newsletter.

You can get articles like the one below for about $1 a month by subscribing to Windows Secrets:
http://windowssecrets.com/

Slipstreaming simplifies Windows reinstalls By Fred Langa

It's not difficult to update your Windows Setup CDs to make your next OS reinstallation a breeze.

Creating a custom setup CD that's fully prepatched with Windows updates and service packs is easier than you may think.

Reader Bill Beadenkopf makes a good point in his response to the item in my Dec. 4 column on using the XP Setup CD to reformat your hard drive:

"If you have patched and updated your OS, and those patches are not included on your Setup CD, then you will have to reapply all of those patches. Reinstalling the operating system from the original CD will restore the PC to its original, unpatched condition. It may be possible to obtain an updated CD from the manufacturer. For a small fee, Microsoft will supply service packs on CD."

You're right, Bill. But there's a way around the out-of-date Setup CD. Good thing, too, especially with an older OS such as XP. If you do a reinstall with the original XP Setup CD, you then must reinstall not only the original OS but also as many as three separate service packs, along with a lengthy list of "optional" patches and updates. This can easily add hours to the already-lengthy setup process. What a pain!

You can avoid this reinstallation hassle by using a process called "slipstreaming." And to top it off, doing so is free.

In slipstreaming, you create a new custom setup CD that combines the files on your original retail Setup CD with the files comprising the most recent service pack. This hybrid CD is 100% legitimate and will work exactly as your original one did, even to the point of using your original 25-character product key.

Unlike the Setup CD that shipped with your system, the slipstreamed disc will be up-to-date, prepatched, and current to the latest service pack. When you use a slipstreamed CD to set up a PC, the new installation will be up-to-date — or very nearly so — from the moment the refreshed copy of Windows first boots.

Creating a slipstreamed setup CD used to be a deep-geek exercise done only by OEMs and IT departments. The tools and techniques have improved in recent years, however, and many sites now offer complete point-and-click instructions that make slipstreaming relatively simple.

There still can be many steps to the process, but no single step is very difficult; almost anyone with intermediate PC experience can slipstream a setup CD with minimum difficulty. (As with so many things, the first time is the hardest.)

Paul Thurrott's Windows Supersite has great info on many tech topics, including slipstreaming for XP. Paul's XP SP3 slipstream instructions appear on this page, which also has links to instructions for slipstreaming earlier versions of XP, if you need them.

Microsoft was supposed to simplify the slipstreaming process for Vista, but that didn't work out quite as the company had planned. Right now, the officially sanctioned Vista slipstream method involves using Microsoft's Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008 (download page). The program is free but is a huge 1.4GB in size. Also, it's not particularly easy to use because it was designed for mass deployments of Windows on a huge, corporate scale.

Fortunately, a clever programmer named Dino Nuhagic has produced a kind of front end for AIK called vLite (more info), which stands for "Vista Lite." Dino's original idea was to let you preconfigure a personal Vista setup by preventing unneeded components and services from being installed in the first place, giving you a stripped-down "lite" (or at least "lite-r") version of Vista than the standard model. The tool also lets you place patches and updates on the new setup CD. In effect, this creates a slipstreamed version.

If the vLite option interests you, there's a handy step-by-step overview on an Obelisk blog post that describes how to use the program to slipstream Vista. Read the cautions on that blog before you start; the instructions it provides won't work for every possible Vista setup variant, but they'll work in most normal cases.

BTW, in case you're wondering why it's called "slipstreaming," it's because vendors once used this technique as a way of stealthily delivering unannounced patches and updates. They'd quietly change the master files at their CD duplicating plant and, without fanfare or other announcement, would simply begin producing a slightly different version of their product. This let the vendor correct problems without attracting publicity.

So why call it "slipstreaming?" In your mind's eye, picture dropping new code into the imaginary wake of a rapidly "moving" software product — into its slipstream, as it were.

Building your own updated setup CD isn't really slipstreaming in that sense of the word. Still, everyone refers to the process as "slipstreaming," and now you know why.

Links:

Use XP Setup CD to reformat your hard drive

Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008

nLite - a tool for customizing the Windows XP installation before actually installing it

Slipstreaming Windows XP by Paul Thurrott - How to slipstream SP3 with links to SP1 and SP2 instructions

WGH

Re: Rootkits and the human condition
« Reply #4 on: 4 Jan 2009, 08:53 pm »
Reinstalling XP - Part 2

Fresh installs of Windows XP can be confusing and the finished product is a bloated, slow OS. Luckily Maximum PC has figured out how to make this agonizing process fun and exciting again. After fine tuning, your computer will be a nimble, lightning fast killing machine and purr like a cheetah.

Give Windows XP a Clean Start
10 easy steps on how to reinstall Windows XP

Put XP on a Diet
Get rid of unnecessary start-up programs, services, and overall bloat.

Energize XP
Transform Windows into a faster, stronger, leaner operating system.

chadh

Re: Rootkits and the human condition
« Reply #5 on: 5 Jan 2009, 12:07 am »

Thanks so much for that, Wayne.  I'm totally clueless about these things, and simple, direct instructions make things easy for me.

What will make it more difficult is that I can't work out where I put the XP disk.

Chad

randytsuch

Re: Rootkits and the human condition
« Reply #6 on: 5 Jan 2009, 01:26 am »
Check this out for advice to get rid of malware, without formatting and reinstalling

http://forums.majorgeeks.com/showthread.php?t=35407

Also, check out this program
http://www.sandboxie.com

It creates a "sandbox", which is a segregated area, so if you pick up malware, it does not infect your pc, it will only infect the sandbox.

Randy

JohnR

Re: Rootkits and the human condition
« Reply #7 on: 5 Jan 2009, 03:52 am »
I'm somewhat intrigued to know what you mean when you say you got a rootkit - ? Were you hacked, or installed something from somewhere?


chadh

Re: Rootkits and the human condition
« Reply #8 on: 5 Jan 2009, 04:10 am »
Quote
I'm somewhat intrigued to know what you mean when you say you got a rootkit - ? Were you hacked, or installed something from somewhere?

John, remember I'm swimming in foreign waters here, so I'm really just guessing how best to use the jargon.  But my understanding is that some sort of remote access trojan was installed on my computer at some stage.  Whether this was the result of someone visiting the wrong website or opening the wrong email attachment I'm not sure.  Whether any real hacking occurred subsequently is another issue.  I suspect not:  I only observed weird porn appear on my desktop from nowhere and all of my internet activity suddenly was redirected to the wrong place.

Chad

ecramer

Re: Rootkits and the human condition
« Reply #9 on: 5 Jan 2009, 04:11 am »
Quote
I'm somewhat intrigued to know what you mean when you say you got a rootkit - ? Were you hacked, or installed something from somewhere?

Well, I looked it up to find out what it was; now I'd like to know how you managed to get it  :lol:

richidoo

Re: Rootkits and the human condition
« Reply #10 on: 5 Jan 2009, 04:30 am »
You can clean that off without reinstalling windows. You just got hijacked.  Some of them can be tricky to conquer. Try to figure out the name of the infection (new applications installed, or maybe running in the process list) so you can google it to find how to kill it. The hijacked website can give you a clue, google that site URL with "hijack."

Try running the basic cleaners first, like Spybot - Search & Destroy, and Malwarebytes Anti Malware

Be patient you will get it. PM if you want some help. I used to do it for hire. I stopped when my hair started falling out  :lol:  Can be very frustrating.

chadh

Re: Rootkits and the human condition
« Reply #11 on: 5 Jan 2009, 03:16 pm »

richidoo,

Thanks for the offer!  You're very generous.

The guy I've been talking to at whatthetech.com has also told me that he's happy to help me clean things off the computer.  But he's not prepared to guarantee that everything ends up completely fixed.  I think he feels it's pretty easy to rid myself of the infection (actually, I think that's been done).  But it becomes harder to know what damage has been done while someone had access to the computer and, without reinstall, I might never know that the system is operating properly. 

I had Spybot -S & D and MBAM on the pc, and neither of them were able to fix things.  MBAM found a vundo trojan, but every time it cleaned it off, the trojan would return.  As it turned out, this trojan was more of a symptom than the cause of my problems.  The people at whatthetech.com had me run combofix which pretty quickly identified that there was rootkit activity and expelled a series of files related to a rootkit identified as Service_TDSSSERV.SYS.

The program prevented me from visiting websites that might help me solve the problem, it prevented me installing various pieces of software that might help, it prevented me from updating anti-virus software, it prevented me from updating java.  I don't know that there's any way to determine how much was changed on my pc, nor how those things were changed.

What's more, I have no idea when the program was installed, nor from which website it came.  I suspect it happened when my father-in-law was using the pc on new year's eve, but that might just be perfectly natural anti-in-law-sentiment.  For all I know, my pc has been spamming "best BDSM porn" all over the internet for months.  (If so, my apologies to anybody who received it and didn't want it, and to anybody who missed out but was hoping for a Christmas delivery).

I understand that the guy helping me from whatthetech.com has every incentive to be somewhat pessimistic about the chances of recovery without a reinstall.  So if you REALLY think that, with very high probability, everything will be okay without doing it, then I'd love to hear it.  But I'd hate to think that laziness on my part might end up leaving a TCP port open (or some similarly easily overlooked issue) that would allow the same thing to happen again next month.

Chad

WGH

Re: Rootkits and the human condition
« Reply #12 on: 5 Jan 2009, 03:35 pm »

Quote
Thanks so much for that, Wayne.  I'm totally clueless about these things, and simple, direct instructions make things easy for me.

You are welcome Chad, glad to help.

Quote
I only observed weird porn appear on my desktop from nowhere and all of my internet activity suddenly was redirected to the wrong place.

This sounds like a corrupted/changed Hosts file. The file should have only one entry:
127.0.0.1 localhost
Yours probably has been changed by the trojan which then redirects your browser to the porn sites.
Unfortunately until you get rid of the trojan simply editing the Hosts file will not solve your problem because it will be re-written by the trojan.

Webroot Spysweeper may solve your problem without an  XP re-install, I use it to be sure my system is clean.
http://www.webroot.com/En_US/consumer-products-spysweeper.html
They have a free scanner too.

Wayne
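An added check, not from Wayne's post or from any tool named in the thread, that audits a hosts file against the rule he states: anything beyond the loopback mapping for localhost gets flagged, whether it points a site at a foreign address or blackholes a security vendor's site at loopback so updates and scanner downloads silently fail. The sample hosts content and the address 66.66.66.66 are constructed, and the default path assumes a standard Windows layout.

```python
from pathlib import Path

# Constructed sample of a tampered hosts file (not taken from the thread).
# The last three lines are the kind of entries a hijacker adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
66.66.66.66     www.malwarebytes.org
66.66.66.66     update.nod32.com
127.0.0.1       www.eset.com
"""

# IPv4 and IPv6 loopback; '::1 localhost' is treated as benign as well.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:  # one line may list several hostnames
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag every entry except localhost mapped to loopback.

    Two kinds of tampering show up: a real site pointed at some other
    address (browser redirect), or a security site pointed at loopback
    (updates and downloads quietly fail).
    """
    flagged = []
    for ip, name in entries:
        if name == "localhost" and ip in LOOPBACK:
            continue
        if ip in LOOPBACK:
            reason = "site blackholed to loopback"
        else:
            reason = "non-loopback mapping"
        flagged.append((ip, name, reason))
    return flagged


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file; path is an assumption about the layout."""
    return suspicious_entries(parse_hosts(Path(path).read_text(errors="replace")))


if __name__ == "__main__":
    for ip, name, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{ip:<16} {name:<24} {why}")
```

As Wayne notes, this only tells you the file has been altered; until the trojan itself is removed, any edit you make will be written back over.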

richidoo

Re: Rootkits and the human condition
« Reply #13 on: 5 Jan 2009, 03:45 pm »
I used to resort to nuking the drive for everything. I have not needed to do so for many years.

You can set Winders firewall back to default easy enough: Control Panel > Windows Firewall > Advanced Tab > Default Settings > Restore Defaults button

You can run system file checker in Windows to look for corrupt or missing files in the OS. So don't worry about the condition of windows, just get rid of the virus.

Here is a thread that might be useful about your virus:
http://www.computing.net/answers/security/cant-remove-tdsservsys/24081.html
It's from 2 weeks ago, so if you can't find your own way with these tips, you could ask this guy jabuck to help you.

WGH

Re: Rootkits and the human condition
« Reply #14 on: 5 Jan 2009, 03:49 pm »

Quote
The people at whatthetech.com had me run combofix which pretty quickly identified that there was rootkit activity and expelled a series of files related to a rootkit identified as Service_TDSSSERV.SYS.

Getting rid of the rootkit may involve editing the registry and replacing files, since you are admittedly clueless there is a chance you will do even more damage by accidentally changing the wrong registry entry.

You are right, the only way to really be sure the trojan is gone is a reinstall.

Wayne

WGH

Re: Rootkits and the human condition
« Reply #15 on: 5 Jan 2009, 03:56 pm »

Quote
Here is a thread that might be useful about your virus:
http://www.computing.net/answers/security/cant-remove-tdsservsys/24081.html
It's from 2 weeks ago, so if you can't find your own way with these tips, you could ask this guy jabuck to help you.

Yikes, a complete install with the all the service packs may be a quicker fix than messing with this solution.

That said, it all depends how much stuff is on your computer, I would try it because it would take me a week to re-install all the programs I use and fine tune the OS.

Wayne

Philistine

Re: Rootkits and the human condition
« Reply #16 on: 5 Jan 2009, 05:14 pm »
If you can clean out your system with what Wayne has posted then this is the lowest cost and most efficient route to go.
Thanks for posting these Wayne - wish I had access to some of these a few months ago!

My problem was different to yours, no website redirects etc, a reinstall didn't work and I finished up having to reformat and then reinstall.  What it has given me is a cleaner faster running computer and I was forced to get rid of all the rubbish that had accumulated over 3 years.  If you have to go down this path the decreased cost of external and internal hard drives make it less expensive as an option, and you finish up with the hardware to implement a future robust backup strategy.  I'm not trying to promote my solution, just trying to take the fear out of it if you have to do this.  I'm sure the whatthetech guy can help you if you have to go down this route.

chadh

Re: Rootkits and the human condition
« Reply #17 on: 5 Jan 2009, 07:23 pm »

Quote
Here is a thread that might be useful about your virus:
http://www.computing.net/answers/security/cant-remove-tdsservsys/24081.html
It's from 2 weeks ago, so if you can't find your own way with these tips, you could ask this guy jabuck to help you.

Thanks!  Most of the stuff listed on that thread is essentially what I've already done.

My thread from the whatthetech forum is here:  http://forums.whatthetech.com/trojan_vundo_trouble_t98576.html

Chad

richidoo

Re: Rootkits and the human condition
« Reply #18 on: 5 Jan 2009, 08:58 pm »
I would get rid of McAfee before trying the removal apps again.