Archive for the ‘Howto’ Category

How to kill Malware (Viruses and the like)

Friday, September 12th, 2008

Short Answer: Use the free tool Autoruns to stop malware running at startup, then scan and remove with AVG etc.

Slightly longer one: Having had many people request my services to rid their computers of all kinds of malware – viruses, worms, spyware etc – I have developed a simple toolkit and method for removing them, for systems that you can actually boot up, at least.

The weakness of malware is that it is not very dangerous while it simply sits on your system somewhere; it has to be executed. Initially that is most likely done by the user themselves, but after that there are many areas in the registry which control which programs, services and .dll files are loaded when the system starts up.

My most invaluable (what a very strange word, by the way – like extraordinary) tool when combating malware is Autoruns. Autoruns is written by some guys at Sysinternals. It is a tool for listing, deleting and disabling all items that run when Windows starts up. This includes executables, shortcuts, Browser Helper Object .dlls, drivers etc.

Scroll through the Autoruns list and look for items which are not digitally signed at all (the publisher column is blank), and for ones with suspicious names like random numbers and letters. If you find one with no publisher which you are not sure about, just type its process name into Google and see what you find. You can simply uncheck items you don’t want, and if this breaks your computer you can always return to Autoruns in safe mode and re-check them.
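The two checks above (a blank publisher column and a random-looking name) can be applied mechanically to an exported Autoruns list, which is quicker than scrolling when there are a few hundred entries. The script below is an added example, not code from the post or from Sysinternals: the CSV column layout (Location, Entry, Publisher, ImagePath) is an assumption modelled on an export, and the rows are constructed sample data rather than output from a real system. Anything it flags is a name to look up, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original post: triage an Autoruns-style CSV export with
# the two heuristics from the text (blank Publisher column; random-looking image name).
# The column layout is an assumption; the rows below are constructed sample data.

SAMPLE_CSV='Location,Entry,Publisher,ImagePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SoundTray,Example Audio Ltd,C:\Program Files\Example Audio\SoundTray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,tsnp2std,Example Camera Co,C:\WINDOWS\tsnp2std.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,a7x9k2q1,,C:\Documents and Settings\User\Local Settings\Temp\a7x9k2q1.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,HelperApp,,C:\Program Files\HelperApp\HelperApp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,Example Toolbar,Example Software Inc,C:\Program Files\Example\toolbar.dll'

# Read the CSV on stdin and print one line per flagged entry: reasons|Entry|ImagePath.
# Field 3 is Publisher, field 4 is ImagePath (simple CSV, no quoted commas).
triage_autoruns() {
    awk -F, 'NR > 1 {
        reasons = ""
        if ($3 == "") reasons = "no-publisher"

        # Base name of the image, lower-cased, extension removed.
        n = split($4, parts, /\\/)
        image = tolower(parts[n])
        sub(/\.[a-z0-9]+$/, "", image)

        # "Random-looking": 8+ characters of only letters and digits, at least two
        # digits, and no two vowels separated only by letters (real words usually have them).
        tmp = image
        ndigits = gsub(/[0-9]/, "", tmp)
        if (length(image) >= 8 && image ~ /^[a-z0-9]+$/ && ndigits >= 2 &&
            image !~ /[aeiou][a-z]*[aeiou]/)
            reasons = (reasons == "") ? "random-name" : (reasons ",random-name")

        if (reasons != "") printf "%s|%s|%s\n", reasons, $2, $4
    }'
}

# Run the triage over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_CSV" | triage_autoruns
}

triage_sample
```

On the sample the signed entries, including tsnp2std, pass; the Temp-folder entry is flagged on both counts and the unsigned Program Files entry only for its blank publisher. That matches how the post treats them: a missing publisher is a reason to look the name up, not a reason to delete.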

It would be smart to double check tsnp2std.exe is legitimate, as it does have a digitally signed publisher

I was tasked with removing viruses from my friend’s computer recently. There was some particularly annoying malware present that I couldn’t find in Autoruns, and AVG Free 8 did not detect it either. When I would try to browse to certain URLs like support.microsoft.com, or windowsupdate.microsoft.com, (on IE and Firefox 3, but not Chrome) the browser would redirect to 127.0.0.1 and fail. The system32 Hosts file was not the culprit either.

Sufficiently disappointed in AVG for not finding this rogue piece of code in my system, I looked for other free tools to try scanning with. I would recommend Ad-Aware as a great free tool for removing spyware, except that it did not find this malware program.

Finally, my saviour came in the form of another miraculous free software product, Malwarebytes’ Anti-Malware. I would highly recommend installing this product along with AVG Free. The Malwarebytes program does not run on start-up, so it doesn’t take additional system resources. It would be a good idea to run this occasionally, in case AVG misses something nasty.

If you suspect that some Windows system files may be corrupted or missing, running ‘sfc /scannow’ will check all system files and replace them if needed. You will need your Windows install disc for this tool.

The Windows Vista install DVD is also very adept at repairing a Windows installation. You may need to use this option if you cannot even boot into Safe Mode.

Software RAID On Linux

Sunday, August 3rd, 2008

A couple of months ago I scored a free computer from one of my brother’s friends because it was broken. It’s some kind of Pentium 4 with 500MB of RAM. With the addition of one of my spare video cards, it was perfect for a backup gaming computer (well, games like Warcraft and BF2).

I had been hosting a couple of websites off my Windows Vista computer and decided to move all the server stuff over to that extra computer. So I installed the Linux distro Ubuntu Server on it and moved the computer into my wardrobe, where I administer it from an SSH shell.

I had been hosting a cool website called Ampache, a PHP + MySQL solution that indexes all your music and lets you listen to it anywhere, from a browser (with a login). So the server was serving up the music that was located on my Vista machine, accessing it through Windows File Sharing. This was not ideal if I wanted to turn off the Vista computer or play around with OSX86. The hard drive I had in the Linux computer was a 40GB, so with the Linux stuff taking up about 5GB, there wasn’t enough space to copy all my music onto it.

So I stuck a spare 30GB hard drive in the server and read up on Software RAID for Linux.

I decided to use the RAID specification called ‘linear’, which basically works by appending partitions together. When the first partition is filled, the next one is used seamlessly, with it all appearing as one partition to the system. But I couldn’t use the 40GB partition which had the Linux operating system on it, otherwise I would lose all the data on that one.

I found a distribution of Linux on DistroWatch.com called ‘Parted Magic’. It’s about 50MB and just contains the tools required to partition your hard drives however you want. I resized the Linux partition to 8GB (non destructively) and used the remaining space for a secondary partition. Combined with the second hard drive and Software RAID, this would give me about 60GB – perfect storage on the server for my music.

Back in Linux now, the steps required for setting up Software RAID were surprisingly few.

  1. Identify the partitions / hard drives you will be using for the RAID device, i.e. find out their device names (/dev/sdb1 etc).
  2. Back up your data.
  3. Run ‘cat /proc/mdstat’ to check whether your kernel has RAID support. If the file does not exist, then either your kernel does not support RAID and you need to change it, or you need to load the kernel module. If typing ‘modprobe md’ succeeds, you have loaded the RAID kernel module. You will need to make sure this module is loaded on boot, so add the ‘md’ module to your kernel startup file. This may be at /etc/modules.autoload, /etc/modules.autoload.d/, /etc/modules.conf or somewhere similar.
  4. Install the mdadm tool by running ‘apt-get install mdadm’ as root or superuser.
  5. Depending on which type of RAID device you want to set up, refer to the Software RAID Howto for the specific command. Disregard talk of /dev/raidtab and mkraid; just use the mdadm tool. The command I used for a linear RAID of 2 disks was: ‘mdadm --create --auto yes --verbose /dev/md0 --level=linear --raid-devices=2 /dev/sdb1 /dev/sda3’
  6. If that is successful, you will see something like ‘mdadm: chunk size defaults to 64K, mdadm: array /dev/md0 started.’ This has created your RAID device at /dev/md0.
  7. Create an ext3 filesystem with ‘/sbin/mkfs -t ext3 /dev/md0’
  8. Mount: ‘mkdir /mnt/raid && mount /dev/md0 /mnt/raid’
  9. Add an entry to /etc/fstab.
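Steps 1 to 9 above, collected into one script. This is an added example, not a script from the post: the device names /dev/sdb1 and /dev/sda3 are the post’s and stand in for whatever your own step 1 turned up, and two things are additions the list does not cover, namely recording the array in /etc/mdadm/mdadm.conf so mdadm assembles it again at boot, and keying the fstab line on the filesystem UUID instead of /dev/md0. It defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: the nine RAID steps as one script.
# RAID_DEVICES defaults to the post's two partitions and must be changed to the ones
# your own step 1 identified. DRY_RUN=1 (the default) only prints each command, so
# nothing is written until you have backed up (step 2) and checked the device names.
set -eu

RAID_DEVICES="${RAID_DEVICES:-/dev/sdb1 /dev/sda3}"   # placeholders from the post
MD_DEVICE="${MD_DEVICE:-/dev/md0}"
MOUNT_POINT="${MOUNT_POINT:-/mnt/raid}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command, and run it only when not dry-running.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Step 3: RAID support is present if /proc/mdstat exists or the md module loads
# (module name as given in the post).
have_md_support() {
    [ -r /proc/mdstat ] || modprobe md 2>/dev/null
}

# Number of devices in a space-separated list; --raid-devices must match it.
count_devices() {
    set -- $1
    echo $#
}

# Step 5: the mdadm command for a linear array, built as a string so it can be
# reviewed (or compared against the post) before anything runs.
mdadm_create_cmd() {
    echo "mdadm --create --auto yes --verbose $MD_DEVICE --level=linear" \
         "--raid-devices=$(count_devices "$RAID_DEVICES") $RAID_DEVICES"
}

# Step 9: fstab line keyed on the filesystem UUID rather than /dev/md0, because md
# device numbers are not guaranteed to be stable across boots.
fstab_entry() {
    echo "UUID=$1 $MOUNT_POINT ext3 defaults 0 2"
}

main() {
    if ! have_md_support; then
        echo "warning: no md support found (/proc/mdstat missing and 'modprobe md' failed)" >&2
        [ "$DRY_RUN" = 1 ] || exit 1
    fi
    run apt-get install -y mdadm                          # step 4
    run $(mdadm_create_cmd)                               # step 5; word splitting intended
    run mkfs -t ext3 "$MD_DEVICE"                         # step 7
    run mkdir -p "$MOUNT_POINT"                           # step 8
    run mount "$MD_DEVICE" "$MOUNT_POINT"
    # Record the array so mdadm assembles it at boot; not in the post's list, but
    # without it /dev/md0 may not exist by the time fstab is processed.
    run sh -c "mdadm --detail --scan >> /etc/mdadm/mdadm.conf"
    if [ "$DRY_RUN" = 1 ]; then
        uuid="UUID-FROM-BLKID"                            # placeholder in dry runs
    else
        uuid=$(blkid -s UUID -o value "$MD_DEVICE")
    fi
    run sh -c "echo '$(fstab_entry "$uuid")' >> /etc/fstab"   # step 9
}

main
```

Run it once as is to read the commands it would issue, then with DRY_RUN=0 as root once the device list is right. Because linear mode only appends partitions, losing either disk loses the whole filesystem, so the backup in step 2 is not optional.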

Excellent, a 60GB combined partition out of 2 hard drives. I could add more in the future if I want. All that was left was to create a SAMBA share, and then set up SyncToy 2.0 to sync my music to the server every night.

Transferring Vista – Migrating to Another Hard Drive

Monday, May 26th, 2008

These instructions show how you can copy your entire Vista installation with the contents of its partition to another hard drive and successfully boot from it. This method uses only the tools found on the Vista Install DVD.

I tried this about a month ago and I tried so many things to fix it, I lost track of what processes actually caused it to work. So, after a few test runs thanks to VMWare, I have been able to pin down the steps required. Most procedures and commands are taken from the blog post and comments at http://geekswithblogs.net/lorint/archive/2006/12/07/100596.aspx. The reason I am re-writing someone else’s work is because their example was for Windows XP. I tried it for Vista Ultimate 32bit and it would not work. I had originally thought bootrec /fixboot solved the problem, but it appears I was wrong : )

  1. It’s a good idea to run a program like CCleaner to get rid of any garbage files you don’t want to waste time duplicating first.
  2. Stick the Vista DVD in your optical drive, shut down the computer, connect up your new hard drive and power her up.
  3. You should now be in the Vista installation process. Select your language, then click Next, then Install. When the license terms come up, press SHIFT+F10 to bring up the command prompt.
  4. Partition and format your new hard drive. Type DISKPART to bring up the relevant Microsoft tool and use a variation of these commands. Make sure you identify which hard drive is which with LIST DISK.
    • LIST DISK
    • SELECT DISK 1
    • LIST PARTITION
    • CREATE PARTITION PRIMARY
    • LIST PARTITION
    • SELECT PARTITION 1
    • ACTIVE
    • FORMAT QUICK
    • LIST VOLUME
  5. Determine which partition is your old and which is your new one on the new hard drive with this tool. In my case it was C: and I: respectively.
  6. Type exit to terminate DISKPART and type
    ROBOCOPY C:\ I:\ /e /efsraw /copyall /dcopy:t /r:0 /XJ
    where the first drive letter is the source partition and the second is the destination. This command could run for a couple of hours, depending on the volume of data.
  7. When that’s finished, exit the command prompt and turn off the computer. Disconnect the old hard drive. Start the PC up and boot from the Vista DVD again.
  8. This time, select your language etc and on the next screen click ‘Repair your computer’
  9. A dialog box will pop up saying ‘Scanning for Windows installations’, then it will report ‘Windows found problems with your computer’s startup options. Do you want to apply repairs and restart your computer?’. Click ‘Repair and restart’
  10. Cross your fingers

Transferring Vista

Friday, April 25th, 2008

When I installed Vista to try it out, I only created a 20GB partition for it. Now completely out of free space for that system drive, I wanted to copy the installation over to a 30GB hard drive (Wow, I know). A search on Google turned up a very promising result; Howto: Duplicate any Windows installation to a new hard disk using only a Vista DVD (!)

This was excellent because all the tools you need to copy a Vista (or XP I’m guessing) installation to another hard drive are included in the Vista install DVD. First, I booted up the Vista DVD and selected English for the language, then clicked Install (one reason this took so long is because it takes at least 5 minutes to go between these screens). Then Shift+F10 brought up a command prompt. Another way to do this is to click repair instead of install and go to the advanced tools.

A quick use of Diskpart allowed me to identify the correct hard drive. I followed the instructions and created a new active partition on the 30GB. I then ran the command

ROBOCOPY C:\ I:\ /e /efsraw /copyall /dcopy:t /r:0 /XJ

which proceeded to copy the whole contents of C drive, including hidden and system files, to my bigger hard drive, I. I didn’t pay much attention to what the switches meant, but XJ helps by not copying certain Unix-like shortcut/links present in user data.

When the copying finished, I restarted and made sure to boot from the 30GB. At first, a black screen with the word GRUB was all that happened. The hard drive had previously been used for Fedora 8, and the damn thing was still on there. So I booted back into the Vista DVD command prompt and ran the command ‘bootrec /fixmbr’ which had the Vista bootloader working again.

I restarted again. It had worked! But wait – not really. My 30GB had now been assigned drive H, while my original C drive had kept its original letter assignment. Hmm. My computer showed that C drive was still the system drive, so I had still booted into the old hard drive, and I was still out of free space.

Not having a very good knowledge of Windows’ startup processes then led me to miss the actual problem, and I proceeded to try and fix the problem with the registry. Disk management was not letting me change the drive letter assignment of the system drive, so I swapped around C and H drive in the registry key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.

Rebooting the system, I now had my bigger hard drive assigned drive C, but it was still not the drive that Vista was running on, as shown by a Windows icon now on drive H. I then tried changing system variables like SystemDrive, SystemRoot, etc. I had successfully changed these values back to C drive, but still Vista would boot from the old hard drive.

Then it occurred to me that it was a boot problem (finally). First I tried disconnecting my original drive. But then it wouldn’t boot at all! There was an error about Winload.exe being missing. I figured this was from all my registry fiddling. OK, so I plugged it back in and booted up, and found a free tool for editing the Vista boot loader (the name of the tool escapes me, but one I didn’t use is VistaBootPRO). The boot entry was set to drive H, so I changed it to C. Simple enough. But when doing this and disconnecting the old hard drive, I got the same boot failure due to missing system files.

I knew of a program to fix missing system files, SFC (system file checker). Running ‘sfc /scannow’ in the Vista DVD command prompt yielded some strange error which led me to believe you could only run the tool in an actual installation of Windows.

After some more googling, my hopes to get this working had been extended by a couple more ideas. I started the process again. I loaded the Vista DVD command prompt without my old SATA drive connected, so that the 30GB would appear as C drive to diskpart. Then I plugged the SATA drive in (hotplugging them works, but keep the power connected the whole time) and ran the ROBOCOPY tool again. This process took about an hour. Then I restarted the computer without the old hard drive plugged in as described by the link provided on that blog.

Unfortunately, this didn’t work either. I was still missing system files apparently. But my last idea was still untested. I went back into the Vista DVD command prompt, and typed the command ‘bootrec /fixboot’ and restarted again without the old hard drive.

Eureka! These many hours and I had accomplished an extra 10GB of system drive storage. But I think the learning experience was worth it.