Windows XP Service Startup issue

A number of services have recently started timing out when my PC is booting up - the main ones are DHCP, Windows Audio and Themes. I've just run a full malware scan and removed a few things but it's still happening.

You may recall I had a rootkit issue about six months ago. 

It was a nightmare.  I even fell into the trap of forcing my PC to start in safe mode- this particular virus had disabled safe mode altogether, which meant my computer wouldn't boot up at all.  I wound up having to boot from my Windows XP disc and do all manner of things.

It took three days, ten different programs, and some intensive manual tweaking to get things back to normal. 


Edited by Epignosis - May 27 2010 at 12:37

Dean wrote: It's possibly a rootkit (virus) that's attempting to take over those services. If it is, then you're stuffed - lots of apps claim to remove rootkits, but none of them do. You can try doing a system restore but that's unlikely to work either.

Epignosis wrote: You may recall I had a rootkit issue about six months ago.  It was a nightmare.  I even fell into the trap of forcing my PC to start in safe mode- this particular virus had disabled safe mode altogether, which meant my computer wouldn't boot up at all.  I wound up having to boot from my Windows XP disc and do all manner of things. It took three days, ten different programs, and some intensive manual tweaking to get things back to normal.

Epignosis wrote: chopper wrote: Epignosis wrote: You may recall I had a rootkit issue about six months ago.  It was a nightmare.  I even fell into the trap of forcing my PC to start in safe mode- this particular virus had disabled safe mode altogether, which meant my computer wouldn't boot up at all.  I wound up having to boot from my Windows XP disc and do all manner of things. It took three days, ten different programs, and some intensive manual tweaking to get things back to normal.  Thanks, I've just read that thread, you mentioned "I ran a program that took over seven hours just to scan both drives, and it caught myriad things I wouldn't have thought of" - what program was that? I'm pretty sure that was drweb-cureit. No guarantees of course, but this one and Malwarebytes Anti-malware proved to be the most effective.

Doctor Web just takes forever because it's slow, its detection rate isn't that great¹. But it's useful to have, and is the only effective way of removing the Mebroot trojan (nasty lil' bugger) I've found.

¹ http://www.virus.gr/portal/en/content/2009-08%2C-10-august-05-september

=F=


Edited by Falx - May 28 2010 at 07:41

chopper wrote: Thanks for the advise everyone. I'm going to try Dr Web at least (speed isn't really an issue, I'll just leave it running overnight if I have to).  Something else is also redirecting some of my web searches to another search engine so I need to get rid of that as well.   Quite why anyone thinks this is going to benefit them I don't know. If I want to go to a site for a reason and they divert elsewhere, I'm not going to think "Oh ok, I'll have a look here instead". Just  off will you.   Rant over.

Epignosis wrote: Dean wrote: chopper wrote: Thanks for the advise everyone. I'm going to try Dr Web at least (speed isn't really an issue, I'll just leave it running overnight if I have to).  Something else is also redirecting some of my web searches to another search engine so I need to get rid of that as well.   Quite why anyone thinks this is going to benefit them I don't know. If I want to go to a site for a reason and they divert elsewhere, I'm not going to think "Oh ok, I'll have a look here instead". Just  off will you.   Rant over.  stop!   This is what rootkits do! You are definitely infected and anything you send or recieve is suspect. The reasonn it shows on Themes and DHCP is because it patches itself into whatever is in your boot sequence (msconfig ->startup) - those fail because the patch failed, but other processes were patched and didn't fail,which is why your search is being redirected.   I don't trust av software to 100% remove a rootkit - most just remove the symptoms, which will return again sometime in the future - the only guaranteed safe recovery is reformat your harddrive and reinstall XP. You may be right Dean, but I've not had a single problem since November.  Granted it took three days, ten different programs, and screwing around in the registry among other things. Assuming there is still a rootkit problem somewhere on my hard drive, what would cause it to "return in force?"

Rootkits patch themselves into the operating system so they load before any antiviral software, to do this they attack the o/s at quite a low level and infect as much of it they can, if it has attached itself to a little used piece of the o/s it may be months before that is ever used, but once it is, out pops the virus. It could be anything, even just plugging a new piece of hardware could invoke an infected dll.

Bill Gates is evil and must be destroyed. 

Running Dr Web now, it's found another bit of the TDSS virus I thought I'd cleared.

James wrote: Have you got a HijackThis log?  I'm not sure if RootKits will show up on there though. I often use CCleaner to clear my Registry.  Of course, that won't really help your situation but it's a useful bit of software.

Rootkits are way over HijackThis's head, they normally live in c:\windows\system32\drivers and are loaded while the OS is booting. The only way to get rid of them is to pull the hard disk and scan it in another computer, or boot off a live CD (e.g. ERD Commander) and remove the file yourself, if you know where it is.

=F=