Rootkit Makes me a Better Windows User

At home this weekend, I had to re-install Windows 10 twice due to a particularly nasty piece of malware (a rootkit!). It came nicely bundled in an installation file I downloaded from Torrentula.

The rootkit was sophisticated. It prevented Malwarebytes from launching by running in the same memory address Malwarebytes runs in (I believe this is called a stack overflow, but someone more experienced could maybe fill me in here?). Meanwhile, Windows Defender kept finding malware and infections and prompted me to restart the computer after cleaning – which only meant all the infections mushroomed again as if nothing had happened.

I decided then to just nuke everything and format my hard drives from the Windows Live CD setup screen. I don’t store crucial personal information I need on my C drive (for this reason among others) anyway.

Here are some interesting things I learned from reinstalling Windows 10 Pro:

  • Re-installing Windows 10 is very easy. In my experience, it takes less time than installing Mac OS. All you need is the Windows 10 Live CD ISO. Make sure you choose the “install Windows on a different computer” option in the Download Tool once you activate, to create a bootable USB drive. This installation media is smart. For my computer, it knew to ask for my Microsoft Live credentials; for a computer at work (another story) it didn’t even ask and “knew” it belongs to an institution*.
  • Windows 10 found my settings, such as my desktop wallpapers and color schemes, and restored them. These were probably saved to One Drive, since I cleared my hard drive completely (including partitions) from the USB, so there was no way it retrieved this information from there. As soon as I logged into my account during setup, Windows started with the same basic settings it had before the nuking.
  • Windows 10 creates a 500MB hidden partition (without a letter assigned) upon installation on the main C drive. Not sure what it’s for, probably for the sort of shit I just pulled off (can anyone fill me in on this?).
  • Cortana, One Drive, and whatever other mind tricks Microsoft is pulling are annoying. Even though I specified I don’t want Cortana, Windows’ express installation settings re-activate it. You have to choose “custom” during installation and uncheck everything again. One Drive requires a more sophisticated Group Policy change later on as well. These also help with Cortana. However, you need Windows Pro and up to have those Group Policy options, otherwise you’re not admin enough for Microsoft and as a mere home user they think you must use One Drive and Cortana for your own good.
  • Windows 10 does have an imaging tool. The first time I installed Windows on this machine I thought Windows backup and an image were the same thing… No! As a matter of fact, I don’t think I’ll bother with a whole system-wide backup anyway. Instead, I created a new image as soon as I finished the initial setup (like display drivers, Google Chrome as default, etc.) and stored it elsewhere. Here’s how you get to the Windows 10 imaging tool: Control panel (right click Windows logo) > File History > System Image Backup.
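The Cortana and One Drive point above mentions a Group Policy change without spelling it out. As an added example (not from the original post), the script below writes the two standard Windows policy registry values behind those settings and reads them back to confirm; it assumes the policy names “Allow Cortana” and “Prevent the usage of OneDrive for file storage” map to the registry values shown, and must be run from an elevated PowerShell.

```powershell
# Added example (not from the original post): apply the Cortana and OneDrive
# policy settings by writing their policy registry values, then verify them.
# Assumption: these are the standard Windows policy values for
# "Allow Cortana" and "Prevent the usage of OneDrive for file storage".

$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
       Name = 'AllowCortana';        Value = 0 },   # 0 = Cortana off
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Name = 'DisableFileSyncNGSC'; Value = 1 }    # 1 = OneDrive sync blocked
)

# The post notes that the Group Policy editor needs Pro or higher; warn if this
# looks like a Home edition so the reader knows why gpedit.msc is missing.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
if ($edition -match 'Home') {
    Write-Warning "$edition detected: gpedit.msc is not available on Home editions."
}

foreach ($p in $policies) {
    # Fresh installs have no Policies key for these components yet; create it.
    if (-not (Test-Path $p.Path)) {
        New-Item -Path $p.Path -Force | Out-Null
    }
    New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord `
        -Value $p.Value -Force | Out-Null
}

# Verify: read each value back and flag drift, so re-running this after a
# reinstall or feature update shows whether anything was reset.
foreach ($p in $policies) {
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name `
               -ErrorAction SilentlyContinue).($p.Name)
    $state  = if ($actual -eq $p.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1}\{2} = {3}' -f $state, $p.Path, $p.Name, $actual
}
```

Sign out and back in (or reboot) for the Cortana change to take effect in the shell; the OneDrive policy stops the sync client at its next launch.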

I did mention I set up Windows twice. Why? Because after the first time, I only knew that one of the apps I installed contained the rootkit… After the second time, I knew exactly which one it was… See? Sometimes you learn the hard way.

* Pro tip: if you order Windows PCs for school/work and you know they come with crapware from the manufacturer, do yourself a favor and wipe it clean with this tool. It’s faster than trying to uninstall each one individually. Better yet, of course, if you have an image…