Spyware Nightmares

[Tom]

In a couple of instances now, I have reinstalled Windows XP on customer
machines which are heavily infected with spyware...so much so that the
machines ran excruciatingly slow and the tediousness of cleaning spyware and
viruses did not justify the time to try to disinfect...so I reinstalled
Windows. After installing Windows XP and then loading Norton AV and setting
the firewall, I reconnected the pc's to the internet (via ethernet, directly
to the modem supplied by Verizon DLS, without any router, and got inundated
with spyware and viruses immediately. What specific steps in reinstalling
Windows, getting Updates, installing Antivirus, etc. can I take to make sure
I do not lose all the benefits of a Windows reinstall as soon as I reconnect
to the modem?

Thanks in advance,

Tom

 

[Michael Jennings]

Looks to me like step 8 (see appended Pat Walters WU post).
She's got a stutter there - SP2 and aps are both step 8's.

Follow the steps carefully and in order.
Don't reinstall the spyware applications.

In a couple of instances now, I have reinstalled Windows XP on customer
machines which are heavily infected with spyware...so much so that the
machines ran excruciatingly slow and the tediousness of cleaning spyware and
viruses did not justify the time to try to disinfect...so I reinstalled
Windows. After installing Windows XP and then loading Norton AV and setting
the firewall, I reconnected the pc's to the internet (via ethernet, directly
to the modem supplied by Verizon DSL, without any router, and got inundated
with spyware and viruses immediately. What specific steps in reinstalling
Windows, getting Updates, installing Antivirus, etc. can I take to make sure
I do not lose all the benefits of a Windows reinstall as soon as I reconnect
to the modem?

Thanks in advance,

Tom


message news:[email protected]...

You have all of the software (including drivers), the product
keys, the high-speed connection, and a way to backup the hard
drive: WARNING - You will be formatting the hard drive in this
option, and losing all data that you did not backup.

1. Backup all of your data by burning it on CD or copying it
to another computer or hard drive that will not be
formatted.

2. Put in the Windows XP Home Operating System CD ( make sure
this is not Windows XP Plus)

3. Restart the machine

4. Press a key when it says "Press Any Key to boot from
CD..."

5. Format the drive and create a partition

6. Follow the prompts to create a new installation of the OS.

7. Once the OS installation is complete, DO NOT yet connect
to the Internet.

8. Now install any Windows XP Service Packs you have on CD (I
suggest you order this from the website if you do not have
it.)

8. Install the Applications that were on the machine before.

9. Now retrieve the data that you saved in step 1, and put it
in the appropriate folders on the new partition.

10. Now set up your Internet Connection.

11. Visit Windows Update, and download EVERY critical update.

12. Repeat step 11 and rebooting as required until complete.

<snip>

 

[Robin Walker [MVP]]

...so I reinstalled Windows. After installing Windows XP
and then loading Norton AV and setting the firewall, I reconnected
the pc's to the internet (via ethernet, directly to the modem
supplied by Verizon DLS, without any router, and got inundated with
spyware and viruses immediately. What specific steps in reinstalling
Windows, getting Updates, installing Antivirus, etc. can I take to
make sure I do not lose all the benefits of a Windows reinstall as
soon as I reconnect to the modem?

If you reformatted before installing Windows, that will have killed all the
previous malware. But if you did a re-install or repair install, then all
you did is refresh the system files, leaving all malware in place.

In general, if you re-install Windows XP, you will lose the benefit of any
Service Packs previously applied. You should try to have Service Pack 2 on
a CD-ROM, so that you can update Windows XP to Service Pack 2 before
allowing it to go online for the first time.

A freshly installed and unpatched Windows XP will usually become infected
within about 30 seconds of joining the internet: you do need Service Pack 2
first.

 

[Ron Chamberlin]

Hi Tom,
When you put an unpatched machine on the net, the clock before it gets
whacked is very short.
If you don't have an SP2 CD, you might consider going here
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
and ordering one. In my shop, we have a standing policy that unpatched
boxes don't go out 'there'.


Ron Chamberlin
MS-MVP

 

[Tom]

I had one XP Pro computer on which I reinstalled xp, then I patched bu
downloading all updates in my office, which is protected by a router. I
downloaded and installed SP2 and all was well. I turned on the Windows
firewall. I tested the computer and found no issues. Then I then took the pc
to the customer site and installed (he is connected directly to a DSL
modem), and immediately I got a ton of spyware. Should I be doing something
other than installing all the Windows Updates and turning on the firewall
before I hook up to a DSL modem?

Thanks,

Tom

 

[Michael Jennings]

Did you format the hard drive?

I had one XP Pro computer on which I reinstalled xp, then I patched up
downloading all updates in my office, which is protected by a router. I
downloaded and installed SP2 and all was well. I turned on the Windows
firewall. I tested the computer and found no issues. Then I then took the pc
to the customer site and installed (he is connected directly to a DSL
modem), and immediately I got a ton of spyware. Should I be doing something
other than installing all the Windows Updates and turning on the firewall
before I hook up to a DSL modem?

Thanks,

Tom

 

[Tom]

Yes, I deleted the partition, recreated it, then formatted it.

Did you format the hard drive?

 

[Michael Jennings]

Here's a quick fix - put Sygate personal firewall in.
Unlike the Windows firewall, Sygate looks both ways.
The spyware then needs user OK to call home.

That's a slovenly solution, so let's discover a better one.
How is it that you are sticking the spyware back in
so that it can call home? You changed bios so that
your boot is from the XP CD, correct? And then
told setup not to save anything - to format C: and
do a clean installation of Windows? OK so far?

 

[Tom]

I actually booted from the CD and went to recovery console. I did a
diskpart and deleted the one and only C: partition. Then I created a new
partition and formatted it in NTFS. Then I booted again from the CD and
went to Windows install.

Maybe I should have done the Windows Updates from a CD rather than get them
from the internet site after reinstalling Windows (although I did the
Windows Updates on my office network, which is protected by a dlink router
with nat and firewall built in). All seemed clean before I hooked up to the
customer's dsl modem.

 

[Michael Jennings]

OK so far.

I have an uncomfortable feeling that if you put a broadband
router between the computer and the DSL modem at the site,
you'll get the ton of spyware, but you might want to try it.
My DLink was $50. WalMart has slightly cheaper off-brand.

Robin said go sp2 from CD. Microsoft even pays the shipping:
To obtain Windows XP SP2 on CD, visit the following Microsoft Web site:

http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

I think that spyware calling home is the reason that the
computer is discovered immediately, which would mean
that you're reinstalling it somehow, because your format was
a good one. Zero writing the drive wouldn't fix things if you're
inadvertantly sticking the spyware back in. Installing sp2
from a genuine Microsoft CD also would do no good.

Upgrading from the Windows firewall to an outbound
alerting firewall could identify the application. I suggested
Sygate. Zone Alarm and Kerio also have free firewalls.

Step 1 is to back up the data but not the applications.
After Windows is 100% updated, install the applications
from the original store bought CDs, known to be untainted
setup files, or fresh downloads. Then restore the data.
Did your customer furnish you with the CDs?
You used the Verizon CD for the DSL setup, right?

I actually booted from the CD and went to recovery console. I
did a diskpart and deleted the one and only C: partition. Then
I created a new partition and formatted it in NTFS. Then I
booted again from the CD and went to Windows install.

Maybe I should have done the Windows Updates from a CD rather
than get them from the internet site after reinstalling
Windows (although I did the Windows Updates on my office
network, which is protected by a dlink router with nat and
firewall built in). All seemed clean before I hooked up to the
customer's dsl modem.

Here's a quick fix - put Sygate personal firewall in. Unlike
the Windows firewall, Sygate looks both ways. The spyware
then needs user OK to call home.

That's a slovenly solution, so let's discover a better one.
How is it that you are sticking the spyware back in so that
it can call home? You changed bios so that your boot is from
the XP CD, correct? And then told setup not to save anything
- to format C: and do a clean installation of Windows? OK so
far?

Yes, I deleted the partition, recreated it, then formatted
it.

Did you format the hard drive?

I had one XP Pro computer on which I reinstalled xp, then
I patched up downloading all updates in my office, which
is protected by a router. I downloaded and installed SP2
and all was well. I turned on the Windows firewall. I
tested the computer and found no issues. Then I then took
the pc to the customer site and installed (he is connected
directly to a DSL modem), and immediately I got a ton of
spyware. Should I be doing something other than installing
all the Windows Updates and turning on the firewall before
I hook up to a DSL modem?

Thanks,

Tom


If you reformatted before installing Windows, that will
have killed all the previous malware. But if you did a
re-install or repair install, then all you did is refresh
the system files, leaving all malware in place.

In general, if you re-install Windows XP, you will lose
the benefit of any Service Packs previously applied. You
should try to have Service Pack 2 on a CD-ROM, so that
you can update Windows XP to Service Pack 2 before
allowing it to go online for the first time.

A freshly installed and unpatched Windows XP will usually
become infected within about 30 seconds of joining the
internet: you do need Service Pack 2 first.

-- Robin Walker [MVP Networking] (e-mail address removed)

...so I reinstalled Windows. After installing Windows XP
and then loading Norton AV and setting the firewall, I
reconnected the pc's to the internet (via ethernet,
directly to the modem supplied by Verizon DLS, without
any router, and got inundated with spyware and viruses
immediately. What specific steps in reinstalling
Windows, getting Updates, installing Antivirus, etc. can
I take to make sure I do not lose all the benefits of a
Windows reinstall as soon as I reconnect to the modem?