PC SWAT: How to clean up MS Win PC's with worms and stuff

Jerry Winegarden
Duke University OIT (ATS group)
Last revised 3/24/04

Duke University OIT has a large amount of experience with cleaning student PC's from nasty things such as the Blaster worm. August of 2003 was one such time. We successfully cleaned hundreds of machines within a couple of weeks. What did we do to win the war? We'll try to share our tricks.

The steps to take in cleaning up and securing PC's with MS Windows depends on the version of the OS. Win 98 and ME are much simpler than Win NT/2000/XP. There are a few steps that they have in common.

We produced a cleanup CD, with some utilities and several Windows updates to save download time (and in case the machine can not connect to the network). This saved time in most cases and even saved the day in a few. Most stuff we used is freely available. However, we installed and used McAfee Virus Scan, for which we have a campus site license. Use what you have available to you instead of McAfee (e.g. AVG or Trend Micro...)

Win98/ME

• If you HAVE successful Internet connection

  1. install/run Adaware
     (Google search for: adaware download)
     Remember manually get updates before you run scan.
  2. install/run Spybot Search and Destroy (Google search for: Spybot Search Destroy download)
  3. install/use McAfee Virus Scan (we have version on CD - it automatically seeks updates)
  4. install windows updates
     (from CD first, then with Internet Explorer)
     To use Internet Explorer to download/install Windows Updates:
     

     ==>Internet Explorer ==>Tools ==>Windows Updates
     ==>Scan for available updates ==>Install updates (all critical updates)
     Note:  you may have to re-boot your machine after a particular update
     so that the rest of the updates won't be performed until you do.
     Thus, you may have to keep doing the windows updates until there are
     no more "critical updates" left uninstalled.
     
     

• You do NOT have a successful Internet connection

  1. Use the cleanup cd: install/run Adaware, install/run Virus Scan, install Windows updates Note: you won't be able to get adaware updates or windows updates online because you don't have a working Internet connection yet. But install what you've got on the cleanup CD's. This may clear up what's keeping you from connecting.
  2. You may have to run LSPFIX.exe
  3. Download updated driver to another machine, put on floppy or CD, transfer to machine in question. Try re-installing ethernet card driver

Windows 2000/XP

1. adaware
   (Note: Adaware cleans Blaster worm. If one 2000 or XP box has it, they most likely ALL have it).
2. turn off Windows Messenger (use our .reg file script)
3. disable anonymous user file sharing (use our .reg file script)
4. windows updates from CD
5. install/use McAfee Virus Scan (we have version on CD - it automatically
6. live windows updates for the rest
7. you may have to run lspfix if a worm has messed with your TCP/IP installation
8. set password for user "administrator"
   Note: some pre-installations from Dell and others create an "administrative-privileged" user account, but don't prompt to set a password for the user named "administrator". In fact, when you list users, "administrator" won't even show up as existing, but believe me, it DOES! Worst of all, in this case, user "administrator" has NO PASSWORD (null password). That means that someone on another machine can, if they only know your machine's IP number, run ANY program via remote procedure call (RPC) on your machine as user administrator because they know the password (it's empty!). This is the DUMBEST THING EVER in the history of computers! YOU MUST FIX THIS! SET THE PASSWORD FOR ADMINISTRATOR! (Yes I do mean to YELL!) (Note: for once, this is NOT Microsoft's fault; if you install WinXP from the Microsoft installation CD, you will be prompted for administrator's passwordand it will be set.).
9. Note: there is a chance that a worm (or virus) has done damage to your system files. Cleaning up a worm or virus does NOT undo the damage they may have done to your system; it does make it stop trying to mess with other systems. In some cases, it may be required to RE-INSTALL Windows to be sure things are fixed if you have been cracked. With WinXP, instead of a complete re-install, you may be able to do a system restore, IF you can determine that there was a time when your system was free from the worm and you can find a restore checkpoint from that time.

Regular care and feeding to protect

• run BOTH Adaware and Spybot S&D every couple of weeks
  Remember to get updates before scanning/cleaning
• check for/install Windows updates every couple of weeks
  security updates plug holes to keep your machine from being cracked/hacked as they are discovered
• Make sure that your virus scanning program is successfully auto updating itself. (If it won't, you need a different program). If you bought your machine with Norton Anti-virus, you get autoupdates only for 6 months without paying more money!