I have become Mr. Clean, helping my friends and neighbors rid themselves of spyware and other oddities running unintentionally on their systems. I guess everybody needs a hobby, and mine is reformatting hard drives and making a machine usable once again. I thought I would share the steps that I take to get a system back to a somewhat virginal state.
The signs that your PC is out of your control are simple: a new splash screen or application that can't be removed with Windows' Add/Remove Programs, or software that you remove and that keeps returning after a reboot; a sluggish boot; or new toolbars that appear at the top or bottom of the screen or inside Internet Explorer. In a few cases, I couldn't even bring up the Add/Remove Programs dialog box, so far gone were these machines.
There are more talented people than I who can clean these machines up without having to resort to a major lobotomy, i.e., reformatting the drive completely. (See Michael Horowitz' page on spyware removal here.) Others, such as my colleague Dave Piscitello, have done a tremendous amount of research on fighting spyware. His page of resources is here:
For those of you that are curious what I do, read on.
If your client's machine is still able to boot, burn a CD with the data files that you want to keep, or copy these files to a USB key drive. Make sure you look around the hard disk: some applications like to keep their data in their own directory under C:\Program Files. Windows Address Book (for those people that are foolish enough to use it) hides its data deep in the system. If your clients want their data, bring up Address Book, do a File | Export to a .WAB file under My Documents, and back it up with the rest of their stuff. Copy data files only, not programs or downloaded installers: an .EXE sitting in My Documents may be how the machine got infected in the first place, and it will come right back with the restore. You'll also need to record which applications the client has already installed, and make sure that you have the original software CDs and license keys to re-install these products. And you'll need to record the user names and passwords for any ISP and email accounts that are on the machine.
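As an added example (not from the original article), here is a batch file for that pre-wipe step. It gathers the things you will wish you had written down once the disk is blank: the Add/Remove Programs list, the PCI and USB hardware IDs (so you can find drivers on the vendor's site without opening the box), the network settings, and the user's files, including the Address Book and Outlook Express stores that live outside My Documents. It assumes the tools that ship with XP (reg.exe, xcopy, ipconfig), a single local user profile, and the standard XP paths for the Address Book and Outlook Express data; the script name, the folder layout and the destination drive letter are made up for the example.

```batch
@echo off
rem prewipe.bat - run on the infected machine BEFORE reformatting.
rem Usage: prewipe.bat F:    (F: is the USB key or second drive to save to)
rem Hypothetical helper script, not part of the original article.

if "%~1"=="" (
  echo Usage: %~nx0 ^<destination drive, e.g. F:^>
  exit /b 1
)

set DEST=%~1\%COMPUTERNAME%-rescue
mkdir "%DEST%\data" 2>nul
mkdir "%DEST%\inventory" 2>nul

rem 1. Installed applications. Add/Remove Programs is built from this key.
rem    Install media and license keys still have to be found by hand;
rem    the product keys are not stored here in readable form.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s > "%DEST%\inventory\installed-programs.txt"

rem 2. Hardware IDs (VEN_xxxx and DEV_xxxx subkeys, with a DeviceDesc value)
rem    so the right drivers can be located without cracking the case open.
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\PCI" /s > "%DEST%\inventory\pci-devices.txt"
reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USB" /s > "%DEST%\inventory\usb-devices.txt"

rem 3. Network settings: static addresses, DNS servers, adapter MACs.
ipconfig /all > "%DEST%\inventory\ipconfig.txt"

rem 4. The user's files. /E copies subdirectories, /H includes hidden files,
rem    /C keeps going past read errors, /I treats the target as a folder,
rem    /Y suppresses overwrite prompts.
xcopy "%USERPROFILE%\My Documents" "%DEST%\data\My Documents" /E /C /I /H /Y
xcopy "%USERPROFILE%\Favorites" "%DEST%\data\Favorites" /E /C /I /H /Y
xcopy "%USERPROFILE%\Desktop" "%DEST%\data\Desktop" /E /C /I /H /Y

rem 5. Windows Address Book (.wab) and Outlook Express mail (.dbx) live under
rem    Application Data, not My Documents. Paths assumed to be XP defaults.
xcopy "%APPDATA%\Microsoft\Address Book" "%DEST%\data\Address Book" /E /C /I /H /Y
xcopy "%USERPROFILE%\Local Settings\Application Data\Identities" "%DEST%\data\Identities" /E /C /I /H /Y

echo Saved to "%DEST%". Read the inventory folder before you wipe anything.
```

Run it from a command prompt on the infected machine with the drive letter of the USB key as the only argument. The inventory files are plain text, so they can be read on any other PC while the client's machine is being rebuilt. It deliberately copies nothing from C:\Program Files, and it does not record the Windows or Office product keys; those still come off the stickers and CD cases.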
The first step is to find the original XP "recovery" disk that came with the machine. If you don't have that, you'll have to purchase a new copy of XP. Next, you want to boot the machine from this CD (or from a Windows 98 boot floppy, if you don't have the XP CD or if your machine is so old that it can't boot from CDs). Usually, you have to press ALT-D, F2, F12 or some other key sequence during power-on to keep the PC from booting directly from the hard disk. If you have more than one CD drive on the computer, use the topmost one.
If you are starting from the Win98 floppy, choose the command prompt option and run FDISK to remove the partition on the hard disk that contains XP. (One caveat: the FDISK that shipped with Windows 98 misreports the size of drives larger than 64 GB; Microsoft issued an updated FDISK for those, so grab it before you partition a big disk.) Some machines keep a small system partition of a few MB at the start of the disk; I generally don't mess with these. Then create two partitions: the one that you'll use for Windows, and another one of about 10 GB that will become the E: or F: drive, depending on how many CD drives you have on the system. If your hard disk is smaller than 20 GB, make this second partition 5 GB. You may need to reboot a few times here; just make sure that you can eventually see the CD drive.
If you don't have an XP CD, now is the time to go to the store and get one. You can go ahead and install Win98 on the machine, and when that is done, install XP on top of it on the C: partition.
If you are starting from the XP CD, follow my disk partitioning instructions above, and just make sure that you quick format the C: drive with NTFS. That second partition will contain a backup image of your system when you are done, but you can leave it alone for now. Choose Original installation (Advanced) when XP finally loads. Then XP will go through its motions, find whatever peripherals it can, and get the machine set up. When it is done, bring up the System Control Panel and examine the Device Manager to see which peripherals it still doesn't know about. Don't be alarmed if there are a couple of yellow question marks in the list.
At this point you need to format that second partition. Use FAT32 rather than NTFS, so that a DOS boot floppy and DOS-based imaging tools can read it if the C: drive is ever unbootable. (A 10 GB partition is too large for plain FAT, and FAT32 caps any single file at 4 GB, so the disk image will have to be split into segments; Ghost and similar tools can do this.) Let's call it the E: drive for now.
If you have the original CDs that came with the purchase of your system, you are generally in good shape here. If you can get a working network adapter and get out to the Internet, you can find the drivers for your peripherals on the manufacturers' Web sites. If you have a Dell or an IBM PC, you can also enter the service tag number of the system on the company's support Web site and track down what else came installed on the system. If all else fails, you might have to crack open the box and see what is inside it, and then hunt down those drivers.
The Dell product recovery CD contains compressed files with the drivers for the various peripherals in your machine. The trick is decoding the file names and putting the right drivers on your hard disk, so you can run the Windows hardware wizard and get things set up. Put all these drivers on your E: drive (the second partition) so you can find them again if you have to rescue the machine in the future. For example, the built-in Intel Ethernet card on one Dell has the support file R28200.EXE: you run this program, it uncompresses all the drivers to your hard disk, and then you click on the Unknown network device in the Control Panel and point the wizard at that folder to find the network adapter. Some peripherals require their own setup software to get completely configured, while others just need the .INF driver files to be properly recognized.
Once you get all your peripherals set up properly, install Windows XP Service Pack 2 to update the machine. Why SP2? You might as well go with the most current stuff, and SP2 turns on the Windows Firewall by default. Until it is on, an unpatched XP box plugged straight into the Internet is exposed to the network worms that have been circulating, so install SP2 from a CD you downloaded elsewhere, or at least sit behind a router or turn on the Internet Connection Firewall on the network adapter before you go online to fetch it. You can download a copy of SP2 here from Microsoft's site:
You should then install the printer software and any other applications (such as Office), and bring up Word to activate Office while you are connected to the Internet. Now is a good time to copy all your data over from that CD you burned before you took the machine down to the bare metal. If you want to install AOL IM, please do so, but don't check the boxes for installing its obnoxious WeatherBug and WildTangent add-ons; these bundled extras are the source of many spyware infections.
At this point, your machine should be humming. The only thing left is to install the anti-virus software, but before you do that, install a product like Norton Ghost or some other disk imaging tool. Install the software to your E: drive so you'll be able to recover the machine in case someone hoses the main C: drive. Then make an image of the C: partition and save it to the E: drive, just in case your client messes up their machine again. Once you are done with the imaging, install the AV software and run it over the data you just restored; you should then be all set. (If you image the PC with the AV software on it and have to re-image it later, the subscription in the image may be too old to be of any use.) Keep in mind that E: is on the same physical disk as C:, so the image protects you against a re-infection or a botched install, not against a dead drive or a piece of malware that wipes the disk; if the image fits, burn a copy to CD or DVD as well.
And that's it. Your client will be happy, because his or her machine will be running a lot faster, at least until the next time it gets infected. And with the image on the E: drive, you have a failsafe backup of all the software, the operating system, and the data files (at least as of the time you did this install) in case something else goes awry. This sounds like a lot of work, but I have found the performance gains of having a clean machine are worth the trouble and the numerous steps involved.
Entire contents copyright 2004 by David Strom, Inc.
David Strom, firstname.lastname@example.org, +1 (516) 562-7151
Web Informant is a registered trademark with the U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email), please send an email to: