pc too infected by adaware...

Guest

Several times I've run into a bind on machines...
I've run MS AntiSpyware, AdAware, even manually removed entries from the
registry, even re-installing IE....
But sometimes, I have no other choice but to re-install Windows...
IE just gets totally screwed up, beyond repair...
Does anyone else have any ideas to try before re-installing...

jr
 
Ira

Try running Windows Registry Repair and see what happens. I have found it
really works. Luck!
Ira
: Several times I've run into a bind on machines...
: I've run MS AntiSpyware, AdAware, even manually removed entries from the
: registry, even re-installing IE....
: But sometimes, I have no other choice but to re-install Windows...
: IE just gets totally screwed up, beyond repair...
: Does anyone else have any ideas to try before re-installing...
:
: jr
:
 
Guest

On a heavily infected machine, we do the following:

Go to Safe Mode
Download the following: AdAware, Spybot, MSAS (although this won't install
in Safe Mode), HijackThis, Process Explorer (from SysInternals), CWS and
AboutBuster.

Run Process Explorer, do a Ctrl-D to show sub-processes and then sort by
company. You can then see any DLLs hijacked into Explorer or any other
processes (warning: you really need to know what you're doing to be able to
tell what's bad and what's not). Kill all non-essential processes. There
won't be many as you're in Safe Mode. You may have to kill Explorer, but that
means you'll need a way to launch the programs you've downloaded without it
(we have a tool). This is usually beyond the layman. You should make note of
the DLLs hijacked into legit processes and delete them when the processes
are not running via the command prompt. Some DLLs have locked-down
permissions that need to be changed via the attrib and cacls commands.

Anyway, HJT will tell you what's really going on, but Adaware and Spybot
will get rid of most of the junk on the machine. With HJT, you can prevent
the rest of the stuff from loading at startup when you boot to Normal Mode.
There you can run MSAS to remove what the others missed.

While still in Safe Mode, run CWS and AboutBuster as well.

The biggest issue is when spyware installs as a Service or installs into
the Winlogon Notify key in the registry (or the AppInit_DLL). HJT will show
you these. The problem is that most laymen don't know what's legit and what's
not.

Anyway, if you're not comfortable doing any of the above, don't do it.

This is just an idea of what you're up against on a heavily-infected machine
and how to approach it.
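
The three load points named in the post above (services, the Winlogon Notify key and AppInit_DLLs) can also be listed read-only from PowerShell, with each file's company name and signature status side by side. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes an elevated prompt and PowerShell 3.0 or later.

```powershell
# Read-only inventory of the load points discussed above. Nothing is changed or deleted.
$notify  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$windows = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Resolve-DllPath([string]$Name) {
    # Expand %variables%; treat a bare file name as living in System32.
    $p = [Environment]::ExpandEnvironmentVariables($Name.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    $p
}

function Get-FileReport([string]$Source, [string]$Entry, [string]$Path) {
    $exists  = Test-Path -LiteralPath $Path
    $sig     = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $Path).Status } else { 'Missing' }
    $company = if ($exists) { (Get-Item -LiteralPath $Path).VersionInfo.CompanyName } else { $null }
    [pscustomobject]@{ Source = $Source; Entry = $Entry; Path = $Path; Company = $company; Signature = $sig }
}

$report = @()

# Winlogon Notify: one subkey per package, DLL named in its DLLName value.
# The key may be absent, so test for it first.
if (Test-Path $notify) {
    foreach ($k in Get-ChildItem $notify) {
        $dll = $k.GetValue('DLLName')
        if ($dll) { $report += Get-FileReport 'Winlogon Notify' $k.PSChildName (Resolve-DllPath $dll) }
    }
}

# AppInit_DLLs: a single string, entries separated by spaces or commas.
$appInit = (Get-ItemProperty -Path $windows -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
    $report += Get-FileReport 'AppInit_DLLs' $dll (Resolve-DllPath $dll)
}

# Services: pull the executable out of PathName (quoted, or up to the first .exe).
# Services hosted in svchost.exe keep their DLL under Parameters\ServiceDll,
# which this sketch does not resolve.
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.PathName -match '^\s*"([^"]+)"' -or $s.PathName -match '^\s*(.+?\.exe)') {
        $report += Get-FileReport 'Service' $s.Name (Resolve-DllPath $Matches[1])
    }
}

# Company names can be forged, so read them together with the signature column.
$report | Sort-Object Signature, Company | Format-Table -AutoSize -Wrap
```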
 
