What I step people through here is the process of setting up a second computer for use as a recovery station. You will use imaging software, back up data, create logs, and remove viruses, trojans, spyware and other malware. You should be familiar with imaging software and with the principles of how anti-virus software, trojans, spyware and malware work. Knowledge of the registry and certain system files is assumed. If you can't readily find these files or navigate the registry, then you should work with more experienced personnel if possible.
What this process will do is consistently recover systems that would otherwise be a total loss. I am writing this because I have had a lot of requests over the years from techs for my process. I have used this process to recover systems to a usable state with dozens of viruses, bad boot records, damaged partition tables, backdoors, trojans, hundreds of spyware infections (not counting cookies) and umpteen thousands of infected files. This is not designed for servers, or for systems that have only a light infection.
This process requires a dedicated secondary computer beyond the victim computer. This is strictly required; without it the system cannot be properly recovered. You do not need high-end hardware, but I will make some hardware recommendations I have found useful over the years. I like Gigabyte brand motherboards because they have a dual BIOS. The backup BIOS lets the recovery station itself recover from a virus that flashes the BIOS (like the old Chernobyl virus).
It seems to work best with 512 MB of RAM. You don't need anything fast for a CPU; an old 600-700 MHz CPU will work just fine and is readily available at low cost. Beyond this, hardware-wise, I have found it very useful to have three removable IDE hard drive caddies and a CD-RW drive. The hard drive caddies only cost about $20 apiece and are very handy for drive swapping.
I set up the primary master hard drive with the operating system and the CD-RW as the primary slave. This leaves the secondary IDE channel free for a victim drive and a recovered-data drive.
Before work starts on the victim drive, the recovery computer needs to be prepared. I first do a clean install of Windows XP (SP2) from a known good CD. Windows 2000 can also work, but does not have built-in CD burning software for storing log files. I update the operating system with all needed patches and security updates. I make a base image with my imaging software at this point. I use Drive Image, but Ghost or Drive Works can work just as well. I make sure my image is sized to 733,000,000 bytes, as this just barely fits on a standard 700 MB CD.
I also make sure the CD is bootable, or have a bootable version of my drive imaging software available. The 2002 version of Drive Image can boot from its CD and run the program from it. The particular imaging software used is largely irrelevant. The important thing is that you have made a known good image of your system on read-only media and can boot from read-only media to get to your image.
At this point, install your first anti-virus scanning program and update it. Once installed, make sure options like deep scanning, heuristic scanning and scanning inside zip and other archive files are selected. If in doubt, if you have a scanning option, take it: many anti-virus programs will not scan inside archives unless told to. Make note of the files the scanner reports as unscannable. Anything password protected will not be scanned, and many viruses take advantage of this, so those files must be examined by hand. At this point, burn an image of the system with your first anti-virus software package installed, updated and configured.
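The "unscannable files" point above is worth automating. The following is an added example, not from the original article or its tooling: a small Python audit run from the recovery station against a mounted victim drive that builds the list of archive contents a scanner cannot open (ZIP members with the encryption flag set, corrupt ZIPs, and archive formats it does not open at all), recursing into ZIPs nested inside ZIPs. The directory tree and file names are constructed for the demo; because the standard library cannot write encrypted ZIPs, the fixture sets the encryption bit in a plain archive's headers by hand to simulate one.

```python
"""List what an anti-virus scanner will skip inside archives (added example)."""
import io
import os
import tempfile
import zipfile

ENCRYPTED = 0x1                      # general-purpose flag bit 0: member is password protected
OTHER_ARCHIVES = {".rar", ".7z", ".arj", ".cab", ".ace"}  # assumption: formats this script does not open


def scan_zip(zf, label, report):
    """Record password-protected members of an open ZipFile; recurse into nested ZIPs."""
    for zi in zf.infolist():
        member = f"{label}!{zi.filename}"
        if zi.flag_bits & ENCRYPTED:
            report["encrypted"].append(member)          # scanner cannot decrypt: hand-check
        elif zi.filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(zi))) as inner:
                    scan_zip(inner, member, report)
            except zipfile.BadZipFile:
                report["corrupt"].append(member)


def audit_tree(root):
    """Walk a mounted victim drive and collect everything a scanner would skip."""
    report = {"encrypted": [], "corrupt": [], "not_inspected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".zip":
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_zip(zf, path, report)
                except zipfile.BadZipFile:
                    report["corrupt"].append(path)     # truncated/damaged: also unscannable
            elif ext in OTHER_ARCHIVES:
                report["not_inspected"].append(path)   # open these with the right tool
    return report


def make_fixture(root):
    """Constructed sample data: the names and contents here are invented for the demo."""
    with zipfile.ZipFile(os.path.join(root, "clean.zip"), "w") as zf:
        zf.writestr("readme.txt", b"nothing to see here")

    # Build a normal ZIP in memory, then set the encryption bit in both the local
    # file header (flags at +6 from 'PK\x03\x04') and the central directory entry
    # (flags at +8 from 'PK\x01\x02'). zipfile will now report the member as encrypted.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.exe", b"MZ constructed sample, not a real binary")
    locked = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        locked[locked.index(signature) + flag_offset] |= ENCRYPTED
    with open(os.path.join(root, "locked.zip"), "wb") as f:
        f.write(locked)

    # A clean outer ZIP hiding the locked one one level down.
    with zipfile.ZipFile(os.path.join(root, "outer.zip"), "w") as zf:
        zf.writestr("locked.zip", bytes(locked))

    with open(os.path.join(root, "broken.zip"), "wb") as f:
        f.write(b"PK\x03\x04 truncated on purpose")
    with open(os.path.join(root, "archive.rar"), "wb") as f:
        f.write(b"Rar!\x1a\x07\x00")


def demo():
    """Build the fixture in a temporary directory and audit it."""
    root = tempfile.mkdtemp(prefix="victim_")
    make_fixture(root)
    return audit_tree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Run it against the mount point of the victim drive instead of the fixture and burn the output with the scanner logs; every path it prints is one the four scanners never looked inside.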
Now go back to your first (base) image and restore it. Install your second anti-virus software and configure it like the first. Repeat this process for all four scanners. I have many times seen viruses make it through McAfee, Norton and Trend only to be caught by Computer Associates' scanner. There is no particular order; do them alphabetically if that helps keep them clear in your mind. I don't do five virus scanners, as this is what I consider to be the point of diminishing returns.
The four anti-virus vendors I presently use (yes, I have licenses for them all) are McAfee, Norton, Trend and Computer Associates. I'm not religious about these four, and occasionally cycle one company's scanner out for another.
It might seem to make sense to simply install multiple anti-virus scanners on one system to avoid the extra imaging steps. Don't do this. While the likes of McAfee and Norton once played well together, they no longer do. Nowadays they will often refuse to install if the other is in place, with good reason. Among other things, you can get false positives from files locked in another scanner's quarantine. If real-time protection is enabled they can cause significant system instability, and your system may slow to a crawl. They can also prevent each other from working properly. CDs are cheap; your sanity is not.
Once you have got this far you should have five sets of CDs in hand: one set for each scanner and one with no scanner installed at all. Now go back and restore your first image set. It is time to create a utility image with Spybot and AdAware. Be very careful with both, as similar-sounding domain names have been registered for both in the names of various spyware companies. They will offer you spyware removal software that removes their competitors' spyware for you, leaving their own intact. The safest way to ensure you get both of these is to go to Download.com. This is run by CNET and they have free versions of both products that you can download from a known good source.
You'll have to manually search a number of locations to find whatever Spybot and AdAware miss. I will cover some locations to always look at later in the article. You should have a good familiarity with the Windows registry, services and standard DLLs. You also need to know the legitimate hotfixes and service packs. I have seen many spyware packages with installed names in the style of an official Microsoft hotfix. If you are ever in doubt, compare against a known good system or look up the suspect file. Don't be afraid to punch the exact name of a suspect system file into Google. You'll quickly learn whether it's spyware if you do.
If you are dealing with additional damage such as missing partitions, you may want to install some utilities to address these issues. For partitions I recommend PartitionMagic. It just plain works, and Symantec had the good sense not to put it out to pasture when they bought PowerQuest, as they did with several other PowerQuest products. In my experience most utility suites like Norton SystemWorks or System Mechanic bludgeon their way through things, can often do more harm than good, and should be avoided.
If you are merely dealing with viruses and spyware gone mad, you are now ready to start your recovery process. Go ahead and make the sixth set of images (the utility image) the same way as your first five.
Are you dealing with recovery of data that has been destroyed, or a partition that has been wrongly formatted? I would recommend installing Ontrack's EasyRecovery Professional. Unfortunately only a business environment can afford its expensive license. If that doesn't work I would then try Winternals' suite of software they call the "Administrator's Pak", but be aware that this license is also extremely expensive. At this point you need to ask yourself how much your data is worth. If you are in a business environment then they are both worth picking up for a shop license and installing. If you are not sure, or unable to afford these products, then I would suggest going to SourceForge and looking for open source software that can do these things. Many open source products work very well and are well worth trying.
Once these are installed, make your sixth and final image set to the same standard as your first images. At this point your recovery system is set up, fully patched and secured. All anti-virus and anti-spyware software is up to date as of today, and everything has been burned to CD.
Physically disconnect the recovery computer from the network, and from the modem if it has one. Put the victim drive and the first recovery drive in the computer and remove your OS drive. Start by making an image of the victim drive before you do anything else. Don't do a disk-to-disk copy: it does not reproduce exactly what is on the victim drive, and that difference can prove important.
Once this image is made, remove the recovery drive and set it aside. You should now have only the victim drive and the OS drive in the system. Cold boot the recovery computer and restore your first image from CD. From this point forward you are working from read-only media, and it doesn't matter if your system becomes infected. Even if the BIOS is infected at this point you can simply recover from the dual BIOS motherboard.
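The "image first, and image exactly" step above, shown as an added Python example that is not the article's own tooling (the author uses Drive Image). It makes a raw, byte-for-byte image of a source device, zero-fills and logs any chunk that cannot be read (the behaviour dd users know as conv=noerror,sync) so the image keeps the victim's exact layout, and hashes the result so that, before each later scan pass, you can prove the baseline image is unchanged. FlakyDevice is a constructed stand-in for a drive with one bad region so the error path runs without real hardware; the device paths mentioned in the comments are examples of what you would open on a real station.

```python
"""Raw, verified image of a victim drive (added example; not the article's tooling)."""
import hashlib
import io

CHUNK = 64 * 1024   # small so the demo stays quick; use a few MiB against a real drive


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a drive with one unreadable region [bad_lo, bad_hi)."""

    def __init__(self, data, bad_lo, bad_hi):
        super().__init__(data)
        self.bad_lo, self.bad_hi = bad_lo, bad_hi

    def read(self, size=-1):
        if self.bad_lo <= self.tell() < self.bad_hi:
            raise OSError(5, "Input/output error")      # what a failing sector looks like
        return super().read(size)


def image_device(src, dst, log, size=None, chunk=CHUNK):
    """Copy src to dst byte for byte.

    Returns (bytes_written, bad_offsets, sha256_hex). An unreadable chunk is
    replaced by zeros and its offset logged, so the image keeps the victim's
    exact geometry (boot record, partition table, slack) and the gaps are known.
    """
    # On a real station open the device raw and pass its size, e.g.
    # open("/dev/sdb", "rb", buffering=0) or open(r"\\.\PhysicalDrive1", "rb", buffering=0).
    digest = hashlib.sha256()
    offset, bad = 0, []
    while True:
        try:
            block = src.read(chunk)
        except OSError as exc:
            fill = chunk if size is None else min(chunk, size - offset)
            log.append(f"read error at offset {offset}: {exc}; zero-filled {fill} bytes")
            bad.append(offset)
            block = b"\x00" * fill
            src.seek(offset + fill)          # step over the bad region and carry on
        if not block:
            break
        dst.write(block)
        digest.update(block)
        offset += len(block)
    return offset, bad, digest.hexdigest()


def verify_image(image_bytes, expected_sha256):
    """Re-hash the stored image; repeat before each scan pass to prove the baseline is untouched."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256


def demo():
    """Image a constructed five-chunk 'drive' whose third chunk cannot be read."""
    payload = bytes(range(256)) * (5 * CHUNK // 256)
    src = FlakyDevice(payload, 2 * CHUNK, 3 * CHUNK)
    dst, log = io.BytesIO(), []
    size, bad, sha = image_device(src, dst, log, size=len(payload))
    image = dst.getvalue()
    expected = payload[:2 * CHUNK] + b"\x00" * CHUNK + payload[3 * CHUNK:]
    return {"size": size, "bad": bad, "sha256": sha, "log": log,
            "image_matches_expected": image == expected,
            "verified": verify_image(image, sha)}


if __name__ == "__main__":
    result = demo()
    print(f"imaged {result['size']} bytes, {len(result['bad'])} unreadable chunk(s) at {result['bad']}")
    print("sha256", result["sha256"], "verified", result["verified"])
    for line in result["log"]:
        print("  ", line)
```

Keep the hash and the read-error log on the same CD as the scanner logs: a later pass that changes the image hash tells you the recovery station, not the victim, was the thing that got modified.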
Boot your first anti-virus image and scan the victim drive. Always try to clean before deleting if the file is needed. Quarantine if you have to. What one anti-virus program cannot clean another may. Burn all log files to CD. When one scanner has finished, give the recovery computer a cold boot and restore your next image. Repeat the process for all four anti-virus images.
You may then want to run the entire set of four scanners again if you had several thousand infected files. Surprisingly, this can be helpful even though nothing about the images has changed. If there are still important files that could not be cleaned afterwards, consider them lost, and a good impetus for frequent future backups. Delete any remaining infected files at this point, or burn them to CD if they are important enough for a later attempt at cleaning down the road. Regardless, remove them from the victim drive.
At this point restore your utility image, the one with your spyware scanners on it. Treat spyware exactly like you would a virus. I consider it notable that most modern spyware behaves much like many viruses. Many spyware programs will disguise their names, hook into the system through DLLs, bury themselves in recovery files, and otherwise find ways to reinstall themselves. Some will replace genuine Windows files with their own versions, requiring manual replacement of the compromised files. Keep in mind Spybot and AdAware can pick up each other's quarantined files; don't consider this a problem if they do. They play well together where the anti-virus companies' products do not.
At this point you are ready for manual examination of problem points that the scanners can still miss. This is where things can diverge. If you are recovering data and will reinstall the OS, then you don't need to go any further: put your recovery drive in the system and pick over the victim drive for all the data that is wanted. If you need to restore the victim drive to operational duty without formatting it and starting over, then read on.
Manually examine these locations in detail:
Hidden partitions (not always viewable; depends on the software at your disposal).
System Restore files and folders. Many times I have seen hidden system restore partitions (such as Compaq's) infected with spyware.
System Restore: V:\System Volume Information (V: = victim drive).
Roxio (now Norton) GoBack also bears scrutiny and scorn. This product is very problematic and should be avoided.
Registry locations (if you don't know what you're doing here, you don't belong here!): the Run and RunOnce keys under Software\Microsoft\Windows\CurrentVersion, in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
Check the RunServices and RunServicesOnce keys in these same locations as well if your registry has them (depends on the OS).
WIN.INI file: look for lines starting with "LOAD=" or "RUN=" in the [windows] section.
Your Start Menu also has a Startup folder (one per user profile, plus All Users). Look for anything here as well.
.BAT and .CMD files can load things as well, and tend to be overlooked nowadays since they don't seem to be used much any more outside of network logons. Look for any .CMD or .BAT file in the above locations, and specifically for WINSTART.BAT under the Windows or WINNT folder.
Remove anything here that does not strictly belong. Challenge things and don't be afraid to remove them (including hardware-related entries); you can always comment things out and put them back if need be. This is not a comprehensive list of all the ways to automatically load software, but it will catch the most common. Feel free to google for methods beyond what I have presented.
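The file-based items in the list above, checked in one pass: an added Python example, not the author's procedure (which is manual), run on the recovery station against a victim drive mounted read-only. It reads non-empty load=/run= lines from the [windows] section of WIN.INI, lists every profile's Startup folder, flags .BAT/.CMD scripts and WINSTART.BAT, and reports where the registry hives live on the offline drive (HKLM\Software is WINDOWS\system32\config\software, each user's HKCU is the NTUSER.DAT in that profile) so they can be loaded into a hive viewer for the Run/RunOnce check; it does not parse the hives itself. Path lookups are case-insensitive because a Windows drive mounted on a Unix recovery station is not. The victim tree, the user name and every file name and value in the fixture are constructed for the demo.

```python
"""Autostart triage of an offline Windows XP victim drive (added example)."""
import os
import re
import tempfile

STARTUP = ("Start Menu", "Programs", "Startup")          # XP per-profile Startup folder
AUTOLOAD_LINE = re.compile(r"(load|run)\s*=\s*(.+)$", re.IGNORECASE)


def ci_join(parent, *parts):
    """Case-insensitive path walk; returns None if any component is missing."""
    path = parent
    for part in parts:
        try:
            entries = os.listdir(path)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path


def ini_autoloads(win_dir):
    """Non-empty load=/run= lines from the [windows] section of WIN.INI."""
    hits, section = [], None
    ini = ci_join(win_dir, "win.ini")
    if ini is None:
        return hits
    with open(ini, errors="replace") as f:
        for raw in f:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "windows":
                m = AUTOLOAD_LINE.match(line)
                if m:
                    hits.append(f"win.ini {m.group(1).lower()}={m.group(2)}")
    return hits


def triage(root):
    """Collect the autostart points from the list that live in files, plus hive locations."""
    report = {"win_ini": [], "startup": [], "scripts": [], "hives": []}
    win_dir = ci_join(root, "WINDOWS") or ci_join(root, "WINNT")
    if win_dir:
        report["win_ini"] = ini_autoloads(win_dir)
        winstart = ci_join(win_dir, "WINSTART.BAT")
        if winstart:
            report["scripts"].append(winstart)
        hive = ci_join(win_dir, "system32", "config", "software")   # HKLM\Software, offline
        if hive:
            report["hives"].append(hive)
    profiles = ci_join(root, "Documents and Settings")
    if profiles:
        for user in sorted(os.listdir(profiles)):
            ntuser = ci_join(profiles, user, "NTUSER.DAT")            # that user's HKCU
            if ntuser:
                report["hives"].append(ntuser)
            folder = ci_join(profiles, user, *STARTUP)
            for entry in sorted(os.listdir(folder)) if folder else []:
                report["startup"].append(f"{user}: {entry}")
                if entry.lower().endswith((".bat", ".cmd")):
                    report["scripts"].append(os.path.join(folder, entry))
    return report


def make_fixture(root):
    """Constructed victim tree; every name and value below is invented for the demo."""
    def put(*parts, text=""):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    put("WINDOWS", "win.ini", text="[windows]\nload=\nrun=C:\\WINDOWS\\msupdate32.exe\n"
                                   "[Desktop]\nWallpaper=(None)\n")
    put("WINDOWS", "WINSTART.BAT", text="@start C:\\WINDOWS\\msupdate32.exe\n")
    put("WINDOWS", "system32", "config", "software", text="regf")
    put("Documents and Settings", "All Users", *STARTUP, "desktop.ini", text="[.ShellClassInfo]\n")
    put("Documents and Settings", "All Users", *STARTUP, "updater.cmd", text="@echo off\n")
    put("Documents and Settings", "bob", "NTUSER.DAT", text="regf")
    put("Documents and Settings", "bob", *STARTUP, "desktop.ini", text="[.ShellClassInfo]\n")


def demo():
    """Build the fixture in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="victim_")
    make_fixture(root)
    return triage(root)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Anything the script lists is a candidate to challenge, not automatically malicious (desktop.ini in a Startup folder is normal); the point is that nothing in these locations gets overlooked, and the hive paths it prints are the files to load for the Run and RunOnce check.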
Once done with all of the above, you should now safely be able to look at other issues that require the drive to be in the system, such as driver problems. Remember the point of all of this is not fixing everything; that isn't reasonable. The point is to create an environment where the system can now be safely fixed. As always, unless there is a strict need otherwise, it is best to take the data that can now be safely recovered off the victim drive and rebuild the victim computer from the ground up.
Permission to reproduce this document is given provided it is not altered or credit removed for its production.