More info on using NTFS permissions (Score 4, Informative)
(I do all my perm editing from the command prompt using the CACLS utility that comes with XP)
1. Instead of having to create a bogus account and deny specific users, just use the command-line switch "/D Everyone" to do the same thing. By doing this you are explicitly denying everyone access to that particular file, which gives the added benefit that Windows will not be able to start the process after a reboot! NOTE: Use this with caution! Please do NOT try to execute this command on, say, any files or directories needed for Windows to run!
2. Once you have found and edited the ACLs of the offending processes, reboot the machine. See if any other rogue processes start, and if so repeat step 1 on those.
3. All the registry entries used by the spyware will still be there, but since the reboot they can't run, i.e., you can now delete the reg entries without them coming back.
4. Once you are certain you have found and deleted all the malware entries in "Run", "RunOnce", the Startup folder, etc., re-edit the ACLs of all the malware files (you wrote them down, right?) so that you can delete them (easily done by granting Everyone Full Permission: "cacls
5. To get rid of bogus / malware Services, do the above and then find the Services reg key (HKLM\System\CurrentControlSet\Services) and look for the malware filenames (found by viewing the properties of the service in the Services applet). NOTE: Do NOT delete random keys here...that can be rather dangerous for the stability of the system! When in doubt, leave the entry. As long as the file is safely deleted using the above methods, it should not come back. This process is only to make the malware service disappear from the Services applet.
6. The last tip I have is to use a free utility from SysInternals called RegMon. It monitors the registry hives for any process making changes. Malware and spyware are seemingly *always* making changes, which means they will be rather easy to spot. Use the Filter option liberally to filter out generic Windows processes and other known good ones. By using this method, you may find malware processes accessing the registry that DO NOT SHOW UP in Task Manager or directory listings. While these files definitely exist, they are hooked into the OS in such a way that they hide their presence. You can neither find these files in Explorer, nor using "dir" in a command prompt...but CACLS will still operate on them! (I had to use this method to clean a laptop over the weekend...12 hours of cleaning, because the girl couldn't find her WinXP Home CD, and I didn't have one laying around--irritating, to say the least.)
Now for the usual disclaimer: I am a sysadmin, I know what I'm doing, and I'm responsible for what I screw up. I am NOT responsible for your screwups though, so please be VERY careful when using the above methods...you can really hose your system if done improperly. If you feel like this is a bit too tech for you, I highly recommend SpyBot S&D and TrendMicro's HouseCall. In fact, I used both of those on that laptop along with the above methods to clean the thing entirely.
Happy malware hunting!
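The deny-Everyone quarantine, the Run/RunOnce and Services lookup, and the final release-and-delete steps from the comment above, as an added PowerShell example (not code from the original comment). It uses icacls, the successor of CACLS on Windows Vista and later; the quarantine list file path and the function names are assumptions.

```powershell
# Added example, not from the original comment. Assumes icacls is present
# and the shell runs elevated. The list file path is hypothetical.
$QuarantineList = "$env:SystemDrive\quarantined-files.txt"

function Block-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    # Step 1 of the comment: an explicit Deny for Everyone stops the image
    # from being loaded after reboot. Record the path so it can be released.
    icacls $Path /deny "Everyone:(F)" | Out-Null
    Add-Content -Path $QuarantineList -Value $Path
    icacls $Path   # show the resulting ACL for the admin's notes
}

function Find-SuspectReferences {
    param([Parameter(Mandatory)][string]$FileName)
    # Steps 3 and 5: report (never delete) Run/RunOnce values and service
    # ImagePath entries that mention the file, so each one can be inspected.
    $pattern = [regex]::Escape($FileName)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -like 'PS*') { continue }
            if ($p.Value -is [string] -and $p.Value -match $pattern) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue
            if ($ip -and $ip.ImagePath -match $pattern) {
                [pscustomobject]@{ Location = $_.PSPath; Name = 'ImagePath'; Value = $ip.ImagePath }
            }
        }
}

function Remove-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    # Step 4: lift the Deny, grant Everyone full control, then delete.
    icacls $Path /remove:d Everyone | Out-Null
    icacls $Path /grant "Everyone:(F)" | Out-Null
    Remove-Item -LiteralPath $Path -Force
}
```

Run Find-SuspectReferences against each name recorded in the list file after the reboot, review the output by hand, and only then call Remove-SuspectFile.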