
Journal: Spyware removal

More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine.

Tools required:
- Process Explorer (procexp) from http://www.sysinternals.com/ [sysinternals.com]
- autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/ [merijn.org]
- Any good virus scanner (McAfee's Enterprise scanner is decent). Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will generally be faster and simpler.
- Ad-Aware from http://www.lavasoft.de/ [lavasoft.de]
- LSPFix from http://www.cexx.org/lspfix.htm/ [cexx.org]
- Updated Stinger from McAfee http://vil.nai.com/vil/stinger/ [nai.com]
- Experience enough to know valid Windows processes and files.

Have all of this on a USB drive or CD. It will probably fit on a 64MB drive, unless your virus package is bulky.

Boot to safe mode. Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of Windows. You could go to Control Panels:Admin Tools:Services and stop all services first; this will narrow the field.

Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan. Run Ad-Aware, do the same. We're just trying to ditch bad things that are actually running. If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape.

Dump all temp files: c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items.

Update virus definitions and do a full scan. The latest SuperDAT from McAfee, or definitions from Symantec or whoever you use, should also be put on the USB drive or CD.

So, the virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me; if those are hosed, just wipe it clean and move to XP Home for $99-199.

Run HijackThis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs (Browser Helper Objects, aka evil Internet Explorer plugins).

Add/Remove Programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .

Now for the real manual part . . .

Run LSPFix and check for foreign entries. There are normally 2-4 LSPs present. I usually only do this if there are persistent network failures.

Check the hosts file at c:\winnt(windows)\system32\drivers\etc\hosts. There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with HijackThis.

Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension.

Do the same for c:\winnt(windows)\system32. This can be a bit trickier, there are way more files in system32 than in winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.

Do the same for c:\program files. Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove Programs, so hack and slash the folders that you don't think belong.

In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .dll name. Bring up a command prompt and run regsvr32 /u "path\to\dll\bad.dll" to try and unregister the dll. I like to change directory to the actual dll so I can skip the pathing with regsvr32. It's ok if the unregister fails.

Now start Proc Explorer, go to the Find menu, choose 'Find DLL' and type in the dll you need to remove. You'll likely find it linked to Explorer, Internet Explorer, or if you're unlucky, WinLogon. If it's either of the first two, kill the process. Alt-Tab back to the command prompt and delete the dll. Now restart the process. If something is hooked into WinLogon, it's a bit more complex and I'm not going into it.

I can usually go through this whole process in about 2 hours for a thoroughly hosed machine. It takes a lot longer if you don't know what is supposed to be where and have to google everything to find o
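Two of the manual checks above (the hosts file audit and the date-sorted sweep of a system directory) are easy to script so they can be run from the same USB drive and repeated on the next machine. The following Python is an added example, not code from the journal: the sample hosts text, the temporary directory, and the file names and dates in it are constructed for illustration, and the 90-day window is one choice within the 3-6 month range the post gives.

```python
"""Triage helpers for two manual checks: audit the hosts file for anything
beyond the single localhost entry, and list recently modified files in a
system directory the way a date-sorted Explorer listing would show them.
Added example; all sample data below is constructed."""
import os
import tempfile
import time
from pathlib import Path

# The post's rule: an untouched hosts file maps only 127.0.0.1 to localhost.
EXPECTED_HOSTS = {("127.0.0.1", "localhost")}

# Constructed sample hosts file: one normal line plus two planted entries of
# the kind that block an update site or redirect a search site.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # constructed: update site blackholed
10.0.0.5        search.example.test          # constructed: search site redirected
"""


def audit_hosts(text):
    """Return (ip, hostname) pairs that are not the plain localhost entry.
    Comments and blank lines are ignored; a line that maps several names to
    one address yields one pair per name."""
    suspicious = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) not in EXPECTED_HOSTS:
                suspicious.append((ip, name))
    return suspicious


# Extensions the post says to skip when eyeballing a date-sorted listing.
IGNORED_SUFFIXES = {".log", ".txt"}


def recent_files(directory, days=90, now=None):
    """List files directly under `directory` modified within `days`.
    Log/text files are skipped; files with no extension are kept, since the
    post singles those out. Returns (name, age_in_days) sorted youngest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in Path(directory).iterdir():
        if not entry.is_file():
            continue
        if entry.suffix.lower() in IGNORED_SUFFIXES:
            continue
        mtime = entry.stat().st_mtime
        if mtime >= cutoff:
            hits.append((entry.name, round((now - mtime) / 86400, 1)))
    return sorted(hits, key=lambda hit: hit[1])


def demo():
    """Build a constructed sample directory with back-dated files and run
    both checks. The two youngest non-log files stand in for the gremlins;
    the others play the role of a long-untouched default install."""
    now = time.time()
    base = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    sample = [("kernel32.dll", 400), ("notepad.exe", 400), ("old.dll", 200),
              ("setupapi.log", 1), ("readme.txt", 2),
              ("xq7ab2.exe", 3), ("sys32cfg", 10)]   # (name, age in days)
    for name, age in sample:
        path = base / name
        path.write_bytes(b"constructed sample\n")
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))          # back-date the modify time
    return {
        "hosts": audit_hosts(SAMPLE_HOSTS),
        "recent": recent_files(base, days=90, now=now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real machine, point recent_files at c:\winnt(windows) and c:\winnt(windows)\system32 and feed audit_hosts the contents of drivers\etc\hosts; a hit is a lead to look at with Proc Explorer and HijackThis, not proof of infection, since service packs and hotfixes also leave fresh dates in system32.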
