Section 2: Safe Mode is your friend
After you’ve shut down BartPE, ejected the CD, and started rebooting the PC, smack F8 repeatedly until you get to the boot menu. Choose Safe Mode (I wouldn’t choose the Safe Mode With Networking option, as the networking may be broken anyhow) Login as Administrator, not as a regular user. Since it’s in Safe Mode, this will work on XP Home and Pro.
Once logged in, now is a good time to copy your anti-virus/anti-spyware utilities over to the hard drive, unless they’re already there.
It’s probably best to start out running another virus scan, something that will also make corrections to the registry if needed as well. I like using Trend Micro Damage Cleanup (pattern file) for this. Think of it like an all-encompassing removal tool. Norton puts out 50,000 individual scanners, Trend Micro puts out one that gets them all. Be patient with TMDC. It does three passes. The first pass is the quickest and checks for the worst infections. The other two passes scan every file looking for viruses.
After the second pass of TMDC has started, go watch another movie, read part of a book, do a puzzle, or sit in a comfy chair and sip a beverage of your choice.
Just like with the ClamWin scan, when it has finished make sure to save a copy of the log and note what viruses were found.
Whew. After those two full virus scans, you’ve probably gotten the worst of the files that may be lurking around (there are never any absolutes…)
Now it’s time to install Ad-Aware. Before you run it, install an updated defs.ref file into the Ad-Aware directory. You’ll have to download this before you start (it’s on your regularly-updated-and-burned-to-a-cd-rw utilities CD, right?). Run Ad-Aware and let it scan all the way through. Remove whatever it finds, and you may want to make a note of the names of the malware it found.
Similarly, install and run Spybot Search & Destroy. They also have updated definitions that you can download separately.
That it for the automated tools are done, you can run HijackThis. Several malware packages target this gem specifically, so it’s a good idea to rename the executable before you run it. I like to rename it to hjt.exe or hijath.exe. It’s a good idea to only remove things here that you know are bad. If you have any doubt, post a log of the scan to one of the many boards dedicated to removing spyware, or look up as much as you can. The good news is that HJT does keep backups, but you can still mess up a PC if you use it improperly.
This is another good time to clean out the temporary files. You can do it manually ( cd %temp%; rd /s/q . ) or with a script.
Now for the bad news. Remember all those cool profiles setup on that PC for everyone that would ever touch it? Did your cat really need its own profile? Well, you need to re-run Ad-Aware, Spybot S&D, HijackThis, etc *in each and every profile* to be sure that all of the registry settings have been removed. You may not be able to log into every profile in safe mode, so get as much as you can.
It might be a good idea to have another look at the Windows and System32 directories. Check for anything that looks out of place.
At the end you can run special purpose utilities like LSPFix to remove malicious LSP entries, SPHJFix to get rid of the sp.html/se.dll hijacker, About Buster if SPHJFix didn’t help, ADS Spy to look for bad Alternate Data Streams, RootKitRevealer, and whatever else you can find to throw at the problem.