2/12/08

Malware infections

One of your users has a malware infection. Your antivirus program quarantined part of it, but it’s still hanging on, just beyond the reach of your two or three favorite antivirus/antispyware tools. Now what?

1. Power the infected machine off, pull its hard drive and connect it as a secondary (non-boot) drive to a spare PC running Windows XP or Vista, so you can access the file system while the malware is not running. Disable AutoPlay/Autorun on the spare PC first, and do not double-click anything on the mounted drive.

2. Search the Windows directory (including subfolders) for recently created or modified *.exe, *.com, *.dll, *.ocx, *.bat, *.dat, *.drv, *.sys, *.bin and *.scr files. Switch the search results to Details view and add the Company and File Version columns so that each file's publisher and version number are displayed.

Recently created or modified files that show no publisher are the prime suspects. Disable them rather than deleting them, by appending a different extension (e.g. *.bad): the malware's autostart entries then fail to load them, and you keep a copy for analysis or for restoring a false positive. Bear in mind that the publisher field is just a string in the file's version resource; malware can fake one, and some legitimate drivers and tools ship without one, so treat it as a triage heuristic, not a verdict. Files that do show a legitimate publisher but were recently modified may have been patched or replaced by the malware; replace each one with a known-clean copy of the same version number, taken from install media, a service pack or an uninfected machine.

Lastly, put the drive back, boot the machine and run HijackThis to clean up any remaining traces of the infection: autostart entries, browser helper objects and hosts-file changes that pointed at the files you disabled.
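The same triage, scripted. This is an added example and not part of the original post; it runs on the spare PC against the mounted drive and assumes that drive shows up as E: (so its Windows directory is E:\Windows) and that "recently" means the last 14 days; both are parameters. It reads the same Company and File Version fields Explorer shows, adds an Authenticode check and a SHA-1 so hits can be compared against a clean machine, and only renames files when you pass -Quarantine.

```powershell
# Added example (not the original post's code): triage a mounted, offline
# infected drive. Assumptions: drive mounted as E:, "recent" = 14 days.
param(
    [string]$Root = 'E:\Windows',   # assumption: infected drive mounted as E:
    [int]$Days = 14,                # assumption: what "recently" means
    [switch]$Quarantine             # rename "no publisher" hits to *.bad
)

$exts  = '.exe','.com','.dll','.ocx','.bat','.dat','.drv','.sys','.bin','.scr'
$since = (Get-Date).AddDays(-$Days)

# SHA-1 via .NET so this also works on PowerShell 1.0/2.0 (no Get-FileHash).
function Get-Sha1([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-','' }
    finally { $fs.Close() }
}

# Step 2: recently created or modified files with the listed extensions.
$hits = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($exts -contains $_.Extension.ToLower()) -and
        ($_.LastWriteTime -gt $since -or $_.CreationTime -gt $since)
    }

$report = foreach ($f in $hits) {
    # The same publisher / version fields Explorer's Company and File Version columns show.
    $vi  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.FullName)
    # Embedded Authenticode signature: a valid one is far stronger evidence than a
    # CompanyName string, which is just text inside the file and can be faked.
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue

    $verdict = if ($sig -and $sig.Status -eq 'Valid') {
        'signed'                        # low priority
    } elseif ([string]::IsNullOrEmpty($vi.CompanyName)) {
        'SUSPECT: no publisher'         # disable (rename), keep the sample
    } else {
        'CHECK: publisher, unsigned'    # compare with a clean copy of the same version
    }

    New-Object PSObject -Property @{
        Verdict   = $verdict
        Path      = $f.FullName
        Created   = $f.CreationTime
        Modified  = $f.LastWriteTime
        Publisher = $vi.CompanyName
        Version   = $vi.FileVersion
        Sha1      = Get-Sha1 $f.FullName
    }
}

$report | Sort-Object Modified -Descending |
    Format-Table Verdict, Modified, Publisher, Version, Sha1, Path -AutoSize

# Step 3: disable, don't delete. Appending an extension breaks the malware's
# autostart entries while keeping the file; rename it back if it was a false positive.
if ($Quarantine) {
    foreach ($r in ($report | Where-Object { $_.Verdict -like 'SUSPECT*' })) {
        Rename-Item -Path $r.Path -NewName ((Split-Path -Leaf $r.Path) + '.bad')
    }
}
```

Read the report before passing -Quarantine. Many of Windows' own files are signed through catalog files rather than embedded signatures, so "unsigned" on an offline drive does not condemn a file on its own; the "CHECK" rows are the ones to compare, by version and SHA-1, against the same file on a clean machine before replacing them.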

I've used this method to remove malware missed by NOD32 and Spyware Doctor.