I'm asking this question to understand what do "you" do to cleanup an infected machine?

Considering the OS is Windows 2000 and above.

To start:

What do you believe in (ONLY WORKSTATION, NOT TALKING ABOUT CRITICAL SYSTEMS AND SERVERS. I'm only sticking to end user systems. These systems will never house critical data)

1. Clean the machine and continue using it?

Or

2. Reghost or rebuild the machine.

Consider the fact that you have around 5000 machines spread across the country, served by third party tech team with NO SLA set.

And

Scenario 2: Consider only 2 or 3 workstation.. That’s it.. However would you still clean it ?

I am also trying to get ideas so that I can write a cleanup guide for the community.



Here is what I usually do:

If it is a local machine :

1. Ensure system restore is OFF.

2. We use a BartPE cd with Kaspersky on it. This CD gets updated every morning. This is used to clean the machine. (For those who have never used Kaspersky on BartPE - it is same as complete AV suite with all features).

3. Just to be sure, we reboot in safe mode and use trend micro's sysclean with latest pattern file.

4. Use anti-rootkit by Trendmicro and f-secure.

5. Post cleanup machine is checked with sigverif and checked for any rouge services.


6. Use NSS by Symantec but this is not usually done.

7. Depending on what we found system may be rebuilt - incase of rootkits or trojans.

8. Change passwords and other credentials for the user.


Machine is patched if not already patched. Security logs are browsed through to see if it was an intrusion or just an automated piece of code that made through *due to unpatched machines*


Scenario 2 :

If it is a remote machine(none of our remote machines have CD/DVD ROM’S):

Same steps except using BartPE CD.

We use sysclean and pattern files, sent over netmeeting.


****

My personal opinion is never use an infected system because you never know the extent of damage. However this is not feasible in a domain environment where machines are spread across the country and ghosting is not possible every time.

Like I said I want to make a tutorial on how to clean an infected machine, so if you have any points please let me know.

I know IE or Firefox (browsers) can be used for scanning but then at that point of time machine is in normal mode and I prefer cleaning a machine in safe mode or through bootcd.