I'm certain that something like this has happened to you. You're at work/home/shopping and a friend/coworker/family-member asks/phones/sends-a-telegram to you, basically stating: "My computer is acting strangely, do you think I have a virus?"
I had this happen this week, so I asked: describe strange.
So they listed off some symptoms:
slow to boot
takes a while for the computer to catch up to what you're typing
can't get rid of this silly toolbar
password to (some service) is no longer working
Stop right there. I know what the problem is, you've got (fill-in-the-blank banking/keylogging trojan), so you need to rebuild your system.
Now's not a good time to do that. Is there anything else you can do?
Yes, but I don't recommend it.
What You Should Do
The correct response when you suspect a compromise like this on a non-enterprise device is simply to buy a new hard drive and an external enclosure for your old drive. Then install fresh and migrate what you need from the old drive (copy data across, not programs, or you risk carrying the infection over with it). It's time-consuming and a hassle (because people invariably install a bunch of things on their systems and forget passwords and license keys, etc.), but it's the only way to be sure, and it's the non-enterprise equivalent of nuking it from orbit.
What I Did
Because I'm sensitive to the realities of life, and the solution above does not fit all cases, I started off with a quick assessment of the device. Using Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx) the slow-boot problem was pretty obvious: there were at least 3 different anti-virus programs running on the system and competing for resources.
Since we agreed that we weren't going to seek prosecution on this incident, just clean it up and get it working again, I just dove into ripping out all of the free/demo AV programs, and some of the other bloatware introduced by the manufacturer.
That fixed the performance issues on the next reboot. But how do we keep the machine safe? We picked one AV solution. I'm a fan of defense-in-depth, but multiple AV programs is not defense-in-depth, it's width... or something... anyway, it's not good. I also recommend an up-to-date browser, and if you use Firefox I really, really recommend NoScript (http://noscript.net/), and a healthy dose of paranoia when it comes to clicking on things.
Was the System Compromised or Just Over-protected?
So I'm still left wondering whether the system had an undetected infection, so I dropped a Redline collection agent (http://www.mandiant.com/resources/download/redline/) on the box to pull a comprehensive memory analysis. Before running the capture, I open the browser, go to my bank's website and put in a bad username/password pair, and then run the capture.
Golly, that takes a while to run (about 2 hours on a 4Gb system, creating 6.5Gb of data).
After plodding through with Redline and Volatility I haven't uncovered anything yet... yet.
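As an added example (not from the diary, and not Redline's or Volatility's own code), here is the follow-up to the decoy-credential step above: it searches a raw memory image for the planted username and password in both narrow and UTF-16LE form and reports where each one lives. The decoy values and the sample dump are constructed for the demo.

```python
import re

# Constructed decoy pair for the demo (use whatever you typed into the login form).
CANARY_USER = "isc-decoy-user"
CANARY_PASS = "NotMyRealPassw0rd!"

# Constructed stand-in for a memory image: noise, the username as a wide
# (UTF-16LE) string, then the password as a narrow string inside a log-like line.
SAMPLE_DUMP = (b"\x00" * 40 + b"MZ\x90\x00" + CANARY_USER.encode("utf-16-le")
               + b"\x00\x00" + b"\xff" * 24 + b"keys.log: "
               + CANARY_PASS.encode("ascii") + b"\r\n" + b"\x00" * 40)

def canary_patterns(username, password):
    """One byte pattern per (value, encoding): Windows keeps many strings as
    UTF-16LE, so a narrow-only search misses half the places a value can live."""
    pats = {}
    for label, value in (("user", username), ("pass", password)):
        pats[label + "_ascii"] = re.compile(re.escape(value.encode("ascii")))
        pats[label + "_utf16le"] = re.compile(re.escape(value.encode("utf-16-le")))
    return pats

def scan_bytes(buf, username, password, context=16):
    """Return (pattern_name, offset, surrounding_bytes) per hit, sorted by offset.
    The offset is the pivot for attributing the page to a process; the surrounding
    bytes show how a capture was staged (here a log line), which is what separates
    a keylogger buffer from the browser's own copy of what you typed."""
    hits = []
    for name, pat in canary_patterns(username, password).items():
        for m in pat.finditer(buf):
            lo, hi = max(0, m.start() - context), min(len(buf), m.end() + context)
            hits.append((name, m.start(), buf[lo:hi]))
    return sorted(hits, key=lambda h: h[1])

def scan_stream(reader, username=CANARY_USER, password=CANARY_PASS, chunk=64 << 20):
    """Stream a multi-gigabyte image through scan_bytes in chunks, carrying an
    overlap so a hit that straddles a chunk boundary is still found exactly once.
    `reader` is anything with read(n), e.g. a file opened in 'rb' mode."""
    overlap = 2 * max(len(username), len(password))   # >= longest wide pattern
    seen, hits, offset, tail = set(), [], 0, b""
    while True:
        data = reader.read(chunk)
        if not data:
            return hits
        buf, base = tail + data, offset - len(tail)     # base: absolute offset of buf[0]
        for name, off, ctx in scan_bytes(buf, username, password):
            if (name, base + off) not in seen:          # drop repeats from the overlap
                seen.add((name, base + off))
                hits.append((name, base + off, ctx))
        offset += len(data)
        tail = buf[-overlap:]
```

A hit inside the browser's own memory is expected; the signal is the same string turning up in another process, in a file-backed page, or wrapped in a log-like line as in the constructed sample.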
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.