This has been pretty much what my job entailed during the past four years, so I'll chime in with how we did it. We would first pull the harddrive from any machine that came in the office and attach it to a known-clean machine via a USB adapter with the appropriate PATA/SATA/laptop connector. We would scan that drive with our current AV of choice. Then we would do scans with Ad-Aware and usually some second spyware removal type of app. Before we pulled the drive from the USB, we would copy over the utilities we knew we would be using to further clean up the system once it was booted up. We normally took a quick manual look around the directory structure to see if there was anything overtly obvious to delete. Usually the first step upon bootup would be to run HiJack this and do a reboot. At that point the machine was normally stable enough to run through scans with any number of tools -- over the years we have used Spyware Doctor, Spyware Xterminator, Doctor Spyware Cleaner, AdAware, Spybot Search and Destroy, Spyware Blaster, Registry Mechanic, Super Anti-Spyware ... etc. We always used AdAware, Spybot Search and Destroy and Spyware Blaster. The last two would leave their "immunizations" behind and it seemed to help with our clients. After our spyware related scans we would throw software updates at the machine to bring it up to our current patch level. This usually meant "throw everything at it you can!" Before the machine would leave the office we did a full AV scan using whatever software the client had, or whatever software we had added because they had none. It was standard practice in all of this to run applications and do a bit of surfing to make sure the machine "seemed to be right" and figure out if it "felt like it was running like it was supposed to". The scans, and the MS updates took all our time. My boss always wanted the updates downloaded from the MS Update site rather than any automated means. This took time but did allow us to monitor the system to see if it was working properly. The only other slow-down would be if we were working on an old slow system. Give relatively up to date hardware the procedure (my boss insisted upon calling it a Code 11) would normally take up to 4-6 hours for everything. Jim
