Some of the newer stuff I have tangled with can embed itself rather nicely and avoid detection quite well (one I dealt with deleted the startup entry after launch (before I could run a scanner) and added itself again on shutdown).
Two options and you can combine ideas quite easily.
LiveCD boot and test.
Linux and Windows options here; BartPE is the usual Windows suspect.
BartPE: You will need a Windows CD.
http://nu2.nu/pebuilder/
BartPE plugins:
http://www.bootcd.us/BartPE_Plugins_Category/antivirus/
And Linux:
http://www.raymond.cc/blog/archives/2008/0...otable-windows/ is a start, I tend to go in manual rather than automated though.
Option 2 is safe mode. Safe mode, if you were unaware, is a minimal version of Windows that only loads a specific subset and will usually stop any bad code loading.
Press F8 when booting up (I usually start just after the BIOS has finished doing whatever) and you should get the option.
You can then proceed to doing whatever including the steps below:
Applicable to both.
AV scanners do have limited heuristics (detection of bad code not in the database) but I have never encountered a good one and obviously a database is not going to be 100% accurate. This means going manual is the way forward.
You have two options:
1. Use something like a-squared HiJackFree (note all the various programs are on the page, so make sure to get a-squared HiJackFree rather than something else):
http://www.hijackfree.com/en/hijackfree/
2. I know I just rubbished heuristics, but if you do not mind the odd false positive, full packages like Comodo
http://personalfirewall.comodo.com/ have the ability to tell you if something is trying to do something.
I also use a few things from the people behind Spybot that are a bit more low end:
http://www.safer-networking.org/en/runalyzer/index.html