Tuesday, December 20, 2011

tools for recovery and malware remediation

If I can get into Safe Mode, my first attack is a System Restore to a day about 5-7 days PRIOR to the date the malware got on. I can determine this date from the creation dates of icons on the desktop and of files in windows\system32 or windows\temp, looking for suspicious files. I can ask the client, but the infection may have been put on their machine a couple of days prior and triggered on reboot.
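As an added illustration of the date-finding step above (my example, not part of the original post), this Python script counts files by creation day in the directories mentioned, flags days with an unusual burst of new files, and works out the 5-7 day restore target; the directory paths and the burst thresholds are assumptions.

```python
import os
from collections import Counter
from datetime import date, datetime, timedelta

# Directories the post suggests checking; assumed paths for a Windows install.
DEFAULT_DIRS = [r"C:\Windows\System32", r"C:\Windows\Temp",
                r"C:\Users\Public\Desktop"]

def creation_days(dirs):
    """Count files per creation date across the given directory trees.

    st_ctime is the creation time on Windows only; on Linux it is the
    inode change time, so run this from a Windows boot (or use
    st_birthtime where the filesystem provides it).
    """
    counts = Counter()
    for root in dirs:
        for dirpath, _subdirs, filenames in os.walk(root):
            for name in filenames:
                try:
                    st = os.stat(os.path.join(dirpath, name))
                except OSError:
                    continue  # locked or unreadable file: skip it
                counts[datetime.fromtimestamp(st.st_ctime).date()] += 1
    return counts

def burst_days(counts, window_days=30, factor=3.0, min_files=5):
    """Return days (newest first) whose file-creation count stands out.

    A day qualifies when it has at least `min_files` new files and at
    least `factor` times the average of the other days in the window.
    The thresholds are assumed rules of thumb, not from the post.
    """
    if not counts:
        return []
    newest = max(counts)
    window = {d: n for d, n in counts.items() if (newest - d).days <= window_days}
    if len(window) < 2:
        return [d for d, n in window.items() if n >= min_files]
    total = sum(window.values())
    hits = []
    for day, n in window.items():
        others_avg = (total - n) / (len(window) - 1)
        if n >= min_files and n >= factor * others_avg:
            hits.append(day)
    return sorted(hits, reverse=True)

def restore_window(infection_day, earliest=7, latest=5):
    """Restore-point target range: 5-7 days before the suspected infection."""
    return (infection_day - timedelta(days=earliest),
            infection_day - timedelta(days=latest))

if __name__ == "__main__":
    for day in burst_days(creation_days(DEFAULT_DIRS)):
        print(day, "-> restore to a point between", *restore_window(day))
```

Treat a flagged day as a lead to confirm by eye, since a Windows Update run also creates a burst of files in System32.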

If there's no Safe Mode, bring out Ubuntu or BartPE, boot with it, and move the temp files to another location rather than deleting them (one virus keeps the renamed program files in the temp directory, so deleting them could mean a reinstall of Windows).

Try to copy critical files off onto a USB stick or external drive in case the damage is too large; then you'll have them if you need to reformat the hard drive.

If I can get into Safe Mode and have restored, or once a boot isn't actively yammering at me with malware, I try to install either SuperAntiSpyware or Malwarebytes. Often live malware prevents this, but it's worth a shot.

If that works, then Microsoft Security Essentials (or update their antivirus, but hey, it let this sucker in!).
I like ESET NOD32 the best of all; it's stonewalled all the malware I've seen threaten it.

You may need CCleaner or Autoruns to see if there's suspicious stuff in startup; delete it or make it inactive.

I look at temp files, Temporary Internet Files, system32 and files in the application directories for traces of bad guys. I usually set IE to purge internet files on closing; that could prevent file recovery from the temp internet cache, but that's really rare to run into.

Putting the hard drive in another machine and running antivirus can find some things, but it's a pain if you're not at home but at their place.

I don't spend more than 45 minutes onsite to see if System Restore or quick removal of startup items does it. Then run Ninite, CCleaner and Windows Update. If that doesn't do it, back to the shop.

Best preventative: Chrome, and Ninite to update all the runtimes: Adobe Reader, Java, etc., plus QuickTime, Skype, Google Earth, anything they already have on their machine. Look for older Java versions that didn't get removed; ditto Shockwave/Flash.

Look through installed programs to remove the known slime-ware/adware.

I also ask about backup. If there is none and I have to work on it at home, I back up docs etc. to my drive and burn a DVD (include a reasonable cost as part of the fee).