Before you begin, one piece of advice: DON'T PANIC! You are not the first person this has happened to, and you certainly won't be the last!

The first step in recovering any system from a compromise is to physically remove the network cable. If the system is under external control, the attacker may be watching what happens on the machine, and if they become aware of your actions they could take drastic steps to cover their tracks, such as formatting a drive. Be aware, though, that once the cable is unplugged you lose information about the attacker: you will no longer see active network connections. That information matters if you wish to trace the miscreants, but your site security contacts may have policies requiring disconnection after a break-in, and if your local CERT asks you to remove the machine from the network you should of course comply fully with their request. Your local CERT team may also require you to report any system break-in to them for compliance purposes. Your local security policies should tell you what actions you need to take.

Next, get a notebook (a paper one, not an electronic one) to take notes in. Write down every important detail about the system, starting with the time and date, the IP address and name of the machine, the timezone the machine's clock is set to, whether the clock was accurate, the patches installed on it, the user accounts, how the problem was found, and so on. If anything during the course of your investigation seems pertinent, jot it down; it will be a handy reference later.

It may be difficult to regain control of a seriously compromised Windows system when so many resource-consuming programs run at start-up, but simply restarting in safe mode will stop a large number of Run-key-based malware programs from loading at boot, giving some control back to the user for clean-up tasks.
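As an added example (not code from the original page), the PowerShell script below lists the Run and RunOnce registry entries that would otherwise load at start-up, so they can be reviewed and copied into the notebook once the machine is off the network and booted into safe mode; it also records the date, time zone and hostname the notes should contain. It assumes an administrative logon on the compromised machine, and the output file location is an assumption.

```powershell
# Added example, not part of the original page: enumerate the common
# Run / RunOnce autostart keys for review after booting into safe mode.
# Assumes an administrative logon on the disconnected machine; the
# output path below is an assumption, change it as needed.

$OutFile = "$env:USERPROFILE\Desktop\autoruns-review.txt"   # assumed location

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Provider metadata that Get-ItemProperty attaches to every result; not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Header: the same facts the text tells you to write in the notebook.
$Header = @(
    "Collected : $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss K')"
    "TimeZone  : $((Get-TimeZone).Id)"
    "Computer  : $env:COMPUTERNAME"
    "User      : $env:USERNAME"
    "SafeMode  : $env:SAFEBOOT_OPTION"   # empty unless Windows was booted in safe mode
)

$Entries = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }       # key absent on this system
    $Item = Get-ItemProperty -Path $Key
    foreach ($Name in $Item.PSObject.Properties.Name) {
        if ($Name -in $ProviderProps) { continue }
        [PSCustomObject]@{
            Key     = $Key
            Name    = $Name
            Command = $Item.$Name     # the command line that runs at logon
        }
    }
}

# Save the header plus the entry table for the notebook, and show it on screen.
$Header + ($Entries | Format-Table -AutoSize -Wrap | Out-String) | Set-Content -Path $OutFile
$Entries | Format-Table -AutoSize -Wrap
```

Review each Command line against what you expect to be installed; unfamiliar paths, entries in user-writable directories, or names that mimic system components are the ones to note down and investigate before removing them.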
One final point: your local security contact or CERT team will almost certainly be interested in your findings. Very often an attacker will automate an attack and will almost certainly be targeting other machines in your network. Providing details to your security contacts will enable them to disseminate your findings to other people who may be in a similar situation. And of course your findings may turn up in here!