2 Answers
- Shadow Wolf, Lv 6, 1 decade ago, Favorite Answer
The procedure below can make your system crash or not boot at all. Malware sometimes renames and replaces existing files in such a way that incorrect removal could render your operating system useless. You have been warned.
If you have a good firewall that blocks outgoing communications, then you have a chance to catch malware as it is trying to get out. That doesn't mean it can catch everything. This is just one possible warning. There may be other unusual activity when malware is involved.
Run and examine the log file from HijackThis. The program was originally designed to combat the CoolWebSearch hijacker, but it is a good tool that will read most of the possible run locations for other types of malware. Many forget about the win.ini and system.ini "run" sections that are still used for backward compatibility. Also there is the obvious start section in the regular start/programs/startup menu. Make notes on the full file paths and registry locations of any suspect files.
Research the file name(s) with Google. See if other people have identified the problem or if it is an actual program that belongs there. Sometimes this will turn up fix solutions and possible removal tools.
There are several tricks to short-circuiting malware. Once you have it identified, reboot to the command prompt only. Not even safe mode and no networking. For safety, only change the name(s) of the suspected malware and add the new file name to your notes. Changing the name stops it from being executed automatically and leaves a chance to restore the file in case it breaks something and really wasn't malware.
Once you have the name(s) changed and you are sure it saved the changes, unplug the computer. Some malware checks to see if it is still in the registry among other things so that it can stay in your computer. By unplugging, you bypass any checks and prevent them from being written. The malware may even be running in the command prompt mode and we want to prevent it from doing anything.
Reboot your computer in normal mode. If you did your job right in the previous steps, the malware has been rendered harmless. Hit CTRL-ALT-DEL and check your running processes. If all is well, start/run/regedit and remove the entries from your registry from your notes. If HijackThis found them, you can simply run that and remove them that way.
The file(s) that you changed the name(s) on need to be moved to a safe location. Put them in a temp directory and zip them with a descriptive name so you don't go opening them by accident. If no problems surface after a month, it is probably safe to delete the file.
All of the above assumes that your anti-virus and other anti-malware programs failed. Most of the better anti-virus programs have a mechanism to report malware that they didn't find. Send a copy off to them once your system is clean. You may have found a new variant that no one knows about yet. Usually, the next virus definition update will find your version and at that point let the anti-virus program put it in its vault.
There are even safer ways to remove malware using live CDs. The procedure is nearly the same except you don't boot the Windows command prompt at all. You boot the live CD and change file name(s) that way. An advantage of the live CD is you get a Linux GUI environment. This is also one possible way to recover if you change a file that is important to the operating system that prevents normal boot. If you have a Zip drive or other emergency recovery disk or flash drive, then you may be able to boot from that instead of a live CD and have more familiar Windows tools available.
Manually removing malware is generally not very difficult. It is just a matter of circumventing all the possible ways it might try to keep itself on the system.
Shadow Wolf
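The note-taking step in the answer above (record the full file path and registry location of every autostart entry before renaming anything) can be done from one script. The following is an added example, not code from the answer or from HijackThis: a read-only inventory of the Run/RunOnce keys, both Startup folders and the legacy win.ini load=/run= lines, with the resolved executable path and its SHA-256 so the notes survive a later rename. It assumes Windows PowerShell 5.1 or later; the CSV output path on the Desktop is an assumption you can change. It changes nothing on the system.

```powershell
# Added example (not part of the original answer): read-only inventory of
# common Windows autostart locations for the "make notes" step.
# Assumes Windows PowerShell 5.1+; the Desktop CSV path is an assumption.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Pull the executable out of a command line such as  "C:\Tools\foo.exe" /bg
# or %SystemRoot%\system32\bar.exe. An unquoted path containing spaces is
# cut at the first space, so review the Command column as well.
function Get-ExePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Build one row of the report; hash only when the target file really exists.
function New-Entry {
    param([string]$Location, [string]$Name, [string]$Command)
    $exe    = Get-ExePath $Command
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $hash   = $null
    if ($exists) { $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
    [pscustomobject]@{
        Location = $Location
        Name     = $Name
        Command  = $Command
        Path     = $exe
        Exists   = $exists
        SHA256   = $hash
    }
}

function Get-AutostartEntries {
    $entries = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $entries += New-Entry -Location $key -Name $p.Name -Command ([string]$p.Value)
        }
    }

    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
            $entries += New-Entry -Location $folder -Name $f.Name -Command ('"{0}"' -f $f.FullName)
        }
    }

    # win.ini load= and run= are still honoured for backward compatibility.
    $winIni = Join-Path $env:windir 'win.ini'
    if (Test-Path $winIni) {
        foreach ($line in Get-Content $winIni) {
            if ($line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                $entries += New-Entry -Location $winIni -Name $Matches[1] -Command $Matches[2]
            }
        }
    }

    return $entries
}

$report = Get-AutostartEntries
$report | Format-Table Location, Name, Path, Exists, SHA256 -AutoSize
# Keep a copy for the notes; the rename and registry steps rely on these paths.
$report | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\autostart-notes.csv') -NoTypeInformation
```

Entries whose Exists column is False are worth a second look: a Run value that points at a file which is no longer there is either a leftover from an uninstall or a renamed file, and the answer's research step (search the file name) applies to it just as it does to a file that is present. The hash in the report is what lets you confirm, after the month the answer suggests waiting, that the zipped copy you quarantined is the same file you originally found.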
- Meh, Internets, Lv 7, 1 decade ago
This is the best way:
Start the computer in safe mode with networking (press F8 repeatedly on boot).
Then download and install Malwarebytes Anti-Malware, update it, and run a full scan. Remove the malware it finds. Then restart your computer again and everything should be cleaned.