There are general 3 steps to removing malware which should be done in SAFE Mode. If you unsure about how to boot your windows into SAFE Mode only, when you first boot your computer before you see the Windows Logo press and hold down the F5 key and you will be given the option to boot your PC into a minimal boot configuration of the OS so you can do your investigation without being connected to the internet. Always remember to make a backup of your registry (use the system Restore checkpoint tool) before you do any of these changes.
Step 1. The first step is to stop the malware that is currently running and starting up automatically every time you login to windows. We need to stop and kill the process of it running and prevent it from starting up again.
There are 2 areas that are useful for checking what is "Starting up" and "Running". This is shown in the video tutorial below in more detail, but for reference these 2 areas are the System Configuration accessed using MSCONFIG and the Task Manager which is accessed by doing a CTRL+ALT+DEL.
Within these existing tools in Windows you can get the details on a suspicious EXE file starting up or a process running in the background hidden from view and disable it.
Step 2. Though you might be successful in disabling temporarily the malware from running by doing Step 1, this does not solve the problem long term because most malware (Spyware, trojans and viruses) can put them selves back and re-enable themselves once you reboot because the registry still has entries that reference them and start them up. This means that before you restart your computer and immediately after you have done step 1, you need to go into the windows REGISTRY (as shown in the video tutorial) and remove the references of the suspicious malware executables from there. The windows registry has specific area where you can specify programs to start automatically or associate themselves as something else or hide. Searching the registry for these references and deleting them ensure that they do not startup again. In the registry malware places itself in the startup here HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Step 3. The last thing that you would do is delete the actual malware files. Once you have found the filenames and locations (based on our findings in the MSCONFIG and REGISTRY) you can navigate using Windows Explorer and delete the actual files from your hard drive. Though this is not 100% fool proof and malware files can make copies of themselves and duplicate themselves, removing as much as possible will in most cases break the cycle of allowing the malware to run. Some common areas where you will find Spyware , Trojans and Virus hiding are as follows:
C:\Documents and Settings\Administrator\Local Settings\Temp\ C:\windows\system32\ C:\WINDOWS\Prefetch
In these folders when you sort by date your files and folder you can see what has recently been touched, added or changed. Malware will try to discuse itself as a DLL file or an EXE file, usually they have odd file names with no real meaning and you can seach online for that file name to get details on its origine and if its a threat or not. Sometimes they try to take on filenames similar to actual real system files such as rundll32 . If you saw something called rundll33 then you know that for sure is a threat and should be deleted.