Here’s some generic advice about how to manually remove malware. The first line of attack is to run a boot time scan with avast!, and scans with Ewido and a-Squared.
Then run HijackThis! and look for suspicious entries:
http://www.bleepingcomputer.com/forums/tutorial42.html
Save a log file and analyse it here:
http://hijackthis.de/
You can submit unknown files to a multi-engine online scanner while viewing the results.
Unknown entries can be checked by Googling the file name.
Entries highlighted as nasty may not be- do some research before removing anything. Some ISP entries are classed as nasty. Do not assume that you can remove any such entries. Google the result first.
Fixing malware entries, rebooting into safe mode and deleting the file will sometimes remove the malware. Some malware is not removed so easily.
For malware in temp files:
Run Process Explorer and look for files starting from a temp file. (Click on each process to view details in the lower screen.)
http://www.sysinternals.com/Utilities/ProcessExplorer.html
Legitimate files do not normally start from temp files, but Google any processes found running from temp files. Malware files often have randomly generated names and will not come up on Google. It’s a pretty safe bet these are malware files.
If the process seems to have a random name, or is definitely identified as malware on Google, use Process Explorer to kill the process.
Use HijackThis! to identify the startup entry for the process and fix it. Reboot into safe mode and delete the file if you can find it. Alternatively, run CCleaner.
http://www.ccleaner.com/
CCleaner will stall if malware processes are running from temp files: If CCleaner completes its cleanup after you fix malware entries, it means the removal was successful.
Unsophisticated Trojans can often be removed in this way. Sometimes malware has two processes running so that one can protect the other, or uses other methods to protect itself.
If more than one malware process is found, Winpatrol has an option to kill multiple processes and delete malware files on reboot.
http://www.winpatrol.com/
If these methods don’t work, try to give us as much information as possible so we can suggest other ways of tackling the malware.
Give us the process name and the full location it is starting from
Try to submit the malware file to Jotti’s multi-engine online scanner to identify the malware that is at the root of the problem- You can submit files directly to Jotti from The HijackThis analysis, or here:
http://virusscan.jotti.org/
Good luck!