Most malware programs are caught with a VirusTotal detection ratio whose numerator is 3 or higher (e.g. 13/67). In fact, I've never had a false positive when the numerator is 3 or higher. When I see anything at that numerator or higher, I right-click it in Process Explorer, note the file location path, and kill the process if I don't absolutely recognize and trust the program file.
Then I manually delete the files associated with the executable, but proceed at your own risk! Be forewarned: there is always a chance you might accidentally delete something you need for some application or driver to run. If you're worried, rename the file instead. That's enough to stop the malware program from re-launching from that same file. I will usually rename it to something with a file extension ending in "thisismalware" so that I'll remember what I did if I see it again. Usually, if I'm not sure whether the file I want to delete is malicious, I'll rename the file, wait a week, and then delete it once I'm more confident that I didn't impact anything legitimate.
Occasionally, malware will "fight" with you and not let you kill the process. If so, repeat the process above, but go with Autoruns instead. Use Autoruns to uncheck the program so that it won't load at startup. Reboot and run Process Explorer again. Usually, the malware program will not be running and you can delete it. If using Autoruns doesn't work and the file is still fighting you, you'll have to boot into Safe Mode, find the executable, and then delete or rename it. I haven't run into an executable in years that fought me beyond this step, but it's possible. If this happens, use VirusTotal to identify which antivirus products detect the target file as malicious, download one of them, and then run it on your computer to get rid of the file. Heck, you might want this to be your first eradication step if you aren't comfortable with manually killing and deleting files.
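The "rename first, delete a week later" routine from the two paragraphs above, written as a small PowerShell workflow. This is an added example, not code from the article or from Sysinternals: it parses a VirusTotal-style ratio against the 3-engine threshold, stops any process backed by the file, renames the file with the marker extension, logs the rename, and a second pass deletes only files whose log entry is older than the grace period. The function names and the log path are assumptions chosen for this example.

```powershell
# Added example (not from the article). Assumed names: Test-DetectionRatio,
# Invoke-MarkSuspectFile, Remove-ExpiredSuspectFiles, and the log under ProgramData.

$MarkerExtension = '.thisismalware'
$QuarantineLog   = Join-Path $env:ProgramData 'suspect-files.log'

function Test-DetectionRatio {
    # Parse a VirusTotal-style ratio such as "13/67" and return $true when the
    # number of engines flagging the file meets the threshold (3 by default).
    param(
        [Parameter(Mandatory)][string]$Ratio,
        [int]$Threshold = 3
    )
    if ($Ratio -match '^\s*(\d+)\s*/\s*(\d+)\s*$') {
        return ([int]$Matches[1] -ge $Threshold)
    }
    throw "Unrecognised ratio format: '$Ratio'"
}

function Invoke-MarkSuspectFile {
    # Stop any process backed by this exact file, then rename the file so it cannot
    # be relaunched from the same path. Nothing is deleted at this stage.
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $file.FullName) } |
        ForEach-Object {
            Write-Host "Stopping PID $($_.Id) ($($_.ProcessName))"
            Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
        }

    # Hash before renaming so the sample can be looked up again without re-uploading.
    $hash    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $newName = $file.Name + $MarkerExtension
    $newPath = Join-Path $file.DirectoryName $newName
    # If the process could not be stopped, the file is still locked and this throws,
    # which is the point where the article moves on to Autoruns or Safe Mode.
    Rename-Item -LiteralPath $file.FullName -NewName $newName -ErrorAction Stop

    # One tab-separated line per rename: when, original path, marked path, SHA-256.
    "$((Get-Date).ToString('o'))`t$($file.FullName)`t$newPath`t$hash" |
        Add-Content -LiteralPath $QuarantineLog
    return $newPath
}

function Remove-ExpiredSuspectFiles {
    # Delete marked files whose log entry is older than the grace period. The log
    # timestamp is used rather than LastWriteTime, because renaming a file does not
    # change LastWriteTime and an old binary would otherwise expire immediately.
    param(
        [int]$GraceDays = 7,
        [switch]$WhatIf
    )
    if (-not (Test-Path -LiteralPath $QuarantineLog)) { return }
    $cutoff = (Get-Date).AddDays(-$GraceDays)

    foreach ($line in Get-Content -LiteralPath $QuarantineLog) {
        $when, $orig, $marked, $hash = $line -split "`t"
        if (-not $marked) { continue }   # skip malformed lines
        if (([datetime]$when -lt $cutoff) -and
            $marked.EndsWith($MarkerExtension) -and
            (Test-Path -LiteralPath $marked)) {
            Write-Host "Deleting $marked (marked $when, originally $orig)"
            Remove-Item -LiteralPath $marked -Force -WhatIf:$WhatIf
        }
    }
}

# Usage (from an elevated PowerShell window; the sample path is constructed):
#   if (Test-DetectionRatio '13/67') { Invoke-MarkSuspectFile 'C:\Users\Public\updater.exe' }
#   Remove-ExpiredSuspectFiles -WhatIf    # preview; drop -WhatIf once the week has passed
```

Keeping the hash and original path in the log means a renamed file can still be identified later (by hash on VirusTotal) and restored if it turns out to belong to a legitimate application, which is exactly why the article recommends renaming before deleting.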
Put a shortcut to Process Explorer on your desktop. Always "Run as Administrator." I usually right-click the executable (not the desktop shortcut), choose Properties, then the Compatibility tab, select Change Settings for All Users, and then choose Run this program as an administrator. Make sure to run the 64-bit version if you run a 64-bit version of Windows, which is very common these days. I recommend that everyone download and run Process Explorer or Autoruns at least once a week. If that's too much, at least be sure to run it if your computer exhibits suspicious behavior.
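The Compatibility tab setting described above is stored as a per-executable compatibility layer in the registry, so it can also be applied from a script. The following is an added example, not from the article: it writes the all-users flag for the 64-bit Process Explorer binary and reads it back. The install path and the function name are assumptions for this example; the registry location and the `~ RUNASADMIN` value are what the Compatibility tab itself writes.

```powershell
# Added example (not from the article). The executable path is an assumed install
# location; adjust it to wherever procexp64.exe actually lives on your machine.

$ProcExp = 'C:\Tools\SysinternalsSuite\procexp64.exe'   # assumed path
$Layers  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-RunAsAdminForAllUsers {
    # Writes the compatibility layer that makes Windows prompt for elevation every
    # time this file is launched, for every user on the machine. HKLM is the
    # "Change settings for all users" location, so this needs an elevated session.
    param([Parameter(Mandatory)][string]$ExePath)

    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Not found: $ExePath" }
    if (-not (Test-Path -LiteralPath $Layers)) { New-Item -Path $Layers -Force | Out-Null }

    # The value name is the full executable path; '~ RUNASADMIN' is the data the
    # Compatibility tab writes for "Run this program as an administrator".
    Set-ItemProperty -LiteralPath $Layers -Name $ExePath -Value '~ RUNASADMIN' -Type String

    # Read it back so the caller can confirm the flag took effect.
    return Get-ItemPropertyValue -LiteralPath $Layers -Name $ExePath
}

Set-RunAsAdminForAllUsers -ExePath $ProcExp    # expected to return '~ RUNASADMIN'
```

The per-user equivalent (the Compatibility tab without "Change settings for all users") lives under the same `AppCompatFlags\Layers` path beneath HKCU instead of HKLM.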
Caveat emptor: No malware detection works every time
To be clear, even this detection method is not perfect. Certain malware can escape this sort of detection, although for now, it's rare. Of course, in the future, malware writers could go out of their way to escape the clutches of Process Explorer or Autoruns. That’s not true yet, so the above method is one of the best protection methods you can use.