
Using Procmon for finding malware

The scenario is: you know you are infected, because you have identified a process associated with malware, but you cannot figure out how that process is getting launched.


A variation of this is: you kill the process and remove the executable, but it reappears after a given amount of time, after a reboot, and so on. A great tool to help you identify the source of the problem is Process Monitor (or Procmon for short) from Microsoft (formerly Sysinternals).