Malware Detection and Removal - Version 2

Most well-known malware detection and removal processes rely on automated tools to detect and remove adware, spyware, trojans, viruses, and worms from your computer. There are many such tools - some free, others not - that will automatically detect and remove malware. Here is a sample list of the many available products.


For endless hours of discussion about the merits of each (and of the many complementary and competing products), see the Alt.Comp.Virus and Alt.Privacy.Spyware forums.

The way most of these tools work is:

  • You update a malware signature database on your computer; it identifies each known piece of malware.
  • You scan each file on your computer.

    • Each file is examined against the malware database.
    • If something is found that matches an entry in the database, it is removed.


Simple, right? But there are several problems with this procedure.

  1. It requires an up-to-date malware signature database on your computer before the process is started.
  2. It is prone to false negatives - if the database isn't up to date, malware might not be detected.
  3. It is prone to false positives - sometimes you remove something that should not be removed.
  4. Because of the false positive threat, there is a quarantine area - anything removed is not really deleted; the malware scanner simply moves it to a holding area on the computer. To recover something mistakenly removed, you must run the malware scanner again and have it intentionally restored.
  5. It requires intensive scanning of each file on the computer. The number of files on your system, multiplied by the size of the signature database, determines the scanning time, and long scans discourage frequent and regular scanning. Malware that matures and propagates between scanning cycles is uncontrolled.

There has to be a better way, so let's try one. Here are three possible tools.

  1. HijackFree.
  2. HijackThis.
  3. Silent Runners.


  • Scan the computer for the active signatures of all processes - good and bad. These tools look at all active processes, and at the various system configuration stores that control which programs start, and present you with a log.
  • You can scan the log by hand and look for obviously suspicious entries.
  • You can submit a HijackThis log to any of dozens of expert forums, where real human experts will examine your log and offer legitimate advice.
  • You can submit a HijackThis log to any of several online services that will check it against their databases.
  • HijackFree will analyse its log for you against the online SysInfo databases and present you with a nice GUI display.
  • If any suspicious entries are found, you locate the corresponding suspicious file on your computer.
  • You upload the suspicious files to one of a couple of online file-scanning services. Those services run the file through a dozen different malware scanners, performing an intensive analysis. If the file contains any malware - trojan, virus, worm - it should be detected by at least one of the engines.
  • Any file that contains malware matching a known entry in an online database is immediately identified to you. You compare the findings from each of the scanning engines in the displayed log.
  • Any file containing unknown malware is analysed further, and entries are made to add it to the online databases.
  • You can get instructions on removing the malware found by querying an online database of instructions provided by the vendor of the online scanner that identified the malware.
  • Once you have identified specific malware on your computer, continue with an intensive whole-computer malware analysis.
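As an added example (not part of the original post, and not code from HijackThis, HijackFree or Silent Runners), here is a small Python triage script that parses constructed HijackThis-style O2/O4 log lines, looks each referenced file up in a constructed multi-engine result table standing in for an online file-scanning service, and separates consensus detections from single-engine hits and from files the service has never seen. All log lines, paths, detection names and engine names are constructed; a real service keys its results on the file's hash rather than its path.

```python
import re

# Constructed HijackThis-style log lines (not a real log). Only the O2 (browser
# helper object) and O4 (registry Run key autostart) item types are parsed here.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\updater.exe /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Loader] C:\Documents and Settings\user\loader.exe
"""

ENTRY_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$"),
    # O4: the path runs up to the first ".exe"; anything after it is arguments.
    "O4": re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<path>.+?\.exe)", re.I),
}

def parse_log(text):
    """Return (item_type, file_path) pairs for the autostart entries in a log."""
    entries = []
    for line in text.splitlines():
        for item_type, pattern in ENTRY_PATTERNS.items():
            match = pattern.match(line)
            if match:
                entries.append((item_type, match.group("path").strip()))
    return entries

# Constructed stand-in for an online multi-engine scan result: engine -> detection
# name, or None when that engine calls the file clean. example_bho.dll is
# deliberately absent, standing for a file the service has never seen.
ENGINE_RESULTS = {
    r"C:\Documents and Settings\user\loader.exe": {
        "av1": "Trojan.Generic", "av2": "Win32.Suspicious", "av3": None},
    r"C:\Program Files\Example\updater.exe": {"av1": "PUA.Updater", "av2": None, "av3": None},
    r"C:\WINDOWS\system32\ctfmon.exe": {"av1": None, "av2": None, "av3": None},
}

def triage(entries, results):
    """Classify each entry by engine agreement so single hits are reviewed separately."""
    report = {}
    for item_type, path in entries:
        verdicts = results.get(path)
        hits = sorted(eng for eng, name in (verdicts or {}).items() if name)
        if verdicts is None:
            status = "unknown"        # never scanned: submit the file for analysis
        elif len(hits) >= 2:
            status = "consensus"      # several engines agree: treat as malware
        elif hits:
            status = "single-engine"  # one detection only: verify before removal
        else:
            status = "clean"
        report[path] = (item_type, status, hits)
    return report
```

Run `triage(parse_log(SAMPLE_LOG), ENGINE_RESULTS)` to get one status per autostart entry; the "single-engine" bucket is where the false-positive caveat from the numbered list above applies.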

There are several advantages to this approach.

  1. Scanning is by known malware traces, not by individual file. This is a much quicker process, which makes regular use more likely.
  2. The log analysis databases are online, so you are likely to start from more up-to-date information.
  3. The online file analysis services provide multiple malware scanners. Scanners specifically sensitive to adware, spyware, trojans, viruses, and worms are used, complementing each other, to analyse any suspicious file.
  4. When heuristic analysis of a suspicious file indicates malware, but it is not known malware, deeper analysis of your submitted sample can be done by the operators of the online scanning engines. The results of that deeper analysis can be fed back into the online malware databases. The next person with your malware will benefit from your participation; everybody benefits from this collaboration.

You're welcome to continue using the current, well-known strategy of individual-file heuristic and signature-based analysis, if you wish. But if you're serious about the security of your computers, you'll want to complement that strategy with whole-computer scanning.
