
10 ways to detect computer malware

In the ongoing war against malware threats, you need tools that will baseline your system, detect vulnerabilities, and remove existing malware.

Cybercriminals are putting forth every effort to make malware difficult to detect. Successfully, I might add. Ever optimistic, I thought I would have a go at providing information on how to make their job a little tougher.

Note: This article is also available as a download, which includes both a PDF and a PowerPoint version of this information.

Baselining is an important reference

Knowing exactly what is running on a computer is paramount to learning what shouldn't be. Creating a reference baseline is the best way I've found to accomplish this. Let's look at three applications that do just that.

1: Microsoft Process Explorer (formerly Sysinternals)

Process Explorer provides an excellent way to determine what processes are running on a computer. It also describes the function of each process.

More important, you can use Process Explorer to create a baseline of the running processes used by the computer when it's operating correctly. If for some reason the computer starts behaving poorly, run Process Explorer again and compare the scans. Any differences will be good places to start looking for malware.
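The baseline-then-compare procedure described above, as an added example that is not part of the original article and is not Process Explorer's own output: a PowerShell script that records each running image's path, SHA-256 hash and Authenticode status to a JSON baseline, and later reports images that are new, whose on-disk hash has changed, or that are no longer validly signed. The cmdlets are standard Windows PowerShell (5.1 or later); the baseline location C:\Baselines\processes.json is an assumed path.

```powershell
# Added example (not from the article): snapshot running processes with image
# path, SHA-256 and Authenticode status, save as a baseline, and later diff a
# fresh snapshot against it. Run elevated so protected system images are readable.

function Get-ProcessSnapshot {
    # One record per distinct image path; hash and signature are computed once
    # per path. Processes whose path cannot be read are recorded with Path = $null.
    Get-Process -ErrorAction SilentlyContinue |
        Group-Object -Property Path |
        ForEach-Object {
            $path = $_.Name
            $hash = $null
            $sig  = 'Unknown'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            }
            [pscustomobject]@{
                Name      = ($_.Group | Select-Object -First 1).ProcessName
                Path      = $path
                Count     = $_.Count
                Sha256    = $hash
                Signature = $sig
            }
        }
}

function Save-ProcessBaseline {
    # Write the current snapshot to disk as the "known good" reference.
    param([Parameter(Mandatory)][string]$BaselinePath)
    Get-ProcessSnapshot |
        ConvertTo-Json -Depth 3 |
        Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Compare-ProcessBaseline {
    # Report three kinds of drift: images absent from the baseline, baseline
    # images whose on-disk hash changed, and images whose Authenticode status
    # is not 'Valid'. Each finding is a starting point for investigation, not a verdict.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $byPath = @{}
    foreach ($b in $baseline) { if ($b.Path) { $byPath[$b.Path] = $b } }

    foreach ($cur in (Get-ProcessSnapshot | Where-Object Path)) {
        $old = $byPath[$cur.Path]
        $finding = $null
        if (-not $old)                           { $finding = 'NewImage' }
        elseif ($old.Sha256 -ne $cur.Sha256)     { $finding = 'HashChanged' }
        elseif ($cur.Signature -ne 'Valid')      { $finding = 'UnsignedOrInvalid' }
        if ($finding) {
            [pscustomobject]@{
                Finding   = $finding
                Name      = $cur.Name
                Path      = $cur.Path
                Signature = $cur.Signature
            }
        }
    }
}

# Usage (assumed path): on a machine that is behaving correctly
#   Save-ProcessBaseline -BaselinePath 'C:\Baselines\processes.json'
# later, when the machine misbehaves
#   Compare-ProcessBaseline -BaselinePath 'C:\Baselines\processes.json' | Format-Table -AutoSize
```

A legitimate update (Windows Update, a browser upgrade) also changes image hashes, so re-run Save-ProcessBaseline after patching or every HashChanged finding will be a false positive. Process Explorer still shows more than this script (parent process, loaded DLLs, handles, command line); the script is a lightweight, scriptable complement that makes the before/after comparison the article recommends repeatable.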

2: Trend Micro's HiJackThis

HiJackThis is Process Explorer on steroids, making the application somewhat daunting to those of us not completely familiar with operating systems. Still, running HiJackThis before having malware problems creates a great reference baseline, making it easy to spot changes.

If it's too late to run a baseline scan, do not fear. Several Web sites offer online applications that will automatically analyze the log file from HiJackThis, pointing out possible conflicts. Two that I use are HiJackThis.de Security and NetworkTechs.com. If you would rather have trained experts help, I would recommend WindowSecurity.com's HiJackThis forum.

3: Kaspersky's GetSystemInfo

Kaspersky has an application similar to HiJackThis called GetSystemInfo. I like the fact that Kaspersky has an online parser. Just upload the log file and the parser will point out any disparities.

GetSystemInfo, like the other scanners, is a good way to keep track of what's on the computer, and if need be, it can help find any malware that happens to sneak in.

Be careful: As I alluded to earlier, removing processes suggested by the scanners is not for the faint of heart. It requires in-depth knowledge of operating systems or being able to compare before and after scans.

Next, I'd like to discuss two vulnerability scanners.

It's simple: No vulnerabilities, no malware

Anti-malware includes any program that combats malware, whether it's real-time protection or detection and removal of existing malware. Vulnerability scanners proactively detect vulnerabilities so that malware can't gain a foothold. I'd rather update applications than chase malware any day.

4: Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a vulnerability scanner that detects insecure configuration settings and checks all installed Microsoft products for missing security updates. I recommend using MBSA when upper management needs convincing. Making a case for needing a vulnerability scanner is sometimes easier if the product is from the OEM.

5: Secunia inspection scanners

Secunia's scanners are similar to MBSA when it comes to Microsoft products. But unlike MBSA, Secunia products also scan hundreds of third-party applications, which gives Secunia a distinct advantage.

All the Secunia scanners, online and client-side, have an intuitive way of determining what is wrong and how to rectify it. They usually offer a link to the application's Web page, where the update can be downloaded.
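To make "no vulnerabilities, no malware" concrete, here is an added example that is not from the article, MBSA or Secunia. It performs the inventory half of what those scanners do: it reads installed applications from the registry Uninstall keys (the same keys Add/Remove Programs reads) and flags any below a minimum version you maintain. The $MinimumVersions table and the product names in it are constructed placeholders; a real table would be filled from vendor security advisories.

```powershell
# Added example (not from the article): inventory installed software from the
# registry Uninstall keys and flag entries below a required minimum version.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # One record per product name; entries without a name or version are skipped.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Vendor  = $_.Publisher
            }
        } |
        Sort-Object Name -Unique
}

function ConvertTo-ComparableVersion {
    # Vendor version strings are messy ("1.2.3 (build 4)", "10.0a"). Keep the
    # leading dotted-numeric part so [version] can parse it; return $null otherwise.
    param([string]$Text)
    if ($Text -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Find-OutdatedSoftware {
    # $MinimumVersions maps a product-name prefix to the lowest acceptable version.
    # Products with an unparseable version are reported too, since they cannot be
    # shown to be current.
    param(
        [Parameter(Mandatory)][hashtable]$MinimumVersions,
        [object[]]$Inventory = (Get-InstalledSoftware)
    )
    foreach ($app in $Inventory) {
        $rule = $MinimumVersions.Keys |
            Where-Object { $app.Name -like "$($_)*" } |
            Select-Object -First 1
        if (-not $rule) { continue }
        $have = ConvertTo-ComparableVersion -Text $app.Version
        $need = [version]$MinimumVersions[$rule]
        if ($null -eq $have -or $have -lt $need) {
            [pscustomobject]@{
                Name      = $app.Name
                Installed = $app.Version
                Required  = $need.ToString()
            }
        }
    }
}

# Constructed placeholder table: product-name prefix -> minimum acceptable version.
$MinimumVersions = @{
    'Example Viewer'  = '9.5.2'
    'Example Browser' = '3.6.0'
}
Find-OutdatedSoftware -MinimumVersions $MinimumVersions | Format-Table -AutoSize
```

This only covers software that registers an Uninstall entry; portable applications, browser plug-ins and per-user installs under other accounts will not appear, which is exactly the gap the Secunia scanners and MBSA are better placed to close. Treat the output as a patch to-do list, not as proof of absence of vulnerable software.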

Not always simple

Remember when I said, "It's simple: No vulnerabilities, no malware"? Well, it's not exactly that easy. It would be, except for those nasty things called zero-day exploits and zero-day viruses. That's where antivirus applications come into play, especially if they use heuristics.

6: Antivirus programs

Lately, antivirus software is getting little respect. Like everyone, I get frustrated when my antivirus program misses malcode that other scanners manage to find. Still, I would not run a computer without antivirus. It's too risky. I subscribe to the layered approach when it comes to security.

Choosing the correct antivirus application is personal. Comments come fast and furious when someone asks TechRepublic members which one is the best. A majority feel that any of the free versions are fine for nonbusiness use. I use Avast or Comodo on Windows machines.

Anti-malware enforcers

The next class of anti-malware is capable of both detecting and removing malware. I'm sure you are wondering why not just use these from the start. I wish it was that simple.

Scanners use signature files and heuristics to detect malware. Malware developers know all about each and can morph their code, which then nullifies signature files and confuses heuristics. That's why malware scanners aren't the cure-all answer. Maybe someday.

More caution: I want to emphasize that you need to be careful when picking malware scanners. The bad guys like to disguise malware (antivirus 2009) as a malware scanner, claiming it will solve all your problems. All four of the scanners I have chosen are recommended by experts.

7: Microsoft's Malicious Software Removal Tool

Malicious Software Removal Tool (MSRT) is a good general malware removal tool, simply because Microsoft should know whether the scanned code is theirs or not. Three things I like about MSRT are:

  • The scan and removal process is automated.
  • Windows Update keeps the signature file database current automatically.
  • It has the advantage of being an OEM product, thus it's less intrusive and more likely to be accepted by management.

8: SUPERAntiSpyware

SUPERAntiSpyware is another general purpose scanner that does a good job of detecting and removing most malware. I have used it on several occasions and found it to be more than adequate.

A number of TechRepublic members have mentioned to me that SUPERAntiSpyware was the only scanner they found capable of completely removing antivirus 2009 (malware).

9: Malwarebytes' Anti-Malware

Malwarebytes Anti-Malware (MBAM) malware scanner was the most successful of the four I tested. I was first introduced to it by world-renowned malware expert Dr. Jose Nazario of Arbor Networks. For a detailed explanation of how MBAM works, refer to my post Malware scanners: MBAM is best of breed.

Still, MBAM does not catch everything. As I pointed out in the MBAM article, it misses some of the more sophisticated malware, especially rootkits. When that happens, I turn to the next malware scanner.

10: GMER

In Rootkits: Is removing them even possible?, I explained why it's hard to find rootkit malware. Fortunately, GMER is one of the best when it comes to detecting and removing rootkits -- enough so that it's recommended by Dr. Nazario.

Final thoughts

Using the above anti-malware techniques will go a long way in making it tough for malware developers, especially if you:

  • Make sure all software on your computer is up to date.
  • Run a baseline scan and save the log file. (You may need it later.)
  • Scan for malware on a regular basis, since sophisticated malware runs quietly.

For additional information, see The 10 faces of computer malware.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

155 comments
arridesoft.seo

I think these points are enough to detect computer malware, but will they give good support in the future, or for all kinds of malware problems? I am offering the latest and most highly upgraded software that will secure and maintain against all kinds of computer errors and increase the computer's capacity. Arride PC Optimizer (http://www.arridepcoptimizer.com/) is the name of that ultimate software that is available in the market for a reasonable price...

reviewsgirl

I have been a long-time user of SAS, but recently my friends got infected with the data recovery virus and SAS had difficulties attempting to remove it. I would try Spyware Doc w/ AV or MBAM. Also, thanks for all the insight on this thread!

ERitzman

I have had the privilege in many of my job positions of being touted as the "Virus/Malware King" in terms of removal. I personally find that in 95% of cases I can accomplish the necessary job of removing malware and viruses from machines that have known infections by utilizing the following tools.

  • Spybot S&D - Prioform has many tools available, and I like SB's ability to identify root triggers and many other Start-up triggers through the "Advanced Tools". It's not too aggressive yet gives a great baseline.
  • CCleaner - not only is this a great Registry Cleaner, it allows me to quickly find "other" associated registry references (often hidden) after I have identified & removed registry entries based off of my findings through SD.
  • As mentioned, SysInternals - Process Explorer allows me to see into the processes running and identify potential exploits that may have corrupted them.

The most annoying malware I've found (such as the Antivirus 2010 exploit that hijacks .exe files) can be easily identified with these tools, and removed safely. In a few instances a simple deletion of the user's profile resolves the malware issue until further troubleshooting can continue. As a side note - I've only had 3 systems in my 15 year career I had to "reimage" as a result of virus/malware attack.

Puddy_tat

Very nice article and I love Kaspersky ;)

derek

This list has better tools on it than the second list minus ComboFix... I still think malwarebytes and SAS are the top of the line due to the definitions updates....

jmgarvin

Too many people don't even know what they have, let alone what is vulnerable. You need to have a discovery scanner of some kind to at least get a starting point. Too many machines are rogue or just unknown, so you need to be able to find them...THEN scan them.

wangning100

Very well. However, can you write something about how to detect computer malware without tools?

kellj

Interesting that when I opened this page my McAfee Viruscan showed a trojan "JS/Exploit-Packed.c.gen" in file "polls-js-packed.js" .....

hisb79

When I loaded this article McAfee popped up an On-Access Scan Message with the following:

Script execution blocked
Script executed by firefox.exe
Detected As: JS/Exploit-Packed.c.gen
Detection Type: Trojan

billk

For antivirus 2009 (malware) and rootkits, excellent tool.

steve.yates

Or, just get a Mac. Not that they're perfect, but a good bit of the way there. Sure, you still have to update them. There's a lot of hype, no doubt. But as a Mac convert of 18 months now, the honest truth is that I spend almost no time debugging PC-style security issues and malware, don't burn countless CPU cycles running all this junk, performance is high and stays high (after 18 months, PCs always slow down), and my computer has now become a tool serving me instead of the other way around.

Toymaster70

Michael- good article. Personally, I have had great success completely removing antivirus 2009 and antivirus 2010 with aSquared Dave

ejhonda

If we could get people to run this on their home computers AND update the software identified as being in need of patching, the Internet world would be a much better place.

?/\/\?|???\/???

...I'd wager that it is still accurate to refer to it as Sysinternals' Process Explorer, despite Microsoft's purchase of Winternals / Sysinternals in 2006.

yoshiko1

Thanks Michael for the valuable information. Nissan UD Used Trucks

cquirke

Prevention includes patching, firewall and "goalie of last resort" antivirus, but also user skills that are facilitated by safe UI (e.g. don't hide files or file name extensions) and risk management so that software doesn't automatically take risks ahead of the users' intentions. Suspect malware when there's an unexpected increase in outgoing Internet traffic, and malware should be excluded as an early step when troubleshooting any ill-defined problem. A lack of characteristic malware symptoms (slowdown, fake errors etc.) doesn't exclude the presence of malware.

I prefer formal detection methods that don't run the tests from the infected system, and usually use Bart PE DVDRs as my management platform. In contrast, the "easy" approach of using online scanners seems crazy; you're reaching the "scanning site" through possibly spoofed DNS, then allowing that site to drop and run code that looks at all your files? Hmm.

Detection involves both scanning a la blacklist, and checking of integration points a la HiJackThis et al. Everyone has their favorites there, and I'd mention Nirsoft's tools as a way of broadening the scope of your search.

Management of malware may be done formally or informally. The first is safer, at the risk of breaking system bootability (the OS cannot "defend itself" against such changes, and there's no System Restore safety net). The second runs the risk of malware subverting the process, but allows Undo via System Restore or the quarantine facility of your scanners.

A key part of management is isolating the systems you are cleaning, and preventing malware spread from what you haven't cleaned, to what you have. That also loops back to prevention; how did this malware get in, and are we sure that entry opportunity is now closed?

ipl_001

Another very good article Michael! Thanks for permission to translate it into French! Gérard from Paris, France

strimble

I use three apps that have worked for me EVERY time. CCleaner to remove all the temp crap and allow the scans to run faster. Malwarebytes to scan and clean the infections. Then I install Microsoft Security Essentials to prevent future attacks. These have worked great for me and I can clean a computer and have them running again in less than 30 minutes. Plus they're all free.

Michael Kassner

I picked this list; the members wanted me to add the next 10. I am just glad to provide information about as many applications as I can, so users are able to make an informed decision.

Michael Kassner

I want to make sure I'm following you. Are you referring to scanners like numbers one through five above in the article? Or is a discovery scanner something else?

Michael Jay

You could utilize a Crystal Ball, or an 8 Ball. Tools are the way to go unless you have a very large amount of time to be the tool and know every line of your registry and services by heart. I will opt for the tools, and Michael has presented some of the best. Thanks Michael.

Michael Kassner

I had to think about that for a bit. There is a good chance that it might become an article. But for now, if you are using Microsoft products, I would suggest making absolutely sure that the computer is up-to-date with regards to the operating system and every application. Next you need to get a good idea of what should be running on your computer. I would suggest using System Information for that: Start/Programs/Accessories/System Tools/System Information. Pay special attention to Software Environment. Get familiar with what drivers, connections, running tasks, services and so on are present. That way, if some unusual process or service shows up, you will know it. I am curious as to why you want to do this without any tools.

Michael Kassner

It does have scripts, but I have not seen any alerts from my scanners. Can you post the alert and scanner log, please?

Michael Kassner

But, can you convince me that it's better than HijackThis? As you mentioned, I also would prefer one that has their own help center.

Michael Kassner

Lots of members are saying that. I am putting it in the next post. Thanks.

ultimitloozer

...as "everyone" has a Mac, malware writers will be targeting it instead of the PC. More users/machines = bigger target.

Michael Kassner

It is my quest to get as many people as possible aware of that.

Ocie3

Personally, I've started referring to it as "Microsoft Process Explorer (by Sysinternals)". :-)

Michael Kassner

I know Mark so you are right. I just didn't want to confuse anyone.

Michael Kassner

I hope it's useful and that malware avoids your computers.

Greenknight_z

A boot disc is the ultimate cleaning tool, I agree. For those who might find building a Bart PE onerous, I suggest The Ultimate Boot CD for Windows: http://www.ubcd4win.com/index.htm It's Bart's PE preconfigured with a nice collection of tools, can also be used on DVDR or a USB stick, and is easily customized.

hisb79

Hi Michael, McAfee seems to have released an update today (2/Sep/09) that produces false positives. This will be fixed in the next release. Thanks.

Altiris_Grunt

To me, each of these tools has its strong points. I like to have a number of trusted tools in my tool-kit, so I can compare test results.

Neon Samurai

Any machine with a network connection is part of the same big target. The real concern is success rates. If I get hit a couple of hundred times a day but it all bounces off my system, no worries. In that way, I'd assume my Apple machines were already targets along with anything else connected. Screw both of the characters in those white background commercials. I'll stick with a platform whose core development goals are stability and security.

Michael Kassner

You get the latest signature files on the disc? Do you have to rebuild each time?

Michael Jay

Your research saves us folks in the field a lot of time.

Michael Kassner

You scared me for a second. TechRepublic is golden in my world.

Neon Samurai

They may be a little harder to find but one used to be able to buy network routers with a modem in them. Normally, they will keep the modem link open or dial out to your ISP when one of the LAN machines tries to access a non-local URL. If you can find one from linksys or similar, it may remove the need for your local machine to make the ISP dialup connection.

Michael Kassner

I never hear about the problems with LiveCDs, so I think I'm doing something wrong. Thanks for the link too.

Greenknight_z

I can't actually get online from the live CD myself - I'm on dialup, and it won't work with my modem. I got it to recognize the modem, but get an error when I try to connect. Gave up on that, I just rebuild once a week or so. Your problem is more likely to be fixable, I'm sure you're on newer hardware than I am. The UBCD4Win forum can be helpful.

Michael Kassner

I had some issues with that, I guess the LiveCD didn't have the right network drivers.

Greenknight_z

You can update the signatures when you run the disc, and use them for that session, but they won't be saved to the disc - to do that, you have to rebuild. It doesn't take all that long to build, but downloading all those updates can take a while if you don't have a really fast Internet connection.
