How to detect viruses and malware when your current antivirus doesn't cut it.
Using a virus scanner or anti-malware suite works well in roughly 99% of cases. In the remaining 1% it may yield nothing useful at all, and the reason is rooted in the design of antivirus products. They typically scan your files for 'signatures', byte patterns extracted from known malware, and flag a file as infected when one matches. That approach depends on the malware in question having already appeared in the wild, been captured and analysed by the antivirus vendor, and had its signature pushed out in a database update. A new or freshly modified sample has no signature yet, and although modern products add heuristic and behavioural checks on top, those are tuned to avoid false positives and are routinely tested against by malware authors before release.
In some cases the virus or malware you get may not be recognised by your antivirus, or by any antivirus for that matter. Then it becomes necessary to use other techniques to work out whether you are infected. The first, and crudest, check is the network activity light on your router. Reboot the computer, let it settle, and then watch the port light corresponding to the machine you suspect. If you are familiar with your router's routine blinking patterns you may notice that the computer is constantly talking to the network when it ought to be idle. This method is far from foolproof: background activity such as Windows Update, cloud sync clients or ordinary name-resolution chatter produces plenty of false positives, and malware that beacons only briefly or on a schedule produces false negatives. It costs nothing, though, and it has one advantage the software checks below lack: the observation is made from outside the possibly compromised machine.
The second option is a set of free tools from Microsoft called Sysinternals (downloadable individually from https://live.sysinternals.com). The three most useful for this job are Process Explorer, Autoruns and TCPView. Each lets you analyse a different part of the operating system's functionality to determine whether any undesirable processes are running. Please note that an article this short cannot be comprehensive; it is mainly aimed at readers with more advanced computer skills.
The first tool in the kit is Process Explorer. It shows the processes running on your PC at a given moment, arranged as a parent/child tree, and lets you examine attributes such as the digital signature (turn on 'Verify Image Signatures' in the Options menu), company name, description, icon and image path. It also colour-codes entries according to configurable rules: by default, processes running from packed images are highlighted in purple. Packing, that is compressing or encrypting the executable so that the real code is only unpacked in memory at run time, is a trick frequently employed to hide malware from signature scanners, so a purple entry with no valid signature and an unusual path deserves a closer look. Newer versions can also submit the hash of each image to VirusTotal from the Options menu, which gives you a second opinion from dozens of engines at once.
The next tool on the list is Autoruns. It lists everything configured to run automatically, not just the Startup folder and the Run keys in the registry but also services, drivers, scheduled tasks, Winlogon and Explorer hooks and more, and for each entry it shows the registry key or file location that launches it. Its 'Hide Microsoft entries' and 'Verify code signatures' options reduce the list to items that are not validly signed by Microsoft, which is usually where an unwanted persistence entry sits. Combined with Process Explorer you can therefore work out both which processes are active on your system and how they are being started; an entry with a blank description and publisher that points to a file in a temp or user-profile directory is a classic sign of trouble.
The last tool on the list is TCPView. It shows which processes own which TCP and UDP endpoints. In addition to the process name and PID it lists the local and remote address and port and the state of each connection, updating in real time, so a process that keeps reconnecting to the same remote host stands out. Right-clicking an entry lets you view the process's properties or end it, and you can then look the process up in Process Explorer to learn more about the program that implements the connection.
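The three checks above (what starts automatically, which running images are validly signed, and which process owns each network connection) can also be scripted, which is handy when you want a record to compare against a known-good machine or a later snapshot. The PowerShell script below is an added example written for this article; it is not part of the Sysinternals tools and not the original author's code. It uses only built-in cmdlets and assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (Get-NetTCPConnection is not available on older releases). The Run keys it inspects, the list of 'user-writable' directories it treats as suspicious and the rule that anything not validly signed by Microsoft is worth a look are all assumptions of the example, and the output is a list of suspects for a person to review, not a verdict.

```powershell
# Added example, not from the original article: reproduce the Autoruns,
# Process Explorer and TCPView checks with built-in PowerShell cmdlets.
# Run from an elevated prompt on Windows 8 / Server 2012 or later.

# Extract the executable path from a Run-key command line such as
#   "C:\Program Files\Vendor\app.exe" /minimized   or   %SystemRoot%\foo.exe -x
function Get-CommandPath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

# Classify a file by its Authenticode signature, the way Process Explorer's
# "Verify Image Signatures" and Autoruns' "Verify code signatures" do.
function Get-SignatureInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer }
}

# 1. Autoruns-style: programs launched from the common Run keys (assumed list),
#    reported when unsigned, badly signed, or signed by someone other than Microsoft.
function Get-SuspiciousAutoruns {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $path = Get-CommandPath -CommandLine ([string]$p.Value)
            $info = Get-SignatureInfo -Path $path
            if ($info.Status -ne 'Valid' -or $info.Signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $path
                                   Status = $info.Status; Signer = $info.Signer }
            }
        }
    }
}

# 2. Process Explorer-style: running processes whose image is not validly signed
#    or sits in a directory an ordinary user can write to (assumed pattern).
function Get-SuspiciousProcesses {
    foreach ($proc in Get-Process) {
        $path = $proc.Path          # $null for protected/system processes we cannot open
        if (-not $path) { continue }
        $info = Get-SignatureInfo -Path $path
        $userWritable = $path -match '\\(AppData|Temp|Downloads|Public|ProgramData)\\'
        if ($info.Status -ne 'Valid' -or $userWritable) {
            [pscustomobject]@{ Pid = $proc.Id; Name = $proc.ProcessName; Path = $path
                               Status = $info.Status; Signer = $info.Signer }
        }
    }
}

# 3. TCPView-style: established TCP connections joined to the owning process and
#    its signature status, so an unsigned binary talking to the internet stands out.
function Get-ConnectionsByProcess {
    foreach ($c in Get-NetTCPConnection -State Established) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        $info = Get-SignatureInfo -Path $path
        [pscustomobject]@{
            Pid     = $c.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '?' }
            Local   = "$($c.LocalAddress):$($c.LocalPort)"
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
            Status  = $info.Status
            Signer  = $info.Signer
        }
    }
}

Get-SuspiciousAutoruns   | Format-Table -AutoSize
Get-SuspiciousProcesses  | Format-Table -AutoSize
Get-ConnectionsByProcess | Sort-Object Status | Format-Table -AutoSize
```

Two caveats apply to the script exactly as they do to the GUI tools. A valid signature proves where a binary came from, not that it is harmless; signed malware and stolen signing certificates exist, so the signer column narrows the search rather than closing it, and Windows components that are catalog-signed rather than embedded-signed may report NotSigned on older PowerShell versions and have to be recognised by hand. More fundamentally, all of these checks ask the possibly compromised operating system to describe itself; a rootkit that hides its process, registry key or socket from the kernel's own APIs will be invisible to PowerShell and to Process Explorer alike, which is why the out-of-band router-light observation, or scanning the disk from a boot CD, remains worth doing.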