Spybot suggestion
It seems that many malware attacks change the Registry.
Would this scheme make any sense?
Save a copy of the registry. When a registry change is detected by Spybot and accepted save it again. When the Spybot scan runs, compare the current registry with the saved copy, report any differences which may indicate malware and offer the option to restore the saved copy.

Frank C.