A Windows infection shows up in many ways: strange system behavior such as excessive, unexplained activity; odd warnings; or that aggressive popup you can’t remove. Sometimes the infection is more subtle: It feels like Windows or installed apps just aren’t working as they should. Or maybe the system seems to be working fine, but you’d still like to verify that malware hasn’t taken hold and is working silently in the background.
Whatever the signs, experienced Windows users typically resort to one or more anti-malware scanners/cleaners. Unfortunately, it can be far easier to detect malware than to remove it. Thoroughly cleaning a system might require the use of multiple AV products, multiple scan/clean cycles, and even Linux-based tools running outside Windows.
Best AV practices also include proactive planning — preparing for infections, rather than scrambling for the right malware cleaner after the fact. With just a little work — literally a few minutes — you can equip yourself with the tools needed to rid a PC of most malware or verify that a system isn’t actually infected.
Last week, I covered AV tools from Microsoft in the Top Story, “Microsoft’s six free desktop security tools.” This article adds a selection of third-party tools, a dozen of the best-regarded and most popular anti-malware cleanup tools currently available. All these tools find and eliminate common worms, viruses, and Trojans. Some also target hard-to-find and hard-to-remove rootkits and bootkits — malware that hides deep in the system, in some cases launching even before the OS and full-time anti-malware tools boot.
I’ve run all these tools on my XP, Vista, Windows 7, and Windows 8 PCs — and I use many of them regularly. But this is far from a definitive list; there are hundreds of other anti-malware applications available. That’s good, because no single AV app works on all Windows systems all the time. Feel free to explore other options via your favorite search engine and download sites.
It’s not the lack of AV tools that results in malware infections; it’s the lack of application by users!
Most Windows users know they should run some sort of full-time anti-malware software. Malware authors are clever programmers and depend on staying one step ahead of AV developers. On-demand scanners are a second line of defense. Use them if your full-time scanner fails or when you wish to verify that a PC is malware-free. (It’s like getting a second medical opinion.)
On-demand scanners are typically quick to download and easy to run. Usually self-contained (i.e., operating independently of your full-time AV tool), they might detect and remove malware your regular scanner missed. On-demand scanners are active only when specifically launched, so they rarely conflict with full-time scanners. In other words, you don’t need to disable your full-time scanner to run an on-demand scanner/cleaner. If you strongly suspect an infection and one on-demand tool doesn’t work, run others from different AV companies.
Here are my recommendations for free on-demand AV tools:
- Trend Micro’s HouseCall (site) has been around for years and has earned an excellent reputation. It’s available in a 32-bit version for XP and in both 32-bit and 64-bit versions for Vista, Win7, and Win8. HouseCall, shown in Figure 1, is known for its speed, making it an excellent choice for routine use. I use HouseCall often on my PCs for quickly verifying that a system is malware-free. Its Settings link offers three levels of scans: Quick, Full, or Custom.
Figure 1. HouseCall is exceptionally simple and quick — ideal for routine malware-checking and cleanups.
- ESET’s Online Scanner (site) is another tool with a long pedigree and a well-deserved reputation for excellence. It’s not particularly fast, but it is nicely configurable. For example, the scanner’s Advanced settings let you select which drives to scan — even remote networked drives. It will also scan inside archives (e.g., .zip files), which not all scanners can do. You can select the depth of the scan, such as looking for potentially unwanted and/or unsafe applications. ESET’s scanner (Figure 2) runs on all current versions of Windows (XP through Win 8) and comes in both 32- and 64-bit flavors. Unlike its competitors, it’s also available in two versions based on your choice of browser. If you download Online Scanner via Internet Explorer, you’ll get an in-browser, ActiveX version. Downloading the scanner with another browser (e.g., Chrome or Firefox) installs a non-ActiveX version that runs outside the browser. Both versions work identically.
Figure 2. ESET’s Online Scanner is exceptionally configurable and comes in both a browser-based and a standalone version (shown).
When something’s gone wrong with a system and it needs a deep scan to determine whether it’s infected, I run Online Scanner overnight with all options enabled.
- I covered the Microsoft Safety Scanner in last week’s Top Story. But it’s worth mentioning again because it’s fast, free, and easy to use. Safety Scanner (Figure 3) finds and removes both malicious software and potentially unwanted software. It’s compatible with XP, Vista, Win7, and Win8. You’ll find both 32- and 64-bit versions on its info/download page.
Figure 3. Microsoft’s extremely simple-to-use Safety Scanner checks for a variety of viruses and other malware.
- McAfee’s Stinger (site) scans for about 5,000 common types of malware — and for those often difficult-to-remove rootkits. It offers Quick (see Figure 4), Full, and Custom scans, and McAfee updates the tool several times a week so the download is always reasonably current. (Many on-demand scanners must go through an update cycle immediately after installing or launching the app.)
Figure 4. The easy-to-use McAfee Stinger targets rootkits, along with many other types of malware.
If these relatively simple, on-demand scanners/cleaners don’t work, or if an infection has crippled Windows, it’s time to roll out the big guns.
Some malware — rootkits, for example — is especially adept at playing hide-and-seek with AV apps, making them especially difficult to detect and remove. Infections have been known to actually disable full-time AV scanners — and even Windows Update.
The solution is a self-contained, self-booting system scanner that operates entirely outside Windows.
These tools are typically offered as downloadable .iso files used to create bootable CD, DVD, or flash drives — commonly called rescue discs — that contain both an operating system and a malware scanner.
When you start and run a PC from a rescue disc, everything on your system’s hard drive(s) — Windows, applications, your data files — remains inactive, unused, and for the most part unlocked to the disc-based scanner. That makes it considerably harder for malware to hide itself and considerably easier for an AV scanner to look for suspect code. There’s also no chance that the rescue-disk scanner will conflict with any other installed anti-malware software.
The drawback with rescue discs is their setup. Unlike the download-and-run simplicity of the on-demand scanners mentioned above, you have to build a rescue disc before you can use it. That typically means downloading the .iso file and burning it to media. Assuming you have an optical drive, Windows 7 and 8 can create bootable CDs and DVDs natively (more MS info); Vista and XP need a little help from a third-party CD/DVD burning app such as Free ISO Burner (site).
Next, your system must be configured to boot from the rescue disc. You might have to press a specific key during power-up or change BIOS settings. The PC’s owner manual or the vendor’s website should have the information you need.
Here are three free, self-booting rescue discs to consider:
- The Kaspersky Rescue Disk (info/download) is my favorite standalone, self-booting cleaning tool. Although it’s Linux-based, you don’t have to know anything about Linux — everything is preconfigured as a complete, ready-to-run, point-and-click, Windows-like environment, as shown in Figure 5. It’s about as easy as can be.
Figure 5. Linux-based, the Kaspersky Rescue Disk is a polished disk-scanning and recovery tool with a familiar graphical interface.
Removing some malware requires a more specialized tool. Kaspersky’s Utilities page has downloadable malware-removal tools for specific viruses.
- F-Secure’s Rescue CD (site) is at the other end of the usability spectrum. It’s a Linux-based tool with a minimalistic, DOS-style text interface (see Figure 6). It’s not point-and-click; you navigate with arrow-key and keystroke entries.
Figure 6. F-Secure’s Rescue CD has a simple, text-based interface.
The lack of a graphical interface might be jarring for some Windows users, but Rescue CD is extremely simple, compatible, and robust. With minimal graphics support and no mouse support, Rescue CD should operate on just about any hardware, including very old or otherwise hardware-constrained PCs.
- I covered Windows Defender Offline (WDO) in last week’s Top Story, so I’ll be brief here. WDO falls in between the Kaspersky and F-Secure tools: It’s more polished than F-Secure’s Rescue CD but doesn’t offer a complete GUI operating environment like Kaspersky’s Rescue Disk. In operation, WDO is a near-clone of Microsoft Security Essentials or the Win8 version of Windows Defender (see Figure 7) — and it targets a similar range of malicious and potentially unwanted software.
Figure 7. Windows Defender Offline is effectively a bootable, standalone version of Microsoft Security Essentials and Win8’s Windows Defender.
You’ll find free 32- and 64-bit versions of WDO for all current Windows versions (XP through Win 8) on its info/download page.
A few other free, self-booting cleaning tools worth noting:
- AVG Rescue CD (site) is a general-purpose, Linux-based, rescue/scan/repair CD with a solid reputation.
- Bitdefender Rescue CD (site) offers excellent instructions and additional free tools to assist in creating a bootable CD/DVD or flash drive.
- Avira AntiVir Rescue CD (site) is available either as a standard .iso file or as an .exe version that can automatically create a burnable CD or DVD for you.
If an AV scan finds malware on your system, it’s an indication that your current full-time, anti-malware defenses might not be up to the job. (However, as already noted, no AV product will catch all malware for all time.) You can switch to another full-time scanner/cleaner: the Feb. 16, 2012, Top Story, “Is your free AV tool a ‘resource pig?’,” mentions several, or you can do a search online. What’s more, you can add a second full-time scanner that will be compatible with the AV product you’re currently using.
- Malwarebytes’ Anti-Malware (free; site) is an excellent anti-malware utility that scans your system on demand — or on whatever schedule you choose. A hybrid tool, Malwarebytes installs like a standard Windows application and is specifically designed to coexist with other anti-malware tools. A Pro version (U.S. $25) offers additional real-time protection not available in the free version. I use the Pro version along with Microsoft Security Essentials on my own primary PC.
- Safer Networking’s Spybot Search & Destroy (basic version is free for home use; advanced and commercial versions available; site) is another hybrid tool that you can leave running for ongoing, secondary protection.
Your choice: 16 known-good options. There are hundreds of anti-malware tools available — both paid and free. The products in this story, along with the Microsoft tools discussed in last week’s Top Story, should give you all the information you need to keep malware off your system(s) or remove it — or to do the same for PCs you (sometimes reluctantly) support!
The target: Malware, as Microsoft defines it
Microsoft divides malware into two broad, loosely defined categories: malicious software and potentially unwanted software. The first category covers mostly self-replicating Trojans, viruses, worms, and similar code that infects your PC (typically for some evil purpose) and then seeks to infect other PCs.
The second category — potentially unwanted software — includes undesirable (and often hidden) apps such as spyware that surreptitiously tracks you, keyloggers that capture everything you type, and adware that force-feeds you popup ads. The somewhat clumsy phrase “potentially unwanted” is meant to suggest that you might not want the software if you knew what it really did.
These two categories aren’t precisely mutually exclusive. For example, some potentially unwanted spyware is also self-propagating, like a virus. What’s more, Microsoft sometimes uses the terms interchangeably. Still, these two categories will help you understand the main purposes of Microsoft’s security tools.
The Microsoft Malicious Software Removal Tool
What it is: Microsoft’s Malicious Software Removal Tool (MSRT; more info) is a basic antivirus program. It comes in all current versions of Windows — XP, Vista, Windows 7, and Windows 8. When you install Windows, MSRT is enabled by default.
What it does: MSRT automatically removes malicious software (viruses, worms, etc.) that, based on Microsoft’s internal research, is considered especially prevalent and dangerous to Windows users. MSRT currently targets about 200 of the most common malware types. You’ll find a list of them on the MSRT download page.
How it works: Windows Update automatically refreshes MSRT once a month (it’s always KB 890830), usually on the second Tuesday (aka Patch Tuesday). After updating, MSRT automatically runs, scanning your PC once and removing any active malware infections it finds. No user intervention is required.
One scan a month isn’t especially good malware protection, but you can also run MSRT manually any time you wish (see Figure 1). Simply enter mrt.exe in the XP/Vista/Win7 Start menu Search box or Win8’s Search window and press Enter. Once open, MSRT gives you a choice of quick, full, or custom scans. As you’d expect, the full scan is the most thorough.
Figure 1. The Malicious Software Removal Tool is built into your copy of Windows, and provides basic protection against a selection of common malware threats.
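As an added example (not code from the article), here is a PowerShell check for the monthly MSRT behavior described above: it reads MSRT’s own scan log, %windir%\debug\mrt.log, to confirm that the KB 890830 scan actually ran recently and to report what the last run found. The 35-day staleness threshold and the treatment of the “Successfully Submitted …” line as telemetry are my assumptions; the embedded log text is a constructed sample in the log’s shape, used only when no real log is present.

```powershell
# Added example, not from the article: verify MSRT's monthly scan from its log.
# MSRT writes %windir%\debug\mrt.log; the sample below is CONSTRUCTED in the same
# shape so the parser can be exercised on a machine (or OS) without the real log.

$ConstructedSample = @'
Microsoft Windows Malicious Software Removal Tool v4.15, (build 4.15.1000.0)
Started On Tue Jan  8 10:12:33 2013

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan  8 10:13:02 2013


Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v4.16, (build 4.16.1000.0)
Started On Tue Feb 12 11:02:41 2013

Results Summary:
----------------
Found Win32/Sample.A (constructed threat name) and Removed!
Microsoft Windows Malicious Software Removal Tool Finished On Tue Feb 12 11:04:10 2013
'@

function ConvertTo-MrtDate {
    # MSRT prints ctime-style stamps, e.g. "Tue Jan  8 10:12:33 2013" (day space-padded).
    param([string]$Text)
    $norm = ($Text -replace '\s+', ' ').Trim()
    return [datetime]::ParseExact($norm, 'ddd MMM d HH:mm:ss yyyy',
        [System.Globalization.CultureInfo]::InvariantCulture)
}

function ConvertFrom-MrtLog {
    # One object per scan run: start/finish time, clean flag, and any lines MSRT
    # printed under "Results Summary:" other than the clean-scan marker.
    param([string[]]$Lines)
    $runs = New-Object System.Collections.ArrayList
    $run = $null; $inResults = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^Started On (.+)$') {
            $run = [pscustomobject]@{ Started = (ConvertTo-MrtDate $Matches[1]); Finished = $null; Clean = $false; Findings = @() }
            [void]$runs.Add($run); $inResults = $false; continue
        }
        if ($null -eq $run) { continue }
        if ($line -match 'Finished On (.+)$') { $run.Finished = ConvertTo-MrtDate $Matches[1]; $inResults = $false; continue }
        if ($line -eq 'Results Summary:') { $inResults = $true; continue }
        if (-not $inResults -or $line -eq '' -or $line -match '^-+$') { continue }
        if ($line -eq 'No infection found.') { $run.Clean = $true; continue }
        if ($line -match '^Successfully Submitted') { continue }   # assumption: telemetry line, not a detection
        $run.Findings += $line
    }
    return $runs
}

function Get-MrtStatus {
    # Latest run plus whether it is older than the monthly cadence (35 days allows
    # for Patch Tuesday drifting within the month). Threshold is an assumption.
    param([string[]]$Lines, [datetime]$Now = (Get-Date), [int]$MaxAgeDays = 35)
    $runs = ConvertFrom-MrtLog $Lines
    if ($runs.Count -eq 0) { return [pscustomobject]@{ LastRun = $null; Stale = $true; Clean = $false; Findings = @() } }
    $last = $runs | Sort-Object Started | Select-Object -Last 1
    [pscustomobject]@{
        LastRun  = $last.Started
        Stale    = (($Now - $last.Started).TotalDays -gt $MaxAgeDays)
        Clean    = $last.Clean
        Findings = $last.Findings
    }
}

$logPath = if ($env:windir) { Join-Path $env:windir 'debug\mrt.log' } else { $null }
$lines = if ($logPath -and (Test-Path $logPath)) { Get-Content $logPath } else { $ConstructedSample -split "`r?`n" }
$status = Get-MrtStatus -Lines $lines
if ($status.Stale) { Write-Warning "MSRT has not run since $($status.LastRun); run mrt.exe manually or check Windows Update." }
else { "MSRT last ran $($status.LastRun); clean=$($status.Clean)" }
$status.Findings | ForEach-Object { "  finding: $_" }
```

With the constructed sample the last run is dated 2013, so the script prints the stale warning and the one constructed finding; on a real PC it reads the live log instead.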
Important to know: MSRT is a strictly post-infection tool. It detects and removes malicious software from already-infected computers — and only if the malware is active and running at the time of the scan. But as MSRT Support article 890830 clearly states, the list of malware it detects represents only “a small subset of all the malicious software that exists today.”
MSRT can’t prevent new malware infections. It also doesn’t target potentially unwanted software (again: spyware, adware, etc.).
Bottom line: MSRT is a “better than nothing” anti-malware tool. There’s no real downside to keeping it on your system — its footprint is small, its impact on system operations is negligible, and it can serve as a kind of last-ditch defense against some very common malware types, should they somehow make it into your system.
But you certainly shouldn’t depend on MSRT as your only or primary defense against malicious software; it’s an incomplete anti-malware solution.
Windows Defender (XP, Vista, Win7 version)
What it is: Windows Defender is a basic tool for guarding against potentially unwanted software. Windows Defender is installed by default in Vista and Win7, and it’s a free download for XP.
What it does: Windows Defender provides always-on, real-time protection against spyware, adware, keyloggers, and so on. It self-updates and runs automatically.
How it works: Windows Defender continually monitors your PC’s files and browsing activity. When it detects potentially unwanted software, it opens a dialog box and lets you decide whether to proceed with the installation. (For more information, see the related Microsoft support article or TechNet’s Windows Defender Guide.)
You can also trigger Windows Defender (shown in Figure 2) manually whenever you want to scan your PC for spyware and other potentially unwanted software, as a Defender support article explains.
Figure 2. Windows Defender for XP, Vista, and Win7 offers real-time protection against adware, spyware, and similar potentially unwanted software.
Important to know: Windows Defender doesn’t detect or remove viruses, worms, and similar malicious software.
Bottom line: Windows Defender complements Microsoft’s Malicious Software Removal Tool. And just like MSRT, it’s better than nothing. Together, MSRT and Defender are a sort of last line of defense — potentially helpful if no other anti-malware tools are active. Fortunately, superior tools are readily available (see next sections).
The all-in-one Microsoft Security Essentials
What it is: Microsoft Security Essentials is Microsoft’s all-in-one, consumer-security tool. It targets both types of malware — malicious software and potentially unwanted software. It’s a free download (site) for XP, Vista, and Windows 7.
What it does: MSE provides always-on, real-time protection for your PC. It detects and removes a wide range of malware. It’s also highly automated, operating with little or no user intervention (see Figure 3).
Figure 3. Operating almost entirely automatically, Microsoft Security Essentials (MSE) provides real-time protection against malware and potentially unwanted software.
How it works: By default, MSE runs continuously in the background whenever your system is on. It updates itself every day. Along with its real-time protection, it also runs scheduled scans of your PC’s memory and files. If you use its default settings, MSE requires almost no user input. But it’s also highly configurable, should you want to change its standard routines.
Important to know: MSE must be manually installed; it’s not built into any version of Windows. On MSE’s MS Download Center page, you’ll find 32- and 64-bit versions for XP, Vista, and Win7.
Typically, to avoid conflicts between AV products, a PC should run only one real-time, anti-malware/anti-spyware tool at a time. In other words, you can run MSE or Windows Defender, but not both at the same time. In fact, when MSE is installed, it disables Windows Defender.
In a similar vein, if you’re running some other always-on, anti-malware tool, you should disable or uninstall that tool before installing MSE. (MSE can’t disable non-Microsoft AV scanners.)
MSE’s principal weakness? It’s not especially adept at guarding against user error, as detailed in the April 7, 2011, Top Story, “LizaM*n infection: a blow-by-blow account.” If you click past security warnings raised by Windows, your browser, and/or MSE itself, MSE will step aside and let malware install. Moreover, based on recent antivirus testing, MSE is currently not among the top-performing AV products.
All of which means that MSE is not the ideal choice for casual or inexperienced Windows users, who are often more easily tricked into installing malware.
In addition to the aforementioned Top Story, Windows Secrets has extensively covered MSE — including its advantages and deficits — in previous issues. Use these links if you’d like to read more:
- “The 120-day Microsoft security suite test drive,” May 6, 2010, Top Story
- “Security Essentials test drive — month 6,” Sept. 16, 2010, LangaList Plus
- “Two great security tools get free updates,” Jan. 13, 2011, Top Story
- “Is your free AV tool a ‘resource pig?’,” Feb. 16, 2012, Top Story
- “MS Security Essentials: Poor showing in new test,” Dec. 20, 2012, LangaList Plus
Bottom Line: In the right hands — primarily experienced Windows users — MSE is a fine, free security tool. I use it on my XP, Vista, and Win7 machines, and I’ve never run into trouble with an infection.
Windows Defender: Win8’s built-in security tool
What it is: Microsoft has a long history of confusing product names. In this case, the Win8 version of Windows Defender is nothing like the original Windows Defender for XP, Vista, and Win7. It is, in fact, effectively a renamed version of Microsoft Security Essentials.
What it does: In Microsoft’s own words, the Win8 version of “Windows Defender provides the same level of protection against malware as Microsoft Security Essentials.”
How it works: Win8 Defender is virtually identical to MSE in both appearance (see Figure 4) and function.
Figure 4. Despite its name, Win8’s built-in Windows Defender is really just a renamed and minimally altered version of Microsoft Security Essentials.
Important to know: Unlike MSE, Win8 Defender is built into the OS — so there’s nothing to download or install.
Bottom Line: Because Win8 Defender is really a rebranded version of MSE, I don’t recommend it for novices and inexperienced users. But it’s probably fine for anyone who takes the entire process of PC security seriously. I use it on my Win8 systems.
Two special-purpose cleanup tools
No software is perfect — that includes all anti-malware tools, from all vendors. Should your AV product fail and your system become infected, you need a powerful cleanup tool to find and remove the malware.
It’s also good practice to verify that Windows is truly free of malware — even if your full-time scanner appears to be working — by periodically running an AV tool that operates completely on its own.
Microsoft offers two such special-purpose, cleanup/verification tools. Microsoft Safety Scanner is exceptionally simple to use — just click and run. Windows Defender Offline is harder to use, but it employs the best possible techniques for detecting malware hidden at even the deepest levels of your system.
Microsoft Safety Scanner is a Windows security utility that thoroughly scans your PC (see Figure 5) to find and remove both malicious and potentially unwanted software. A standalone application, it’s active only when it’s actually running a system scan. (It’s not constantly on in the background.) That lets it coexist peacefully with whatever full-time anti-malware software you’re using.
Figure 5. Microsoft Safety Scanner works independently of your other security tools and can clean an infected system — or verify that no malware is present.
Microsoft Safety Scanner is compatible with all current Windows versions: XP, Vista, Win7, and Win8. Its info/download page includes 32- and 64-bit versions.
Safety Scanner is extremely easy to use; simply download and launch it, and then select whether you want a quick, full, or custom scan. At the end of the scanning process, you’ll get a report of what Safety Scanner found and removed.
Windows Defender Offline (WDO) is Microsoft’s most powerful anti-malware tool for consumers. It’s a self-contained, downloadable utility that operates completely outside Windows. After you’ve downloaded and launched WDO, it steps you through the process of creating bootable media (CD, DVD, flash drive, etc.) and installing the WDO files. You then restart the PC with the bootable disc/drive.
Because WDO is both operating system and AV scanner, neither the Windows installed on the system hard drive nor any other software is active. Everything on the hard drive is effectively inert. This lets WDO detect malware that is in one way or another well hidden in the Windows system. Because it’s completely standalone, WDO can’t conflict with other security tools you normally use.
WDO targets a wide range of malicious and potentially unwanted software. In operation, it looks and functions almost exactly like Microsoft Security Essentials or the Win8 version of Windows Defender.
If WDO has a weakness, it’s in the task of creating the WDO media. If your system is having difficulty running because of an infection, you’ll need either a working system to build the WDO media or you’ll need to have media you created before the infection (in which case you might not have the latest virus signatures). If you have only one PC, I recommend putting the latest version of WDO on a flash drive once a month or so.
You’ll find both 32- and 64-bit versions of WDO for all current Windows versions (XP through Win8) on its info/download page.
Putting it all together
The following table (Figure 6) is your one-stop reference for Microsoft’s six desktop security tools. It concisely summarizes which Windows versions they’re for, which kinds of malware they target, and whether they’re for prevention or cleanup/verification.
Take your pick: they’re all free!
By Fred Langa from Windows Secrets (www.windowssecrets.com )