One of the tricks used by malware is to prevent anti-malware tools from working. There are a variety of techniques involved, most of which rely on the fact that Windows is running, that opened files cannot be deleted, and that the malware itself is actually a program running on the machine.
The solution is not to run Windows, not to have any files open, and not to have the malware itself running.
In other words, the solution is to boot from a CD, DVD, or USB disk containing a stand-alone anti-malware tool.
Booting from “something else”
In years past, booting from a CD was a relatively simple operation: locate the setting in your computer’s BIOS that controlled the boot order, and adjust it to ensure that the optical drive was examined before the computer’s hard disk. If bootable media was found there, the computer would boot from that instead of the operating system on the hard disk.
With the advent of UEFI – the more secure BIOS replacement – the concept remains similar. The UEFI needs to be instructed to check the optical drive, or USB ports, before checking the hard drive at boot time.
While the steps to change the BIOS boot order were always specific to each machine or manufacturer, UEFI has made the process even more complex.
How do I boot from CD/DVD/USB in Windows 8? has an overview of the process at a high level (for both Windows 8 and 10 UEFI-based systems), but the bottom line is, you need to determine exactly how to boot from something other than the computer’s hard drive from your computer manufacturer or documentation. (How do I boot from CD/DVD? has the equivalent discussion for BIOS-based systems running Windows prior to Windows 8).
The key aspect of any of these tools is that they will boot from something other than your hard disk in order to bypass the effects of running your infected copy of Windows or the malware itself.
If you have an anti-malware tool already installed, check that product’s documentation and/or website. You may have a stand-alone version available that will probably be more familiar to you, and may be more current or full-featured than some of these free alternatives.
However, if you suspect your existing anti-malware tool didn’t catch something, you may want to try a different tool.
There are several other free stand-alone anti-malware tools:
These are all free downloads you burn to CD or DVD. Then you boot from that to run the anti-malware software.
Which to use? Conventional wisdom is: all of them. It’s to be expected that some tools catch malware other tools miss; it’s the nature of the fight against malware.
More practically, having one or two of your favorites “on call” – meaning you’ll know where to get them and perhaps have some experience running them – is typically enough. You’ll want to download and create the CD when you need it, not before, so it’s as up to date as possible.
Microsoft’s Windows Defender Offline
Missing from the list above is Microsoft’s own offering, Windows Defender Offline. I generally recommend trying it first, but changes in how it’s been distributed have made that a more complex recommendation.
- Windows 7 (and prior): Download Windows Defender Offline from the Microsoft website. Basically you can treat it exactly like any of the other alternatives listed above: burn it to a CD and then boot from that CD. My article Windows Defender Offline – Scan Your Computer for Malware Without Booting Windows has more details.
- Windows 8: Windows Defender Offline is, apparently, not available. Use one of the third-party alternatives listed above.
- Windows 10: Windows Defender Offline is included as part of the operating system. See Windows Defender Offline in Windows 10 for details.
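For the Windows 10 case, the built-in Defender PowerShell module can do the pre-flight checks the article implies and then reboot into the offline scanner. This is an added example, not from the article or from Microsoft’s documentation; it assumes Windows 10 with the Defender module present and an elevated (administrator) PowerShell session.

```powershell
# Added example (not from the article): on Windows 10, pre-check and launch a
# Windows Defender Offline scan from an elevated PowerShell session.
# Assumes the built-in Defender module is present and admin rights are held.

# 1. Is this machine booting via UEFI or legacy BIOS? Knowing this before
#    you go hunting for the boot-order setting saves time.
$firmware = $env:firmware_type          # "UEFI" or "Legacy" on Windows 8 and later
Write-Host "Firmware type: $firmware"
if ($firmware -eq 'UEFI') {
    # Secure Boot state matters: unsigned third-party rescue media may be
    # refused at boot until Secure Boot is temporarily disabled.
    try   { Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
    catch { Write-Host "Secure Boot state could not be read: $_" }
}

# 2. Check how fresh the Defender definitions are; scanning with stale
#    signatures defeats the point of a last-minute rescue scan.
$status = Get-MpComputerStatus
Write-Host ("Signatures last updated: {0} ({1} day(s) old)" -f
    $status.AntivirusSignatureLastUpdated, $status.AntivirusSignatureAge)
if ($status.AntivirusSignatureAge -gt 1) {
    Write-Host "Updating definitions before the offline scan..."
    Update-MpSignature
}

# 3. Schedule the offline scan. Windows reboots into the Defender Offline
#    environment, scans with neither the installed OS nor any resident
#    malware running, then boots back into Windows. Save open work first.
Write-Host "Rebooting into Windows Defender Offline..."
Start-MpWDOScan
```

The scan results appear afterwards in the Windows Security app under Protection history, so note the time you started the scan.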
As always, prevention and having backups are alternatives that are, honestly, more effective and easier in the long term than trying to clean up an infection and hoping you got it all. However, sometimes the practical reality is that you need to do your best to clean and scan a possibly infected machine.
Offline tools are another alternative to be aware of and keep in your toolkit.