An effective anti-virus program does a good job of protecting against viruses, worms, Trojans and run-of-the-mill malware, but anti-virus products often fail to detect the really dangerous kind: rootkits and other malware that hide themselves from Windows, and therefore from the scanner running on it.
This guide lists recommended free anti-malware and anti-rootkit utilities for Windows. None of them provides real-time protection, but their on-demand detection and removal capabilities are superb.
If the terms "antivirus" and "antimalware" confuse you, read this article about how viruses differ from other malware.
Must-have: Malwarebytes Anti-Malware Free version 2
Often abbreviated to "MBAM", the free edition of Malwarebytes Anti-Malware has a very good detection and removal rate. A paid version adds real-time scanning, scheduling and some other enhancements, but let's keep our protection free, shall we?
Version 2, with a revamped user interface, was released in March 2014.
With frequent updates to both the detection database and the program itself, Malwarebytes Anti-Malware is a must-have among malware scanners. It works equally well in Safe Mode and while Windows is running normally.
Tutorials for version 1.7 of MBAM are also still available:
- Install Malwarebytes Anti-Malware
- Configure Malwarebytes Anti-Malware
- Malwarebytes Anti-Malware on-demand scan
TDSSKiller is a free tool from Kaspersky Lab that removes the TDSS (TDL) family of rootkits and a number of other known rootkits and bootkits. It supports all Windows versions from XP to 8.1, and it should be run before the anti-virus and anti-malware scans, because an active rootkit can hide infected files from those scanners. The program runs both in normal Windows mode and in Safe Mode.
The utility is updated frequently, so download a fresh copy right before each use for the best detection and removal rate.
If all anti-virus and anti-malware scans fail, ComboFix will probably catch and remove the nasty malware. Be aware that ComboFix makes deep changes to the system while it works: follow its on-screen instructions exactly, do not use the computer until it has finished, and treat it as a last resort rather than a routine scanner.
Sadly, ComboFix does not work in Windows 8.1. Use TDSSKiller and RKill instead.
RKill is not a malware remover per se: it detects and stops malware processes and services, removes malware-related Registry entries and modifications, and checks essential system files for missing digital signatures. RKill does not delete files, including those belonging to malware.
The main purpose of RKill is to stop malware from blocking anti-virus and anti-malware tools. After its quick scan, your virus/malware scanner should be able to detect and remove the trojans, rootkits and other malware that prevented your security software from working properly.
Always run full security scans with your AV and AM tools after RKill detects something.
RKill is updated pretty often, so always download a fresh copy from BleepingComputer.com.
Click the Download now @BleepingComputer button and save the file (do not run it yet!) to a folder you can find quickly; the Desktop, Downloads or Documents folder is a good choice.
If the saved file disappears, the malware recognizes RKill's file name and deleted it, so download a copy saved under a different name instead: click the Download Now iExplorer.exe or Download Now Rkill.com button.
Now launch the downloaded file. If nothing happens within a minute, the malware is most likely blocking it by name: rename the file to anything you like (right-click and choose Rename; the keyboard shortcut is F2), such as GreatGame.exe or JustDidMyTaxes.com, but make sure the file keeps its .exe or .com extension.
As usual, User Account Control prompts you in Windows Vista and later; click Continue or Yes. In the Windows XP security dialog, click Run.
RKill runs in a black Command Prompt window and its scan usually takes less than five minutes.
First, it checks for malware-related services. If something is found and stopped here, you definitely need to run full anti-virus (for example with avast! Free Antivirus, Microsoft Security Essentials or Windows Defender) and anti-malware scans afterwards.
In the second step, RKill looks for infected processes. In the example below, heuristics (marked [WD-HEUR]) flagged a legitimate webcam application as suspicious and stopped it. Since no files are deleted, a false positive like this only stops the program, and it can be started again once the security scans are done. Any real detection in this step means a full AV and AM scan is required.
The third step finds and removes unwanted Registry modifications. If anything is detected, a full security scan is a must.
The last steps are miscellaneous checks, Windows Service Integrity and Missing Digital Signatures.
If you have other anti-virus software installed, all messages about Windows Defender being disabled can be safely ignored: in every Windows version, Windows Defender disables itself once a third-party AV program or Microsoft Security Essentials is installed.
If system files with missing digital signatures are found ([NoSig] means no signature, [Pos Repl] means possibly replaced), use System File Checker (sfc /scannow from an elevated Command Prompt) to restore the damaged files.
As usual, full security scans are necessary after something has been detected in these steps.
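The checks RKill performs in these steps can be approximated by hand, which is useful when you want to see for yourself what is running and whether the core system files still carry valid signatures. The following Windows PowerShell script is an added example written for this guide; it is not RKill's own code, and the list of "essential" files, the user-writable directories and the output layout are assumptions chosen for illustration. It only reports, it does not stop or delete anything, so it is a triage aid rather than a replacement for RKill.

```powershell
# Added example (not part of RKill or any tool in this guide): triage checks in
# the spirit of RKill's service, process and digital-signature steps.
# Run from an elevated Windows PowerShell (3.0 or later) prompt so that process
# paths and service binaries are readable. Nothing is stopped or deleted.

# Directories a normal user (and therefore malware running as that user) can
# write to. A service or process whose binary lives here deserves a closer look.
# This list is an assumption for illustration, not an exhaustive one.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Extract the executable from a Win32_Service PathName such as
#   "C:\Program Files\Vendor\svc.exe" -arg   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ServiceImagePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }
    return $null
}

# Get-AuthenticodeSignature status values that roughly correspond to RKill's tags:
#   NotSigned    -> no Authenticode signature found           (cf. [NoSig])
#   HashMismatch -> signature present but file content changed (cf. [Pos Repl])
function Get-SignatureReport {
    param([string[]]$Files)
    foreach ($f in $Files | Sort-Object -Unique) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $f
        New-Object PSObject -Property @{
            File         = $f
            Status       = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            UserWritable = Test-UserWritablePath $f
        }
    }
}

# Steps 1 and 2: the binaries behind running services and running processes.
$serviceImages = Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object { Get-ServiceImagePath $_.PathName } |
    Where-Object { $_ }
$processImages = Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path }

$report = Get-SignatureReport -Files (@($serviceImages) + @($processImages))

# Show what a human should review: unsigned or tampered binaries, plus anything
# running from a user-writable directory regardless of its signature.
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.UserWritable } |
    Sort-Object Status, File |
    Format-Table Status, UserWritable, Signer, File -AutoSize

# Missing Digital Signatures step, for a handful of essential system files.
# Caveat: these files are catalog-signed. On Windows 7 with PowerShell 2.0,
# Get-AuthenticodeSignature only checks embedded signatures, so NotSigned is
# expected there and HashMismatch is the result that actually calls for action.
$essential = @('kernel32.dll', 'ntdll.dll', 'winlogon.exe', 'services.exe',
               'lsass.exe', 'svchost.exe', 'wininit.exe') |
    ForEach-Object { Join-Path $env:windir "System32\$_" }
$sysReport = Get-SignatureReport -Files $essential
$sysReport | Format-Table Status, File -AutoSize

if ($sysReport | Where-Object { $_.Status -eq 'HashMismatch' }) {
    Write-Warning 'Possibly replaced system files found: run "sfc /scannow" from an elevated prompt.'
    # Once SFC finishes, the lines it wrote to CBS.log are the ones tagged [SR]:
    Write-Host 'To review what SFC did afterwards, run:'
    Write-Host '  Select-String -Path "$env:windir\Logs\CBS\CBS.log" -SimpleMatch ''[SR]'' | Select-Object -ExpandProperty Line'
}
```

Save it as a .ps1 file and start it with `powershell -ExecutionPolicy Bypass -File <name>.ps1` from an elevated prompt. Like RKill's heuristics, a hit here is a reason to run full anti-virus and anti-malware scans, not proof of infection: many legitimate updaters and helper tools are unsigned or run from AppData.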
After the scan is complete, click OK in the RKill Finished dialog. A full log opens in Notepad; read it before closing it.
Now the most important step: do not reboot your computer until you have performed the full security scans! RKill only stops malware processes, it does not remove them, so if you restart the PC without scanning, the malware will simply start again.
Always remember to update your anti-virus and anti-malware software before running a scan.
If your computer restarts by itself or shows the dreaded BSOD (Blue Screen of Death) during the RKill scan, start Windows in Safe Mode and try again. If the problem persists, analyze the crash dumps with the free WhoCrashed tool, which gives understandable explanations of, and suggested fixes for, the causes of crashes.
The reboots are not always malware-related; an outdated device driver or other software may be to blame. Running System File Checker (mentioned above) can also help here.