Software to run when your antivirus solution fails
Running up to date antivirus software on your system is one of the best protections against threats that you encounter locally or on the Internet. While it is highly recommended, it does not offer 100% protection regardless of which programs you are using to protect your computer and its data.
New threats appear on a daily basis, and your computer may be vulnerable to them until your antivirus software is updated to detect and remove them. While heuristics may detect unknown threats, they do not have a 100% detection rate either.
What this means is that your computer may get infected by malware even if you are running antivirus software on it.
If you suspect that something is not right, or know that you are infected but cannot get rid of the infection, you may need to run specialized tools that help you in this regard.
The following list links to programs that you can run in this case.
These scanners run beside your resident security setup. You basically download the products, run them once on your system to see if they find anything, have them remove any malware they find, and then either remove them from your system again or keep them on it for future use.
Malwarebytes Anti-Malware Free - The program gets lots of recommendations here on the site and elsewhere, and deservedly so. You do not really need to configure anything before you run it. Just make sure you select full system scan to scan all files and processes of the PC.
Dr. Web CureIt - Another on demand scanner that you do not need to install at all. Just run it after you have downloaded it to give your system a thorough scan. Note that you need to accept the sending of anonymous statistics in the free version.
On-demand scanners are your first line of defense against unknown threats that may have slipped past your resident security setup, but they may come up short sometimes too. That's when you bring out specialized tools.
ComboFix - The program scans your computer for malware traces and automatically attempts to clean any infections it finds. Make sure you close all open program windows before you run the program. The program attempts to create a system restore point before it starts the scan, and will disconnect the computer from the Internet during the scan.
A log file is generated in the end that you can use to analyze potential threats. Several help forums exist that you can visit to ask questions about certain findings in the report.
RKill - The program has been designed to unload malware processes that run on the Windows system. It will only do that and not run any disinfection or removal operation. The idea behind it is to terminate those processes so that your resident antivirus solution can remove the malware from the system.
RogueKiller - This versatile program can detect and remove malicious processes from your system. It handles so-called ransomware but also other threats such as DNS hijackers, Hosts file manipulations, some types of rootkits and other types of infections.
Kaspersky TDSSKiller - This anti-rootkit scanner detects known rootkits that may have been installed on your system. It is regularly updated to detect and remove new threats. Just click on the start scan button after you have downloaded and started it to scan your system for threats.
HijackThis - The program scans critical system locations for traces of malware and displays a report in the end that you need to analyze.
McAfee RootkitRemover - Another standalone program to scan and remove rootkits on a PC.
Panda Anti-Rootkit - Scans for and cleans rootkits running on a system.
RootkitRevealer - Advanced tool by SysInternals / Microsoft to detect rootkits on a Windows system.
Trend Micro Rootkit Buster - A standalone anti-rootkit program.
Have a favorite program that is not on this list? Feel free to leave a comment below to share it with everyone else. The following products have been mentioned in the comments.
- Comodo Cleaning Essentials - Scan, detect and remove malicious software.
- Emsisoft Emergency Toolkit - A collection of programs to scan PCs for malware and clean infected PCs.
- Gmer - Anti-Rootkit Software
- Hitman Pro - Anti-Malware program that checks for all forms of malware.
- Panda Cloud Cleaner
- Spybot Search and Destroy
- SuperAntiSpyware - A second opinion scanner.
- Vipre Rescue - Can be run in safe mode to disinfect infected Windows PCs.
Comodo Cleaning Essentials and Hitman Pro are what I mostly use.
Vipre Rescue is designed to run in safe mode.
Hitman Pro is what I use on a daily basis in addition to my regular AV (G Data).
Gmer is what I use.
Emsisoft Emergency Kit is another decent scanner.
Although KIS never fails and does an excellent job protecting my systems, I occasionally run SuperAntiSpyware, which does a thorough scan in a bit over one minute and occasionally finds the odd Adware and Spyware, but not too often, as I am very careful which web sites I visit!
Considering that KIS has an anti-rootkit included in its suite, I don't have any need for any of the ones mentioned in the article!
AdwCleaner and Junkware Removal Tool are worth mentioning against adware / hijackers, though there are some better commercial programs in my opinion.
Hitman Pro with its Kickstart USB is quite interesting when you can't access the PC. Though in some cases an antivirus CD like Kaspersky Rescue Disk might be required.
Sadly, half of these are download links from “download.com” — so installing an anti-malware program is guaranteed to install malware… and screw with your browser home page/search engines/etc.
Malwarebytes is not authorized by Bitdefender, and Kaspersky makes a warning.
I recommend Elistara; it is very good for removing Trojans and malware that are not detected by antivirus.
After reading this article I decided to give Combofix a chance. BIG ERROR!!
BEWARE! It deleted (without asking permission) completely clean folders! jpg, txt, etc.! (Fortunately it copies and renames them into a quarantine folder.)
I would not recommend this app at all! Stay away from it.
Indeed, Combofix should only be used under expert supervision. It is too powerful a tool to be left in the hands of n00bs.
Martin, I’m rather surprised you did write such an article. It’s rather Gross’ ;-)
Do you mean gross as in shocking, or the German word Gross, or something completely different? I'm somewhat puzzled by the word choice ;)
I am a former trainee analyst for one of the ASAP forums (http://malwareremoval.com/forum/viewtopic.php?f=201&t=61852#.UgC3gJLDCc0) that help out in malware removing.
There’s like a blaring huge statement when you run Combofix that it should not be used by an average user without supervision of an analyst/expert. Also, sUBs, the creator, stresses this point.
It’s powerful, and it can destroy your computer if used wrongly.
More like in Melanie…
I see. So you think it is too generic of an article? I do like those articles for two main reasons: first, the great comments that add a lot to it, even tools that I never heard of before. And second, as an overview for users who never really looked into this too much but want to now.
I have found Spybot Search and Destroy to be great. I really don't want to try anything else since I installed it.
Spybot is a very classical one. I’m not sure it’s very good for detection.
Admitted by Bitdefender, not by Kaspersky.
The old version is better (1.6.2). I don’t like the new one, currently 2.1, not clear (I am not the only one of my opinion).
Pierre, you are right about Spybot being a classic. I have found it to be very good at detecting and cleaning up spyware and viruses. Also, you are 100% right about version 1.6.2 being better. I tried to download the new one, 2.1, but it would not install, so I'm glad I did not after reading what you wrote about it.
I agree with the fact that Combofix should only be used under expert supervision or carefully.
Well… this is what I read a lot of the time.
By the way, thanks for your work and your well-organized site :)
Really great roundup Martin. Well written.
Panda Cloud Cleaner is a good option too!!
I boot possibly infected machines into Trinity Rescue Disc and from there run a variety of AVs (AVG works) — as long as you have an active network connection, it’ll update the AV database and scan the entire drive; this takes awhile, but you know it’s complete because the entire system is off-line.
Why go to all the trouble if you decide you are infected? You should have and maintain a pristine image of your system and your data backed up at least daily if not real time.
Restoring a perfectly clean up-to-date image of your system takes about 20 minutes. Getting your up-to-date data backups back on it about 10 minutes.
Trying to find and eliminate all malware that might be on your system will take longer than that and you can never be sure you got it all.
If you don’t know what a pristine image is – it’s a technique of making up-to-date images that have never been in the wild.
It obviously is the only option if you do not have backups or system images. But even if you do, you may want to find out more about the infection, for instance to find out how it landed on your PC, or what effects it may have had.
Absolutely true. Everyone using Windows should have and maintain a pristine image. If one of my Windows systems becomes infected... the first thing I do is image that infected system before I do anything else. Imaging is simple and I use Macrium Reflect with an external hard drive.
Then you can do anything you like to investigate if you wish, try cleaning etc. and have no worries about messing up or borking your system beyond recovery. Once you are satisfied, dump it and load your pristine image and be done with it.
If you don't have an image, it is still wise to make an image of your infected machine in case your cleaning attempts screw it up beyond the ability to boot or recover.
Avast Antivirus Free, Malwarebytes Anti-Malware Free, Kaspersky Virus Removal Tool… And if everything goes wrong… ComboFix (always works fine for me). Great article Martin.
I’ve been using ScanSpyware since Windows 2000 so it’s definitely a veteran program. I’m surprised after all these years it’s still one of the most effective on-demand scanners for spyware/malware removal that I know of. You can always download an updated pest database from their site on another computer if an infected computer cannot access the internet.