The Cleanest Malware Scan

Michael Gersten wants to be absolutely sure malware can't interfere with his security scan.

No matter how good your security software is, and how well you keep it up to date, there's always that nagging doubt: "What if some malicious program is interfering with my antivirus, protecting itself while hurting me?"

That's a legitimate question, and it's one of the reasons I frequently recommend that people use a second malware scanner to supplement their main antivirus program (see One or Two Anti-Malware Programs? for details). But even that suggestion involves running a program already installed on your PC (and thus, possibly compromised), while something evil may be running in memory.

I'm going to recommend two ways to scan for infection in a clean environment. Pick which makes the most sense to you, or--if you're really paranoid--use both.

Windows Safe Mode and a Portable Scanner
Only a minimal set of drivers and services loads when you boot Windows into Safe Mode, and the usual auto-start programs are skipped. Most infections that launch from a Run key or a startup folder therefore won't be running. It isn't a guarantee, though: a rootkit that loads as a driver, or that has registered itself to start in Safe Mode as well, can still be active, which is why the Live CD approach below is the stronger option.

On a safe computer, download the SUPERAntiSpyware Portable Scanner and save it to a flash drive. This self-contained anti-malware program is an ordinary Windows program saved under a randomized name with a .com extension, a trick meant to keep malware that blocks .exe files from stopping it. It gets updated regularly, so you can assume the version you just downloaded is up-to-date.

Then boot the suspect PC into Safe Mode. Start tapping F8 as soon as the PC begins to boot, before the Windows logo appears (it may take a few tries to get the timing right), and select Safe Mode from the Advanced Boot Options menu. If you keep missing the window, the System Configuration tool (msconfig) has a Safe boot option on its Boot tab; just remember to clear it afterwards, or Windows will keep booting into Safe Mode.

Once the PC is booted, insert the flash drive. Unlike Windows' normal mode, nothing automatic happens when you plug in a drive in Safe Mode (AutoPlay doesn't run), but if you select Start then Computer (or My Computer) the drive will very likely be there. Open it and double-click the program file whose name starts with SAS and ends with .COM. Once the program is up, click Scan your Computer.

It's possible that your PC won't see a flash drive in Safe Mode--some do, some don't. If yours falls into the second category, boot it normally, copy the SAS...COM file onto your desktop, then boot into Safe Mode and run the scanner from there. Bear in mind that the copy sat on the disk while whatever you're worried about was running: if the file is gone or its size differs from the download by the time you reach Safe Mode, treat that as a sign of an active infection and fetch a fresh copy instead of running what's there.
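The Safe Mode steps above can be wrapped in a short script that refuses to launch the scanner unless Windows really is in Safe Mode and the SAS*.COM file on the flash drive still matches the hash you recorded on the clean computer. This is an added example, not code from the original column or from SUPERAntiSpyware; the script name Start-CleanScan.ps1 and the -ExpectedSha256 value are assumptions. Compute the expected hash on the clean PC right after downloading (the Get-Sha256Hex function below works there too, or Get-FileHash on PowerShell 4 or later).

```powershell
# Added example (not part of the original article or of SUPERAntiSpyware):
# launch the portable scanner only if Windows is in Safe Mode and the
# SAS*.COM file still has the SHA-256 hash recorded on the clean computer.
# Run as (script name and hash value are assumptions for this example):
#   powershell -ExecutionPolicy Bypass -File .\Start-CleanScan.ps1 -ExpectedSha256 <hash>
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedSha256
)

function Get-Sha256Hex {
    # Hex SHA-256 of a file, via .NET directly so it also works on the
    # PowerShell 2.0 that shipped with Windows 7 (which has no Get-FileHash).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-SafeMode {
    # Win32_ComputerSystem.BootupState reports "Normal boot", "Fail-safe boot"
    # or "Fail-safe with network boot"; either "Fail-safe" value is Safe Mode.
    $state = (Get-WmiObject -Class Win32_ComputerSystem).BootupState
    return ($state -like 'Fail-safe*')
}

function Find-PortableScanner {
    # DriveType 2 is a removable disk. The scanner's file name is random apart
    # from the SAS prefix and the .COM extension, so match on those.
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID + '\'
        $hit = Get-ChildItem -Path $root -Filter 'SAS*.COM' -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

if (-not (Test-SafeMode)) {
    Write-Warning 'Windows is not in Safe Mode. Reboot, tap F8 and choose Safe Mode before scanning.'
    exit 1
}

$scanner = Find-PortableScanner
if (-not $scanner) {
    Write-Warning 'No SAS*.COM file found on any removable drive.'
    exit 1
}

$actual = Get-Sha256Hex -Path $scanner.FullName
if ($actual -ne $ExpectedSha256) {
    # String comparison is case-insensitive in PowerShell, so hash case does not matter.
    Write-Warning ("Hash mismatch for {0}: expected {1}, got {2}." -f $scanner.FullName, $ExpectedSha256, $actual)
    Write-Warning 'The file may have been tampered with; do not run it. Copy it again from the clean computer.'
    exit 1
}

Write-Host ("Safe Mode confirmed and scanner verified; launching {0}" -f $scanner.FullName)
Start-Process -FilePath $scanner.FullName
```

The hash check matters most for the desktop-copy workaround, where the scanner spent time on a disk that an active infection could write to; a mismatch means you should not trust the copy, not that the scanner is broken.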

Boot from a Live CD
If Safe Mode doesn't seem quite safe enough, you can skip Windows altogether. To do so, on a safe computer download the F-Secure Rescue CD.

This "CD" comes in the form of an .iso file (which itself comes inside a compressed .zip file). Extract the .iso from the .zip first, then write it with a program that knows what to do with a disc image; merely copying the .iso (or the .zip) onto a CD as a file will not produce a bootable disc. When you double-click the .iso file, there's a good chance that some program on the computer will load and ask for a blank CD-R onto which it can burn the image's contents (Windows 7 includes a Windows Disc Image Burner that does exactly this). If that doesn't happen, download and install ISO Recorder.
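A quick way to avoid the most common mistake here (burning the .zip, or a file that was never a disc image) is to look at the bytes before you burn. The following is an added example, not code from the original column or from F-Secure: an ISO 9660 image carries its primary volume descriptor at byte offset 0x8000 (sector 16 of 2048-byte sectors), a type byte of 1 followed by the ASCII identifier "CD001", while a .zip file starts with the bytes "PK". The download path used at the bottom is an assumed example path.

```powershell
# Added example (not part of the original article or of F-Secure's tools):
# classify a downloaded file as an ISO 9660 disc image, a .zip archive, or
# something else, before handing it to a burning program.
function Test-IsoImage {
    param([Parameter(Mandatory = $true)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        # .zip local file header starts with "PK" (0x50 0x4B)
        $head = New-Object byte[] 2
        [void]$fs.Read($head, 0, 2)
        if ($head[0] -eq 0x50 -and $head[1] -eq 0x4B) {
            return 'zip'      # still compressed: extract the .iso first
        }
        if ($fs.Length -lt 0x8006) {
            return 'unknown'  # too small to hold a volume descriptor at 0x8000
        }
        # ISO 9660 primary volume descriptor: type 1, then "CD001"
        [void]$fs.Seek(0x8000, [System.IO.SeekOrigin]::Begin)
        $pvd = New-Object byte[] 6
        [void]$fs.Read($pvd, 0, 6)
        $id = [System.Text.Encoding]::ASCII.GetString($pvd, 1, 5)
        if ($pvd[0] -eq 1 -and $id -eq 'CD001') {
            return 'iso9660'  # a disc image: burn it as an image, not as a file
        }
        return 'unknown'
    } finally {
        $fs.Close()
    }
}

# Usage; the path is an assumed example, substitute your own download location.
switch (Test-IsoImage -Path 'C:\Users\you\Downloads\rescue-cd.iso') {
    'iso9660' { 'Looks like a disc image; burn it with ISO Recorder or Windows Disc Image Burner.' }
    'zip'     { 'This is still the .zip download; extract the .iso from it first.' }
    default   { 'Not an ISO 9660 image; re-download or re-extract it.' }
}
```

The check only confirms the file is a disc image; it says nothing about whether the image is the genuine F-Secure download, which is what downloading it on a clean computer from the vendor's site is for.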

Once the disc is complete, place it in the PC you wish to scan and boot the PC from the CD. If it boots into Windows instead, pick the optical drive from the firmware's boot menu or move it ahead of the hard disk in the BIOS boot order. The disc boots a text-based version of Linux. Using a wizard, F-Secure will update its database over the Internet, then scan your PC.

At least, it can do that if it can reach the Internet. The Linux on the disc may lack a driver for your networking hardware, and it certainly won't know your Wi-Fi password. Your chances of getting through are greatly improved if you plug an Ethernet cable into a router that hands out addresses automatically.

If you can't get an Internet connection, there's a workaround: On a healthy computer, you can download the latest update and put it onto a flash drive. The F-Secure Rescue CD manual (a .pdf in the .zip file) explains how.

But the F-Secure Rescue CD comes with a very serious warning. If it has to alter Windows system files to clean your system, it may render Windows unbootable. That's something to consider before you decide to take this route, and a good reason to back up your data before you start.

Add your comments to this article below. If you have other tech questions, email them to me at answer@pcworld.com, or post them to a community of helpful folks on the PCW Answer Line forum.
