A standard procedure recommended in most virus removal instructions is to update your anti-virus program and then run a full scan. In reality, you are often prevented from following that advice, because your internet connection and most of the running programs have already been taken over by the virus. You rarely even get the chance to go online and look up the right information. A better approach, therefore, is to boot into a clean system and perform a full scan of the infected drive from there. On a Windows system, that means booting into WinPE, a tiny portable version of Windows, from either a bootable CD-ROM or a USB drive.
There are many third-party tools built on a WinPE image that offer exactly this, and the software giant itself has one. Microsoft Defender Offline, formerly called Microsoft Standalone Sweeper, is a recovery tool that helps you start an infected PC in a clean state and perform an offline scan to find and remove rootkits and other advanced malware. It seems to be by far the simplest such tool to build and use, because it takes care of the hardest part of preparing an offline virus scanner and remover: building the bootable WinPE image. To start, simply go to the Microsoft website, download the version of the program that matches your system, either 64-bit or 32-bit, and launch it.
As you can see, you have three options for building bootable media: a blank CD/DVD, a USB drive, or a standalone ISO file. Choose the one that suits the kind of system you plan to boot. I created one in ISO format so that I can boot my VMs from it. Building the image takes a few minutes. Once it is done, you can use it to boot the infected machine and start the sweeping step. Because the image is built on Windows 7, you will see the Windows 7 logo animation on screen before the program launches.
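Since the ISO is the form most convenient for testing in a VM, here is an added PowerShell example (not part of the original post and not Microsoft's code) that prepares a Hyper-V virtual machine to boot from the Defender Offline ISO and, optionally, attaches the virtual disk of a suspect machine so that the clean WinPE scans it without that disk's operating system ever starting. It assumes the Hyper-V role and its PowerShell module are installed, that the script runs in an elevated session, and that the ISO and VHDX paths are placeholders you replace with your own. A Generation 1 (BIOS) VM is used because the image is Windows 7 based and may not boot in a UEFI-only Generation 2 VM.

```powershell
# Added example, not from the original post: test-boot the Defender Offline ISO
# in a Hyper-V VM and attach a suspect disk for an offline scan.
# Assumptions: Hyper-V role installed, elevated session, placeholder paths below.

param(
    [string]$IsoPath      = 'C:\ISO\DefenderOffline-placeholder.iso', # ISO built by the tool (placeholder)
    [string]$VmName       = 'MDO-Scan',                                # hypothetical VM name
    [string]$InfectedVhdx = ''                                         # optional: VHDX of the machine to scan
)

# Record the ISO hash right after building it. Comparing a later copy against this
# value tells you whether the rescue media was modified before you boot from it.
$hash = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
Write-Host "ISO SHA256: $hash"

# Create a Generation 1 VM with no disk of its own; WinPE runs entirely from the ISO.
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 2GB -NoVHD | Out-Null
}

# Attach the ISO to the VM's DVD drive, adding a drive if the VM has none.
$dvd = Get-VMDvdDrive -VMName $VmName
if (-not $dvd) {
    Add-VMDvdDrive -VMName $VmName -Path $IsoPath
} else {
    Set-VMDvdDrive -VMName $VmName -ControllerNumber $dvd.ControllerNumber `
        -ControllerLocation $dvd.ControllerLocation -Path $IsoPath
}

# Put the CD first in the boot order so the clean WinPE loads before any hard disk.
Set-VMBios -VMName $VmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Optionally attach the suspect machine's disk as a data disk. Defender Offline then
# scans it from WinPE while the disk's own Windows installation never runs.
if ($InfectedVhdx -and (Test-Path $InfectedVhdx)) {
    Add-VMHardDiskDrive -VMName $VmName -ControllerType IDE -Path $InfectedVhdx
}

Start-VM -Name $VmName
```

Keep the printed hash with your notes; if the ISO is later copied to another host for a rescue, recomputing `Get-FileHash` there and comparing the two values is a quick way to confirm the media is the one you built. Attaching a suspect disk to a VM that boots only from the ISO is the same principle the post describes for physical machines: the scanner runs from a clean environment while the infected system stays dormant.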
The anti-virus and anti-spyware definition files are updated automatically during launch if the computer has internet access; otherwise you can update them later from the Help menu. The tool runs like any other anti-virus program, offering three basic scan options: Quick Scan, Full Scan, and Custom Scan. When performing a scan, make sure to include the drives or folders you suspect are infected with viruses or spyware.
As always, a full scan usually takes quite a bit of time to finish, depending on how much data the drive contains.
Even though it is a pretty good and effective offline virus sweeper, there is still a good chance that some of the tougher malware cannot be removed. At that point, you can either try another offline remover or start backing up your data and rebuilding your system from scratch, which is what I often suggest anyway. It is always a better idea to have your system protected so that it is not infected in the first place.
Also, note that Microsoft Defender Offline is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection.