Windows Defender redux

Windows Defender to the rescue

Windows Defender offline

There's malware and then there's really nasty malware, the sort that blocks your antivirus program, hijacks your internet connection and reinfects your computer on each reboot.

When you're confronted with really nasty malware, such as a rootkit hiding itself from detection deep within Windows, your typical antivirus software may well be stymied in trying to disinfect your system.

It's almost impossible to deal with such malware from within Windows itself, but if you can examine your Windows system from the outside, you have a greater chance of detecting the problem and cleaning your system.

Article continues below

Enter Windows Defender Offline (WDO). This new, free tool from Microsoft loads directly from a CD or USB drive and lets you scan your system while Windows is 'switched off'. The Offline in the title doesn't refer to being disconnected from the internet; rather, it indicates that Windows itself is offline.


Don't get WDO confused with Windows Defender. Microsoft has a seemingly unbreakable habit of giving almost identical names to different products.

In this case, the latter is an anti-spyware tool built into Windows Vista and Windows 7. If you install a copy of the more recent (and highly recommended) Microsoft Security Essentials (MSE), MSE disables Windows Defender and takes over its functions. You can get a copy of MSE free from here.

Windows Defender/MSE and WDO are complementary: the former guard your system during normal everyday operation, while the latter is used in emergencies when your system is compromised despite the best efforts of your antivirus software.


To use WDO, you need two computers: the one that's infected plus a clean PC to download the latest version of WDO.

You should avoid downloading WDO to an infected PC, as that can spread the infection to WDO itself.

Although you can download a copy of WDO at any time so you have it on hand, it's best to grab a copy of the very latest version so you have both the most recent scanning engine and an up-to-date database of virus signatures.

There are two versions of WDO: one for 32-bit and one for 64-bit computers.

You need to download the correct version for the infected computer. You can use WDO on infected computers running Windows XP with Service Pack 3, Vista, 7 and 8 Developer Preview/Consumer Preview).

To prepare WDO for use:

1. Download mssstool32.exe (32-bit version) or mssstool64.exe (64-bit version) onto a clean computer. You can get this from here.

2. Run mssstool.exe. This will guide you through installing WDO onto a CD, DVD or USB drive and making that disc or drive bootable. Note that installing it onto a USB drive will erase the existing contents of the drive. There's also an option to create an .iso file, which is useful for installing the program on a virtual drive.


Once you've created a WDO boot device, here's how to use it on an infected system.

1. Switch the infected machine off.

2. Insert the CD, DVD or USB drive into the computer and then turn it on, booting from that device (if you don't know how to make that device bootable, check the FAQ on Microsoft's WDO download site).

3. If it's been a while since you created the WDO device, click the Update tab to download the latest spyware definitions.

4. Select the type of scan you want to run: quick, full or custom. It's best to run a full scan, but that can take many hours on a loaded system, so you may want to start with a quick scan and then follow it up with a full scan if problems persist.

5. If WDO finds infections, you'll have the option to remove, quarantine or ignore each one. Remove is the safest option.