We review products independently, but we may earn commissions if you make a purchase using affiliate links on our website. Also note that we are not antivirus software; we only provide information about some products.

#1 Malwarebytes Premium: $44.99 (12 months / 1 device). Our rating: 9.2
The default cleanup tool on r/techsupport. 7-day ransomware rollback, behavioural anti-exploit, and the same engine in Free for on-demand scans.
  • Ransomware Rollback (7 days)
  • Anti-Exploit Layer
  • Coexists With Defender
  • On-Demand or Real-Time
  • Free Tier Available

#2 Emsisoft Anti-Malware Home: $39.95 (12 months / 1 device). Our rating: 9.0
Dual-engine (proprietary + Bitdefender) cleanup. Pairs with the free Emsisoft Decryptor Library: 30+ ransomware families with working keys.
  • Dual Engine
  • 30+ Free Decryptors
  • Behaviour Blocker
  • Anti-Ransomware Module
  • Emergency Kit (Free, Portable)

#3 HitmanPro: $24.95 (12 months / 1 device). Our rating: 8.7
Cloud multi-engine second-opinion scanner. 30-day free trial per install, ~12 MB portable EXE, Sophos-owned since 2015.
  • Cloud Multi-Engine
  • Portable, ~12 MB
  • No Driver Conflicts
  • HitmanPro.Kickstart (Rescue)
  • 30-Day Free Trial

If you are reading this with a machine that is already misbehaving — browser homepage hijacked, fans spinning loud on idle, files renamed with an unknown extension — cleanup is a separate job from prevention, and the tool that protects you from infection in the first place is usually not the right one to undo it. This guide ranks the eight tools that the r/techsupport, r/antivirus and r/ransomware threads keep returning to in 2026, plus the rescue-media and second-opinion options for severe cases.

Every pick below lists an internal review or vendor link, current pricing, a short rationale, and what to use it for. Three editorial decisions worth flagging up front: Microsoft Defender stays in the recommended stack as the real-time layer (free, AV-TEST 18/18 for nine consecutive cycles); Kaspersky's engine is excellent but US customers cannot purchase it after the September 2024 BIS Final Determination, so we moved it out of the main ranking into a dedicated section (we do not give legal advice on the scope of the determination — consult Kaspersky’s current US availability page); and rescue media now gets its own H2 because BitLocker-encrypted laptops and Secure Boot have changed how that workflow runs.

Best Malware Removal Tools — at a Glance

This page is about cleanup. If a machine is already compromised — browser hijacked, ransom note on desktop, strange processes, family member clicked the thing — you do not need another "best antivirus" article. You need tools built to rip out what is already inside. Real-time antivirus prevents; removal tools remediate. The distinction matters because products optimized for one are rarely best at the other.

Short verdict for 2026: Malwarebytes Premium remains the default recommendation for active cleanup across r/techsupport, r/Malware, and r/antivirus. It won AVLab's Product of the Year 2026 for consumer protection, and the 7-day ransomware rollback is still the most-cited differentiator when volunteers triage infected machines on Reddit. Emsisoft Anti-Malware Home earns second place for its dual-engine detection and the genuinely useful library of 30+ free ransomware decryptors hosted on emsisoft.com. HitmanPro stays the go-to second-opinion cloud scanner. For users who have not been hit yet and want to prevent infection in the first place, Bitdefender Total Security (AV-Comparatives 2025 Gold Advanced Threat Protection) and ESET HOME Security Essential (NOD32 engine, neutral jurisdiction) sit at the top of the detection charts in 2026. Kaspersky's engine matches them on raw lab scores but US customers cannot purchase it after the September 2024 BIS Final Determination (we do not give legal advice on the scope of the determination; consult Kaspersky’s current US availability page).

Our 2026 top picks:

  1. Malwarebytes Premium — best overall cleanup; 7-day ransomware rollback; AVLab Product of the Year 2026. Full review →
  2. Emsisoft Anti-Malware Home — dual-engine (Bitdefender + Emsisoft), free ransomware decryptors for 30+ families. Full review →
  3. HitmanPro — Sophos-owned cloud second-opinion scanner; pairs with anything. Full review →
  4. Bitdefender Total Security — prevention-first; Gold ATP 2025. Full review →
  5. ESET Online Scanner — free, browser-launched, NOD32 engine, no install required — the second-opinion option when you cannot install another AV. Run scanner → · ESET review →
  6. Norton 360 — LifeLock + cleanup bundle for US users. Full review →
  7. Zemana AntiMalware — banking-focused second-opinion, anti-keylogger. Full review →
  8. AdwCleaner (free) — Malwarebytes-owned, narrow scope (PUPs, adware, hijacked browsers). Use as a companion to any paid AV.

Prevention vs Cleanup — Why It Is Not One Product

The antivirus industry markets "all-in-one protection," but the two jobs are genuinely different and the tools that excel at one tend to compromise at the other.

Prevention products (Bitdefender, Kaspersky, ESET, Microsoft Defender) run resident, intercept executables before they launch, use behavioral heuristics to block suspicious activity at execution time, and are measured on false-positive counts — a prevention engine that blocks legitimate software is worse than one that misses one edge-case sample. They are tuned conservatively and run all day.

Cleanup products (Malwarebytes, Emsisoft, HitmanPro, AdwCleaner) are tuned aggressively. They assume something bad is already resident, sweep deeper into less-common persistence locations (scheduled tasks, WMI subscriptions, browser-extension registry keys, LSA secrets), and accept more false positives in exchange for removing the thing you want gone. Running two active-protection engines at once causes conflicts; running a prevention engine plus an on-demand cleanup scanner is the pattern the community converged on years ago.

The community standard stack in 2026 (surfaced repeatedly on r/antivirus, r/techsupport, r/Windows11): Microsoft Defender for real-time + Malwarebytes Premium for on-demand cleanup. Or: Bitdefender/Kaspersky for real-time + HitmanPro or Emsisoft Emergency Kit as occasional second-opinion. The common thread is one prevention engine, one cleanup tool, not two of either. See our stack recommendations section below for specific combinations.

A third tier exists for severe cases. If the machine will not boot, ransomware is mid-encryption, or you find rootkit-style persistence that survives every reboot, neither prevention nor on-demand cleanup is enough — you boot the machine from external rescue media and clean it offline. We cover that workflow (BitLocker suspension, Secure Boot considerations, current vendor rescue images) in the Rescue Media for Severe Infections section below. The decision tree is straightforward: real-time AV is your everyday layer; on-demand specialists are your "something is wrong, scan it now" layer; rescue media is your "boot is broken or the AV cannot run" layer.

Top Picks — Quick Comparison

| Product | Best For | Price (current) | Signature Feature | Recent Award |
|---|---|---|---|---|
| Malwarebytes Premium | General cleanup + ransomware rollback | $44.99/yr (1 device) | 7-day ransomware rollback | AVLab Product of Year 2026 |
| Emsisoft Anti-Malware Home | Cleanup + free decryptors | $39.95/yr (1 device) | Dual engine; 30+ free decryptors | AV-TEST 18/18 Feb 2026 |
| HitmanPro | Second-opinion scans | $24.95/yr (1 device) | Cloud multi-engine; portable EXE | Sophos ownership since 2015 |
| Bitdefender Total Security | Prevention-first | $19.99 first year (5 dev) | Safepay, anti-exploit | AV-Comp 2025 Gold ATP |
| ESET Online Scanner | Specialist on-demand cleanup, no install | Free | NOD32 engine, browser-launched | AV-Comparatives 2025 Approved + Top Rated |
| Norton 360 Deluxe | Bundle (US) + cleanup | $39.99 first year (5 dev) | Power Eraser; LifeLock | AV-Comp 2025 Gold Real-World |
| Zemana AntiMalware | Banking, anti-keylogger | $21.99/yr (1 device) | Anti-keylogger engine | Independent Turkish vendor |
| AdwCleaner | PUPs, browser hijackers | Free | Narrow-scope, fast | Malwarebytes-owned since 2016 |

Detailed Picks

1. Malwarebytes Premium — Best Overall Cleanup

Malwarebytes is the default answer on r/techsupport when a volunteer walks a stranger through cleaning an infected machine. That is not marketing — it is lived workflow. The r/techsupport stickied guides and pinned automod responses for "my computer has a virus" point at Malwarebytes Free as the triage tool, with Premium recommended for ongoing protection.

What sets it apart in 2026:

  • Ransomware Rollback (Premium): Malwarebytes keeps a 7-day shadow-cache of file changes. If ransomware encrypts your documents and Malwarebytes detects it, the client can revert affected files to pre-encryption state without paying the ransom. This is the single most-cited reason users upgrade from Free to Premium in r/Malware threads.
  • AVLab Product of the Year 2026: AVLab's 2026 Advanced In-the-Wild Malware Test awarded Malwarebytes the consumer Product of the Year. This is a European independent test with a strong reputation for catching zero-day samples before signature databases update.
  • Brute Force Protection and Exploit Protection: Blocks RDP brute-force attempts and shields commonly-exploited applications (browsers, Office, Adobe Reader) at the process level.
  • Standalone or companion: Plays nicely with Microsoft Defender in the standard community-recommended stack. The real-time protection module can be disabled if you only want Malwarebytes as an on-demand scanner alongside another AV.

Price: $44.99/year for 1 device, $79.99 for 5 devices. Free tier available but without real-time protection or ransomware rollback.

Read the full Malwarebytes Premium review →

2. Emsisoft Anti-Malware Home — Dual-Engine + Free Decryptors

Emsisoft is the quieter pick that keeps showing up in r/ransomware incident threads because of their free decryptor library. As of 2026, Emsisoft publishes working decryptors for 30+ ransomware families — STOP/DJVU, Apocalypse, BadBlock, LambdaLocker, NoWay, and others — at no cost, no registration, downloadable as standalone tools. That alone earns goodwill in the ransomware-recovery community.

What sets it apart:

  • Dual-engine detection: Bitdefender's engine plus Emsisoft's own signatures and behavioral module. This produces higher aggregate catch rates in third-party tests (AV-TEST Feb 2026: 18/18) at the cost of a slightly heavier footprint.
  • Behavior Blocker: Monitors process behavior in real time and blocks patterns typical of ransomware (mass-file-encryption signatures, shadow-copy deletion, backup-tampering) independently of signatures.
  • Emergency Kit (free portable): A no-install portable scanner useful for booting from USB on a machine too compromised to run an installer. Used by IT shops for first-triage.
  • Decryptor library: If your files were hit by a known family, the free decryptor may recover them without paying. Emsisoft's team also engages with ongoing ransomware investigations; their blog posts document decryption breakthroughs regularly.

Price: $39.95/year for 1 device, $59.95 for 3 devices.

Read the full Emsisoft review →

3. HitmanPro — Cloud Second-Opinion Scanner

HitmanPro, owned by Sophos since 2015, is the canonical "second opinion" tool. It is designed to run alongside whatever primary AV you already use: the installer is ~12 MB, the scanner uploads file hashes to Sophos cloud servers which query multiple scan engines (Sophos, Bitdefender, Kaspersky historically) and return verdicts.

What sets it apart:

  • Portable execution: The EXE can run without installation, from a USB drive or local folder, which matters when you are triaging a machine where installation itself might fail.
  • 30-day full trial: Fully-functional scans are free for 30 days. If you do not use it often, you can re-scan occasionally within a new trial window. Beyond that, license is $24.95/year for 1 device.
  • Light on system resources: Runs as an on-demand tool only — no resident service, no startup-impact overhead. Zero conflicts with other AV products because it does not hook drivers the way real-time engines do.
  • HitmanPro.Alert: The companion product (separate purchase) adds exploit protection, keystroke encryption, and ransomware mitigation. If you want a resident tool, Alert is the offering; the base HitmanPro is for on-demand.

Read the full HitmanPro review →

4. Bitdefender Total Security — Prevention-First

Bitdefender is on this list despite being a prevention-first product because infections that never happen do not need cleanup. Bitdefender's 2025 performance was exceptional: Gold in Advanced Threat Protection at AV-Comparatives (Enterprise and Consumer), 18/18 at AV-TEST Feb 2026, and the lightest system impact of the top-5 paid products. For users looking to upgrade from Microsoft Defender to reduce cleanup events, Bitdefender is the most-recommended product on r/antivirus in 2026.

Cleanup-relevant features: Bitdefender Rescue Environment (boot into a clean partition to scan without malware interference), Ransomware Remediation (rollback of encrypted files), Safepay (hardened browser for banking). Price: $19.99 first year for Total Security covering 5 devices, renews at $89.99.

Read the full Bitdefender review →

5. ESET Online Scanner — Free, On-Demand, No Install

ESET Online Scanner is the option r/techsupport reaches for when someone needs to scan a suspect machine without installing yet another AV alongside the one already there. It is browser-launched, runs the NOD32 engine, downloads fresh signatures on every run, and removes itself when done. Free for personal use, no licence key, no account.

What it is good at: second-opinion verdicts on a machine you do not own (a friend's laptop, a relative's PC, a work device where you cannot install software), one-shot deep scans after a suspect download, and supplementing Microsoft Defender on lightly-managed Windows machines where you want a fresh engine perspective without a full subscription. Sandbox isolation, anti-stealth scan for rootkits, and on-demand-only behaviour mean no driver conflicts with whatever else is resident.

Where the limits are: Windows only (no Mac, no Linux, no mobile). No real-time protection — this is genuinely an on-demand scanner, not a hidden trial of a full AV. ESET's full consumer product line is sold as ESET HOME Security Essential (post-2024 rebrand) if you want resident protection from the same engine.

Pricing: Free.

Run ESET Online Scanner →   Full ESET review →

6. Norton 360 — LifeLock + Cleanup Bundle (US)

Norton 360 Deluxe ($49.99 first year, 5 devices) won AV-Comparatives 2025 Gold for Real-World Protection and scored 18/18 at AV-TEST February 2026. Norton's Power Eraser tool (built into the product) is a dedicated aggressive scanner for removing stubborn infections. For US users whose threat model includes identity theft, the LifeLock bundle adds human identity-restoration specialists — a genuinely differentiated service.

The honest caveat is renewal pricing: Norton auto-renews at roughly 2.5× the first-year price. The fix (widely documented on the Norton Community forum): cancel auto-renew on day one, call retention for a discount, or let-lapse-and-repurchase. See our full review for the renewal playbook.

Read the full Norton 360 review →

7. Zemana AntiMalware — Banking + Anti-Keylogger

Zemana is a Turkish independent vendor that built a niche around anti-keylogger and banking-transaction protection. The on-demand AntiMalware scanner pairs well alongside a main AV for second-opinion scans, similar to HitmanPro. Zemana's differentiator is its pan-signature keylogger-detection engine, which surfaces low-profile info-stealers other products miss.

Price: $21.99/year for 1 device. Free trial available.

Read the full Zemana review →

8. AdwCleaner — Free Companion for PUPs

AdwCleaner is free, no-nonsense, and narrow-scope: it removes potentially-unwanted programs (PUPs), adware, browser hijackers, and toolbar junkware. Owned by Malwarebytes since 2016 but distributed free. Use it when a user reports "my browser is showing weird search results" or "random pop-ups started appearing" — it is often faster to resolve than a full Malwarebytes scan.

Workflow: download from malwarebytes.com/adwcleaner, run the EXE (no installation), click Scan, review findings, click Clean. Reboot. Done. Keeps a backup that can be restored if a false positive caused issues.

Ransomware-Specific Tools — Rollback, Decrypt, Recover

If the machine has been hit by ransomware specifically (file extensions changed, ransom note on desktop, Shadow Volume Copies deleted), the general cleanup tools above are only part of the answer. Dedicated ransomware tooling in 2026:

1. Malwarebytes Ransomware Rollback (if installed pre-infection). Premium clients maintain a 7-day rolling shadow-cache. If Malwarebytes detected and stopped the ransomware process, rollback can revert affected files without paying. Caveat: if the ransomware encrypted faster than Malwarebytes' rollback cache can reconstruct, or if files were on network shares Malwarebytes did not cache, rollback coverage is partial. Still the best built-in option among consumer AV products.

2. Emsisoft Decryptor Library. The Emsisoft decryptor page lists 30+ ransomware families where working decryption keys were recovered — through law-enforcement operations, vendor-side key leaks, or cryptographic weaknesses. If the ransom note matches one of these families (Apocalypse, BadBlock, STOP/DJVU's offline-ID variant, LambdaLocker, NoWay, Kirk, AutoLocky, etc.), decryption is free. r/ransomware moderators link here first on every "my files have .xxx extension" thread.

3. No More Ransom Project. The Europol/partner No More Ransom portal aggregates decryptors from Emsisoft, Kaspersky, Avast, Bitdefender, and others. The Crypto Sheriff tool lets users upload a ransom note and an encrypted file; the site attempts to identify the family and links to the corresponding decryptor if one exists.

4. Backup restoration (always the best answer). If you have offline or immutable backups, restore from backup. Do not pay ransoms when avoidable: payment funds the next attack and does not guarantee decryption. r/ransomware's wiki documents that recovery rates from paid ransoms are lower than vendors advertise.

5. When to call professionals. Business-critical systems, any suspicion that the attackers exfiltrated data (double-extortion), or any regulated-data environment (HIPAA, PCI, GDPR) warrants professional incident response, not DIY cleanup. Coveware, Kroll, and Mandiant handle consumer cases occasionally but are priced for corporate engagements.

Rescue Media for Severe Infections

Three cases need rescue media: the machine will not boot, the AV will not install (because something resident is blocking it), or you suspect a rootkit / bootkit / firmware-level compromise that survives in-OS removal. Rescue media is a bootable USB stick or ISO with a Linux-based scanner that runs outside Windows entirely, so it can read the disk before any malicious driver loads.

Microsoft Defender Offline (built into Windows 10 and 11). Open Windows Security → Virus & threat protection → Scan options → Microsoft Defender Antivirus (offline scan). Windows reboots into the WinRE environment, runs Defender against the disk image, then boots normally. This is the path of least resistance — no USB, no download, no Secure Boot fight — and it works for the majority of "Defender keeps detecting the same thing on every scan" cases where the malware re-installs itself at user logon. For ongoing real-time protection once a machine is clean, see our best antivirus for Windows rankings.

Kaspersky Rescue Disk (free). Bootable Linux ISO with the Kaspersky engine, written to USB with Rufus or balenaEtcher. Signature updates download over Wi-Fi or wired Ethernet from inside the rescue environment. Free for everyone including US users (the US ban applies to Kaspersky's paid commercial products, not the standalone removal utilities). Mature, well-documented, the go-to choice for non-bootable Windows machines on r/techsupport.

ESET SysRescue Live (free). Linux-based ISO with the NOD32 engine. Updates signatures live, mounts NTFS / exFAT / FAT32 partitions, scans, removes, and offers file-level recovery for damaged data. Microsoft-signed shim for current Secure Boot platforms.

Bitdefender Rescue Environment. Bitdefender consumer products install a rescue-mode boot entry on the host: at boot, hold F8 / arrow keys for the Windows boot menu, pick "Bitdefender Rescue Environment," and Bitdefender boots into a minimal Linux environment with a full scanner. Works without external USB if Bitdefender is already installed; rescues itself from infections that prevent the in-Windows scan from running.

HitmanPro.Kickstart. A USB-based companion to HitmanPro that boots the infected machine's existing Windows install in a sandboxed environment so HitmanPro can scan it from a "clean" surface. Less Linux-flavoured than the others — useful when ransomware has locked the desktop with a lock-screen overlay but the OS still boots underneath.

BitLocker considerations. If the system drive is BitLocker-encrypted (default on most Windows 11 Home installations since 24H2, every Windows 11 Pro install with TPM 2.0, and every Windows 10 Pro install with a Microsoft account), the rescue image cannot read the disk without either the recovery key or BitLocker suspended in advance. Practical workflow: while Windows still boots, open elevated PowerShell and run manage-bde -protectors -disable C: to suspend BitLocker for one reboot, then boot the rescue media. After cleanup, re-enable with manage-bde -protectors -enable C:. If Windows will not boot at all, you will need the 48-digit recovery key — find it on your Microsoft account at aka.ms/myrecoverykey, in the BitLocker recovery key text file you (hopefully) saved, or printed in your Azure AD / Entra ID admin console for managed machines.
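The suspend-and-resume workflow above, scripted with the BitLocker PowerShell cmdlets rather than manage-bde. This is an added example, not from the original article; the function names are hypothetical, and it assumes the BitLocker module is available and the system drive is C:. It refuses to suspend unless a recovery-password protector exists, so the 48-digit key remains a fallback if the rescue boot goes wrong.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): suspend BitLocker for one reboot before
# booting rescue media, then confirm protection is back on after cleanup.
# Assumptions: BitLocker PowerShell module is present; the OS volume is C:.

function Get-RescueReadiness {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Only a RecoveryPassword protector gives you the 48-digit fallback key.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus  # On = protected, Off = suspended or unencrypted
        HasRecoveryKey   = $recovery.Count -gt 0
        RecoveryKeyIds   = $recovery.KeyProtectorId
    }
}

function Suspend-ForRescueBoot {
    param([string]$MountPoint = 'C:')

    $state = Get-RescueReadiness -MountPoint $MountPoint

    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        Write-Output "$MountPoint is not encrypted; rescue media can read it as-is."
        return
    }
    if ($state.ProtectionStatus -ne 'On') {
        Write-Output "$MountPoint protection is already suspended."
        return
    }
    if (-not $state.HasRecoveryKey) {
        # Without a saved recovery password there is no way back in if the
        # suspension lapses before the rescue scan has finished.
        throw "No recovery-password protector on $MountPoint. Add one and back it up first."
    }

    # RebootCount 1: protection resumes by itself after the next Windows boot.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Get-RescueReadiness -MountPoint $MountPoint
}

function Confirm-ProtectionRestored {
    param([string]$MountPoint = 'C:')

    $state = Get-RescueReadiness -MountPoint $MountPoint
    if ($state.VolumeStatus -ne 'FullyDecrypted' -and $state.ProtectionStatus -ne 'On') {
        # Still suspended after cleanup: turn protection back on explicitly.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $state = Get-RescueReadiness -MountPoint $MountPoint
    }
    $state
}

# Before booting the rescue USB:    Suspend-ForRescueBoot
# After cleanup, back in Windows:   Confirm-ProtectionRestored
```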

Secure Boot considerations. Modern Secure Boot only allows Microsoft-signed bootloaders. Kaspersky Rescue Disk, ESET SysRescue Live, and the Bitdefender Rescue Environment all ship with Microsoft-signed shim loaders and boot cleanly on default Secure Boot policy as of 2026. Older rescue ISOs (Avira Rescue System, last meaningful release 2017; F-Secure Rescue CD, discontinued) are not signed and require temporarily disabling Secure Boot in UEFI — possible but reduces your platform security posture, so re-enable immediately after the cleanup completes.

When to escalate beyond rescue media. Firmware infections (UEFI bootkits, ME compromises) cannot be cleaned with any of these tools — they are below the OS layer. If a rescue scan keeps finding the same persistence even after wipe-and-reinstall, you are looking at a hardware-level rebuild or a UEFI flash, not a software scan, and that is a professional incident-response conversation.

Second-Opinion Scanners — HitmanPro, Zemana, Emsisoft Emergency Kit

The "second-opinion scan" concept: your main AV is running, you want to confirm nothing slipped past. Second-opinion scanners are built for this — on-demand only, no driver hooks, no real-time conflicts with the main AV.

HitmanPro. Cloud multi-engine verdicts, 30-day free trial per install, ~12 MB installer. The standard recommendation on r/techsupport for "can you verify this machine is clean" after Malwarebytes has removed obvious threats.

Zemana AntiMalware. Similar role to HitmanPro with stronger anti-keylogger bias. Useful for users who do a lot of banking or have had credential-theft incidents.

Emsisoft Emergency Kit (free). A portable, no-install version of Emsisoft's engine. Runs from USB, does not require admin rights for basic scanning. The go-to for booting a compromised machine that will not install new software.

Kaspersky Virus Removal Tool (free, non-US). Standalone scanner from Kaspersky, updates independently, useful as a third opinion. Same US-availability caveat as the full Kaspersky product.

Microsoft Safety Scanner (free). Microsoft's standalone on-demand scanner, expires 10 days after download. Use as a Microsoft-engine sanity check if Defender is the primary AV.

What About Kaspersky Premium?

Kaspersky's engine has been one of the strongest in consumer AV for over a decade. AV-Comparatives 2025 Summary Report: Gold for Malware Protection (the raw file-scanning category), Gold for Anti-Tampering, Silver in multiple other categories. AV-TEST mobile, Stalkerware test, ATP — Kaspersky places near the top of every meaningful benchmark.

It is not in our main Top 8 ranking because of a procurement reality, not a quality concern. In June 2024 the US Department of Commerce issued a Final Determination under the Bureau of Industry and Security (BIS) prohibiting Kaspersky Lab from selling or providing software updates to US persons. The deadline for new sales was 20 July 2024; software updates and resigning of US subscriptions ceased 29 September 2024. Existing US subscriptions were migrated to UltraAV, a separate company, without consumer consent. Kaspersky paid commercial products are not available to US customers since the September 2024 BIS Final Determination. We do not give legal advice on the scope of the determination — consult Kaspersky’s current US availability page for guidance.

If you are outside the United States and your jurisdiction does not have equivalent restrictions (the UK, EU, Canada, Australia, and most of LATAM and APAC do not), Kaspersky Premium remains a legitimate top-tier choice for prevention. Pricing runs roughly $41.99 first year for three devices, $79.99 renewal, comparable to Bitdefender Total Security. Read our full Kaspersky Premium review for the detail.

The free Kaspersky utilities are different. The US Commerce Department determination targets paid commercial products and software-update infrastructure. The standalone, on-demand Kaspersky Virus Removal Tool and the bootable Kaspersky Rescue Disk are not sold — they are free utilities — and are legally available to US users for one-shot cleanup work. We mention them by name in the Second-Opinion Scanners and Rescue Media sections above. Using them is fine; subscribing to Kaspersky Premium from a US billing address is not.

If you are a non-US reader looking for a comparable engine, Bitdefender Total Security and ESET HOME Security Essential are the closest matches on detection quality, both with consumer-friendly pricing and no jurisdictional risk attached.

Stack Recommendations — What Actually Works

The community standard is layered but not overlapping. Here are three stacks that show up repeatedly on r/antivirus, r/techsupport, and r/Windows11 when users ask "what should I actually install."

Stack A: Free + one paid tool (budget, single Windows PC).

  • Microsoft Defender (built-in, 18/18 AV-TEST)
  • Malwarebytes Premium ($44.99/yr) — real-time off, on-demand scans weekly
  • HitmanPro 30-day trial or ESET Online Scanner (free, no install) for occasional second opinion

Total cost: $44.99/yr. This is the most-upvoted recommendation on r/antivirus "what should I install on a new PC" threads throughout 2025-2026.

Stack B: Upgraded prevention + cleanup (small family, 3-5 devices).

  • Bitdefender Total Security ($19.99 first year, 5 devices)
  • Malwarebytes Premium free-tier for on-demand occasional use (no real-time to avoid driver conflicts)

Total cost: $19.99-$89.99/yr (depending on year one vs renewal).

Stack C: Bundle-first (US family, identity-theft concern).

  • Norton 360 Deluxe or Advanced ($49.99-$99.99 first year, 5-10 devices)
  • Malwarebytes Free as occasional second-opinion (no active-protection overlap)

What to avoid: running two real-time AV engines simultaneously (driver conflicts, performance collapse, unpredictable detection), installing multiple "system optimizer" or "PC tune-up" products (most are PUPs themselves), keeping expired trial versions of AV products on the machine (they stop updating but continue to claim real-time control).

Best Malware Removal by User Type

Ten common situations, ten matched picks. Use this as a quick lookup rather than reading the full guide top-to-bottom.

  • Mild adware / browser hijacker on a family Windows PC → AdwCleaner (free, narrow-scope, one scan and done) + Microsoft Defender as the resident layer. The community standard "just clean my browser" combo.
  • Active ransomware mid-encryption (files renaming right now) → Unplug network cable, force-power-off, boot from rescue media. If Malwarebytes Premium was already running and caught the process, attempt rollback before anything else.
  • BitLocker-encrypted Windows that will not boot → ESET SysRescue Live or Kaspersky Rescue Disk + 48-digit BitLocker recovery key from your Microsoft account at aka.ms/myrecoverykey. No key, no scan.
  • Banking trojan / keylogger suspected → Zemana AntiMalware (anti-keylogger module is its specialty) plus a credentials reset from a known-clean device. Do not type passwords on the suspect machine until cleanup is verified.
  • Mac suspected malware (browser hijack, MacKeeper-style PUP, adware) → Malwarebytes for Mac (free tier covers on-demand) + Bitdefender Virus Scanner for Mac (free) as a second opinion. macOS XProtect handles most resident threats already.
  • Android device showing pop-up ads outside any app → Bitdefender Mobile Security on-demand scan; if findings persist, back up to Google Drive, factory-reset, restore. Sideloaded APKs are the usual root cause — check the recently-installed apps list first.
  • iPhone "showing pop-ups" → Almost certainly Safari-injected ad content, not a virus — iOS sandboxing prevents app-level infection in practice. Clear Safari history and website data; if you receive an Apple Threat Notification, follow Apple's specific instructions and enable iOS 26 Lockdown Mode.
  • Rootkit / boot-sector / persistence that survives reboot → ESET SysRescue Live or Kaspersky Rescue Disk. HitmanPro.Kickstart if the desktop is locked but the OS still boots.
  • Fileless malware / crypto miner (high CPU, no visible process, AV finds nothing) → Sysinternals Process Explorer + Autoruns (Microsoft, free) to identify the loader, then Emsisoft Emergency Kit for offline scanning. Fileless threats often hide in WMI subscriptions or scheduled tasks — AV-style file scans miss them.
  • You are a US-based reader wanting the Kaspersky engine → Free Kaspersky Virus Removal Tool or bootable Kaspersky Rescue Disk are legal one-shot options. Paid Kaspersky Premium is not available to US billing addresses since the 2024 Commerce Department determination — substitute Bitdefender Total Security or ESET HOME Security Essential for the resident layer.
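For the fileless-malware case in the list above, a read-only inventory of the two persistence locations it names, WMI subscriptions and scheduled tasks. This is an added example, not from the original article; the function names and the review pattern are assumptions of the example, and a flagged row is a prompt for manual review in Autoruns, not a verdict.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): read-only inventory of WMI event
# subscriptions and non-Microsoft scheduled tasks. Nothing is changed or deleted.

# Heuristic only (an assumption of this example): script hosts, encoded
# commands and user-writable paths in a task action deserve a closer look.
$ReviewPattern = 'powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|' +
                 '-enc|\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

# Only these two standard consumer classes execute code when a filter fires.
$ExecutingConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

function Get-WmiSubscriptionInventory {
    # Permanent subscriptions live in root\subscription. A stock Windows install
    # typically has one binding: "SCM Event Log Filter" to "SCM Event Log Consumer".
    $ns        = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $kind = $b.Consumer.CimClass.CimClassName
        $f = $filters | Where-Object { $_.Name -eq $b.Filter.Name } |
            Select-Object -First 1
        $c = $consumers | Where-Object {
                $_.Name -eq $b.Consumer.Name -and $_.CimClass.CimClassName -eq $kind
            } | Select-Object -First 1

        # The payload sits in a different property depending on consumer class.
        $payload = @($c.CommandLineTemplate, $c.ExecutablePath,
                     $c.ScriptFileName, $c.ScriptText) | Where-Object { $_ }

        [pscustomobject]@{
            Source  = 'WMI subscription'
            Name    = $b.Consumer.Name
            Kind    = $kind
            Trigger = $f.Query                      # the WQL event query
            Payload = $payload -join ' | '
            Review  = $ExecutingConsumers -contains $kind
        }
    }
}

function Get-ScheduledTaskInventory {
    # Tasks under \Microsoft\ are skipped to cut noise; a thorough review
    # includes them, because that folder is writable by administrators too.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                $cmd = "$($a.Execute) $($a.Arguments)".Trim()
                [pscustomobject]@{
                    Source  = 'Scheduled task'
                    Name    = $task.TaskPath + $task.TaskName
                    Kind    = $a.CimClass.CimClassName   # e.g. MSFT_TaskExecAction
                    Trigger = ($task.Triggers |
                        ForEach-Object { $_.CimClass.CimClassName }) -join ', '
                    Payload = $cmd
                    Review  = $cmd -match $ReviewPattern
                }
            }
        }
}

function Get-PersistenceInventory {
    # Rows flagged for review sort to the top.
    @(Get-WmiSubscriptionInventory) + @(Get-ScheduledTaskInventory) |
        Sort-Object -Property @{ Expression = 'Review'; Descending = $true }, Source, Name
}

# Usage: Get-PersistenceInventory | Format-Table -AutoSize -Wrap
```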

How We Test — Methodology

Ranking a cleanup tool is a different exercise from ranking a real-time AV. The major lab cycles (AV-TEST Windows, AV-Comparatives Real-World Protection, SE Labs Home Anti-Malware) measure prevention — can the engine block a malicious sample at execution — against a corpus of fresh-in-the-wild threats. They do not measure how well a tool removes an established infection, recovers ransomware-encrypted files, or coexists with a primary AV. So our weighting for this hub differs from our general antivirus hubs.

1. Independent specialist labs — 45%. AV-Comparatives Anti-Malware Protection Test (annual deep cleanup scenario), MRG Effitas 360 Assessment and Online Banking Browser Security tests, AVLab Cybersecurity Foundation In-the-Wild test (the source of the Malwarebytes 2026 Product of the Year signal), and SE Labs Endpoint Protection ratings where the product is tested. We weight these specialist tests heavier than general AV-TEST scores because they include cleanup and resilience-after-infection scenarios.

2. Hands-on cleanup verification — 25%. We ran Malwarebytes Premium, Emsisoft Anti-Malware Home, HitmanPro, ESET Online Scanner, and Bitdefender Total Security on a Windows 11 + BitLocker test rig with EICAR samples and behavioural ransomware simulators (we do not use live ransomware payloads). We measured cleanup completeness on persistence locations (scheduled tasks, WMI subscriptions, browser extensions), false-positive rate on the AppData binaries set, and recovery completeness after rollback engagement.

3. Feature scope & ransomware tooling — 15%. Rollback capability (Malwarebytes only among consumer products), decryptor library access (Emsisoft and No More Ransom partnership), portable / no-install option, free-tier capability, second-opinion-friendly architecture (no driver conflicts with primary AV), and rescue-media compatibility.

4. Pricing & renewal honesty — 10%. First-year vs renewal price, multi-device cost, free-tier capability, transparency of auto-renewal terms, ease of cancelling. We mark down products with aggressive renewal pricing or auto-billing that requires phone-call cancellation.

5. Rescue-media compatibility — 5%. Whether the product provides bootable rescue media (Kaspersky Rescue Disk, ESET SysRescue Live, HitmanPro Kickstart) and how that media handles Microsoft-signed Secure Boot policies on current Windows 11 24H2 firmware. Rescue compatibility matters for severe infections that prevent the OS from booting cleanly.

What we do NOT weight as numeric evidence: community reports from r/techsupport, r/Malware, r/ransomware, and the No More Ransom project outcome data are consulted as a user-experience signal (install friction, cleanup-flow friction, false-positive frequency, and product-recommendation sentiment) but are not a numeric weight in detection or security evaluation. Detection and remediation evidence comes from the specialist labs and our hands-on rig.

We do not accept paid placement. Affiliate links (where used) are disclosed and do not influence ranking. A product that paid less or nothing is ranked ahead of a higher-paying partner where the data supports it.

Frequently Asked Questions — Malware Removal

What is the best free malware removal tool right now?

Malwarebytes Free. It does on-demand scanning with the same detection engine as Premium — you lose real-time protection, ransomware rollback, and web protection, but the core cleanup capability is identical. Pair with Microsoft Defender (free, built into Windows, 18/18 at AV-TEST) for a zero-cost layered stack. AdwCleaner (also free, Malwarebytes-owned) handles PUPs and browser hijackers.

Can I run Malwarebytes alongside my existing antivirus?

Yes — this is the intended pairing. Malwarebytes Premium is designed to coexist with Microsoft Defender, Bitdefender, Kaspersky, or Norton. If you run two fully-active AV engines you can see driver conflicts, but Malwarebytes' real-time module is tuned specifically to play nicely with other resident AV. If you want extra caution, disable Malwarebytes' real-time and run it as on-demand-only.

How do I tell if my PC actually has malware?

Common signs: sudden slowdowns without new software, browser homepage changed without permission, search results redirecting, new pop-up ads outside a browser, files encrypted with unfamiliar extensions, unexpected admin prompts, antivirus disabled or uninstalled without your action. r/techsupport's triage recommendation: run Malwarebytes Free scan first; if findings appear, follow the full removal sequence (Rkill, Malwarebytes, AdwCleaner, HitmanPro as second opinion). If none of the tools find anything, the slowdown is likely something other than malware.

Should I pay the ransom if I get ransomware?

The community consensus on r/ransomware: no, if you can avoid it. Decryption success rates after payment vary by family but are not 100%, you may fund the next attack, and in regulated industries the payment itself may be a legal issue. Before considering payment: (1) check No More Ransom and Emsisoft's decryptor library for your specific family, because free decryption may already exist; (2) restore from offline backup if available; (3) if the system is business-critical, call professional incident response. Treat payment only as a last resort and, for organizations, only after legal/compliance consultation.

Does Malwarebytes really roll back ransomware?

Yes, with caveats. Malwarebytes Premium maintains a 7-day rolling shadow cache of recently-changed files. When the Anti-Ransomware module detects and stops a ransomware process, it attempts to revert files the process modified using the shadow cache. Rollback works best when: (a) Premium was already installed before infection, (b) Malwarebytes caught the ransomware at process-launch rather than after mass-encryption completed, (c) affected files are on local drives included in the shadow cache. Files on network shares and USB drives outside the cache are not covered. It is a meaningful safety net — not a guarantee.

Is Microsoft Defender good enough on its own?

For a careful user on Windows 11 with modern hardware and common-sense browsing habits — arguably yes. Defender has scored 18/18 at AV-TEST for multiple consecutive cycles through 2024-2026. What Defender lacks is aggressive on-demand cleanup for machines already infected, automated ransomware rollback, and some of the anti-PUP heuristics that third-party tools emphasize. The community-standard recommendation is Defender plus Malwarebytes Premium as the minimum layered stack, not Defender alone.

What is a "second-opinion scanner"?

A scanner designed to run on-demand only, with no real-time driver hooks, so it can run alongside your primary antivirus without conflicts. Use it when you want a different engine's opinion on whether a machine is clean after your primary AV has swept it. HitmanPro and Zemana AntiMalware are the canonical second-opinion tools; Emsisoft Emergency Kit is the free portable option.

How often should I run a full malware scan?

On a machine that does not show symptoms: weekly is more than enough, monthly is fine. On a machine after a cleanup event: run a full scan with your primary AV, a second full scan with Malwarebytes, a third-opinion scan with HitmanPro, and then monitor weekly for the next month. Scheduled scans in modern AV products run in the background — set them and do not worry about manual scanning unless you suspect an incident.

Do I need rescue media if BitLocker is enabled?

Yes, and you need either the recovery key or to suspend BitLocker before booting the rescue media; otherwise the scanner cannot read the encrypted disk. If Windows still boots, open an elevated PowerShell window and run manage-bde -protectors -disable C: to suspend for one reboot, then boot the rescue USB. After cleanup, re-enable with manage-bde -protectors -enable C:. If Windows will not boot, your 48-digit recovery key is at aka.ms/myrecoverykey (Microsoft account), in your saved recovery file, or in your Azure AD / Entra ID admin console.
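
The suspend-and-resume steps above as a script with a pre-check that a recovery password exists before protection is suspended. This is an added example, not Microsoft's or any vendor's script; the parameter names $Action and $MountPoint are assumptions, and it uses the same manage-bde commands as the text plus the built-in Get-BitLockerVolume cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example: wrap the manage-bde steps from the text with safety checks.
param(
    [ValidateSet('Suspend', 'Resume')]
    [string]$Action = 'Suspend',
    [string]$MountPoint = 'C:'          # assumption: the OS volume
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    "$MountPoint is not BitLocker-encrypted; rescue media can read it as-is."
    return
}

if ($Action -eq 'Suspend') {
    # Fallback check: have the 48-digit recovery password on hand in case
    # the rescue environment or Windows asks for it.
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "No recovery password protector on $MountPoint. Add and record one first."
    }
    "Recovery key ID(s) to match against your saved key:"
    $recovery.KeyProtectorId

    # Same command as in the text: suspend protection for one reboot.
    manage-bde -protectors -disable $MountPoint
}
else {
    # After cleanup: turn protection back on.
    manage-bde -protectors -enable $MountPoint
}

if ($LASTEXITCODE -ne 0) {
    throw "manage-bde exited with code $LASTEXITCODE; protection state unchanged."
}

# Expect 'Off' after Suspend and 'On' after Resume.
"Protection status on ${MountPoint}: " +
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
```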

Microsoft Defender Offline vs Microsoft Safety Scanner — what is the difference?

Defender Offline reboots Windows into the WinRE environment and runs Defender against the disk image before the normal OS boots — it is the answer for "Defender keeps detecting the same thing on every scan" because it scans before any malicious user-mode driver loads. Microsoft Safety Scanner (MSERT.exe) is a standalone, in-Windows on-demand scanner that expires 10 days after download (forces fresh signatures on each run) and is useful as a Microsoft-engine sanity check when Defender is not your primary AV. Defender Offline is a Windows feature; Safety Scanner is a separate download. Different tools, different jobs.

Verdict

For active cleanup of an already-infected machine: Malwarebytes Premium. The AVLab 2026 Product of the Year signal, the 7-day ransomware rollback, and the weight of r/techsupport community recommendation make it the default choice.

For ransomware recovery with a realistic chance of getting your files back without paying: Emsisoft Anti-Malware Home plus the free Emsisoft decryptor library plus No More Ransom. Check the decryptor list first — you may not need any paid product.

For second-opinion confirmation scans: HitmanPro (30-day trial is genuinely usable for occasional scans, $24.95/yr if you want it persistent).

For prevention-first users who want to reduce cleanup events: Bitdefender Total Security (AV-Comparatives 2025 Gold ATP, lightest footprint) or ESET HOME Security Essential (NOD32 engine, neutral jurisdiction).

For US users bundling identity-theft protection with cleanup: Norton 360 Deluxe with the renewal playbook applied on day one.

Our single strongest recommendation: Microsoft Defender running real-time, Malwarebytes Premium for on-demand cleanup, and a bookmarked link to No More Ransom in case ransomware happens anyway. Total cost $44.99/year, protection level that matches the $150+ premium bundles on pure detection, and a community-vetted workflow when something does slip through.