Back in my Windows days
I always used anti-virus (mostly Clam) malware guard, and Startup Guard.
If the AV didn't catch something, the malware guard usually would.
if all else failed, SG would usually stop it from running.
The one time I was pwned and had to install and restore from scratch?
My sister sent me a CD of Trappist hymns she thought I'd like.
Put it in, hit play, system collapsed like a house of cards.
Seems the CD had a rootkit on it... Thanks Sony! >:P