How to Remove Malware from Windows: A Practical Step-by-Step Guide

Written by: Abigail Ivy
Published on:

How to remove malware from Windows

Malware on Windows can slow performance, hijack browser settings, steal data, or lock you out of files.

This guide explains how to remove malware from Windows using built-in tools, trusted security software, and a careful cleanup process that reduces the risk of reinfection.

What counts as malware on Windows?

Malware is a broad category that includes viruses, trojans, ransomware, spyware, adware, worms, and rootkits.

On Microsoft Windows, these threats often arrive through phishing emails, malicious downloads, fake software updates, compromised websites, or bundled installers.

Common warning signs include:

  • Unexpected pop-ups, browser redirects, or new toolbars
  • Slow startup, crashes, or high CPU and disk usage
  • Disabled security tools such as Microsoft Defender
  • Unknown programs starting automatically
  • File extensions changing or files becoming inaccessible
  • Unusual account activity or password reset alerts

What should you do first?

Before you start removal, disconnect the PC from the internet if you suspect active spyware, ransomware, or remote-access malware.

This limits data theft and can stop malware from downloading additional payloads.

Next, avoid logging into banking, email, or work accounts from the infected device until it is cleaned.

If possible, use another trusted device to change critical passwords and review recent account activity.

How to remove malware from Windows with built-in tools?

Windows includes security features that can remove many common threats without third-party software.

Microsoft Defender Antivirus is the first tool to use because it integrates with Windows Security and receives regular signature updates through Microsoft Update.

Run a Microsoft Defender scan

  1. Open Windows Security.
  2. Select Virus & threat protection.
  3. Choose Scan options.
  4. Run a Full scan first.
  5. If malware is suspected but not found, run a Microsoft Defender Offline scan.

A full scan checks installed files and running processes.

The offline scan restarts the computer and scans before most Windows services and malware can load, which helps against persistent threats such as rootkits and boot-level malware.

Use Safe Mode if malware blocks cleaning

If malware disables security tools, reboots the PC, or keeps reinstalling itself, boot into Safe Mode.

Safe Mode loads only essential drivers and services, which can make it easier to remove the infection manually or run antivirus scans.

To enter Safe Mode on modern Windows versions:

  1. Open Settings and go to System or Update & Security.
  2. Select Recovery.
  3. Under advanced startup, click Restart now.
  4. Choose Troubleshoot > Advanced options > Startup Settings.
  5. Restart and select Safe Mode or Safe Mode with Networking.

Should you use a second opinion malware scanner?

Yes.

Security vendors such as Malwarebytes, ESET, Bitdefender, and Kaspersky offer on-demand scanners that can detect threats missed by Microsoft Defender.

A second-opinion scan is useful for adware, browser hijackers, and potentially unwanted programs that may not always be classified as severe malware.

When using a third-party scanner, download it only from the official vendor website.

Avoid “free cleanup” utilities promoted by pop-ups or search ads, because fake antivirus tools are a common scam and may worsen the infection.

How do you manually remove suspicious programs and startup items?

After running scans, review installed applications and startup entries.

Malware and adware often hide in legitimate-looking program names or install as browser extensions and scheduled tasks.

Check these locations:

  • Settings > Apps > Installed apps for unknown software
  • Task Manager > Startup apps for unwanted launchers
  • Task Scheduler for suspicious scheduled tasks
  • Browser extensions for hijackers and adware

Uninstall software you do not recognize, but take care not to remove drivers or enterprise tools you need.

If a suspicious entry resists removal, note its name and location before deleting files so you can search reputable security forums or vendor documentation.

How do you clean browsers after malware infection?

Browser hijackers and adware frequently change the homepage, search engine, or new tab page.

They may also inject unwanted extensions into Google Chrome, Microsoft Edge, or Mozilla Firefox.

To clean browsers:

  • Remove unknown extensions and toolbars
  • Reset homepage and search settings
  • Clear browsing data and cached files
  • Check download settings and notification permissions
  • Review saved passwords if credential theft is suspected

If the browser keeps redirecting after cleanup, reset the browser to its default state.

This restores many core settings without deleting bookmarks in most modern browsers, though you should back up important data first.

When should you use System Restore or reinstall Windows?

If scans and manual cleanup fail, System Restore may roll Windows back to a point before the infection.

This can be effective for malware that altered system settings or installed with a recent software change, but it will not always remove deeply embedded threats.

A full reinstall is the most reliable option when dealing with ransomware, boot-sector malware, repeated reinfection, or signs of credential compromise.

Use Windows Recovery Environment or reinstall from trusted installation media, then restore personal files only after scanning them.

How do you protect files before restoring them?

Malware can hide in documents, archives, scripts, and installers.

Before copying files back to a cleaned PC, scan them with Microsoft Defender or another reputable antivirus solution.

Safer recovery practices include:

  • Back up only essential personal files such as documents, photos, and videos
  • Avoid restoring executable files, cracks, keygens, and unknown archives
  • Scan external drives before opening backup folders
  • Keep backups disconnected until you are ready to verify them

How do you prevent malware from coming back?

Prevention matters as much as cleanup.

Windows Security, Microsoft Edge SmartScreen, and regular updates already block many threats, but user habits remain the biggest factor in infection rates.

Best practices include:

  • Keep Windows Update and Microsoft Defender enabled
  • Install software only from trusted vendors and the Microsoft Store when appropriate
  • Use a standard user account for daily work when possible
  • Enable multi-factor authentication for email, banking, and cloud accounts
  • Be cautious with attachments, macros, and unexpected login prompts
  • Back up important files regularly to an offline or versioned backup

If you manage multiple devices, consider endpoint protection, centralized patching, and DNS filtering to reduce exposure across the network.

For home users, a mix of automatic updates, strong passwords, and careful download habits goes a long way.

What are the most common mistakes during malware removal?

Many infections persist because users skip a step or trust the wrong tool.

The most common mistakes are reinstalling software too quickly, ignoring browser hijackers, restoring infected backups, and changing passwords before the device is clean.

Another frequent error is assuming one scan is enough.

Some threats hide components in startup folders, scheduled tasks, or browser profiles, so a layered cleanup approach is more effective than a single quick scan.

When should you get professional help?

Seek professional support if you see signs of ransomware encryption, repeated account compromise, domain join issues, or a machine that cannot boot normally.

Businesses should involve an IT administrator or incident response team immediately, especially if regulated data, customer records, or intellectual property may be affected.

If you suspect identity theft, contact relevant financial institutions, freeze access where needed, and monitor credit accounts.

For home users, documenting what happened before and after cleanup can help identify how the infection entered the system and which accounts may need additional protection.