If your Windows PC is running unusually slow, showing pop-ups you never asked for, redirecting your browser to strange sites, or behaving in ways that just feel off - there is a good chance malware is involved. And before you panic or consider wiping your entire system, know this: most malware infections, even fairly serious ones, are recoverable with the right approach.
Over the years, I have dealt with everything from simple adware on home computers to full-blown ransomware that encrypted an entire business's file server. The method I walk through here is the same process I use professionally, adapted so that anyone can follow it without needing a computer science degree.
This guide covers how to identify an infection, remove malware using both automated tools like Malwarebytes and manual techniques, deal with keyloggers, and handle the nightmare scenario of ransomware that has already encrypted your files.
Understanding how malware arrives helps you avoid getting reinfected after you clean things up. The most common delivery methods I see in real support cases are:
Phishing emails with malicious attachments. A convincing invoice PDF or a shipping notification with a Word document macro. The user opens it, the macro runs, and something quietly installs itself. This is still the number one delivery method for everything from banking trojans to ransomware.
Drive-by downloads from compromised websites. You visit a legitimate-looking site - sometimes even a real site that has been hacked - and a browser exploit drops a payload silently. The user never clicks "download" at all.
Cracked or pirated software. I cannot count how many machines I have cleaned that had a keylogger bundled inside a pirated copy of Adobe Photoshop or a game crack. Whoever packaged that torrent added a little bonus.
Fake software updates. A pop-up claims your Flash Player or Java is out of date. You click "Update Now" and install a trojan. Legitimate software update prompts do not come from browser pop-ups.
USB drives. Still relevant, especially in workplaces. An infected thumb drive plugged into one machine can spread to others through AutoRun exploits or by silently copying itself to every connected device.
Not every malware infection is obvious. Some of the nastiest ones - keyloggers and credential stealers - are specifically designed to be invisible. That said, here are the warning signs that should put you on alert:
If you are seeing even two or three of these symptoms together, treat the machine as compromised and work through the steps below.
Before you do anything else, disconnect the machine from the internet. Unplug the ethernet cable or turn off Wi-Fi from the physical switch if your laptop has one. If you only have a software option, do that.
This matters for two reasons. First, many malware variants phone home constantly - they receive updated instructions, download additional payloads, or exfiltrate your data while connected. Cutting the connection stops that. Second, if ransomware is in the process of encrypting files, disconnecting can sometimes slow or halt the process since some variants check in with a command server during encryption.
Safe Mode loads Windows with only the bare minimum drivers and services. Most malware cannot run in Safe Mode because the hooks it has embedded into normal Windows startup processes simply do not load. This is why running a scan in Safe Mode is far more effective than scanning while Windows is fully running.
To get there on Windows 10 or 11: Hold Shift and click Restart from the Start menu. When the blue recovery screen appears, go to Troubleshoot, then Advanced Options, then Startup Settings, and click Restart. When the system restarts and shows the numbered list, press 5 to boot into Safe Mode with Networking. You need networking enabled so you can download tools if necessary.
Malwarebytes is the tool I recommend first in almost every case, and I have been recommending it for well over a decade. The free version is genuinely capable and does not require a subscription to run a thorough scan and remove what it finds.
Go to malwarebytes.com on a clean device if possible and download the installer to a USB drive, then transfer it. If your infected machine still has internet access in Safe Mode, you can download it directly. Install it, run a full Threat Scan (not a quick scan - a full one), and let it run to completion. On a heavily infected machine this can take 30 to 45 minutes.
When the scan finishes, quarantine everything it finds and restart the machine. Do not skip the restart - some removals are not finalized until after a reboot. After restarting, run the scan a second time. If the second scan comes back clean, you have cleared most common infections. If it keeps finding the same items repeatedly, the malware has a persistence mechanism you need to address manually.
No single tool catches everything. After Malwarebytes, I always run one additional scanner from a different vendor. Two tools I trust for this purpose:
HitmanPro (by Sophos) - uses cloud-based detection and is excellent at catching rootkits and remnants that signature-based tools miss. The 30-day trial is enough to clean an infected machine at no cost.
ESET Online Scanner - a standalone, no-install scanner from one of the most respected names in endpoint security. Takes longer than Malwarebytes but has excellent detection rates for trojans and spyware.
Run either one of these after Malwarebytes and quarantine or delete anything they find.
Keyloggers are particularly concerning because they sit silently in the background recording every keystroke - passwords, credit card numbers, private messages, everything. Malwarebytes catches many of them, but it is worth doing a manual check as well.
Open Task Manager (Ctrl + Shift + Esc) and look through the Processes tab carefully. Sort by CPU or memory usage. Look for processes with names that are random strings of letters, misspellings of legitimate Windows processes (like "svch0st.exe" with a zero instead of an "o"), or processes located in unusual folders like AppData or Temp. Right-click any suspicious process and choose "Open file location" - if it is sitting in a Temp folder or your Downloads folder, that is a red flag.
Also check your startup programs. Press Windows + R, type msconfig and go to the Startup tab; on Windows 10/11 that tab only redirects you to Task Manager, so open Task Manager (Ctrl + Shift + Esc) and use its Startup tab directly. Disable anything you do not recognize. Keyloggers and other persistent malware almost always add themselves to startup.
Finally, check your browser extensions. Open each browser you use and review the installed extensions. Remove anything you do not remember installing. A browser extension with broad permissions to "read and change all data on websites" is essentially a keylogger for your web traffic if it is malicious.
If you have any reason to believe a keylogger was present - or if the infection lasted more than a day or two before you caught it - assume your passwords are compromised. Change them from a different, clean device. Start with email, banking, and any account where a password reset link would be sent. Enable two-factor authentication on everything important while you are at it.
Do not change passwords from the infected machine until you are certain it is clean. Changing a password on a machine that still has an active keylogger just gives the attacker your new password.
If ransomware has already encrypted your files, the situation is more complicated. Here is the honest picture:
Removing the ransomware itself is straightforward - Malwarebytes and similar tools will clean the active infection. The problem is that removing the malware does not decrypt your files. The encrypted data stays encrypted.
Your options, in order of preference:
Check for a decryptor. Visit nomoreransom.org - this is a legitimate project run jointly by Europol and several cybersecurity companies. Upload one of your encrypted files and the ransom note, and the site will attempt to identify the ransomware family and tell you if a free decryptor exists. For older ransomware variants like WannaCry, GandCrab, and several others, free decryptors are available. For newer, properly implemented ransomware, there may not be one.
Restore from backup. If you have a recent backup - whether on an external drive that was not connected during the attack, or in a cloud service like OneDrive or Backblaze - restore from there. This is the fastest and cleanest path to recovery and is the reason backup discipline exists.
Shadow Copy / Previous Versions. Windows creates Volume Shadow Copies by default. Ransomware usually deletes these, but not always. Right-click an encrypted folder, choose Properties, then the Previous Versions tab. If shadow copies exist, you may be able to restore files from there.
Wait. Law enforcement periodically seizes ransomware command servers and publishes the decryption keys. If your data is important but not time-critical, hold onto the encrypted files. A decryptor for your variant may be released in the future.
Do not pay the ransom unless you have exhausted every other option and the data is genuinely irreplaceable. There is no guarantee of getting a working decryptor, and payment funds further attacks.
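The Shadow Copy option above relies on the Explorer Previous Versions tab, which reads the same Volume Shadow Copies that PowerShell can enumerate directly. The following script is an added example and is not part of the original guide: it lists every shadow copy with the drive and time it covers, exposes one as a browsable folder, and copies a file out of it. The function names, the link path C:\ShadowView and the sample path Users\alice\Documents\report.docx are placeholders chosen for this example. It assumes an elevated PowerShell session on Windows 10/11, and that System Protection was enabled for the volume; if the list comes back empty, either it was never enabled or the ransomware removed the snapshots, and the next option in the list applies.

```powershell
# Added example, not part of the original guide. Lists Volume Shadow Copies from PowerShell
# (the same snapshots the Explorer "Previous Versions" tab reads) and exposes one as a folder
# so files can be copied out even when the tab shows nothing for a given file.
# Needs an elevated (Administrator) PowerShell session. Shadow copies exist only if System
# Protection was enabled for the volume, and ransomware frequently deletes them, so an
# empty list is itself useful information.

function Get-ShadowCopyInventory {
    # Map each snapshot to the drive letter it covers and the time it was taken, newest first.
    $letterByVolume = @{}
    Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
        if ($_.DriveLetter) { $letterByVolume[$_.DeviceID] = $_.DriveLetter }
    }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Created      = $_.InstallDate
            Drive        = $letterByVolume[$_.VolumeName]
            ID           = $_.ID
            DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created -Descending
}

function Mount-ShadowCopy {
    # Expose a snapshot as a directory symbolic link. mklink is a cmd.exe built-in and needs the
    # trailing backslash on the device path; keep $LinkPath free of spaces so no quoting is needed.
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$LinkPath = 'C:\ShadowView'   # placeholder location chosen for this example
    )
    if ($LinkPath -match '\s') { throw 'Use a link path without spaces.' }
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists; remove it first." }
    cmd.exe /c mklink /d $LinkPath "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    return $LinkPath
}

function Dismount-ShadowCopy([string]$LinkPath = 'C:\ShadowView') {
    # rmdir on a directory symlink removes only the link, never the snapshot contents.
    cmd.exe /c rmdir $LinkPath
}

function Restore-FromShadow {
    # Copy one file or folder out of a mounted snapshot to a clean destination and return it.
    param(
        [Parameter(Mandatory)][string]$LinkPath,      # link returned by Mount-ShadowCopy
        [Parameter(Mandatory)][string]$RelativePath,  # e.g. 'Users\alice\Documents\report.docx'
        [Parameter(Mandatory)][string]$Destination    # preferably an external or different drive
    )
    $source = Join-Path $LinkPath $RelativePath
    if (-not (Test-Path -LiteralPath $source)) { throw "Not present in this snapshot: $source" }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null
    Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
    Get-Item -LiteralPath (Join-Path $Destination (Split-Path $RelativePath -Leaf))
}

# Usage: list the snapshots, mount the newest one for C:, look inside it, unmount.
$snapshots = Get-ShadowCopyInventory
if (-not $snapshots) {
    Write-Warning 'No shadow copies found: System Protection was off or the ransomware deleted them.'
} else {
    $snapshots | Format-Table Created, Drive, ID, DeviceObject -AutoSize
    $newest = $snapshots | Where-Object Drive -eq 'C:' | Select-Object -First 1
    if ($newest) {
        $link = Mount-ShadowCopy -DeviceObject $newest.DeviceObject
        Get-ChildItem -LiteralPath $link | Select-Object Name   # top level of the snapshot
        # Restore-FromShadow -LinkPath $link -RelativePath 'Users\alice\Documents\report.docx' -Destination 'E:\Recovered'
        Dismount-ShadowCopy $link
    }
}
```

Restore to a different drive than the encrypted one where possible, and compare file dates against the ransom note's timestamp: a snapshot taken after encryption started will contain encrypted copies, so the newest snapshot is not always the right one.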
Malware keeps coming back after removal. This usually means there is a dropper or loader hiding somewhere that reinstalls the main payload. Check scheduled tasks (open Task Scheduler and look for anything that runs frequently with a suspicious command), check the registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), and look for rogue services in msconfig under the Services tab. If you tick "Hide all Microsoft services" first, anything remaining that looks suspicious warrants investigation.
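The manual checks in the keylogger section (processes running from Temp or AppData, misspelled system process names, startup entries) and the persistence checks in the paragraph above (Run keys, scheduled tasks, non-Microsoft services) can be collected in one pass. The script below is an added example, not part of the original guide or of any of the tools it names: it builds a read-only worklist of every process, Run/RunOnce value, non-Microsoft scheduled task and service, and flags entries that run from a user-writable folder, carry no valid Authenticode signature, or have a file name one character away from a core Windows process. The function names and the list of core process names are choices made for this example, and it assumes Windows 10/11 with an elevated PowerShell prompt so that every process path and service is visible.

```powershell
# Added example, not part of the original guide. Read-only persistence triage that mirrors the
# manual Task Manager / msconfig checks: running processes, Run/RunOnce keys, scheduled tasks
# and services. It only reports; nothing is stopped, disabled or deleted. Run it from an
# elevated PowerShell prompt so that every process path and service is visible.

# Folders core Windows components never run from, but droppers and keyloggers often do.
$UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads", $env:PUBLIC)

function Test-UserWritablePath([string]$Path) {
    if (-not $Path) { return $false }
    foreach ($root in $UserWritableRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CommandImage([string]$CommandLine) {
    # Pull the executable out of a command line such as  "C:\Tool\x.exe" --hide  or  C:\x.exe /q
    if (-not $CommandLine) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($c.StartsWith('"')) { $end = $c.IndexOf('"', 1); if ($end -gt 1) { return $c.Substring(1, $end - 1) } }
    return ($c -split ' ')[0]   # an unquoted path with spaces is truncated here, which is itself worth a look
}

function Get-SignerStatus([string]$Image) {
    # 'signed: <subject>' for a valid Authenticode signature, otherwise why it failed.
    if (-not $Image) { return 'no image' }
    if (-not (Test-Path -LiteralPath $Image)) {
        # Bare names such as cmd.exe are resolved through PATH; anything else is reported as missing.
        $resolved = (Get-Command $Image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1).Source
        if (-not $resolved) { return 'path not found' }
        $Image = $resolved
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Image
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "unsigned ($($sig.Status))"
}

function Test-Lookalike([string]$Image) {
    # True when the file name is one character away from a core Windows process name (svch0st.exe).
    $core = 'svchost', 'csrss', 'lsass', 'winlogon', 'explorer', 'services', 'wininit', 'smss', 'dwm'
    $n = [IO.Path]::GetFileNameWithoutExtension([string]$Image).ToLowerInvariant()
    if (-not $n -or $core -contains $n) { return $false }
    foreach ($k in $core) {
        if ($k.Length -ne $n.Length) { continue }
        $diff = 0
        for ($i = 0; $i -lt $k.Length; $i++) { if ($k[$i] -ne $n[$i]) { $diff++ } }
        if ($diff -eq 1) { return $true }
    }
    return $false
}

function New-Finding($Source, $Name, $Command, $Image) {
    if (-not $Image) { $Image = Get-CommandImage $Command }
    [pscustomobject]@{
        Source       = $Source
        Name         = $Name
        Signature    = Get-SignerStatus $Image
        UserWritable = Test-UserWritablePath $Image
        Lookalike    = Test-Lookalike $Image
        Command      = $Command
    }
}

function Get-PersistenceFindings {
    # 1. Running processes (the Task Manager view). ExecutablePath is empty for protected processes.
    Get-CimInstance Win32_Process | Where-Object ExecutablePath | ForEach-Object {
        New-Finding 'process' "$($_.Name) (PID $($_.ProcessId))" $_.ExecutablePath $_.ExecutablePath
    }
    # 2. Run / RunOnce keys for the current user (as in the troubleshooting section) and the machine.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path $path)) { continue }
            (Get-ItemProperty $path).PSObject.Properties |
                Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' } |
                ForEach-Object { New-Finding "registry $path" $_.Name ([string]$_.Value) }
        }
    }
    # 3. Scheduled tasks outside the \Microsoft\ tree; COM-handler actions have no Execute and are skipped.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                $exe = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
                New-Finding 'task' "$($task.TaskPath)$($task.TaskName)" ("$($a.Execute) $($a.Arguments)".Trim()) $exe
            }
        }
    }
    # 4. Services (msconfig's Services tab); the signature filter below plays the role of
    #    "Hide all Microsoft services".
    Get-CimInstance Win32_Service | ForEach-Object { New-Finding 'service' $_.Name $_.PathName }
}

# Show only the entries worth a second look. Legitimate unsigned third-party software will appear
# too: this is a prioritised worklist for the manual checks, not a verdict.
Get-PersistenceFindings |
    Where-Object { $_.UserWritable -or $_.Lookalike -or $_.Signature -notlike 'signed:*' } |
    Format-Table Source, Name, Signature, UserWritable, Lookalike, Command -AutoSize -Wrap
```

Run it once on the infected machine and, if you have one, once on a known-clean machine with similar software; the entries that only appear on the infected one are where a dropper or loader is most likely hiding. Save the full output with `Get-PersistenceFindings | Export-Csv findings.csv` before quarantining anything so you keep a record of what was changed.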
Malwarebytes will not install or run. Some aggressive malware specifically targets security tools and prevents them from running. Try renaming the Malwarebytes installer to something random like "photo123.exe" before running it - this bypasses some of the more simplistic blocks. Alternatively, try Malwarebytes Chameleon, which is a tool specifically designed to install and run in the presence of active malware.
Windows Defender keeps getting disabled. This is a sign of an active infection with administrative-level access to your system. Some rootkits embed themselves at a level below Windows and are extremely difficult to remove from within the running operating system. In these cases, scanning the drive offline - booting from a Windows installation USB and using its built-in repair tools, or using a bootable antivirus like Kaspersky Rescue Disk - is more effective.
Nuclear option - reinstall Windows. If you cannot get a clean scan after all the above, or if the machine had full-access ransomware or a rootkit, a clean reinstall of Windows is sometimes the only reliable path to a truly clean system. Use the "Reset this PC" option with "Remove everything" selected, or better, boot from a Windows installation USB and do a fresh install. Save your personal files to an external drive first, scan them before copying them back, and reinstall all applications from original sources.
| Tool | Cost | Scans & Removes | Real-Time Protection | Best For |
|---|---|---|---|---|
| Malwarebytes Free | Free | Yes | No | On-demand cleanup of existing infections |
| Malwarebytes Premium | Paid | Yes | Yes | Ongoing protection + removal |
| Windows Defender | Free (built-in) | Yes | Yes | Everyday baseline protection |
| HitmanPro | Free trial / Paid | Yes | No | Second-opinion, rootkit detection |
| ESET Online Scanner | Free | Yes | No | Deep one-time scan, no installation required |
| Kaspersky Rescue Disk | Free | Yes | No | Offline scanning when Windows cannot boot cleanly |
Keep Windows and all software updated. The vast majority of successful malware attacks exploit known vulnerabilities that already have patches available. WannaCry, the ransomware that shut down hospitals and organizations worldwide, exploited a Windows vulnerability that had been patched two months before the attack. The machines that got hit simply had not applied the update.
Use a password manager and enable two-factor authentication. Even if a keylogger does get your password, 2FA means the attacker cannot use it without also controlling your phone or email.
Back up regularly, and test your backups. The 3-2-1 rule: three copies of your data, on two different types of media, with one copy off-site or in the cloud. A backup you have never tested restoring from is not a reliable backup.
Be suspicious of unexpected email attachments and links. If an invoice arrived by email and you were not expecting one, call the sender before opening the attachment. If a link in an email seems off, go directly to the website by typing the address rather than clicking.
Do not run as an administrator for daily use. Create a standard user account for day-to-day work. Running as an administrator means any malware you accidentally execute also has administrator rights. A standard user account limits the damage most infections can do.
Use Windows Defender alongside Malwarebytes Free. Windows Defender is competent and improves significantly with each major Windows update. Running Malwarebytes Free alongside it for periodic on-demand scans covers gaps that real-time protection occasionally misses.
Malware infections range from mildly annoying adware all the way up to destructive ransomware that can encrypt years of work. The good news is that the removal process is systematic, and in the majority of cases, it works. Disconnect from the network, boot into Safe Mode, run Malwarebytes followed by a second-opinion scanner, check manually for keyloggers and suspicious startup entries, and reset your passwords from a clean device.
The steps in this guide cover the situations I encounter most frequently in real support work. If you follow them in order, you will resolve most infections without paying for professional recovery services or losing your data.
Going forward, the best protection is a combination of good habits - keeping software patched, backing up regularly, and being skeptical of unexpected emails - paired with Windows Defender for real-time coverage and occasional Malwarebytes scans to catch anything that slips through. That combination is free, reliable, and what most security professionals actually run on their own machines.
If you are still seeing symptoms after working through all of these steps, feel free to describe what you are experiencing in the comments below. The more detail you can share - what the malware scanner found, what the suspicious process was named, what your files look like - the more targeted the advice can be.
A standard Windows reset - particularly one that reformats the drive - eliminates virtually all malware. The exception is firmware-level rootkits, also called bootkits, which embed themselves in the UEFI firmware and can survive a full OS reinstall. These are rare and targeted, not something the average home user encounters. If you suspect a firmware infection, the manufacturer's firmware update tool may be able to overwrite it.
Yes, for removal of an existing infection, the free version of Malwarebytes does everything the paid version does. The key difference is that the paid version adds real-time protection to block threats before they install. For cleaning an already-infected machine, free is sufficient.
Keyloggers are designed to be invisible, so you may not see obvious symptoms. The best approach is to run a full scan with Malwarebytes and a second scanner like ESET. Also audit your running processes in Task Manager and your startup programs for anything unfamiliar. If you have noticed unexplained account activity - emails you did not send, logins from unknown locations - treat that as a strong indicator.
As a general rule, no. Payment does not guarantee you will receive a working decryption key, and it funds future attacks. Check nomoreransom.org first for free decryptors, check your backups, and check Windows Shadow Copies before considering payment. If the data is truly irreplaceable and business-critical with no other option, that changes the calculation - but exhaust every alternative first.
Yes, certain malware types - particularly worms and some ransomware variants - actively scan the local network for other devices to infect. This is why disconnecting from the network early in the cleanup process matters, and why you should scan other devices on the same network even if they appear unaffected.
No. Malwarebytes targets malicious executables, scripts, registry entries, and infected system files. It does not touch your documents, photos, videos, or personal data. If it quarantines something you believe is legitimate, you can restore it from the quarantine before permanently deleting it.
This is common with more sophisticated infections. The antivirus removed what it could detect, but something else remains. Run Malwarebytes as a second scanner, then HitmanPro or ESET Online Scanner. Also manually check startup programs, scheduled tasks, and browser extensions. If the machine still behaves suspiciously after all that, an offline scan with Kaspersky Rescue Disk or a Windows reinstall is the next step.