How to Remove Malware From a Windows PC: Step-by-Step Cleanup Guide


ThreatShield Hub Editorial
2026-06-08
9 min read

A reusable step-by-step checklist for isolating, scanning, cleaning, and recovering an infected Windows PC safely.

If you need to remove malware from a Windows PC without making the situation worse, this guide gives you a practical checklist you can reuse: how to isolate the device, which built-in and on-demand tools to run, what to clean up afterward, and when to stop troubleshooting and move to password resets, restore, or full rebuild. It is written for real-world cleanup, not just detection, and it assumes you want a process you can return to whenever Windows tools or your preferred scanners change.

Overview

Windows malware removal is easiest when you treat it as a sequence, not a single scan. A rushed cleanup often misses persistence mechanisms, leaves risky browser extensions in place, or restores a machine to use before accounts and credentials are secured. The safer approach is to contain first, inspect second, remove third, and recover last.

Before you start, keep one boundary in mind: no single tool catches everything. Microsoft’s Windows Malicious Software Removal Tool, or MSRT, is useful for removing certain widespread malware families after infection, but it is not a full antivirus product and does not replace one. Microsoft also positions it as a post-infection cleanup utility rather than ongoing protection. For broader offline or second-opinion scanning, Windows Defender Offline or Microsoft Safety Scanner are more appropriate options. That distinction matters because many users assume a single quick scan equals a clean system.

Use this checklist if your PC shows signs such as:

  • Unexpected pop-ups, redirects, or browser search changes
  • Security software disabled without your approval
  • Unknown startup apps, scheduled tasks, or services
  • High CPU, disk, or network usage with no clear cause
  • Ransom notes, locked files, or unusual file extensions
  • New admin accounts or login prompts you did not expect
  • Payment, email, or cloud accounts reporting suspicious logins

If you suspect ransomware, active remote access, or data theft in a business setting, slow down. Evidence, logs, and account containment may matter more than immediate file deletion. In that case, isolate the endpoint and follow your incident response process before aggressive cleanup.

Core malware removal checklist

  1. Disconnect the PC from the network if the threat appears active.
  2. Do not sign in to banking, email, or admin accounts from the infected machine.
  3. Document symptoms: screenshots, ransom note, process names, odd extensions, browser behavior.
  4. Boot into Safe Mode only if normal mode is unstable or security tools will not run.
  5. Run Microsoft Defender scan, then Defender Offline for deeper inspection.
  6. Use a second-opinion scanner such as Microsoft Safety Scanner if needed.
  7. Remove suspicious startup items, browser extensions, and recently installed unknown apps.
  8. Install Windows and browser updates after scans are complete and stability returns.
  9. Reset passwords from a clean device, starting with email and admin accounts.
  10. Monitor for reinfection, and rebuild the PC if trust cannot be restored.

Checklist by scenario

This section breaks the process into common Windows malware situations so you can act without guessing.

Scenario 1: The PC is usable, but you suspect adware, spyware, or a trojan

This is the most common case: the system still boots and you can sign in, but behavior is off.

  1. Disconnect from the internet if you see suspicious outbound traffic, pop-ups, or remote-control symptoms. If you only need to download tools, reconnect briefly from a trusted source and disconnect again.
  2. Open Windows Security and check whether Microsoft Defender Antivirus is active. If another antivirus is installed, confirm it is legitimate and up to date rather than a rogue product.
  3. Run a full antivirus scan. A quick scan is fine for triage, but a full scan is the better default during cleanup.
  4. Run Microsoft Defender Offline if signs of persistence remain. Offline scanning helps when malware interferes with normal Windows processes.
  5. Run MSRT or verify it has run through Windows Update. Remember that MSRT targets specific prevalent threats rather than broad coverage.
  6. Use Microsoft Safety Scanner as a second opinion if the machine still behaves strangely after Defender findings are removed.
  7. Review installed applications in Settings and uninstall anything unknown, newly installed, or clearly unwanted.
  8. Inspect browser extensions in every browser you use. Remove anything you did not intentionally install.
  9. Reset browser settings if your search engine, home page, notifications, or proxy settings were changed.
  10. Reboot and rescan. If symptoms return immediately, assume persistence remains.
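Steps 2 to 4 of this scenario, and the "Security tooling status" checks later in the guide, can be run from one elevated PowerShell session. The script below is an added example, not code from the original article; it assumes Windows 10/11 with Microsoft Defender Antivirus and its Defender PowerShell module, and `-RunOffline` is this script's own switch rather than a Defender option.

```powershell
# Added example, not from the original article: Defender triage for steps 2-4.
# Assumes Windows 10/11 with Microsoft Defender Antivirus and its PowerShell
# module, run from an elevated session. -RunOffline is this script's own switch.
[CmdletBinding()]
param([switch]$RunOffline)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Step 2: confirm the engine is really active rather than switched off by malware.
$checks = [ordered]@{
    'Antimalware service running'  = $status.AMServiceEnabled
    'Real-time protection on'      = $status.RealTimeProtectionEnabled
    'Tamper protection on'         = $status.IsTamperProtected
    'Signatures newer than 7 days' = ($status.AntivirusSignatureAge -lt 7)
}
foreach ($c in $checks.GetEnumerator()) {
    $mark = if ($c.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $mark, $c.Key)
}

# Exclusions are a favourite tampering target; every entry should be explainable.
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    foreach ($item in @($pref.$kind)) {
        if ($item) { Write-Output ("[REVIEW] {0}: {1}" -f $kind, $item) }
    }
}

# Step 3: full scan, not quick. The signature update needs the brief
# reconnection the text describes; the scan itself runs offline and blocks
# until it finishes.
Update-MpSignature -ErrorAction SilentlyContinue
Start-MpScan -ScanType FullScan

# What was found in the last 24 hours, with Defender's name for each threat.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-1) } |
    Select-Object InitialDetectionTime,
                  @{ n = 'Threat'; e = { $names[$_.ThreatID] } },
                  ProcessName, ActionSuccess, Resources |
    Format-Table -AutoSize -Wrap

# Step 4: Defender Offline reboots into the offline scanner, so save work
# first and run it only when persistence is suspected.
if ($RunOffline) { Start-MpWDOScan }
```

Any FAIL line or unexplained exclusion is itself evidence of tampering and belongs in your symptom notes before cleanup continues.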

Good targets to inspect manually after scans:

  • Startup apps in Task Manager or Settings
  • Scheduled tasks
  • Services with random names or unclear publishers
  • Browser notification permissions and site exceptions
  • Hosts file, proxy settings, and DNS changes

Scenario 2: The PC is unstable, security tools are blocked, or malware keeps coming back

When malware disables protection, kills scanners, or respawns after reboot, you need a more controlled workflow.

  1. Isolate the system from Wi-Fi and Ethernet.
  2. Boot into Safe Mode if normal mode is too unstable to scan. Safe Mode can reduce the number of malicious processes running, though not every threat is neutralized this way.
  3. Run Defender Offline or another trusted offline-capable scanner.
  4. Run a second scan after reboot in normal mode once stability improves.
  5. Check for policy tampering, including disabled antivirus settings, blocked update services, or restricted admin tools.
  6. Look for persistence through startup entries, Run keys, scheduled tasks, WMI-based persistence, and local user accounts you do not recognize.
  7. Patch Windows and browsers once you are confident the scanner can stay active.

If a machine repeatedly disables Defender, changes exclusions on its own, or creates new admin-level persistence, stop assuming this is routine adware. At that point, a clean rebuild is often more trustworthy than repeated partial remediation.

Scenario 3: Browser hijacker or fake update malware

If the main symptom is constant redirects, fake search engines, coupon overlays, push spam, or prompts to install codecs and browser updates, the infection may be concentrated in the browser layer.

  1. Export bookmarks if needed.
  2. Remove suspicious extensions from Chrome, Edge, Firefox, and any Chromium-based browser on the system.
  3. Review notification permissions and remove unknown sites.
  4. Reset the affected browser to default settings.
  5. Check shortcut targets to ensure the browser is not launching with malicious command-line arguments.
  6. Review installed apps for bundled software, download assistants, “PDF tools,” and unknown system optimizers.
  7. Run full and offline scans anyway, because browser hijackers sometimes arrive with additional payloads.

Do not stop after the browser looks normal. Some browser-focused malware also changes registry settings, scheduled tasks, or DNS configuration to reinstate itself later.

Scenario 4: Possible credential theft or spyware

If passwords changed unexpectedly, MFA prompts appeared without explanation, or your browser-saved credentials were accessed, cleanup alone is not enough.

  1. Use a clean device to reset passwords, starting with your primary email account, then password manager, admin accounts, banking, and cloud services.
  2. Revoke active sessions where possible.
  3. Rotate MFA methods if you suspect a device token or authenticator session was exposed.
  4. Audit browser-stored passwords and assume anything saved locally may be compromised.
  5. Check forwarding rules in email and unexpected app authorizations in Microsoft, Google, and other SaaS accounts.
  6. Rescan the PC before signing back in.

For infostealer-type risk, many security teams prefer reimaging the endpoint rather than trusting malware removal alone. That is a sensible default if the PC handled admin credentials, production access, or financial accounts.

Scenario 5: Suspected ransomware

Ransomware is different because every reboot, login, or network reconnection can change the scope of damage.

  1. Immediately disconnect the PC from all networks and removable storage.
  2. Do not start deleting files or running random decrypt tools.
  3. Preserve evidence: ransom note, file extensions, process names, timestamps, suspicious executables.
  4. Check whether backups are intact from a separate clean system.
  5. Escalate through your incident response path if this is a work device or the machine had access to shared storage.
  6. Rebuild rather than “clean” if encryption or lateral movement is confirmed.

For ransomware, the decision is less about how to remove malware from a PC and more about how to restore trust and data safely.

What to double-check

Malware cleanup often appears complete before it actually is. These are the areas most likely to be missed.

Security tooling status

  • Microsoft Defender or your chosen antivirus is enabled
  • Definitions are current
  • Tamper protection or equivalent self-protection is enabled if available
  • No unexplained exclusions were added for folders, file types, or processes

Persistence locations

  • Startup apps and startup folders
  • Scheduled tasks
  • Services and drivers
  • Registry Run and RunOnce keys
  • Local admin accounts and group membership
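The locations above, together with the manual targets listed in Scenario 1 and the WMI and local-account checks in Scenario 2, can be enumerated in one pass. The script below is an added example, not code from the original article; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 and makes no changes.

```powershell
# Added example, not from the original article: a read-only sweep of common
# persistence locations. Assumes an elevated PowerShell 5.1+ session.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Output '== Registry Run / RunOnce values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Output ("{0}\{1} = {2}" -f $key, $_.Name, $_.Value) }
}

Write-Output '== Startup folders =='
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
              "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Write-Output '== Enabled scheduled tasks not authored by Microsoft =='
Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $a = $_.Actions | Select-Object -First 1
        [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
    } | Format-Table -AutoSize -Wrap

Write-Output '== Auto-start services whose binary lives outside the Windows folder =='
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch [regex]::Escape($env:windir) } |
    Select-Object Name, State, PathName | Format-Table -AutoSize -Wrap

# Windows ships one consumer ("SCM Event Log Consumer"); anything else needs explaining.
Write-Output '== WMI permanent event consumers =='
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    Select-Object Name, @{ n = 'Type'; e = { $_.CimClass.CimClassName } }

Write-Output '== Members of the local Administrators group =='
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass
```

Legitimate software appears in every one of these lists, so the goal is an inventory you can compare against what you installed, not an automatic verdict.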

Network and browser settings

  • Proxy settings are intentional
  • DNS servers are expected for your environment
  • Hosts file does not contain malicious redirects
  • Browser search engine, homepage, and notification settings are normal
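The hosts, proxy and DNS items in this list (also the manual targets in Scenario 1) can be dumped for comparison with what you expect. The script below is an added example, not code from the original article; it assumes Windows 10/11, is read-only, and `$expectedDns` holds placeholder resolvers you replace with your own.

```powershell
# Added example, not from the original article: list hosts, proxy and DNS
# settings so they can be compared with what you expect. Read-only.
# $expectedDns is a placeholder; replace it with your environment's resolvers.
$expectedDns = @('192.0.2.53', '192.0.2.54')

Write-Output '== Active hosts file entries =='
Get-Content "$env:windir\System32\drivers\etc\hosts" |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }

Write-Output '== Per-user WinINET proxy (used by Edge, Chrome and most apps) =='
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL   # a PAC script can redirect traffic silently
} | Format-List

Write-Output '== System-wide WinHTTP proxy =='
netsh winhttp show proxy

Write-Output '== DNS servers on connected adapters =='
$connected = (Get-NetAdapter | Where-Object Status -eq 'Up').InterfaceIndex
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceIndex -in $connected -and $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $flag = if ($expectedDns -contains $srv) { 'OK    ' } else { 'REVIEW' }
            Write-Output ("[{0}] {1}: {2}" -f $flag, $_.InterfaceAlias, $srv)
        }
    }

Write-Output '== Connected adapters with manually set (non-DHCP) addresses =='
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Disabled' -and $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, Dhcp
```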

System integrity and updates

  • Windows Update works
  • Browsers update normally
  • No critical business apps are broken by cleanup
  • Restore points or backups exist before major changes going forward

Account security

  • Email password changed from a clean device
  • Admin and domain credentials rotated if used on the infected machine
  • Unrecognized sign-ins reviewed
  • MFA prompts and recovery methods audited

If you want stronger prevention after recovery, compare the tradeoffs in Free Antivirus vs Paid Antivirus: What You Actually Get in 2026 and a broader suite comparison in Microsoft Defender vs Bitdefender vs Norton: Which Protection Is Best?.

Common mistakes

Most failed malware removal efforts come down to a few repeatable errors.

  • Treating MSRT like a full antivirus. Microsoft’s own position is clear: MSRT removes certain common threats after infection, but it does not replace antivirus protection.
  • Running only one quick scan. A quick scan is triage, not closure. Use full or offline scans when symptoms are serious.
  • Resetting passwords on the infected machine. If spyware or an infostealer is involved, you may hand over the new password immediately.
  • Ignoring the browser. Extensions, notification abuse, and policy changes can keep the problem alive even after malware files are deleted.
  • Cleaning the endpoint but not the accounts. Mailbox forwarding rules, stolen sessions, and cloud app authorizations can outlast the local infection.
  • Reconnecting too early. An infected machine on the network can continue command-and-control traffic or touch mapped resources.
  • Trusting the machine too soon. If a PC handled privileged credentials or shows signs of deep persistence, rebuilding is often the cleaner decision.

One more mistake is choosing a long-term protection stack only after an incident, and then choosing by marketing alone. If you are evaluating better ongoing protection for Windows endpoints, start with practical comparisons rather than feature lists. Our guides on Defender vs Bitdefender vs Norton and free vs paid antivirus are useful next reads after cleanup.

When to revisit

This checklist is worth revisiting whenever your tools, workflows, or threat exposure change. In practice, that means reviewing it before seasonal planning cycles, after a Windows interface or security workflow change, when you switch antivirus platforms, or after your organization introduces new browser policies, admin practices, or remote access paths.

Refresh this process when:

  • Windows Security menus or Defender scan options change
  • Microsoft updates the role or support boundaries of MSRT or related scanners
  • Your team changes endpoint protection vendors
  • You begin storing more credentials in the browser or password manager
  • You support more remote workers using unmanaged home networks
  • You have a recent phishing wave, browser-extension incident, or infostealer scare

Practical action plan for the next 30 minutes

  1. Disconnect the suspect Windows PC from the network.
  2. Document visible symptoms with screenshots and filenames.
  3. Run a full Defender scan, then Defender Offline.
  4. Use MSRT and, if needed, Microsoft Safety Scanner as additional checks.
  5. Remove suspicious browser extensions, apps, startup items, and tasks.
  6. Patch Windows and browsers after the system stabilizes.
  7. From a clean device, reset email and admin passwords and review sign-ins.
  8. If trust is still questionable, back up needed files carefully and rebuild the PC.

That is the durable rule for Windows malware removal: if you can restore confidence with layered scanning, configuration review, and account hygiene, do so methodically. If you cannot restore trust, do not negotiate with uncertainty. Reimage the system and move on.


2026-06-13T10:12:31.022Z