How to Remove Malware From a Windows PC: A Step-by-Step Guide

Remove malware from Windows with built-in tools: Safe Mode, full and offline scans, manual cleanup of apps and extensions, and when to reset your PC.

How to Remove Malware From a Windows PC: A Step-by-Step Guide

Windows can remove most malware on its own. The operating system ships with a genuinely capable antivirus, a deep-scan mode that runs before Windows even loads, and a reset option that can wipe out an infection completely. What most people are missing is not software. It is the right order of steps, because running them out of sequence is how infections survive a cleanup.

This guide walks through that sequence: cut the machine off from the internet, scan, deep-scan, remove the leftovers by hand, and reset only if nothing else works. Once the machine is clean, you will also secure the accounts the malware may have already raided. Expect the whole process to take an afternoon, most of it spent waiting for scans to finish.

One exception before you start. If your files will not open and a message on screen demands payment to get them back, you are dealing with ransomware, and cleaning the machine too quickly can destroy your only chance of recovering those files. Read our guide to ransomware before you touch anything else.

First, make sure it is actually malware

A slow computer is usually just a slow computer. Malware announces itself in more specific ways:

  • Your browser opens to a homepage you never chose, or your searches run through an engine you have never heard of.
  • Pop-up ads appear outside the browser, on the desktop or on top of other programs.
  • Programs you do not remember installing show up in the Start menu, or new toolbars appear in your browser.
  • Windows Security is switched off and will not switch back on.
  • The fan runs hard while the computer sits idle, a sign that hidden software is working the processor.
  • Friends report strange emails or messages coming from your accounts.

One thing that is almost never a real infection: a full-screen browser warning that your PC is infected, complete with an urgent phone number to call. That is scareware, a scam page built to sell you fake tech support. Genuine Windows alerts never include a phone number. Do not call it. Press Ctrl+Shift+Esc to open Task Manager, select your browser in the list, and click End task. If the warning does not come back when you reopen the browser, it was just a web page.

Step 1: Disconnect from the internet

Before you scan anything, take the machine offline. Unplug the network cable, or click the network icon at the right end of the taskbar and turn off Wi-Fi.

This matters because modern malware rarely works alone. Many infections quietly send your passwords and browsing data to a remote server, download additional components, or try to spread to other devices on your home network. Disconnecting freezes all of that in place while you work.

While you are cleaning, do not type any passwords on this computer. If the malware is recording keystrokes, every login you perform hands over another account. Anything urgent can be done from your phone.

Step 2: Run a full scan with Windows Security

Windows includes a built-in antivirus that handles the majority of common infections. Open the Start menu, type Windows Security, and open the app. Choose Virus & threat protection, then click Scan options and select Full scan. A quick scan only checks the usual hiding spots. A full scan checks every file and every running program, and it is the one you want here. Plan for an hour or more, longer on a large or older hard drive.

When the scan finishes, anything it found appears under Protection history on the same screen. Choose Remove, or Quarantine if you are not sure. Quarantine locks the file away where it cannot run, and you can restore it later if it turns out to be harmless.

If Windows Security will not open

Some malware blocks the antivirus to protect itself. The workaround is Safe Mode, a stripped-down version of Windows that loads only the essentials, which means most malware never gets the chance to start. Open the Start menu, click the power button, then hold Shift while you click Restart. When the blue menu appears, choose Troubleshoot, then Advanced options, then Startup Settings, then Restart. After the reboot, press 4 to enter Safe Mode. Run the full scan from there, then restart normally.

Step 3: Run the offline scan

Even if the full scan comes back clean, follow it with an offline scan. Some malware, often called a rootkit, buries itself deep enough in the system that it can hide from any scanner running inside Windows. The offline scan gets around this by restarting your PC and scanning from a minimal environment before Windows loads, where the malware cannot conceal itself or fight back.

Save any open work first, because the restart happens right away. Go back to Virus & threat protection, click Scan options, select Microsoft Defender Offline scan, and click Scan now. The computer restarts, scans for around fifteen minutes, and boots back into Windows. Check Protection history afterward for the results.

Step 4: Clean out what the scans missed

Scanners are good at removing the malicious core of an infection, but they often leave behind the junk that came with it: adware extensions, unwanted programs, entries that launch at startup. Check three places by hand.

Installed programs

Go to Settings, then Apps, then Installed apps, and sort the list by install date. Look for anything installed around the time your symptoms started that you do not recognize, and uninstall it. If a name means nothing to you, search for it on your phone before removing it. Some legitimate drivers and system tools have cryptic names.

Startup apps

Press Ctrl+Shift+Esc to open Task Manager and select the Startup apps tab. Anything listed here launches every time you turn on the PC, which is exactly where malware likes to live. Disable anything you cannot identify. Disabling is reversible, so you can switch an entry back on if something stops working.

Browser extensions

Open your browser's extensions page and remove anything you did not install yourself. Then check the browser's settings for the homepage and default search engine, since adware loves to change both. If redirects continue after that, use the option to reset browser settings to their defaults. Your bookmarks and saved passwords survive a reset. Extensions are switched off, which is the point.

Step 5: If it keeps coming back, reset Windows

If the same symptoms return after all of the above, the infection has a deeper foothold than consumer tools can reach, and a clean reinstall is faster and more certain than another round of scanning.

First, copy your personal files, such as documents and photos, to an external drive. Files only, never programs, since an installer could carry the infection across. Then go to Settings, then System, then Recovery, and click Reset this PC. Choose Remove everything, and when asked how to reinstall Windows, pick Cloud download so the fresh copy comes straight from the update servers rather than from files already on the machine.

After the reset, plug the external drive back in and run a full scan on it before you open anything you saved.

After the cleanup: assume your passwords leaked

A large share of the malware circulating right now exists for one purpose: stealing logins. A common type known as an infostealer grabs the passwords, cookies, and autofill data saved in your browser within moments of infection. So even after a successful cleanup, treat every password you typed or saved on that PC as compromised.

From your phone or another clean computer, change your email password first, since password resets for every other account flow through it. Then move on to banking, shopping, and social accounts, and turn on two-factor authentication as you go. If you find anything off inside an account, such as sent messages you did not write or a forwarding rule you did not create, follow our step-by-step account recovery guide.

It is also worth checking whether your email address is already circulating in criminal databases. Our free email breach checker shows which known breaches include your address, which is useful context for the scams that tend to follow an infection.

Finally, reconnect to the internet and go to Settings, then Windows Update, and click Check for updates. Malware usually gets in through security holes that were patched months earlier on machines that never installed the fix. Staying current closes the door it came through.

Your cleanup checklist

Work through these in order, and do not skip the account steps at the end. They are the difference between removing the malware and undoing the damage.

  • Disconnect from the internet before anything else.
  • Run a Full scan in Windows Security, from Safe Mode if the app is blocked.
  • Follow it with the offline scan to catch anything hiding from Windows.
  • Remove unfamiliar programs, startup entries, and browser extensions by hand.
  • Still infected? Back up personal files, then use Reset this PC with Cloud download.
  • Change your passwords from a different device, email first, and turn on two-factor authentication.
  • Update Windows before you return to normal use.