
How to Remove Malware From Your PC Without Reinstalling Windows

The default advice for a malware-infected PC used to be "wipe it and start over." Sometimes that's still correct. But in the majority of real-world cases — adware, browser hijackers, trojans, PUPs — a methodical removal process gets you clean without losing hours to reinstalling every application and reconfiguring your settings from scratch.

This is that methodical process. It's structured around the way malware actually works: how it survives removal attempts, how it reinfects, and where it hides. Follow the steps in order.

How to Confirm You Have Malware

Not every sluggish PC is infected. Look for these specific indicators:

  • Browser homepage or search engine changed without your action
  • Ads appearing in places they never did — on the desktop, in apps, or injected into websites
  • Unknown programs appearing in your installed apps or startup list
  • CPU or disk sitting at 90–100% while you're doing nothing
  • Antivirus suddenly disabled or missing
  • Files with unfamiliar extensions, ransom messages, or encrypted folders

If two or more of those apply, proceed. If your machine is just slow without those symptoms, check our Windows 11 performance guide first.

Step 1 – Disconnect From the Internet

Do this before anything else. Active malware is likely communicating with remote servers — downloading additional payloads, exfiltrating data, or waiting for commands. Disconnecting cuts all of that instantly. Unplug your ethernet cable and disable Wi-Fi from the taskbar. The malware cannot reinfect, spread to other devices, or receive updates while you're offline.

Step 2 – Boot Into Safe Mode

Safe Mode loads only essential Windows processes. This means most malware won't be running when you arrive — which makes it far easier to detect and delete. Hold Shift and click Restart from the Start menu. Navigate to Troubleshoot → Advanced Options → Startup Settings → Restart. Press 5 for Safe Mode with Networking so your scanner can update its definitions.

Step 3 – Run a Dedicated Malware Scanner

Your existing antivirus may already be compromised, outdated, or simply not specialized for removal. Use one of these trusted tools in addition to (not instead of) your existing software:

  • Malwarebytes Free — Excellent at catching adware, PUPs, trojans, and rootkits that traditional AV misses. Free version includes a full manual scan.
  • Microsoft Safety Scanner — Download fresh from microsoft.com/en-us/safety/scanner (it expires after 10 days). Runs in Safe Mode and scans memory for active threats.

Download on a clean device if needed and transfer via USB. Run both, quarantine everything flagged, and review the list before deleting — confirm you recognize what's being removed.

⚠️ Avoid

Never use "PC Cleaner" or "Registry Optimizer" tools found via pop-ups or ads — these are frequently malware themselves. Only use tools from the publishers' official websites.

Step 4 – Check Persistence Locations Manually

Sophisticated malware leaves behind "reinstallers" — code that brings back the main payload after you remove it. Check all of these:

Startup list: Task Manager → Startup apps. Also run msconfig and check its Startup tab — malware sometimes shows in one and not the other.

Scheduled Tasks: Open Task Scheduler. Check for tasks with random-looking names, tasks that run scripts from AppData or Temp folders, or tasks created on the date symptoms started.

Registry Run Keys: Press Win + R, type regedit, and press Enter. Check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete entries pointing to executables in Temp or AppData\Local\Temp. Normal programs don't run from there.

AppData folder: Go to C:\Users\YourName\AppData\Local and \Roaming. Sort by Date Modified. Anything recently created that you don't recognize deserves a Google search before you delete it.
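
A read-only PowerShell pass over the locations in this step, added here as an example and not part of the original article: it lists Run-key values and scheduled-task actions that launch from Temp or AppData, then recently modified AppData items. The `$suspect` pattern and the 30-day window are assumptions to adjust.

```powershell
# Added example (not from the original article). Read-only: nothing is deleted.
# Heuristic from Step 4: commands launching from Temp or AppData deserve review.
# AppData hits can include legitimate per-user apps, so verify before removing.
$suspect = '\\(AppData|Temp)\\'

# 1. The two Run keys listed above. GetValue() expands %VARIABLES% in the data.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Source  = $key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
}

# 2. Scheduled tasks: one row per action, with the task's registration date.
$taskEntries = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        [pscustomobject]@{
            Source  = "Task $($task.TaskPath) (registered: $($task.Date))"
            Name    = $task.TaskName
            Command = [Environment]::ExpandEnvironmentVariables($cmd)
        }
    }
}

# 3. Show only entries whose command line points into Temp or AppData.
@($runEntries) + @($taskEntries) |
    Where-Object { $_.Command -match $suspect } |
    Format-List Source, Name, Command

# 4. Top-level AppData items modified recently, newest first.
$since = (Get-Date).AddDays(-30)   # assumed window; set it to when symptoms began
Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, FullName -AutoSize
```

Run it from an elevated PowerShell window so tasks belonging to other accounts are included.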

Step 5 – Restore Your Browsers

Browser hijackers are often separate from the main infection and survive system scans. For each browser:

  • Go to Extensions and remove anything you didn't intentionally install
  • Check Settings → Search Engine — restore your preferred one
  • Check the On Startup setting for hijacked URLs
  • Right-click the browser shortcut → Properties → Target. If a URL appears after chrome.exe or firefox.exe, a hijacker injected it — remove it from the Target field

For Chrome specifically: chrome://settings/resetProfileSettings will reset search engine, startup pages, and new tab pages without affecting passwords or bookmarks.
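
The shortcut Target check from the list above, scripted as an added example that is not part of the original article: it reports browser shortcuts with a URL appended after the executable and changes nothing. The folder list, the URL pattern, and the inclusion of msedge.exe are assumptions.

```powershell
# Added example (not from the original article). Read-only: reports, changes nothing.
# Flags browser shortcuts whose Target has a URL appended after the executable.
$shell = New-Object -ComObject WScript.Shell

# Common shortcut locations; Quick Launch also holds taskbar pins in a subfolder.
$folders = @(
    [Environment]::GetFolderPath('Desktop')
    [Environment]::GetFolderPath('CommonDesktopDirectory')
    [Environment]::GetFolderPath('StartMenu')
    [Environment]::GetFolderPath('CommonStartMenu')
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
) | Where-Object { $_ -and (Test-Path $_) }

# chrome.exe and firefox.exe come from the article; msedge.exe is added here.
$browser = '\\(chrome|firefox|msedge)\.exe$'
$urlLike = 'https?://|www\.'   # assumed pattern for an injected start page

Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # WshShortcut splits the Target field into TargetPath and Arguments.
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -match $browser -and $lnk.Arguments -match $urlLike) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
    } | Format-List
```

No output means no matching shortcut was found in those folders; shortcuts stored elsewhere still need the manual Properties check.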

Step 6 – Change Passwords From a Clean Device

Treat every credential your browser stored — and every password you typed — during the infection period as compromised. From your phone or another clean machine, change passwords for email first (since email is used to reset everything else), then banking, then any account where sensitive information is stored. Enable two-factor authentication on all critical accounts — our 2FA guide walks through the best methods.

When Reinstalling Is the Right Answer

Some infections genuinely warrant a full wipe. Reinstall if: your scanner reports a bootkit or UEFI-level infection; you've been hit by ransomware that encrypted your files; the malware had root-level OS access; or suspicious behavior persists after completing every step above.

Windows 11's Reset feature (Settings → System → Recovery → Reset this PC) has a "Keep my files" option that preserves documents and photos while reinstalling the OS. It's not perfect — it can't save installed applications or their settings — but it significantly reduces the pain of starting over.

🔒 Prevention Going Forward

Keep Windows Defender active and updated. Research any free software before installing it. Be suspicious of email attachments even from known contacts — malware spreads by impersonating people in your address book. And don't click "Allow" on browser notification requests from sites you don't fully trust: that single click is one of the most common malware entry points today.