Malware Removal

How to Remove Malware from a Windows 11 PC

If your PC is showing unexpected pop-ups, running extremely slowly, or redirecting your browser to strange websites, your machine may be infected. This guide walks through a thorough removal process, from quick scans to full offline recovery.

Get Emergency Malware Removal

560K+new malware samples detected daily

7 stepsto thorough removal

94%of malware arrives via email

15 minfor an offline scan

Signs of Malware Infection

PC suddenly very slow for no obvious reason
Unknown programs appearing in your taskbar or Start menu
Browser homepage or search engine changed without permission
Pop-up ads appearing even when no browser is open

Antivirus disabled or cannot be turned on
Files encrypted or inaccessible (ransomware)
Unusual network activity or high bandwidth when idle
Unknown processes in Task Manager using high CPU or memory

Step 1: Disconnect from the Network

If you suspect active malware, especially ransomware, disconnect from Wi-Fi and unplug the Ethernet cable immediately. This prevents the malware from causing further damage.

Stops spreading to other devices

Blocks additional payloads

Prevents data exfiltration

Protects network drives

Step 2: Boot into Safe Mode

Safe Mode starts Windows with only essential drivers and services, which prevents most malware from running.

From Settings

Open Settings > System > Recovery
Click Restart now under Advanced startup
Troubleshoot > Advanced options > Startup Settings > Restart
Press 4 for Safe Mode or 5 for Safe Mode with Networking

From Login Screen

Hold Shift and click Restart
Follow the same path: Troubleshoot > Advanced options > Startup Settings

Step 3: Run Windows Defender Offline Scan

This is the most powerful built-in scan. It runs before Windows fully loads, so malware cannot hide from it. The scan takes about 15 minutes, and results appear in Windows Security after the restart.

Open Windows Security > Virus & threat protection
Click Scan options
Select Microsoft Defender Antivirus Offline scan
Click Scan now — the PC will restart automatically

Step 4: Run a Full Defender Scan

After the offline scan completes, run a full scan from within Windows. This scans every file on every drive and can take 1-2 hours.

Open Windows Security > Virus & threat protection
Click Scan options > select Full scan
Click Scan now and let it complete fully

Tip: Before running the scan, update your definitions by going to Virus & threat protection > Protection updates > Check for updates. This ensures the scanner knows about the latest threats.

Step 5: Check for Persistence Mechanisms

Malware often installs itself in places that allow it to survive reboots. Check all of these common hiding spots.

Startup Programs

Open Task Manager > Startup apps
Disable anything suspicious or unrecognised

Scheduled Tasks

Search for Task Scheduler in Start
Look for unusual tasks not created by Microsoft or known software

Browser Extensions

Chrome: chrome://extensions
Edge: edge://extensions
Remove anything you did not install yourself

Recently Installed Programs

Open Settings > Apps > Installed apps
Sort by install date and remove anything unrecognised

Step 6: Reset Browsers

If your browser is hijacked with a changed homepage, redirects, or pop-ups, resetting it removes malicious extensions and restores default settings. This does not delete your bookmarks or saved passwords.

Microsoft Edge

Open Settings > Reset settings
Click Restore settings to their default values

Google Chrome

Open Settings > Reset and clean up
Click Restore settings to their original defaults

Step 7: Change Your Passwords

After removing malware, assume your passwords have been compromised. Change them from a clean device if possible.

Change your email password first — your email is the key to resetting all other accounts
Change your Microsoft account password
Change passwords for banking, social media, and sensitive accounts
Enable two-factor authentication on all important accounts

For Business Machines: Additional Steps

If this is a company-managed device, take these additional precautions. Do not attempt to clean the machine yourself if your company has an incident response process.

Report and Isolate

Contact your IT team immediately
Your IT team may block the device in Intune or MDM
The user account may be disabled until the scope is determined
The machine may be preserved for forensic analysis

Wipe and Reimage

A full wipe and reimage via Autopilot or SCCM is the most reliable approach
Cleaning a compromised business machine manually always carries a risk of incomplete removal
Check for lateral movement if the machine had access to shared drives or admin tools

Prevention: Protect Yourself Going Forward

Action	Details
Enable real-time protection	Windows Security > Virus & threat protection
Turn on tamper protection	Prevents malware from disabling Microsoft Defender
Enable ransomware protection	Controlled Folder Access in Windows Security
Enable Smart App Control	Blocks untrusted and unsigned apps automatically
Keep Windows updated	Settings > Windows Update
Use a standard (non-admin) account	Only use admin for installations
Be cautious with downloads	Only download software from official sources
Use a password manager	Prevents password reuse across sites

Important: If you paid for "tech support" after a pop-up warning, or if someone gained remote access to your PC, treat this as a full compromise. Change all passwords from a different device, contact your bank if financial information was visible, and consider a complete Windows reset.

Need Professional Malware Removal?

If the malware keeps coming back, your antivirus is disabled and you cannot re-enable it, or you suspect a deeper compromise, our team can perform a thorough cleanup and harden your system against future infections.

Get On-Demand IT Support Email Security Services

Get Security Insights Delivered

One email per month with our best articles. No spam.