We review products independently, but we may earn commissions if you make a purchase using affiliate links on our website. Also note that we are not antivirus software; we only provide information about some products.

How to Remove Malware From Windows 11 (2026 Guide)

Last Updated: May 15, 2026. This guide was prepared against current 2026 lab data, vendor documentation, and security advisories.

The short version — what to do right now

If you think your Windows 11 PC is infected and you do not have time to read the full guide, do this:

  1. If files are actively being renamed or encrypted, stop using the PC immediately. Unplug Ethernet, turn off Wi-Fi, and shut the machine down if encryption is visibly still running. Do not keep clicking around while ransomware is changing files.
  2. Disconnect from the internet first. Turn off Wi-Fi or unplug the Ethernet cable. Stop info-stealers and RATs from exfiltrating more data.
  3. Use the normal Windows cleanup route if Windows Security still opens. Run Microsoft Defender Full Scan, then Microsoft Defender Offline Scan. Microsoft describes Defender Offline as a scan that boots from a trusted environment outside the normal Windows kernel, which is why it matters for stubborn malware and rootkit-style persistence: Microsoft Defender Offline Scan documentation.
  4. Use Safe Mode as the fallback route if normal Windows is broken. Boot into Safe Mode when Windows Security crashes, Defender will not open, or malware blocks normal cleanup. Use Safe Mode with Networking only when you need to download cleanup tools, then disconnect again after downloading. Microsoft documents the Startup Settings path through Windows Recovery Environment here: Windows Startup Settings.
  5. Run Malwarebytes Free and AdwCleaner as second-opinion scanners. Malwarebytes Free is the broader one-shot cleanup scanner; AdwCleaner is the specialist for adware, PUPs, preinstalled junk, and browser hijackers. Download both only from Malwarebytes: Malwarebytes Free and AdwCleaner.
  6. Reset your browsers, clean Startup and Scheduled Tasks, then reboot normally. Use Autoruns if you are comfortable with technical tools. Microsoft documents Autoruns here: Sysinternals Autoruns.
  7. Rotate passwords on critical accounts from a different clean device. Enable MFA. Check Have I Been Pwned.

The rest of this guide explains each step properly, identifies which kind of malware you are likely dealing with, and covers the recovery decisions most other articles leave out.

Choose your cleanup route: normal Windows or Safe Mode

There are two safe ways through this process.

Route A: normal Windows cleanup. Use this if Windows Security opens, Defender is not disabled, the desktop is usable, and malware is not blocking scanners. Run Defender Full Scan, run Defender Offline Scan, reboot, then run Malwarebytes Free and AdwCleaner.

Route B: Safe Mode fallback. Use this if Windows Security crashes, Defender refuses to open, the system is unstable, or malware blocks normal cleanup tools. Safe Mode loads only a minimal set of drivers and services, which keeps most malware autostarts from running but also means Defender real-time protection may not be running; do not count on it as your safety layer there. Use Safe Mode to keep persistence from starting, run cleanup tools, and then run Defender Offline as soon as Windows Security is accessible again.

Important network rule: disconnect first. Safe Mode with Networking is useful only when you must download tools from official sites. If you have a second clean device, download Malwarebytes, AdwCleaner, Sysinternals Autoruns, or vendor cleanup tools there, transfer them by USB, and disconnect the infected PC again before scanning.

If files are actively encrypting

If Documents, Pictures, Desktop, or shared folders are actively being renamed with strange extensions, or new ransom notes are appearing while you watch, do not spend ten minutes opening scanners.

Unplug Ethernet. Turn off Wi-Fi. If encryption is still visibly running, power the machine down. That is not elegant, but it can stop additional local damage. After that, decide whether the data is important enough for professional recovery, forensic collection, backup restore, or decryptor matching before doing destructive cleanup.

Do not wipe the machine before checking whether you need the ransom note, encrypted samples, malware sample, timestamps, or file extensions for a decryptor. The No More Ransom project maintains a repository of free decryptors for many ransomware families, but those tools need the right family match and do not work for every case.

Signs your Windows 11 PC is actually infected

Slowness alone is rarely malware. Before you start a removal procedure, confirm you are seeing real infection signs versus something else: full disk, failing SSD, aggressive background sync, pending updates, or too many startup apps.

Strong signs you are infected:

  • Browser homepage or default search engine changed without your action.
  • New toolbars, browser extensions, or browser-bundled apps you did not install.
  • Pop-ups appearing outside of any open browser window.
  • Unfamiliar programs in Settings → Apps → Installed apps with install dates matching when problems started.
  • Microsoft Defender disabled and refusing to re-enable, or the Windows Security app crashing on open.
  • Unexpected Windows credential prompts asking you to “re-authenticate” — particularly for Microsoft account, banking, or email.
  • Files in Documents, Pictures, Desktop renamed with strange extensions such as .locked, .encrypted, .akira, or random characters, or a ransom note text file appearing in folders.
  • Sustained high CPU or GPU usage shown in Task Manager from a process you do not recognize, especially while the PC is idle.
  • Outbound network connections in Resource Monitor (resmon → Network tab) to addresses you do not recognize while no normal apps are running.
  • Antivirus alerts you have been actively dismissing for the last few days.

Weak signs that are usually something else:

  • “Slow boot” — most often startup-app bloat or pending updates.
  • Fan spinning up — usually thermal throttling, not malware.
  • Occasional Wi-Fi disconnects — driver or router issue.
  • One unwanted pop-up — often a website notification subscription you accepted accidentally; revoke it in browser settings under site permissions / notifications.

If your symptoms are entirely in the weak-signs bucket, work through system hygiene first: uninstall recent apps, clear Startup, run Disk Cleanup, and check Resource Monitor. If anything in the strong-signs list is present, proceed with the full removal procedure below.

Types of malware home users hit today

The threat landscape in 2026 looks different from 2015 or even 2020. Knowing what you are dealing with changes the cleanup approach — and the post-cleanup recovery — significantly.

Info-stealers — by far the most common class in 2026

Lumma, RedLine, Vidar, StealC, and similar stealers dominate home-user cleanup work. Lumma was one of the most prominent examples in 2025: Microsoft said its disruption effort followed over 394,000 Windows computers globally infected by Lumma between March 16 and May 16, 2025: Microsoft Lumma disruption report.

These stealers run silently, harvest browser cookies, saved passwords, autofill data, cryptocurrency wallet files, Discord tokens, Steam session cookies, and FTP credentials, then exfiltrate everything in a burst to a remote server.

The exfiltration is the damage. Removing the binary after the fact does not undo it. If you had an info-stealer running for any length of time, treat every saved password and active browser session as compromised.

Common entry paths: cracked-software downloads, fake browser update prompts, and fake “captcha verification” pages that ask you to paste a command into the Run dialog or a PowerShell window. That last pattern is the ClickFix technique. ASD’s Australian Cyber Security Centre describes ClickFix as a social-engineering technique observed since early 2024 and used in 2026 campaigns to deliver Vidar Stealer through compromised WordPress sites: ASD ACSC ClickFix / Vidar advisory.
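
If you suspect someone on the PC followed a ClickFix-style lure, the pasted command usually leaves a trace. The following PowerShell script is an added example for this guide, not a tool from the advisory or from any vendor: it reads the Run dialog history in the registry (RunMRU), the PSReadLine console history file, and PowerShell script-block log events, and flags lines containing download-and-execute tokens. The token list is an assumption for this example, not a signature; every hit needs a human look, and a clean result does not prove nothing ran.

```powershell
# Added example, not part of the original guide: look for traces that a
# ClickFix-style "paste this into Run / PowerShell" lure was actually executed.
# Three artifacts survive: the Win+R history in the registry, the PSReadLine
# history of the interactive console, and PowerShell script-block log events.
# The token list below is an assumption for this example, not a vendor signature.

$SuspiciousTokens = @(
    'powershell', 'pwsh', 'mshta', 'curl ', 'irm ', 'iwr ',
    'Invoke-WebRequest', 'Invoke-Expression', 'iex', 'DownloadString',
    '-enc', 'FromBase64String', 'cmd /c', 'bitsadmin', 'certutil'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($t in $SuspiciousTokens) {
        if ($Command -like "*$t*") { return $true }   # -like is case-insensitive
    }
    return $false
}

# 1. Run dialog (Win+R) history. Each entry is stored under a one-letter value
#    name ending in "\1"; MRUList holds the order with the newest first.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    $props = Get-ItemProperty $runMru
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
    foreach ($slot in $order) {
        if ($null -eq $props.$slot) { continue }
        $cmd = ($props.$slot -replace '\\1$', '')
        if (Test-SuspiciousCommand $cmd) {
            Write-Warning "RunMRU[$slot] looks like a pasted lure: $cmd"
        } else {
            Write-Output "RunMRU[$slot]: $cmd"
        }
    }
}

# 2. Interactive PowerShell history written by PSReadLine (per user).
$history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
if (Test-Path $history) {
    Get-Content $history | Select-Object -Last 200 | ForEach-Object {
        if (Test-SuspiciousCommand $_) { Write-Warning "PowerShell history: $_" }
    }
}

# 3. Event 4104 carries the text of executed script blocks. Windows records
#    blocks it considers suspicious even when Script Block Logging is not enabled.
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 4104 -and (Test-SuspiciousCommand $_.Message) } |
    ForEach-Object {
        $snippet = $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length))
        Write-Warning "ScriptBlock $($_.TimeCreated): $snippet"
    }
```

Run it as the user who was sitting at the PC when the lure appeared, because RunMRU and the PSReadLine history are per-user. A hit in RunMRU that starts with powershell, mshta, or a download cmdlet is strong evidence the lure was followed, which moves the case into the info-stealer cleanup and credential-rotation path rather than simple adware removal.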

Ransomware

Akira, Phobos, STOP/Djvu, BlackCat / ALPHV remnants, and various LockBit-derivative clones encrypt your Documents, Pictures, Desktop, and sometimes shared folders. They often leave family-specific extensions such as .akira, .locked, or .djvu[XXX], plus a ransom note text file in each affected folder.

Home-user ransomware is less common than info-stealers but more visible because the damage is obvious. STOP/Djvu has been heavily distributed through cracked-software bundles for years. Always check No More Ransom before even thinking about payment. It sometimes provides free decryptors, but not for every ransomware family.

Remote Access Trojans (RATs)

Remcos, AsyncRAT, DCRat, and similar RATs give an attacker real-time remote control: keylogging, file browsing, screen capture, and sometimes webcam access. RATs are usually delivered through malicious documents, fake installers, or bundled cracked software.

If you had a RAT, assume the attacker had hands-on-keyboard access. Recovery must include credential rotation and MFA hardening, not just file removal.

Cryptocurrency miners

XMRig is the workhorse, often bundled inside otherwise-legitimate-looking downloads. Symptoms: sustained high CPU/GPU usage, hot machine, fast fan, elevated power draw, and throttled foreground performance. Miners are less damaging than info-stealers or RATs because they usually do not steal data, but they can run for months because users tolerate the symptoms.

Adware and Potentially Unwanted Programs (PUPs)

Browser hijackers, ad injectors, fake “system optimizer” tools, and fake driver updaters live here. Microsoft Defender can catch many of them, but PUP classification has always carried a false-positive risk. That is why AdwCleaner is part of this guide. Malwarebytes describes AdwCleaner as targeting adware, PUPs, and browser hijackers, while Malwarebytes Free is the broader cleanup scanner for viruses, ransomware, spyware, adware, and trojans: Malwarebytes AdwCleaner documentation.

Tech-support scams and browser lockers

Not always malware. These are often browser-side scareware pages that lock a tab with a full-screen “Microsoft Security Alert — Call This Number” overlay. Close the tab. If needed, use Task Manager to kill the browser process. Never call the number. Never grant remote access.

If you already gave a scammer remote-access control, treat the machine as fully compromised: scan, rotate every password, review financial accounts, and strongly consider a reset.

Rogueware

“Your PC is infected — buy our product to clean it” software that the user installs voluntarily and then cannot uninstall cleanly. Less common than in 2010, still around. Treat it like adware: Malwarebytes Free and AdwCleaner are the right first tools.

Worms

Self-spreading malware. Rare for home users in 2026 because Windows has hardened against the SMB-spread and removable-USB-spread mechanisms worms historically relied on. If you are seeing what looks like worm behavior, you are probably dealing with persistence, scheduled tasks, or repeated reinfection from the same downloaded installer.

Step 1: Disconnect from the internet

Before any scanning, kill the network. Unplug Ethernet. Turn off Wi-Fi from the system tray or by hitting Airplane Mode (Win + A → Airplane mode tile).

This stops three things at once. Info-stealers in mid-exfiltration cannot complete the upload. RATs lose their command-and-control session. Malware downloaders cannot pull second-stage payloads. Ransomware mid-encryption may continue locally, but it cannot phone home while the network is cut.

You may need network access briefly later to download Malwarebytes, AdwCleaner, or other cleanup tools. Use a clean device and USB transfer if possible. If not, use Safe Mode with Networking only for the download window, then disconnect again.

Step 2: Use normal Windows first, or Safe Mode if normal cleanup is blocked

If Windows Security opens normally and the machine is usable, stay in normal Windows for the first pass. Run Defender Full Scan, then Defender Offline Scan. That route is simpler and avoids unnecessary network exposure.

If malware blocks Windows Security, crashes the desktop, prevents downloads, or keeps relaunching on boot, use Safe Mode. Safe Mode loads Windows with a reduced set of drivers and services, so many persistence mechanisms do not start. It is a cleaner environment for running removal tools, but Defender real-time protection may not be active there, so do not count on it to block anything you run. The goal is to keep persistence from starting, run scanners, then use Defender Offline for the pre-OS scan.

From a working sign-in screen: hold Shift while you click Power → Restart. The machine reboots into the Windows Recovery Environment.

From within Windows: Settings → System → Recovery → Advanced startup → Restart now.

If Windows is too broken to sign in: force-shut down the PC three times in a row during boot by holding the power button as soon as the Windows logo appears. Windows should automatically enter WinRE on the next attempt.

From WinRE: Troubleshoot → Advanced options → Startup Settings → Restart. After the reboot, press 4 for Safe Mode or 5 for Safe Mode with Networking. Use option 5 only if you need network access to download tools. Microsoft documents this Startup Settings path here: Windows Startup Settings.
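
The same Safe Mode result can be set from an elevated PowerShell prompt with bcdedit, which helps when the desktop still opens but the Shift + Restart path is blocked. The script below is an added example for this guide, not a Microsoft tool; it sets the boot-configuration safeboot flag for the next boot and, just as importantly, clears it again, because a forgotten flag leaves the PC booting into Safe Mode every time.

```powershell
# Added example, not from the original guide: set or clear the Safe Mode flag for
# the next boot from an elevated PowerShell prompt. Equivalent to WinRE >
# Startup Settings > option 4 (minimal) or option 5 (network). Run as Administrator.
#   -Mode minimal : Safe Mode
#   -Mode network : Safe Mode with Networking (only for the download window)
#   -Mode off     : clear the flag so the PC boots normally again

param(
    [ValidateSet('minimal', 'network', 'off')]
    [string]$Mode = 'minimal'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

# {current} must be quoted: unquoted, PowerShell parses the braces as a script block.
if ($Mode -eq 'off') {
    if (bcdedit /enum '{current}' | Select-String -Quiet 'safeboot') {
        bcdedit /deletevalue '{current}' safeboot | Out-Null
    }
} else {
    bcdedit /set '{current}' safeboot $Mode | Out-Null
}
if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

# Show the resulting entry so the change is visible before you reboot.
bcdedit /enum '{current}' | Select-String -Pattern 'identifier', 'description', 'safeboot'

if ($Mode -eq 'off') {
    Write-Output 'Safe boot flag cleared; the next restart is a normal boot.'
} else {
    Write-Output "Next restart enters Safe Mode ($Mode). Caveat: the flag persists until you run this again with -Mode off."
}
```

Save it as a .ps1, run it once with the mode you want, restart, do the cleanup, then run it with -Mode off before the final normal reboot in Step 8. If the machine later seems stuck in Safe Mode, that missing -Mode off run is the first thing to check.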

Step 3: Run Microsoft Defender Full Scan

Open Windows Security: Start → type “Windows Security” → open. Navigate to Virus & threat protection → Scan options → Full scan → Scan now.

A Full Scan checks files and locations broadly across the system, including areas Quick Scan may not cover. It is slower, but more useful when you suspect an active infection. On a 500GB SSD with about 200GB used, expect 30–60 minutes. On a 1TB HDD, expect 2–4 hours.

When the scan finishes, review detections in Protection history. Quarantine confirmed threats. Defender’s quarantine is recoverable, so quarantine is safer than delete when you are not sure.

Step 4: Run Microsoft Defender Offline Scan

This is the step that separates a thorough cleanup from a half-done one. Almost every “how to remove malware” guide skips it. Do not skip it.

From Windows Security → Virus & threat protection → Scan options, select Microsoft Defender Antivirus (offline scan), then Scan now. Save open work first — the machine will reboot automatically.

Defender Offline reboots Windows into a trusted environment outside the normal Windows kernel. Microsoft describes this as useful when you suspect malware infection or want to confirm thorough cleanup after an outbreak, especially for malware that attempts to bypass the Windows shell, such as rootkits and boot-level threats: Microsoft Defender Offline Scan.

The Offline Scan takes about 15 minutes. The PC reboots back into normal Windows when complete. Results appear in Windows Security → Protection history.

Run the Offline Scan even if the Full Scan found nothing. Rootkit-class persistence is built to hide from the running OS; the Offline Scan gives Defender a cleaner view of what is sitting on disk.
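
Steps 3 and 4 can also be driven from an elevated PowerShell prompt with the Defender module that ships in Windows, which is handy when the Windows Security app misbehaves but the Defender service itself is still running. The script below is an added example for this guide, not Microsoft documentation: it checks that Defender is actually enabled and up to date, runs the Full Scan, lists what was detected and whether the remediation succeeded, and then launches the Offline Scan.

```powershell
# Added example, not from the original guide: Steps 3 and 4 from an elevated
# PowerShell prompt using the built-in Defender cmdlets (Get-MpComputerStatus,
# Update-MpSignature, Start-MpScan, Get-MpThreatDetection, Get-MpThreat,
# Start-MpWDOScan). Run as Administrator with the network still disconnected.

# 1. Confirm Defender is on. Malware that disabled it shows up right here.
$status = Get-MpComputerStatus
$status | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                        IsTamperProtected, AntivirusSignatureLastUpdated, AntivirusSignatureAge |
    Format-List

if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Defender is disabled or real-time protection is off. If it will not re-enable, switch to the Safe Mode route.'
}

# 2. Definitions. Only update while deliberately online for the download window, then disconnect again.
if ($status.AntivirusSignatureAge -gt 3) {
    Write-Warning "Signatures are $($status.AntivirusSignatureAge) days old. Run Update-MpSignature while briefly connected."
}

# 3. Full scan (Step 3). This call blocks until the scan completes.
Start-MpScan -ScanType FullScan

# 4. Review detections. Get-MpThreatDetection is the per-event history;
#    ActionSuccess tells you whether the quarantine actually happened.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize -Wrap

# Get-MpThreat is the catalogue of threats seen on this machine; IsActive means still present.
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive | Format-Table -AutoSize

# 5. Offline scan (Step 4). Save open work first: the PC reboots straight into the
#    Defender Offline environment and returns to Windows when finished. Results appear
#    in Windows Security > Protection history and in Get-MpThreatDetection.
Start-MpWDOScan
```

If Start-MpScan refuses to start or Get-MpComputerStatus reports AntivirusEnabled as False and nothing you do re-enables it, that is the blocked-cleanup condition the guide describes, and the right move is Safe Mode followed by Defender Offline rather than fighting the running system.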

Step 5: Second-opinion scan with Malwarebytes and AdwCleaner

Two scanners are better than one because each catches a different category of threat.

Malwarebytes Free is the broader one-shot cleanup scanner. Malwarebytes describes its free scanner as removing viruses, ransomware, spyware, adware, and trojans: Malwarebytes Free. Run a Malwarebytes Threat Scan and quarantine what it flags.

AdwCleaner is narrower and more specialized. It targets adware, PUPs, preinstalled junk, and browser hijackers: Malwarebytes AdwCleaner. Run it separately. It may ask to reboot to remove in-use items. Allow the reboot.

One additional Microsoft tool worth knowing about: Microsoft’s Malicious Software Removal Tool (MSRT / MRT). Microsoft says MSRT is generally released monthly through Windows Update and is also available as a standalone download: Microsoft MSRT download. On many Windows 11 systems you can run it with Win + R → mrt → Enter. If it is missing or outdated, download the current version from Microsoft.

MRT is not a replacement for Defender or Malwarebytes. It scans for a curated set of prevalent malware families. Treat it as a free extra pass, not your main cleanup plan.

Step 6: Clean and reset your browsers

The browser is where most home-user malware does its harvesting. Even if the underlying file has been removed, malicious extensions and modified settings can persist until you clean them.

Chrome: chrome://extensions — remove anything unfamiliar. chrome://settings/reset → Restore settings to their original defaults. Sign out of your Google account, then sign back in only after credential rotation in Step 9.

Edge: edge://extensions — same cleanup. edge://settings/reset → Restore settings to their default values. Sign out and back in after credential rotation.

Firefox: about:addons → remove unfamiliar extensions. Help → More troubleshooting information → Refresh Firefox.

Clear cookies and cached site data on each browser. Cookies are the primary thing info-stealers harvest. Even if your passwords were not saved in the browser, stolen cookies can grant active sessions. Clearing them locally does not invalidate the copies already stolen; only signing out of all sessions on the service side, as described in Step 9, does that.
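
One thing chrome://extensions will not show you is why an extension has no Remove button. Browser hijackers sometimes pin themselves through the ExtensionInstallForcelist policy, which makes the extension appear as installed by an administrator and unremovable until the policy value is deleted. The script below is an added example for this guide, not a Malwarebytes or Microsoft tool: it checks the Chrome and Edge policy keys for forced installs, then inventories every extension on disk across all profiles with its permissions and whether it declares an update URL.

```powershell
# Added example, not from the original guide: inventory Chrome and Edge extensions
# across all profiles and check the policy keys a hijacker uses to pin an extension
# ("Installed by your administrator", no Remove button). Home PCs normally have no
# Policies\Google\Chrome or Policies\Microsoft\Edge keys at all.

$Browsers = @{
    Chrome = @{ Data = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'; Policy = 'SOFTWARE\Policies\Google\Chrome' }
    Edge   = @{ Data = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'; Policy = 'SOFTWARE\Policies\Microsoft\Edge' }
}

function Resolve-ExtensionName {
    # Manifests often carry "__MSG_appName__"; the display string lives in _locales.
    param([pscustomobject]$Manifest, [string]$VersionDir)
    $name = [string]$Manifest.name
    if ($name -match '^__MSG_(.+)__$' -and $Manifest.default_locale) {
        $msgFile = Join-Path $VersionDir "_locales\$($Manifest.default_locale)\messages.json"
        if (Test-Path $msgFile) {
            $msgs  = Get-Content $msgFile -Raw -Encoding UTF8 | ConvertFrom-Json
            $entry = $msgs.($Matches[1])
            if ($entry.message) { return $entry.message }
        }
    }
    return $name
}

foreach ($b in $Browsers.GetEnumerator()) {
    Write-Output "=== $($b.Key) ==="

    # 1. Policy-pinned extensions. Values are named 1, 2, ... and hold "extensionid;update_url".
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$($b.Value.Policy)\ExtensionInstallForcelist"
        if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { Write-Warning "$key\$($_.Name) = $($_.Value)  <- forced install; delete this value to unpin it" }
        }
    }

    # 2. Extensions on disk, per profile. An extension with no update_url was not
    #    delivered by a store and deserves a close look.
    if (-not (Test-Path $b.Value.Data)) { continue }
    Get-ChildItem $b.Value.Data -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
        ForEach-Object {
            $profileName = $_.Name
            Get-ChildItem (Join-Path $_.FullName 'Extensions') -Directory | ForEach-Object {
                $extId = $_.Name
                Get-ChildItem $_.FullName -Directory | ForEach-Object {
                    $manifestPath = Join-Path $_.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { return }
                    $m = Get-Content $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json
                    [pscustomobject]@{
                        Profile      = $profileName
                        Id           = $extId
                        Name         = Resolve-ExtensionName $m $_.FullName
                        Version      = $m.version
                        HasUpdateUrl = [bool]$m.update_url
                        Permissions  = ((@($m.permissions) + @($m.host_permissions)) -join ',')
                    }
                }
            }
        } | Format-Table -AutoSize -Wrap
}
```

Run it as the affected user before and after the browser reset. Any forcelist warning means the reset alone will not remove that extension: delete the registry value first (or remove the whole Policies\Google\Chrome or Policies\Microsoft\Edge key on a home PC that never had managed policies), restart the browser, and then the Remove button comes back.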

Step 7: Audit Startup, Scheduled Tasks, and Services

Malware persistence on Windows usually lives in one of three places. Manual review is more reliable than trusting any single scanner to have caught all of them.

Startup apps. Task Manager → Startup apps tab. Disable anything unfamiliar. Most legitimate Startup entries are signed by a known publisher: Microsoft, Intel, Realtek, NVIDIA, your laptop OEM, or software you remember installing. Anything with a blank publisher, or a system-sounding name such as svchost.exe that launches from %AppData%, %LocalAppData%, or %Temp% instead of C:\Windows\System32 or Program Files, should be disabled and investigated.

Scheduled tasks. Press Win + R → taskschd.msc → Enter. Browse Task Scheduler Library. Malware often hides here because users rarely look. Anything with a recent creation date that runs from a temporary or AppData folder is suspicious. Disable, do not delete, until you have confirmed it is malicious.

Services. Press Win + R → services.msc → Enter. Look at any service with Automatic startup that started recently and has a generic or random-string name. Right-click → Stop, then change Startup type to Disabled if you confirm it is malicious.

The Sysinternals tool Autoruns is the power-user version of all three checks in one tool. It surfaces auto-start applications and a long list of Registry and file-system autostart locations, including logon entries, Explorer add-ons, AppInit DLLs, Winlogon notification DLLs, services, codecs, and more. Microsoft documents it here: Sysinternals Autoruns.
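
The manual review of Startup, Scheduled Tasks, and Services above can be collapsed into one first-pass sweep. The script below is an added example for this guide, not Autoruns and not a vendor tool: it walks the Run/RunOnce keys, both Startup folders, non-Microsoft scheduled tasks, and automatic services, and flags each entry that launches from a user-writable folder, is a script interpreter whose arguments need reading, or lacks a valid Authenticode signature. The folder and interpreter lists are assumptions for this example, a flag means "look at this" rather than "malicious" (unsigned OEM utilities and .lnk shortcuts will show up), and Autoruns remains the complete view.

```powershell
# Added example, not from the original guide: first-pass sweep of the Step 7
# persistence locations plus the Run/RunOnce keys. Flags = worth a look, not proof.
# The folder and interpreter lists are assumptions for this example. Run as Administrator.

$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
$Interpreters = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'msiexec.exe'

function Get-ExePath {
    # Extract the executable from a command line: "C:\x\a.exe" -arg, C:\x\a.exe -arg, or C:\Program Files\x\a.exe -arg
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl  = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $exe = if ($cl -match '^"([^"]+)"') { $Matches[1] }
           elseif ($cl -match '^(.+?\.(exe|dll|bat|cmd|vbs|js|ps1|hta))(\s|$)') { $Matches[1] }
           else { ($cl -split '\s+')[0] }
    if ($exe -notmatch '[\\/]') {
        # Bare name such as "powershell": resolve through PATH so the signature check has a file.
        $resolved = (Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1).Source
        if ($resolved) { $exe = $resolved }
    }
    return $exe
}

function Test-Suspicious {
    param([string]$Path)
    if (-not $Path) { return 'no executable path' }
    foreach ($dir in $UserWritable) {
        if ($Path -like "$dir\*") { return 'runs from user-writable folder' }
    }
    if ($Interpreters -contains [IO.Path]::GetFileName($Path)) { return 'script interpreter: read the arguments' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path     # .lnk shortcuts always report NotSigned
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding {
    param($Source, $Name, $Cmd)
    $why = Test-Suspicious (Get-ExePath $Cmd)
    if ($why) { $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Reason = $why; Command = $Cmd }) }
}

# 1. Registry Run / RunOnce keys (most of what the Task Manager Startup tab shows).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Finding $k $_.Name $_.Value }
}

# 2. Startup folders (per-user and all-users).
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
}

# 3. Scheduled tasks outside Microsoft's own folders, with creation date and action.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            Add-Finding "Task $($task.TaskPath)" "$($task.TaskName) (created $($task.Date))" ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }
}

# 4. Services set to start automatically.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) ($($_.DisplayName))" $_.PathName }

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Read the table the way the guide tells you to read each location: a scheduled task created the day symptoms started whose action is powershell.exe with a long encoded argument, or a Run entry pointing into %LocalAppData%\Temp, is the kind of hit to disable first. Disable rather than delete until you have confirmed it, and re-run the sweep after the reboot in Step 8 to see whether anything came back.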

Step 8: Clean temp files and reboot normally

Run Disk Cleanup: Start → type “Disk Cleanup” → run on C: drive. Tick Temporary files, Temporary Internet Files, Delivery Optimization Files, Thumbnails, and Recycle Bin. Click Clean up system files for a deeper pass including old Windows Update payloads.

Manually clear %temp% if it has not already been wiped: Win + R → %temp% → Enter → select all → delete. Anything in use will refuse to delete, which is fine — skip those.

Reboot into normal Windows. Run Defender Quick Scan one more time. If clean, proceed to hardening. If a detection appears again, repeat Defender Offline Scan and recheck Startup, Scheduled Tasks, Services, and Autoruns. Something is reinstalling itself.

Step 9: Post-cleanup hardening — the part most guides skip

If the malware was an info-stealer, RAT, or anything that touched browser saved passwords, you are not done when the file is removed. The data may already be out. The hardening pass is how you contain the damage.

Rotate critical passwords from a clean device. Use a different computer or your phone in a private browser session, not the same browser ecosystem. Critical accounts in order: primary email, financial services, PayPal/Venmo, crypto exchanges, then anything that reused the same password. Use a password manager from here forward: Bitwarden, 1Password, KeePass, or the built-in Chrome/Edge manager if you want the simple option.

Enable MFA everywhere it is available. Authenticator app is better than SMS where you have the choice. Hardware security keys are better still for your most important account, usually email.

Sign out of all sessions. Most major services — Google, Microsoft, Apple, banks, social media — have a security settings page that lets you sign out everywhere. Use it. Active sessions stolen via cookies do not require the attacker to know your password.

Check Have I Been Pwned. Enter your email addresses and sign up for breach notifications: Have I Been Pwned. If you had an info-stealer infection, treat every password saved in your browser as compromised even if it does not appear in public breach databases.

Review financial accounts. Look back through the last 30–90 days for transactions you do not recognize. If any are present, dispute them with the bank or card issuer immediately. Consider a credit freeze with Equifax, Experian, and TransUnion if the malware looked like it touched financial data.

Check installed-app inventory. Settings → Apps → Installed apps. Sort by install date. Anything you do not remember installing in the timeframe before symptoms started is suspect.

When to give up and Reset This PC

Sometimes manual cleanup is not the right call. Reset This PC reinstalls Windows 11 and gets you to a known-clean state faster than chasing persistence through Task Scheduler and Autoruns logs. Microsoft documents the reset path here: Reset your PC.

Reset is the right choice when:

  • You ran the full procedure above and symptoms persist or detections keep reappearing.
  • The infection is older than a few weeks and may have established deep persistence you cannot trace.
  • You suspect a rootkit and Defender Offline Scan flagged things, but the system is still acting wrong.
  • You granted remote-access screen-share to a tech-support scammer at any point.
  • The machine is used for work and your employer’s IT/security process requires a fresh image.

If the machine is used for work, do not reset it before talking to IT. They may need logs, samples, timestamps, and account activity for incident response.

Settings → System → Recovery → Reset PC → Get started. Choose Remove everything for malware cases because Keep my files preserves user folders, downloads, scripts, archives, and potentially malicious installers. Choose Cloud download rather than Local reinstall when possible, because the cloud version pulls a fresh Windows image rather than reusing your local reinstall image.

After reset, set up Windows 11 fresh, install applications from official sources only, and restore personal documents from a backup point you trust.

What NOT to do

Do not install a second always-on antivirus alongside Defender. Two real-time engines fight in the kernel, quarantine each other’s temp files, and can degrade both products. If you want a permanent third-party AV, install one reputable suite and let Windows Security switch Defender out of active real-time mode. Do not try to run two real-time AV engines together. For cleanup, Malwarebytes Free and AdwCleaner are on-demand tools and are safe to use alongside Defender.

Do not pay ransomware demands without first checking No More Ransom and recovery options. The No More Ransom project hosts free decryptors for many ransomware families. Check Volume Shadow Copies, but do not assume they survived — many ransomware families delete them early. CISA and other authoring agencies repeatedly warn that paying does not guarantee file recovery and may encourage further attacks; some payments may also create sanctions risk depending on the operator: CISA StopRansomware advisory example and OFAC ransomware payment advisory.

Do not download removal tools from random “virus removal” sites. Fake removal tools are themselves a major malware-delivery channel, particularly for older users. Stick to Microsoft, Malwarebytes, No More Ransom, Sysinternals, and official vendor sites.

Do not call the phone number on a browser-locker page. No real Microsoft, Apple, or AV-vendor security alert will give you a phone number to call. The phone number itself is the scam.

Do not skip the post-cleanup hardening pass. File removal ends the active infection. Credential rotation contains the consequences. Skipping it is how people end up with their email account drained, crypto wallet emptied, or bank account compromised weeks after they “fixed” the PC.

Do not restore files from a backup taken after the infection started. Backups can carry the malware. Restore from a known-good backup point or from cloud-synced files with version history.

The takeaway

Windows 11 in 2026 ships with a genuinely capable removal toolkit out of the box. Defender Full Scan plus Defender Offline Scan, then Malwarebytes Free and AdwCleaner as second opinions, will handle the vast majority of home-user infections. The Offline Scan is the underused star of the lineup — run it every time, even when the normal scan says clean.

The part that matters more than the removal itself is the post-cleanup pass. Modern home-user malware in 2026 is dominated by info-stealers, which means the question is not just “is the file gone” but “has my credential exposure been contained?” Rotate passwords from a different device, enable MFA, sign out of all sessions, check breach lookups, and watch financial accounts.

If symptoms persist after the full procedure, do not chase ghosts. Reset This PC with Remove everything and Cloud download is a clean, fast move, and there is no shame in taking it.

FAQ

Will Microsoft Defender alone remove all malware?

Defender removes the vast majority of consumer malware on the first scan, especially when you run both Full Scan and Defender Offline Scan. What it can miss are usually adware/PUPs, stubborn persistence, or browser-layer junk that a specialist tool handles better. The standard recommendation is Defender Full Scan followed by Defender Offline Scan, then a second-opinion scan with Malwarebytes Free and AdwCleaner.

Can I just reset Windows 11 to remove malware?

Reset This PC with the Cloud download option reinstalls Windows 11 and removes almost all malware. It is a valid last-resort move and sometimes faster than chasing persistence manually. The catch: Keep my files preserves user folders, downloads, scripts, archives, and potentially malicious installers. Choose Remove everything when reinstalling because of malware. Reinstalled Windows still needs to be re-secured with password rotation, MFA, session sign-out, and trusted app installs.

Should I pay a ransomware demand?

No, not before checking safer options. Paying does not guarantee recovery and may encourage further attacks. It may also create sanctions risk if the operator is on a restricted list. Check No More Ransom, backups, file-version history, Volume Shadow Copies, and incident-response options first. If files matter, contact a reputable incident-response firm before paying anyone.

How do I know if my PC is actually infected or just slow?

Real malware signs include browser homepage or search engine changes, new toolbars or extensions, pop-ups outside any browser, unfamiliar programs with recent install dates, antivirus disabled and refusing to re-enable, or files renamed with strange extensions. Slowness alone is rarely malware — more often it is a near-full disk, a failing SSD, too many background updates, or aging hardware. Run Resource Monitor to confirm what is consuming CPU, memory, disk, and network.

What is the difference between Defender Offline Scan and a normal scan?

A normal Defender scan runs inside the live Windows OS. Defender Offline Scan reboots into a trusted environment outside the normal Windows kernel. That matters for malware that tries to hide from the running OS, tamper with Defender, or hook itself below the normal Windows shell. It takes about 15 minutes and is one of the best built-in cleanup tools Windows has.

Is it safe to use the same browser after cleanup?

The browser itself is safe after reset and extension cleanup. The session cookies and saved passwords inside it may not be. Lumma, RedLine, Vidar, and other info-stealers target browser cookies, saved passwords, autofill data, and cryptocurrency wallet files. After cleanup, sign out of all sessions, rotate critical-account passwords from a different clean device, and re-enable MFA on anything important.

How do I check if my passwords were stolen?

Go to Have I Been Pwned and enter your email addresses. Sign up for breach notifications. Password managers including Bitwarden, 1Password, and the one built into Chrome/Edge can flag passwords that appear in known leaks. If you had an info-stealer infection, treat every password saved in your browser as compromised regardless of breach lookups.

Sourced from

Microsoft documentation on Defender Offline Scan, Startup Settings, Reset This PC, MSRT, and Sysinternals Autoruns; Malwarebytes documentation for Malwarebytes Free and AdwCleaner; No More Ransom decryptor repository; Have I Been Pwned breach lookup; CISA and OFAC ransomware guidance; Microsoft Lumma disruption reporting; ASD ACSC ClickFix / Vidar advisory; public threat reporting from major AV vendors.