How to Identify and Remove Malware from Windows 11

If your Windows 11 PC is acting strange—random pop-ups, sluggish performance, antivirus won't turn on—you might have malware. Here's the thing: most infections are removable with free tools and a methodical approach.

By Mike Torres

You don’t need to pay for expensive removal services or panic about losing everything.

In my security consulting work, I’ve cleaned hundreds of infected systems. The process isn’t complicated, it’s just systematic. Follow these steps, and you’ll likely have your PC back to normal within a few hours.

This guide is part of our Windows Security & Protection Guide, covering malware defense, privacy controls, and comprehensive security strategies.

Identifying Malware Infections

Before jumping into removal, let’s confirm you actually have malware. Look for these key symptoms:

Strong indicators:

  • Windows Defender disabled and won’t turn back on
  • Browser homepage changed without your permission
  • Pop-up ads appearing even when your browser is closed
  • Unfamiliar processes in Task Manager using high CPU
  • Search results redirecting to strange websites

My triage rule: If you’re experiencing three or more of these symptoms simultaneously, you likely have malware.

Quick Task Manager Check

Press Ctrl + Shift + Esc and check the Processes tab. Sort by CPU usage and look for:

  • Unfamiliar process names (especially random characters)
  • Processes running from temporary folders (%Temp%, %AppData%)
  • Misspelled system process names (e.g., “svchost32.exe” instead of “svchost.exe”)

Think of Task Manager like checking your phone’s battery usage. If an app you don’t recognize is draining your battery, something’s wrong. Same principle here.
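
The same three checks can be run from PowerShell rather than by eye. This is an added example, not part of the original article; the short list of system process names and the "contains the real name" lookalike rule are assumptions chosen for illustration.

```powershell
# Added example: automate the Task Manager checks described above.
# The name list and lookalike rule are illustrative assumptions, not a full inventory.
$sys32 = Join-Path $env:SystemRoot 'System32'
$expectedDir = @{                      # genuine process name -> folder it should run from
    'svchost.exe'  = $sys32
    'lsass.exe'    = $sys32
    'csrss.exe'    = $sys32
    'winlogon.exe' = $sys32
    'explorer.exe' = $env:SystemRoot
}
$watchDirs = @($env:TEMP, $env:APPDATA) | Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

$findings = foreach ($p in Get-CimInstance Win32_Process) {
    $name = $p.Name.ToLower()
    $path = $p.ExecutablePath          # may be empty for protected processes if not elevated
    $reasons = @()

    # Check 1: image located under %Temp% or %AppData%
    if ($path -and ($watchDirs | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
        $reasons += 'runs from Temp/AppData'
    }
    # Check 2: genuine system name, but loaded from the wrong folder
    if ($path -and $expectedDir.ContainsKey($name) -and
        (Split-Path $path -Parent) -ne $expectedDir[$name]) {
        $reasons += 'system process name outside its normal folder'
    }
    # Check 3: near-miss of a system name, e.g. svchost32.exe
    foreach ($real in $expectedDir.Keys) {
        $stem = [IO.Path]::GetFileNameWithoutExtension($real)
        if ($name -ne $real -and $name -like "*$stem*") {
            $reasons += "name resembles $real"
        }
    }
    if ($reasons) {
        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Path    = $path
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Many legitimate per-user applications also run from %AppData%, so treat each row as a lead to look up, not as a verdict. Run it from an elevated prompt so the paths of protected processes are visible.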

Preparing for Removal: Safe Mode

Before removing malware, boot into Safe Mode. Safe Mode starts Windows with only a minimal set of drivers and services, which prevents malware from running and defending itself during removal.

Quick steps:

  1. Open Settings → System → Recovery
  2. Under “Advanced startup,” click Restart now
  3. Select Troubleshoot → Advanced options → Startup Settings → Restart
  4. Press 5 or F5 for “Enable Safe Mode with Networking”

I always start malware removal in Safe Mode. Think of it like trying to remove a bee’s nest—you want the bees calm and inactive, not defensive and swarming.

The 3-Step Removal Process

Step 1: Windows Defender Offline Scan

Start with Windows Defender Offline Scan—it’s built-in, free, and catches about 70% of infections in my experience.

Steps:

  1. Open Windows Security → Virus & threat protection
  2. Scroll to Scan options → Select Microsoft Defender Offline scan
  3. Click Scan now
  4. Your PC restarts, scans for 15-30 minutes, removes threats automatically

Why this works: It runs before Windows fully loads, so malware can’t defend itself. Don’t stop here though—we need a second opinion.

Step 2: Malwarebytes Free

Here’s the thing: no single tool catches everything. That’s why I always follow up with Malwarebytes. Different detection engine, different threats caught—especially adware and browser hijackers.

Steps:

  1. Go to malwarebytes.com → Download the free version
  2. Install and launch Malwarebytes
  3. Click Scan (takes 20-60 minutes)
  4. Review detections and click Quarantine
  5. Restart when prompted

What you’ll see:

  • Malware/Trojans: Always remove
  • PUPs (Potentially Unwanted Programs): Review, but usually safe to remove
  • Adware: Safe to remove (just annoying)

The free version is completely sufficient for malware removal—I use it on client systems all the time. Think of it like getting a second medical opinion: different doctors (tools) sometimes spot different issues.

Read our complete Malwarebytes review to learn more about free vs. paid features and how it compares to other security tools.

Step 3: AdwCleaner for Browser Hijackers

If your browser is still acting strange—homepage changed, weird search engine, toolbars—use AdwCleaner. It’s specialized for browser-based threats.

Steps:

  1. Go to malwarebytes.com/adwcleaner (free)
  2. Download and run (no installation needed)
  3. Click Scan Now → Review detections → Click Clean & Repair
  4. Restart when prompted

I use AdwCleaner when clients report browser issues. It’s laser-focused on this category of threats—think of it as the specialist you call in for specific problems.

Manual Cleanup Steps

Automated tools handle most threats, but check these areas for remnants:

1. Uninstall Suspicious Programs

Open Settings → Apps → Installed apps. Sort by install date and look for unfamiliar programs like “PC Optimizer,” “Search Protect,” or anything with generic names you didn’t install. Uninstall them.

My approach: If you don’t recognize it and didn’t intentionally install it, it shouldn’t be there.

2. Remove Browser Extensions

Chrome/Edge: Three-dot menu → Extensions → Manage extensions → Remove unfamiliar ones

Firefox: Menu → Add-ons and themes → Remove suspicious extensions

3. Reset Browser Settings

Chrome/Edge: Settings → Reset settings → Restore settings to their original defaults

Firefox: Help → More troubleshooting information → Refresh Firefox

This keeps your passwords and bookmarks but clears extensions and homepage changes. I reset browsers on every malware removal job—think of it like deep cleaning after guests leave.

4. Check Startup Programs

Open Task Manager (Ctrl + Shift + Esc) → Startup apps tab. Disable unfamiliar programs or items pointing to temporary folders.

If malware keeps coming back, check Task Scheduler (Win + R → taskschd.msc) for suspicious scheduled tasks reinstalling components. Look for tasks with random names or running from %Temp% folders.
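
The startup and Task Scheduler review above can be done in one pass from PowerShell. This is an added example, not part of the original article; the path pattern used for flagging is an assumption based on the folders the guide names.

```powershell
# Added example (not from the original article): autostart entries and scheduled
# tasks that launch from Temp/AppData. The path pattern is an assumption.
$pattern = '\\(Temp|AppData)\\|%temp%|%appdata%|%localappdata%'

# Startup apps: Run keys and Startup folders
$startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{
        Source   = 'Startup'
        Name     = $_.Name
        Location = $_.Location
        Command  = $_.Command
        Flagged  = [bool]($_.Command -match $pattern)
    }
}

# Scheduled tasks: keep anything flagged, plus every task outside \Microsoft\
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "start a program" actions carry Execute; COM handler actions do not
        if (-not $action.Execute) { continue }
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $flagged = [bool]($cmd -match $pattern)
        if ($flagged -or $task.TaskPath -notlike '\Microsoft\*') {
            [pscustomobject]@{
                Source   = 'Task'
                Name     = $task.TaskName
                Location = $task.TaskPath
                Command  = $cmd
                Flagged  = $flagged
            }
        }
    }
}

# Flagged rows first; unflagged rows are still worth a read for unfamiliar names
@($startup; $tasks) | Where-Object { $_ } |
    Sort-Object Flagged -Descending |
    Format-Table Flagged, Source, Name, Location, Command -AutoSize -Wrap
```

The script only reports. Disable or remove an entry through Task Manager or Task Scheduler after confirming you do not recognize it.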

Verify Malware Removal

Restart in normal mode and verify the malware is gone:

  1. Run Windows Security Quick scan
  2. Run Malwarebytes scan again
  3. Check if symptoms resolved

Signs you’re clean:

  • No new detections
  • Performance back to normal
  • Browser behaving normally
  • Windows Defender and Update working properly

My success criteria: Multiple clean scans, normal performance for 3+ days, no symptoms return. If malware persists after thorough removal, a clean Windows reinstall is the most reliable solution.

Prevention: Avoiding Future Infections

Here’s the thing: removing malware is the hard part, but preventing it is actually easier.

Keep Everything Updated

Most infections I see happen through outdated software. Enable automatic updates:

  • Windows: Settings → Windows Update → turn on automatic updates
  • Browsers: Auto-update by default—don’t disable this

Configure Windows Defender Properly

Open Windows Security → Virus & threat protection → Ensure these are ON:

  • Real-time Protection
  • Cloud-delivered protection
  • Tamper protection

For comprehensive setup instructions, see our guide on how to properly configure Windows Defender for maximum protection. I’ve seen Windows Defender block the same threats paid antivirus catches when configured correctly. It’s free, built-in, and effective.
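
To confirm the three settings from PowerShell, the Defender cmdlets expose each one. This is an added example, not part of the original article; the exclusion listing goes beyond the guide's three settings and is included as an assumption about what is worth reviewing.

```powershell
# Added example (not from the original article): verify the Defender settings above.
function Test-DefenderBaseline {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $prefs  = Get-MpPreference -ErrorAction Stop
    } catch {
        # Service unreachable: consistent with "Defender disabled and won't turn back on"
        return [pscustomobject]@{
            Setting = 'Defender service'; Ok = $false; Detail = $_.Exception.Message
        }
    }

    $settings = [ordered]@{
        'Real-time protection'       = $status.RealTimeProtectionEnabled
        'Cloud-delivered protection' = ($prefs.MAPSReporting -ne 0)   # 0 = disabled
        'Tamper protection'          = $status.IsTamperProtected
    }
    foreach ($name in $settings.Keys) {
        [pscustomobject]@{ Setting = $name; Ok = [bool]$settings[$name]; Detail = '' }
    }

    # Beyond the guide's list (assumption: exclusions you did not create are worth
    # reviewing, because excluded paths are skipped by scans).
    foreach ($path in @($prefs.ExclusionPath) | Where-Object { $_ }) {
        [pscustomobject]@{ Setting = 'Exclusion path'; Ok = $false; Detail = $path }
    }
}

Test-DefenderBaseline | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window; without administrator rights the exclusion list is not readable.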

Practice Safe Browsing

Key rules:

  • Don’t click suspicious email links
  • Download only from official sources (not third-party sites)
  • Avoid pirated software (frequently bundled with malware)
  • Don’t download “PC optimizer” or “driver updater” tools (usually malware)
  • Read installer prompts—decline bundled software

For detailed guidance on staying safe online, see our safe browsing practices guide. Here’s my security philosophy: You don’t need perfect security habits. You just need consistent basic security. These measures prevent 95% of infections.

When to Reinstall Windows

If malware persists after following this entire guide, a clean reinstall is the most reliable solution.

Steps: Back up files → Settings → System → Recovery → Reset this PC → Choose “Remove everything”

This is the nuclear option—guaranteed malware removal. If you’ve spent hours fighting persistent malware, starting fresh is often faster.

Conclusion

Malware removal is systematic work—not scary, just methodical:

  1. Boot to Safe Mode to prevent malware from running
  2. Run Defender Offline Scan (70% success rate)
  3. Follow up with Malwarebytes Free (catches what Defender misses)
  4. Use AdwCleaner for browser threats
  5. Manual cleanup: Remove suspicious programs, browser extensions, reset browsers
  6. Verify: Run follow-up scans, monitor for 3 days

Most infections are removable with free tools and patience. The key is thoroughness—complete each step and verify your work.

Remember: prevention is your best defense. The 30 minutes you spend configuring security properly prevents hours of malware cleanup later.

For prevention strategies and comprehensive security approaches, see our Windows Security Guide covering antivirus configuration, privacy controls, and safe browsing practices.


Frequently Asked Questions

How do I know if I actually have malware or just a slow PC?

Malware has specific symptoms beyond general slowness: antivirus won’t turn on, browser homepage changed without permission, pop-ups when browser is closed, unfamiliar processes using high CPU, search redirects. If you’re experiencing just slowness without these symptoms, it’s likely not malware—try basic maintenance first.

Do I need to boot into Safe Mode to remove malware?

Safe Mode is highly recommended for stubborn infections because it prevents malware from running and defending itself during removal. However, Windows Defender Offline Scan runs before Windows loads (similar protection), and Malwarebytes works effectively in normal mode too. Use Safe Mode if malware persists after initial removal attempts or if it prevents you from running security tools normally.

How long does a full malware scan take?

Windows Defender Offline Scan takes 15-30 minutes. Malwarebytes takes 20-60 minutes for a full scan. Full Windows Defender scans can take 1-4 hours depending on your drive size and file count. Quick scans typically complete in 5-15 minutes but only check common infection locations. For thorough removal, plan for 2-3 hours total to run multiple scans with different tools.

Is Windows Defender enough, or do I need Malwarebytes too?

Windows Defender alone provides solid protection, but no single tool catches everything. Malwarebytes uses different detection engines and excels at catching adware, browser hijackers, and potentially unwanted programs that Defender might miss. For removal, use both—they complement each other. For prevention, Defender is sufficient if properly configured, but Malwarebytes Premium adds extra web protection layers.

Should I disconnect from the internet during malware removal?

Yes, disconnect from the internet (or enable airplane mode) before starting removal if possible. This prevents malware from downloading additional payloads, communicating with command servers, stealing data, or spreading to other networked devices. Reconnect only after completing initial scans. Note: You’ll need “Safe Mode with Networking” if downloading tools during removal.

Is the free version of Malwarebytes enough for malware removal?

Absolutely. I use Malwarebytes Free on client systems all the time. The paid version adds real-time protection (prevents future infections), but for one-time cleanup of existing infections, free works perfectly. The scanning and removal capabilities are identical between free and paid versions.

Will resetting my browser delete my saved passwords and bookmarks?

No. Browser reset keeps passwords and bookmarks but removes extensions and resets homepage/search settings. That said, use a password manager to back up your passwords—don’t rely solely on browser-saved credentials. Always export bookmarks as an extra precaution before major troubleshooting.

What if malware keeps coming back after I remove it?

Check Task Scheduler (taskschd.msc) for suspicious scheduled tasks reinstalling it—look for tasks running from %Temp% folders. Run Malwarebytes again in Safe Mode. Check startup programs in Task Manager. If it persists after thorough removal following this entire guide, a clean Windows reinstall is the most reliable solution.

Can malware steal my passwords and credit card information?

Some malware (keyloggers, spyware) steals credentials. If infected, change passwords AFTER removing malware—not before. If you change passwords while malware is active, you’re just giving it your new passwords. Clean first, then update credentials starting with email and banking, and monitor bank accounts for suspicious activity.

How is ransomware different from regular malware removal?

Ransomware encrypts your files and demands payment, making removal more complex. While you can remove the ransomware program itself using these same tools, that won’t decrypt your files—you need backups or specialized decryption tools (if available). Never pay the ransom. For ransomware, focus on removal, then restore from backups. Prevention (regular backups to offline/cloud storage) is critical because file recovery isn’t guaranteed.

Should I pay for professional malware removal services?

For most home infections, no—this guide plus free tools handles it. Consider professional help only for ransomware, business systems, suspected financial data theft, or after multiple failed removal attempts. Your money is better spent on prevention than removal services.

Mike Torres

Security Specialist

Mike's background in cybersecurity gives him a unique perspective on keeping Windows PCs safe. After years of consulting with businesses on threat protection, he now focuses on helping everyday users understand security without the fear-mongering. Mike believes security doesn't have to be complicated—just consistent.
