
Remove Malware and Viruses from Windows 11 (Complete Removal Guide)

Infected Windows 11 PC? This guide covers how to identify malware, remove it safely with Windows Security and Malwarebytes, and lock down your system against reinfection.
Windows Security's Full Scan and Offline Scan are the two most reliable built-in tools for removing malware on Windows 11.

If you suspect malware on Windows 11: disconnect from the internet, boot into Safe Mode, then run a Full Scan in Windows Security (Settings → Privacy & security → Windows Security → Virus & threat protection). If the infection persists, run Microsoft Defender Offline Scan, which scans before Windows loads and catches threats that hide during normal use. For stubborn infections, follow up with Malwarebytes as a second-opinion scanner.

Problem Summary

A Windows 11 PC showing slowdowns, unexpected pop-ups, browser redirects, or disabled security tools is likely infected with malware. Removal requires isolating the system first, then running layered scans — built-in, offline, and third-party — to catch threats that single-tool scans miss. Skipping the isolation step lets malware continue communicating with its control server during cleanup.

Signs of a Malware Infection

Performance symptoms:

  • Sudden slowdowns — Apps take longer to open, the system feels sluggish overall.
  • Frequent crashes — Repeated application crashes or a Blue Screen of Death.
  • High resource usage — Task Manager shows unexplained high CPU or disk usage from background processes.

Security and system anomalies:

  • Pop-up ads with browser closed — A strong indicator of adware running in the background.
  • Browser redirects — Your homepage or search engine changes without your action, or pages redirect to unfamiliar sites.
  • Disabled security tools — Windows Defender becomes unresponsive or won't turn on.
  • Ransomware messages — Demands for payment to unlock files.
  • Unauthorized account activity — Logins or changes you didn't make.

Severity reference:

  • High CPU/disk usage — Moderate severity
  • Frequent browser redirects — High severity
  • Disabled antivirus — Critical severity
  • Ransomware alerts — Critical severity

How Malware Gets In

Common infection paths:

  • Phishing emails — Urgent-sounding messages with malicious attachments. Opening the attachment installs the payload.
  • Fake software updates — Pop-ups disguised as legitimate update prompts that install malware instead.
  • Infected USB drives — Malware that spreads automatically when a drive is connected.
  • Unpatched systems — Outdated Windows installations with known, exploitable vulnerabilities.
  • Pirated software — Cracked programs frequently ship with hidden backdoors that bypass security checks.
  • Unsafe websites — Drive-by downloads that install malware without a click.

Risk and prevention reference:

  • Phishing emails → Risk: credential theft → Prevention: verify the sender before opening attachments
  • Pirated software → Risk: system backdoors → Prevention: use officially licensed software
  • Outdated patches → Risk: exploited vulnerabilities → Prevention: enable automatic updates
  • Unsafe websites → Risk: drive-by downloads → Prevention: use browser security features

Before You Start

Requirements:

  • Administrator access to the affected PC
  • An external drive or cloud storage account for backup
  • 60+ minutes of uninterrupted time for a full scan

⚠️ Do not skip the backup step — some malware damages files during removal.
⚠️ Stay disconnected from the network until the infection is confirmed removed.
⚠️ Do not reconnect to the internet mid-scan unless required for update downloads.

Step 1 — Back Up Your Data

Why it works: Backing up before removal protects your files if the cleanup process damages or removes infected files that were also storing personal data.

  1. Copy documents, photos, and critical files to an external hard drive or cloud storage
  2. Avoid backing up executable files (.exe) or unknown files from the infected period
  3. Disconnect the external drive once the backup completes, to prevent it from being infected during scanning

Expected result: Your personal files are safe regardless of what the scan finds or removes.

Step 2 — Disconnect from the Network

Why it works: Most malware communicates with a remote command-and-control server for instructions or to download additional payloads. Disconnecting cuts that communication and stops the infection from spreading or worsening during cleanup.

  1. Turn off Wi-Fi, or unplug the Ethernet cable
  2. Keep the PC offline until you've completed the scans below
💡 Expected result: The malware is isolated and can't receive new instructions or pull in more malicious files.

Step 3 — Boot into Safe Mode

Why it works: Safe Mode loads only essential Windows drivers and services. Most malware needs additional drivers or startup services to run — in Safe Mode, it stays inactive, making it easier to detect and remove.

  1. Open Settings → System → Recovery
  2. Under Advanced startup, click Restart now
  3. After restart, select Troubleshoot → Advanced options → Startup Settings
  4. Click Restart, then press 4 or F4 to boot into Safe Mode
💡 Expected result: Windows starts with a minimal set of drivers and services, preventing most malware from launching.

Step 4 — Run a Full Scan in Windows Security

Why it works: A Full Scan checks every file and running program on the drive, not just common infection locations. It is Microsoft's most thorough built-in scan.

  1. Open Windows Security → Virus & threat protection
  2. Confirm Real-time protection is on
  3. Click Protection updates and install the latest definitions
  4. Go to Scan options → select Full scan → click Scan now
  5. Let the scan run uninterrupted

Scan type comparison:

  • Quick Scan — checks common infection locations only, takes 5–10 minutes
  • Full Scan — checks the entire system, takes 60+ minutes
  • Custom Scan — checks specific folders you select, time varies

💡 Expected result: Windows Security lists detected threats with options to remove, quarantine, or allow each one. Choose Remove for anything flagged as malicious.

Step 5 — Run Microsoft Defender Offline Scan

Why it works: Rootkits and other persistent malware can hide from scans that run while Windows is loaded. The Offline Scan runs before Windows boots, when the malware is inactive and cannot hide or interfere with detection.

  1. Open Windows Security → Virus & threat protection → Scan options
  2. Select Microsoft Defender Offline scan → click Scan now
  3. The PC restarts into a special scanning environment
  4. Wait for the scan to complete — the PC will restart again into Windows automatically
  5. Check Protection history for the results
💡 Expected result: Any rootkit-level or hidden threats missed by the standard scan are now detected and removed.

Step 6 — Remove Suspicious Programs and Reset Your Browser

Why it works: Malware frequently installs companion adware or browser hijackers that survive antivirus removal because they're technically registered as legitimate programs or extensions. Manual removal closes this gap.

Remove unknown programs:

  1. Go to Settings → Apps → Installed apps
  2. Look for anything installed around the time symptoms started, or anything you don't recognize
  3. Click the three-dot menu next to it → Uninstall
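
To narrow the Installed apps list to entries dated near the start of the symptoms, the uninstall registry keys can be queried from PowerShell. This is an added example, not part of the original guide; the function name Get-AppInstalledNear and the sample date are assumptions, and it covers classic desktop installers only.

```powershell
# Added example: list classic desktop apps whose recorded install date falls
# near the day symptoms began. Get-AppInstalledNear is a hypothetical name.
function Get-AppInstalledNear {
    param(
        [Parameter(Mandatory)][datetime]$SymptomStart,
        [int]$WindowDays = 14,
        [switch]$IncludeUndated     # many entries record no InstallDate at all
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as a yyyyMMdd string when it is present.
            $date  = [datetime]::MinValue
            $known = [datetime]::TryParseExact(
                [string]$_.InstallDate, 'yyyyMMdd',
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$date)

            $near = $known -and
                [math]::Abs(($date - $SymptomStart.Date).TotalDays) -le $WindowDays
            # Undated entries are only shown on request so they are not silently lost.
            if ($near -or ($IncludeUndated -and -not $known)) {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Publisher = $_.Publisher
                    Installed = if ($known) { $date } else { $null }
                    Uninstall = $_.UninstallString
                }
            }
        } | Sort-Object Installed, Name
}

# Constructed sample date: symptoms first noticed on 2 March 2025.
Get-AppInstalledNear -SymptomStart '2025-03-02' -WindowDays 7 |
    Format-Table Name, Publisher, Installed -AutoSize
```

Add -IncludeUndated to also see entries with no recorded install date, which still need a manual look.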

Reset your browser:

  1. Open your browser's settings menu → find Reset settings
  2. Review installed extensions and remove any you didn't add yourself
  3. Clear cache and cookies
  4. Confirm your default search engine and homepage are set correctly
💡 Expected result: Unwanted programs are removed and the browser no longer redirects or shows injected ads.

Step 7 — Run a Second-Opinion Scan with Malwarebytes

Why it works: No single scanner catches everything. Malwarebytes uses different detection signatures than Windows Defender and frequently catches adware and trojan remnants left behind after the primary cleanup.

  1. Download Malwarebytes from the official site
  2. Install and run a full scan
  3. Quarantine or remove anything flagged
💡 Expected result: Any remaining adware, PUPs (potentially unwanted programs), or trojan leftovers are identified and removed.

Step 8 — Run the Microsoft Safety Scanner (Optional Verification)

Why it works: This is a portable, no-install tool using the same detection engine as Windows Security, but it specifically targets active infections that may have evaded the first scan.

  1. Download the latest version from the official Microsoft website
  2. Run it directly — no installation required
  3. Let it complete a full scan
💡 Expected result: Confirms whether any active threats remain after your primary cleanup.

Managing Startup Items and Background Processes

Why this matters: Many malware variants set themselves to launch automatically at startup so they survive a reboot. Disabling these prevents reinfection after cleanup.

Review startup apps:

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Go to the Startup apps tab
  3. Look for anything with no publisher listed or an unfamiliar name
  4. Right-click → Disable
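
The "no publisher listed" check can be made explicit by reading each startup entry's Authenticode signature. This is an added example, not part of the original guide; Get-StartupSignatureReport is a hypothetical name, and it covers only the Run keys and Startup folders that Win32_StartupCommand reports, not scheduled tasks or services.

```powershell
# Added example: report auto-start entries and whether each binary carries a
# valid Authenticode signature. Get-StartupSignatureReport is a hypothetical name.
function Get-StartupSignatureReport {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$_.Command)

        # Extract the executable from the command line: a quoted path first,
        # otherwise everything up to the first ".exe".
        $path = $null
        if ($cmd -match '^\s*"([^"]+)"') { $path = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)\b') { $path = $Matches[1] }

        $status    = 'PathNotResolved'   # e.g. Startup-folder shortcuts, bare names
        $publisher = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) {
                $publisher = $sig.SignerCertificate.Subject
            }
        }

        [pscustomobject]@{
            Name      = $_.Name
            User      = $_.User
            Location  = $_.Location                # Run key or Startup folder
            Path      = $path
            Signature = $status
            Publisher = $publisher
            Review    = ($status -ne 'Valid')      # unsigned or unresolved: inspect by hand
        }
    }
}

# Entries that need a manual look are sorted to the top.
Get-StartupSignatureReport |
    Sort-Object Review -Descending |
    Format-Table Name, Signature, Publisher, Location -AutoSize -Wrap
```

A Review value of True marks an entry to inspect, not a confirmed threat; legitimate tools are sometimes unsigned.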

Check running processes:

  1. In Task Manager, go to the Processes tab
  2. Sort by CPU or Memory usage
  3. Right-click anything suspicious → End task

Tool reference:

  • Task Manager — controls startup items, prevents persistent threats from auto-launching
  • Resource Monitor — analyzes process behavior, helps identify hidden activity
  • Third-party scanners — provide deep detection and automated removal as a backup layer

Verification

After completing all steps, confirm the system is clean:

  1. Run a second Full Scan in Windows Security — it should report no threats found
  2. Check Windows Security → Protection history for a clean recent scan log
  3. Open Task Manager and confirm no unfamiliar high-resource processes are running
  4. Browse normally for 24 hours and confirm no pop-ups, redirects, or crashes occur
  5. Reconnect to the network only after these checks pass
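
Checks 1 and 2 can be read from Defender's PowerShell module instead of the Windows Security window. This is an added example, not part of the original guide; Test-DefenderClean is a hypothetical name, and it must be run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of verification checks 1 and 2.
# Test-DefenderClean is a hypothetical name; the cmdlets are Defender's own.
function Test-DefenderClean {
    param([switch]$RunFullScan)

    if ($RunFullScan) {
        # Same Full Scan as Step 4; blocks until it finishes (60+ minutes).
        Start-MpScan -ScanType FullScan
    }

    $status  = Get-MpComputerStatus
    $since   = $status.FullScanStartTime      # empty if no full scan is on record
    $scanned = $null -ne $since

    # Protection history entries first seen during or after the last full scan.
    $recent = @(Get-MpThreatDetection |
        Where-Object { $scanned -and $_.InitialDetectionTime -ge $since })

    # Threats Defender still reports as active on this machine.
    $active = @(Get-MpThreat | Where-Object { $_.IsActive })

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastFullScanStart  = $since
        LastFullScanEnd    = $status.FullScanEndTime
        NewDetections      = $recent.Count
        ActiveThreats      = $active.Count
        # Clean only if a full scan exists, protection is on, and nothing was found.
        Clean              = $scanned -and $status.RealTimeProtectionEnabled -and
                             $recent.Count -eq 0 -and $active.Count -eq 0
    }
}

# Read the existing results; add -RunFullScan to launch the second Full Scan first.
Test-DefenderClean | Format-List
```

The Step 5 offline scan has its own cmdlet, Start-MpWDOScan, which restarts the PC immediately when run.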

Preventing Reinfection

Enable Controlled Folder Access — Windows Security → Virus & threat protection → Ransomware protection. This blocks unauthorized changes to your files from ransomware.

Keep Windows Update automatic — Security patches close the vulnerabilities malware exploits to gain entry.

Avoid pirated software — Cracked software is one of the most common backdoor sources.

Verify links and attachments before opening — Especially in unsolicited or urgent-sounding emails.

Install only from official sources — Use the Microsoft Store or verified publisher websites, not third-party download aggregators.

Run periodic scans — A monthly Quick Scan catches new threats early, before they escalate.

When to Get Professional Help

If symptoms persist after completing every step above, or if you're dealing with active ransomware encrypting files, stop attempting removal yourself. Further scanning can sometimes trigger destructive payloads in advanced ransomware. At this point, a professional malware removal service can recover data safely and confirm complete removal.

Frequently Asked Questions

How can I remove malware from Windows 11 without losing my personal files?

Back up your important files to an external drive or cloud storage before starting any removal steps. Then run a Full Scan in Windows Security, followed by a Microsoft Defender Offline Scan for stubborn infections. Backing up first protects your data even if the malware has already affected some files.

What are the warning signs that my Windows 11 PC needs an urgent virus scan?

Watch for sudden slowdowns, frequent crashes, high CPU or disk usage without explanation, pop-up ads appearing with the browser closed, unexpected browser redirects, a disabled antivirus, or unauthorized account activity. Any of these signs warrants an immediate Full Scan.

Why is Safe Mode recommended during malware removal?

Safe Mode loads only essential Windows drivers and services. Most malware requires additional drivers or startup services to execute, so it stays inactive in Safe Mode. This makes detection and removal significantly more reliable.

What are the best tools for removing malware on Windows 11?

Windows Security (Microsoft Defender) provides strong native protection and should be the first tool used. Malwarebytes is effective as a second-opinion scanner for adware and trojans that Defender misses. The Microsoft Safety Scanner is useful as a final, no-install verification pass.

How do I prevent malware from reinfecting my PC?

Keep Windows Update set to automatic, enable Controlled Folder Access for ransomware protection, avoid pirated software, verify email links and attachments before opening them, and install software only from official sources like the Microsoft Store.

What should I do if my browser has been hijacked by a malicious extension?

Open your browser's settings and review installed extensions, removing anything you didn't add yourself. Reset the browser to default settings to clear hijacked search engines, then clear your cache and cookies to remove tracking scripts.

When should I contact a professional virus removal service?

If symptoms persist after running Windows Security, Microsoft Defender Offline Scan, and Malwarebytes, or if you're facing an active ransomware attack, stop further removal attempts and contact a professional service. Continued scanning during an active ransomware infection can sometimes trigger destructive payloads.
