
How to Remove Malware From Your Computer (Step-by-Step 2026 Guide)

Step-by-step guide to remove malware from Windows or Mac in 2026. Disconnect, scan in Safe Mode, clean, recover — written by a GCED endpoint security engineer.

Last updated · April 25, 2026 · By Kenji Watanabe (Endpoint Security Engineer)
12 min read · 3,557 words

Quick answer: To remove malware from a Windows or Mac computer, follow seven steps in order: confirm the symptoms, disconnect from the network, boot into Safe Mode, run a full antivirus scan plus a second-opinion scanner, manually remove suspicious browser extensions and startup entries, recover or restore affected files, then rotate passwords and harden the system before reconnecting. According to AV-TEST's January 2026 cleanup test across 18 products, top-tier engines achieved 99-100% remediation when used in Safe Mode versus 85-92% in normal mode — the procedure matters as much as the product. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and NIST SP 800-83 Rev. 1 both recommend this layered isolate-scan-recover sequence.

Last updated: April 25, 2026 — Reviewed by Kenji Watanabe (GCED)

Quick Answer / TL;DR

  • Disconnect first. Pulling the network cable or turning off Wi-Fi stops most ongoing damage and prevents further data exfiltration.
  • Use Safe Mode for scanning. It loads the minimum drivers and services, which prevents most malware from running and lets your antivirus see what is normally hidden.
  • Run two scanners, not one. Your real-time engine plus a second-opinion scanner (Malwarebytes, HitmanPro, ESET Online Scanner) catches what a single product misses.
  • Never pay ransomware. The FBI, CISA and Europol all advise against it. Check the No More Ransom project for free decryptors first.
  • Reinstall when in doubt. A clean install from official Microsoft or Apple media is the only fully reliable removal for advanced threats.

This guide walks through each step in detail, with the warnings and gotchas I have collected over a decade of running endpoint cleanup for consumer and small-business networks.

Before You Start: Identify, Don't Guess

The most common mistake I see is people running a scan, getting a clean result, and assuming nothing is wrong — or running a scan, getting a junk detection, and panic-deleting things they need. Spend ten minutes confirming you actually have an infection.

Step 1: Confirm the Symptoms

Real malware leaves multiple, consistent fingerprints. Look for at least two of these before treating it as confirmed infection:

  • Unexpected resource usage. Open Task Manager (Ctrl-Shift-Esc on Windows) or Activity Monitor (Cmd-Space → "Activity Monitor" on Mac). Watch CPU, memory, disk, and network with the system idle for 60 seconds. A sustained 30%+ baseline on any of these without a known cause is suspicious.
  • Browser hijacking. New homepage, new default search engine, new toolbar or extensions you did not install, redirects to unfamiliar domains.
  • Pop-ups or ransom notes. Unexpected dialogs, especially those that try to prevent themselves from being closed, full-screen takeovers, or files renamed with extensions like .locked, .encrypted, .crypto.
  • Disabled security tools. Windows Security Center reporting "managed by your administrator" when you are the administrator; Defender quietly turned off; a previously installed antivirus missing.
  • Outbound network traffic. Open Resource Monitor → Network tab on Windows, or nettop in macOS Terminal. Unknown processes connecting to foreign IPs.
  • Account anomalies. Unread emails marked as read, sent items you did not send, password change notifications, new logins from unfamiliar locations.

A single slow afternoon is not malware. A pattern of two or more of the above is. Note what you saw — you will need this for the cleanup phase.

Warning: Do not run any unknown "scanner" downloaded from a pop-up. Pop-up "Your computer is infected, click here to clean!" prompts are themselves malware. Only use scanners from vendors you already trust or were independently recommended.
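As an added example (not the guide's own code), the following Python script does the "outbound network traffic" check from the list above programmatically: it parses the output of `netstat -ano` (a standard Windows tool the guide does not name) and keeps only established TCP sessions whose peer is outside your own LAN, so you can look the owning PID up in Task Manager. It assumes the stock `netstat -ano` column layout; on non-Windows systems it runs against the constructed sample embedded in the script.

```python
# Added example (not from the original guide): triage Windows `netstat -ano`
# output, keeping ESTABLISHED TCP sessions to peers outside your own LAN.
import ipaddress
import platform
import subprocess

# RFC 1918 and IPv6 ULA ranges: peers here are your own network, not "foreign".
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_netstat(text: str) -> list[dict]:
    """Parse `netstat -ano` rows. UDP rows carry no State column, so the PID
    is always the last field; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": f[0], "local": f[1], "remote": f[2],
                     "state": f[3] if len(f) == 5 else "-", "pid": int(f[-1])})
    return rows

def is_foreign(addr: str) -> bool:
    """True if addr ("host:port", IPv6 as "[host]:port") is outside the LAN."""
    host = addr.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*:*" and other non-address placeholders
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in _LAN_NETS)

def foreign_connections(rows: list[dict]) -> list[dict]:
    """Established TCP sessions to non-LAN peers, sorted by PID for lookup."""
    hits = [r for r in rows if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and is_foreign(r["remote"])]
    return sorted(hits, key=lambda r: r["pid"])

# Constructed sample output (not captured from a real machine); 203.0.113.0/24
# is a documentation range standing in for an unknown Internet peer.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     1234
  TCP    192.168.1.20:52011     192.168.1.1:443        ESTABLISHED     4321
  TCP    192.168.1.20:52012     203.0.113.45:8080      ESTABLISHED     6660
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    1100
"""

if __name__ == "__main__":
    out = (subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
           if platform.system() == "Windows" else SAMPLE)
    for r in foreign_connections(parse_netstat(out)):
        print(f"PID {r['pid']:>6}  {r['local']:<22} -> {r['remote']}")
```

A hit is a lead, not a verdict: a browser or an update service talking to the Internet is normal, so match each PID to its process and signer before deciding anything.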

Step 2: Disconnect From the Network Immediately

Unplug Ethernet, turn off Wi-Fi, disable Bluetooth. Do this before anything else. The reasons:

  • Stops data exfiltration. Most modern malware phones home; cutting the network ends the leak.
  • Prevents lateral movement. Worms and ransomware spread to other devices on the same network. Containing the infection to one machine matters.
  • Stops command-and-control. Disconnects the malware from the attacker's server, so any "kill switch" or "delete evidence" command cannot be sent.

Do not rely on airplane mode alone if the computer has a cellular modem; pull the SIM if you have to. For laptops, the simplest approach is to physically disable the wireless adapter via the keyboard switch or unplug the Ethernet cable.

If the malware is ransomware actively encrypting files, you also want to power down — do not just hibernate. Hold the power button until the machine forcibly shuts down. You will lose anything unsaved, but you stop the encryption process from finishing the rest of your data.

Step 3: Boot Into Safe Mode

Safe Mode loads the operating system with the minimum drivers and services. Most malware does not survive into Safe Mode because the auto-start mechanisms it uses (registry Run keys, Windows services, scheduled tasks) are not loaded. This makes scanning dramatically more effective.

Windows 11: Hold Shift while clicking Restart from the Start menu, then go to Troubleshoot → Advanced options → Startup Settings → Restart, and press 4 (Safe Mode) or 5 (Safe Mode with Networking). If you can boot to the lock screen but not the desktop, the same option exists from the lock-screen power menu.

macOS (Apple Silicon): Shut down. Hold the power button until "Loading startup options" appears. Select your startup disk, then hold Shift and click "Continue in Safe Mode." For Intel Macs, restart and hold Shift until the Apple logo appears.

If you need to download a scanner, choose Safe Mode with Networking. Otherwise, Safe Mode without networking is safer because it prevents any lingering callback. The trade-off: you will need to download tools onto a separate clean device first and transfer them via USB stick.

Step 4: Run a Full Antivirus Scan in Safe Mode

Whatever real-time antivirus you currently use (Microsoft Defender on Windows, XProtect plus a third-party tool on Mac), update its definitions if you have networking, then run a full system scan — not a quick scan. Full scans walk every file on every drive; on a modern SSD this typically takes 15-45 minutes.

If your installed antivirus has been disabled or compromised by the malware, install a fresh one from a USB stick prepared on a clean machine. Microsoft Safety Scanner is a free, offline, single-use Microsoft tool useful as a backup. For Mac, Malwarebytes for Mac and Bitdefender Virus Scanner for Mac (free) are widely used.

Record the detection results carefully, including the file paths reported; you will want to verify those files are gone in the post-scan check.

Step 5: Run a Second-Opinion Scanner

No single scanner catches everything. AV-Comparatives' Malware Protection tests routinely show 1-3 percentage point gaps between top products on the same sample set, and the samples each product misses are not the same ones. A second scanner with a different engine catches what the first one misses.

Recommended free or trial second-opinion scanners:

Tool                              | Engine            | Platform     | Notes
Malwarebytes Free                 | Proprietary + ML  | Windows, Mac | Strong on PUPs and adware; on-demand only
ESET Online Scanner               | ESET NOD32        | Windows      | Browser-launched, no install
HitmanPro                         | Cloud-aggregated  | Windows      | Multi-engine cloud lookup, 30-day free
Microsoft Safety Scanner          | Defender engine   | Windows      | Single-use, official Microsoft offline tool
Bitdefender Virus Scanner for Mac | Bitdefender       | Mac          | Free, on-demand
Kaspersky Virus Removal Tool      | Kaspersky         | Windows      | Not for U.S. users due to BIS restrictions

Run one of these immediately after your primary scan completes. If both report the system clean, you have reasonable (not absolute) confidence. If the second tool finds something the first missed, repeat the cycle until two consecutive scans return zero detections.

Warning: Do not pay any ransomware demand. The FBI, CISA, and Europol uniformly advise against payment. According to multiple 2024-2025 industry reports, roughly 30% of paying victims never receive a working decryptor; payment also marks you as a willing target for re-attack and funds the criminal ecosystem. Visit No More Ransom before doing anything else — they maintain free decryptors for over 160 ransomware families. If your strain is not yet decryptable, preserve the encrypted files (back them up offline) in case a key becomes public later, then restore from an offline backup or accept data loss.

Step 6: Manually Remove Persistence and Browser Hijacks

Even after scanners run clean, malware often leaves footholds that scanners do not flag because they are technically "configurations" rather than executable threats. Walk through each of the following:

Browser cleanup (every browser you use):

  1. Open extensions and remove anything you did not install yourself or do not actively use. Be ruthless; legitimate extensions can be reinstalled in seconds.
  2. Reset the homepage and default search engine to known values.
  3. Clear browsing data: cookies, cached files, autofill, and stored passwords (you will rotate those next anyway).
  4. If the browser still misbehaves, use its "Restore settings to original defaults" option (Chrome → Settings → Reset; Edge → Settings → Reset settings; Firefox → Help → More troubleshooting → Refresh Firefox; Safari → Develop menu → Empty Caches, plus resetting privacy data).

Startup and scheduled tasks (Windows):

  1. Task Manager → Startup tab. Disable anything you do not recognize.
  2. Run msconfig → Services tab → check "Hide all Microsoft services" → review the rest.
  3. Run Task Scheduler (taskschd.msc) and review Active Tasks for unfamiliar entries.
  4. Run regedit and check HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for suspicious values. Only do this if you are comfortable with the registry; one wrong delete can break Windows.

LaunchAgents and LaunchDaemons (Mac):

  1. Check ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons for plist files you do not recognize.
  2. Check System Settings → General → Login Items and Background Processes.
  3. Tools like KnockKnock (free, Objective-See) automate this review.
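As an added example (not the guide's own code, nor a tool it names), this Python script automates part of the Windows and Mac review above: it reads the HKCU and HKLM Run keys on Windows, or the per-user LaunchAgents plists on macOS, and applies a few heuristics (program launched from Temp or Users\Public, a script host or shell as the program, an encoded command line, RunAtLoad combined with KeepAlive) that are my own assumptions about what deserves a second look, not signatures. A flag means "inspect this entry", not "delete it".

```python
# Added example, not the guide's own code: triage auto-start entries from Step 6.
import platform
import plistlib
import re
import shlex
from pathlib import Path

# Dirs legit installers rarely launch from; script hosts/shells rare in consumer auto-start.
_ODD_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "/tmp/", "/private/tmp/", "/users/shared/")
_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "cmd.exe", "osascript", "bash", "sh"}

def triage_command(command: str) -> list[str]:
    """Reasons an auto-start command deserves a closer look (empty list = none)."""
    try:                       # non-POSIX mode keeps Windows backslashes intact
        argv = shlex.split(command, posix=False)
    except ValueError:         # unbalanced quotes: fall back to a plain split
        argv = command.split()
    exe = argv[0].strip('"').lower() if argv else ""
    reasons = []
    if any(d in exe for d in _ODD_DIRS):
        reasons.append(f"runs from a temp or user-writable directory: {exe}")
    if re.split(r"[\\/]", exe)[-1] in _HOSTS:
        reasons.append("script host or interpreter launched at startup")
    if re.search(r"\s-(e|enc|encodedcommand)\s", command, re.I) or "base64" in command.lower():
        reasons.append("encoded or base64 payload on the command line")
    return reasons

def triage_plist(data: bytes) -> tuple[str, list[str]]:
    """Triage one LaunchAgent/LaunchDaemon plist via its Program/ProgramArguments."""
    p = plistlib.loads(data)
    cmd = " ".join(p.get("ProgramArguments") or [p.get("Program", "")])
    reasons = triage_command(cmd)
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunches itself if killed")
    return p.get("Label", "?"), reasons

def windows_run_entries() -> list[tuple[str, str]]:
    import winreg   # Windows-only: (name, command) for each HKCU/HKLM Run value
    out, sub = [], r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, sub) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):
                name, value, _ = winreg.EnumValue(k, i)
                out.append((name, str(value)))
    return out

# Constructed Run-key value (not from a real machine) that the heuristics flag.
SAMPLE_RUN = r'"C:\Users\Public\upd.exe" --silent'
if __name__ == "__main__":
    if platform.system() == "Windows":
        for name, cmd in windows_run_entries():
            print(name, cmd, triage_command(cmd) or "ok")
    elif platform.system() == "Darwin":   # per-user agents; repeat for /Library/*
        for f in Path("~/Library/LaunchAgents").expanduser().glob("*.plist"):
            print(f, *triage_plist(f.read_bytes()))
```

On other platforms nothing is scanned; `triage_command(SAMPLE_RUN)` shows what a flagged entry looks like, and the HKLM key needs an elevated prompt to read on some builds.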

Step 7: Recover Files and Restore the System

If files were encrypted by ransomware:

  1. Check No More Ransom for a free decryptor matching your strain.
  2. If a backup exists (offline, untouched by the malware), restore from it after the system is clean.
  3. Volume Shadow Copy on Windows occasionally survives ransomware that did not specifically delete it; check via vssadmin list shadows from an admin command prompt.
  4. macOS Time Machine backups stored on a disconnected drive are typically safe.

If files were deleted or corrupted, recovery options include the OS-native Recycle Bin / Trash, file-history backups, and tools like Recuva or PhotoRec for forensic recovery — but these work better the less you have written to the disk since the deletion.

When the cleanup leaves the system in a questionable state — strange performance, lingering symptoms, or simply too much uncertainty — a clean reinstall is the only path that resets the trust boundary. On Windows, use the official Media Creation Tool to make a Windows 11 install USB and choose "Custom: Install Windows only" with all partitions deleted. On Mac, hold Cmd-R at boot to enter Recovery, erase the drive, and reinstall from the Apple servers (Internet Recovery). Do not restore from a backup taken after the infection started — that may bring the malware back.

Step 8: Rotate Passwords and Harden Before Reconnecting

Assume any credentials saved on the infected machine are compromised. Once the system is clean (or you are working from a known-clean replacement device), rotate passwords on:

  • Email accounts (highest priority — these reset other accounts)
  • Banking and financial services
  • Cloud storage (Google, Microsoft 365, iCloud, Dropbox)
  • Password managers (change the master password from a clean device)
  • Social media
  • Any work accounts

Enable multi-factor authentication everywhere it is offered, preferring authenticator apps or hardware keys over SMS. Review recent account activity and authorized devices on every important service; revoke any sessions you do not recognize.

Before reconnecting the cleaned device to your network, check that:

  • The operating system is fully patched (Windows Update, macOS Software Update).
  • All browsers are updated to current versions.
  • Real-time antivirus is enabled and definitions current.
  • The router's firmware is current and the admin password is not the default — most home routers, including the one I am writing this from, ship with predictable default credentials that are themselves an infection vector.

What If None of This Works?

A small fraction of infections survive everything described above. Indicators that you are in this territory:

  • Symptoms reappear after a clean install from official media.
  • Multiple devices on the network show similar behavior, even after individual cleanup.
  • Network traffic to suspicious destinations continues from a fresh OS install.
  • Hardware behavior is unusual (BIOS settings change unexpectedly, the fan never stops, boot times are erratic).

In these cases, the malware is firmware-resident (UEFI/BIOS rootkit), the router or another network device is compromised, or there is an active attacker with persistent access. Disconnect everything, consult a professional incident response service, and consider whether the device hardware needs to be replaced. CISA's Stop Ransomware portal includes a directory of resources for individual victims.

Verification: How to Confirm You Are Actually Clean

After cleanup, run this one-week verification protocol:

Day     | Check                                                   | Pass criteria
Day 1   | Two consecutive full scans (primary + second-opinion)   | Both return zero detections
Day 2-3 | Resource Monitor / Activity Monitor for 30 minutes idle | No unexplained CPU, network, or disk activity
Day 4   | All browsers: extensions, homepage, search engine       | All match expected configuration
Day 5   | Account activity reviews on email and banking           | No unrecognized logins
Day 7   | Repeat both scans                                       | Both return zero detections

If any of these fail, return to Step 1 and re-run the cleanup. If multiple cycles fail, escalate to a clean reinstall.

The Bottom Line

Removing malware reliably is a procedure, not a button. Disconnect, isolate, scan in Safe Mode with two engines, manually clean persistence, recover or reinstall, rotate credentials, then verify. Skipping any step is how reinfections happen — I have walked into too many cases where the user "ran a scan" and assumed the job was done while the actual rootkit slept through the scan undisturbed.

For prevention going forward — the goal is to make Step 1 something you never need again — read How does antivirus work? to understand which detection layers actually stop modern threats, then check our best antivirus ranking for products tested against current malware in independent labs.

FAQs

How do I know if my computer actually has malware? Reliable signs include unexpected CPU or disk activity when idle, browser redirects to unfamiliar pages, new toolbars or extensions you didn't install, ransomware notes, disabled security tools, or outbound network traffic to unknown IPs visible in Resource Monitor or Activity Monitor. A single sluggish moment is not enough; look for at least two indicators before assuming infection.

Should I pay if my files are encrypted by ransomware? No. The U.S. CISA, FBI, and Europol all advise against paying ransomware demands. Payment funds further attacks, marks you as a willing target, and roughly 30% of paying victims never receive a working decryptor according to multiple 2024-2025 industry reports. Disconnect the device, preserve evidence, and consult the No More Ransom project for free decryptors.

Can Windows Defender remove malware on its own? For mainstream commodity malware on a recent Windows 11 build, often yes — especially when combined with the Microsoft Safety Scanner offline tool. For sophisticated rootkits, fileless malware, or persistent infections that have already disabled Defender, you typically need a second-opinion scanner like Malwarebytes or an offline rescue disk run from external media.

How long does a full malware removal take? A clean removal of common malware typically takes 90 minutes to 4 hours: 10-30 minutes to isolate and identify, 30-90 minutes for full Safe Mode scans, plus 30-60 minutes for cleanup, browser reset, password rotation, and verification. Persistent rootkits or full reinstalls extend that to half a day or more.

Will reinstalling Windows or macOS guarantee removal? A clean install from official media (not a recovery partition that may itself be infected) removes virtually all known malware, including rootkits. Firmware-level malware survives reinstalls in rare cases — Intel ME or UEFI compromise — but these affect a tiny fraction of consumer systems. For 99% of infections, a wipe-and-reinstall is the most reliable end state.

Should I run two antivirus programs at once? Not as real-time scanners — they will conflict and slow the system. The safe pattern is one real-time engine (Defender, Bitdefender, etc.) plus one on-demand scanner like Malwarebytes or HitmanPro for second-opinion scans. Most security teams treat this layered approach as standard practice, and NIST SP 800-83 recommends the same.
