Guide
How to remove malware: where to start
The confusion
Something is wrong with the machine. You searched for how to fix it and found three guides giving different first steps: one says run your existing antivirus immediately, one says boot into safe mode first, one says download a specific removal tool before doing anything else. They can't all be right.
You're not sure how serious it is. The machine is behaving strangely — but you don't know if that means a minor adware infection, something actively stealing data, or ransomware that hasn't fully activated yet. The urgency of the situation depends on that difference, and nothing you've read has helped you figure out which it is.
The right first step depends on what type of infection is present. A browser hijacker, system-level malware, active ransomware, and a rootkit each require a different approach — and treating one like another wastes time at best, makes the situation worse at worst.
What most people assume
Most people assume running their existing antivirus scan will catch and remove whatever is there. If the antivirus already missed it during real-time protection, a standard scan on the same engine with the same definitions often misses it again. Active infections sometimes disable or interfere with the installed antivirus specifically to prevent this. A secondary scanner — something not already on the machine — often catches what the primary missed.
Most people assume 'quarantined' means the problem is solved. Quarantine is containment — the file is moved and blocked from executing. It's not removal, and on its own it doesn't address persistence mechanisms (registry entries, scheduled tasks, browser extensions) that reinstall the malware after the quarantined file is deleted. A clean scan result on one engine doesn't mean the machine is clean.
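The persistence locations this paragraph names can be listed before and after a cleanup to confirm nothing is still set to relaunch. The following read-only PowerShell audit is an added example, not a tool from this guide; it assumes Windows 10/11 with PowerShell 5.1 or later, an elevated prompt, and default Chrome/Edge profile paths.

```powershell
# Read-only persistence audit (added example, not from the guide): lists registry
# autostart entries, non-Microsoft scheduled tasks, browser extensions and the
# Defender state so the operator can compare the output before and after cleanup.
# Assumes Windows 10/11, PowerShell 5.1+, elevated prompt, default browser profiles.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Registry autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        "{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value
    }
}

Write-Host "`n== Scheduled tasks outside the \Microsoft\ folder =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {   # one line per action: what runs and with what arguments
        "{0}{1} [{2}]`n    {3} {4}" -f $task.TaskPath, $task.TaskName, $task.State, $a.Execute, $a.Arguments
    }
}

Write-Host "`n== Browser extensions (Chrome/Edge default profile) =="
$extRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
foreach ($root in $extRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        # Each extension id folder holds one or more version folders with a manifest.json
        $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
        if ($manifest) {
            $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
            "{0}  {1} v{2}" -f $_.Name, $m.name, $m.version   # name may be a __MSG_ key
        }
    }
}

Write-Host "`n== Defender status (empty if the Defender module is unavailable) =="
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

Entries that reappear after a cleanup, or a Defender status that flips back to disabled, point at a persistence mechanism the quarantine did not address.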
Most people assume the machine will return to its previous state after removal. Removal removes the malware — it doesn't undo what the malware already did. Changed browser settings need to be reset manually. Credentials accessed before removal are still compromised. Files encrypted by ransomware before you discovered the infection aren't recovered by removing the ransomware. The machine can be clean and the damage still present.
What's actually true
For the most common infections — browser hijackers, adware, PUPs (potentially unwanted programs) — Malwarebytes Free run in safe mode handles the majority of cases. Safe mode prevents most malware from loading, which makes it possible to scan and remove what wouldn't be removable while the system is running normally. A browser reset (settings → restore defaults) handles most browser-level changes.
Deeper infections — anything that disabled your security tools, anything that changed how Windows boots, anything that appeared alongside encrypted files — require different tools and, in some cases, a different decision about whether to attempt DIY removal at all. The severity of the infection determines the appropriate response, not a single checklist.
Where you might be
If the main symptom is browser redirects, unexpected search engines, or ads appearing where they shouldn't — this is typically a browser hijacker or adware. Malwarebytes Free in safe mode followed by a browser extension audit and browser reset covers most of these cases.
See the full cleanup path for browser-level infections →
If the machine is noticeably slow, processes you don't recognize are running, or CPU usage is unusually high — this may be a PUP, cryptominer, or backdoor. Safe mode scan with a secondary scanner (Malwarebytes if it wasn't your primary AV) is the starting point.
See whether this slowdown is malware or something else →
If you're seeing files renamed with an unfamiliar extension, a ransom note on the desktop, or a lockscreen demanding payment — this is ransomware. Stop using the machine. Disconnect it from the network immediately. The cleanup path for ransomware is different from standard malware removal.
See the ransomware response path →
If your security tools won't run, Windows Defender has been disabled without you doing it, or the machine won't boot normally — this is a deeper infection, potentially a rootkit. Attempting standard removal from within the compromised system is unlikely to work. This is outside routine DIY territory.
See the decision guide for severe infections →
What no tool solves
Removing malware doesn't restore files that were encrypted without a working backup. Ransomware decryptors exist for some strains but not all, and they're not guaranteed. If files are encrypted and there's no backup, recovery may not be possible regardless of what tool is used.
Credentials accessed or stolen before discovery are still compromised after the malware is removed. A clean machine doesn't mean accounts accessed during the infection are safe — passwords used on the machine during the infection period should be changed from a different, known-clean device.
Some infections are designed to survive standard removal and reinstall themselves from a persistent mechanism. If the same symptoms return after a thorough cleanup, or if the infection appears to be in system processes, remote professional assistance is the more reliable path forward.
© 2026 Softplorer