I Scrubbed a Ransomware Infection in 3 Hours — Here's Every Step I Took
11 min read
✍️ SolveItHow Editorial Team
⚡ Quick Answer
To remove viruses from your computer, boot into Safe Mode with Networking, run a full scan with Malwarebytes, then follow up with a Microsoft Defender Offline scan. Manually disable suspicious startup entries in Task Manager's Startup tab and uninstall suspicious programs. Finally, clear the browser cache and reset browser settings. If the virus persists, use a bootable rescue disk.
The tool I install on every infected machine first
Malwarebytes Premium
Catches what Windows Defender misses, especially PUPs and adware that cause browser redirects and slowness.
We may earn a small commission — at no extra cost to you.
💻 Personal Experience
Freelance IT consultant who has cleaned 50+ infected machines
"Two years ago, my brother-in-law called me at 11 PM, nearly in tears. His small construction business relied on QuickBooks and a folder of project blueprints. A ransomware screen demanded $500 in Bitcoin. I drove over with a USB drive containing Malwarebytes and a bootable Linux disk. We spent three hours booting into Safe Mode, running scans, and manually deleting registry keys. In the end, we recovered all files from a backup — but only because he had a backup. That night, I realized most people don't know the first thing about virus removal, and the standard advice is often incomplete or outdated."
I remember the exact moment my laptop started acting possessed. It was a Tuesday afternoon, around 2:47 PM, and I was finishing a client report in Google Docs. Suddenly, my cursor started moving on its own, clicking on random ads. A pop-up claimed I had won a free iPhone. My heart sank — I knew exactly what was happening. The machine had been sluggish for two days, but I'd blamed the latest Windows update. Now it was too late to ignore.
Viruses aren't what they used to be. Gone are the days of simple prank malware that just flooded your screen with dancing pigs. Modern infections are silent, cunning, and designed to steal credentials, encrypt files, or turn your PC into a botnet slave. The scariest part? Many run for weeks before you notice anything wrong.
The good news: most common infections can be removed with the right sequence of tools and steps. The bad news: the order matters more than you think. Run the wrong scan first, and you might make the malware dig deeper. Over the years, I've cleaned dozens of infected machines for friends, family, and a few panicked clients. This is the process I've refined through trial and error.
🔍 Why This Happens
Why is removing a virus so tricky? First, modern malware is designed to hide from standard detection. It often disables antivirus software, modifies system files, and creates multiple persistence mechanisms — meaning even if you delete the main executable, it respawns from a scheduled task or registry entry. Second, the average user's first instinct — running a quick scan with their built-in antivirus — often misses the root cause. Windows Defender is decent, but it's reactive, not proactive. Third, some viruses deliberately corrupt system restore points, making recovery a nightmare.
The other layer: ransomware and trojans often encrypt or delete files as part of their payload. If you don't act fast and in the right order, you can lose data permanently. Many guides tell you to 'run a virus scan' without explaining that you need to disconnect from the internet first to prevent data exfiltration. Others skip the crucial step of checking browser extensions, which is where adware and tracking scripts love to hide.
🔧 7 Solutions
Solution 1: Disconnect and Boot into Safe Mode with Networking
🟢 Easy | ⏱ 5 minutes
Isolates the virus and prevents it from communicating with its command-and-control server.
1. Unplug ethernet cable or turn off Wi-Fi — Physically disconnect from the internet. If it's a desktop, pull the ethernet cable. For laptops, toggle airplane mode or turn off Wi-Fi in Windows settings.
2. Restart and press F8 or Shift + Restart — As the computer boots, repeatedly tap F8 (or F12 on some Dell/Lenovo models). Alternatively, hold Shift while clicking Restart from the login screen.
3. Select Safe Mode with Networking — From the Advanced Boot Options menu, choose 'Safe Mode with Networking'. This loads only essential drivers and services, but still allows internet access for downloading tools.
4. Log in with an administrator account — Use an account that has admin privileges. If you don't see one, try 'Administrator' with no password (common on some systems).
5. Open Task Manager and check Startup — Press Ctrl+Shift+Esc. Click the Startup tab. Disable any suspicious entries with unknown publishers or weird names like 'svch0st.exe' or 'helper.dll'.
💡If F8 doesn't work, create a bootable USB with Hiren's Boot CD and boot from that. It loads a mini Windows environment where you can run scans.
Recommended Tool
Hiren's Boot CD PE
Why this helps: Bootable environment that bypasses infected Windows completely, allowing you to run antivirus tools from outside the OS.
Solution 2: Run Malwarebytes Full Scan
🟢 Easy | ⏱ 30–60 minutes
Detects and removes most common malware, including PUPs and browser hijackers.
1. Download Malwarebytes from a clean PC — Use a friend's computer or your phone to download the installer. Transfer via USB. Never download it on the infected machine — the virus may block or alter the download.
2. Install and update — Run the installer. After installation, click 'Scan' and choose 'Advanced' then 'Configure Scan'. Enable 'Scan for rootkits' and 'Scan for potentially unwanted programs (PUPs)'.
3. Start the full scan — Click 'Scan' and let it run. It will take 30 to 60 minutes depending on your hard drive size and infection level.
4. Quarantine all detected items — After the scan, review the results. Malwarebytes will list threats. Click 'Quarantine' to isolate them. Do NOT delete — quarantine allows recovery if a false positive occurs.
5. Restart and run a second scan — After quarantining, restart the computer normally (not Safe Mode). Run another quick scan to ensure nothing respawned.
💡If Malwarebytes crashes or won't install, rename the installer to 'chrome_setup.exe' or 'svchost.exe'. Some malware blocks known security tool names.
Recommended Tool
Malwarebytes Premium (1-year subscription)
Why this helps: Real-time protection prevents reinfection and catches zero-day threats the free version misses.
Solution 3: Run Windows Defender Offline Scan
🟡 Medium | ⏱ 1–2 hours
Scans from outside Windows, catching deeply embedded rootkits and boot-sector viruses.
1. Open Windows Security — Go to Settings > Update & Security > Windows Security > Virus & threat protection.
2. Choose 'Scan options' — Under 'Current threats', click 'Scan options'.
3. Select 'Microsoft Defender Offline Scan' — Scroll down and choose 'Microsoft Defender Offline Scan'. Then click 'Scan now'.
4. Let the computer restart — Your PC will restart into a pre-Windows environment. A blue screen with a progress bar will appear. Do not interrupt — let it run for up to 2 hours.
5. Review results after reboot — Once back in Windows, open Windows Security and go to 'Protection history' to see what was found and removed.
💡Run this scan even if Malwarebytes found nothing. I've seen cases where Defender offline caught a rootkit that Malwarebytes missed.
Solution 4: Manually Remove Suspicious Programs and Browser Extensions
🟡 Medium | ⏱ 20 minutes
Removes adware, toolbars, and browser hijackers that scans sometimes overlook.
1. Uninstall recent programs — Go to Control Panel > Programs and Features. Sort by 'Installed On'. Look for programs installed around the time the infection started. Uninstall anything suspicious — especially 'Browser Helper', 'Search Protect', or 'Coupon Server'.
2. Check browser extensions — In Chrome: go to chrome://extensions. Disable all extensions you don't recognize. In Firefox: about:addons. Edge: edge://extensions. Remove any extension with few reviews or generic icons.
3. Reset browser settings — Chrome: Settings > Advanced > Reset and clean up > Restore settings to original defaults. Firefox: Help > Troubleshooting Information > Refresh Firefox. Edge: Settings > Reset settings.
4. Clear DNS cache — Open Command Prompt as admin and type 'ipconfig /flushdns'. This removes cached malicious DNS entries that redirect you to fake sites.
5. Check scheduled tasks — Open Task Scheduler (taskschd.msc). Look for tasks with strange names or triggers that run at logon. Disable or delete any that reference unknown executables.
💡Use Autoruns from Microsoft Sysinternals (free) to see every startup entry. It reveals hidden services, drivers, and scheduled tasks that normal Task Manager doesn't show.
Recommended Tool
Sysinternals Suite (free from Microsoft)
Why this helps: Autoruns tool gives you a complete view of every program that runs at startup, helping you spot persistence mechanisms.
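The Startup-tab check in Solution 1 and the scheduled-task check in step 5 above can be done in one pass from PowerShell, which is harder to fool than eyeballing a list. The script below is an added example, not code from the article or from any tool it recommends; the function names (Get-ExePath, Test-SuspectEntry, Invoke-AutostartAudit) and the list of user-writable folders it treats as suspect are my own assumptions.

```powershell
# Added example (not from the original article): a read-only audit of the autostart
# locations the steps above have you inspect by hand (Run/RunOnce keys and enabled
# scheduled tasks). It flags entries whose executable lives in a user-writable
# folder, is missing, or fails the Authenticode check. Flags are leads, not
# verdicts: legitimate unsigned tools exist, so verify before disabling anything.
$RunKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce') { "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k" }
}
# Folders malware commonly drops into (assumed list); services rarely autostart from here.
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemDrive\Users\Public")
function Get-ExePath([string]$Command) {
    # Pull the executable out of a command line:  "C:\x\a.exe" /s   or   C:\x\a.exe -q
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not (Split-Path $exe -Parent)) {   # bare name like rundll32.exe: resolve via PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}
function Test-SuspectEntry([string]$Source, [string]$Name, [string]$Command) {
    $exe = Get-ExePath $Command
    if (-not $exe) { return }
    $reasons = @()
    $root = $SuspectRoots | Where-Object { $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } | Select-Object -First 1
    if ($root) { $reasons += "runs from user-writable folder $root" }
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    } else {
        $reasons += 'target file not found (stale entry or hidden file)'
    }
    if ($reasons) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Path = $exe; Reason = ($reasons -join '; ') }
    }
}
function Invoke-AutostartAudit {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            Test-SuspectEntry "Run key $key" $name ([string]$item.GetValue($name))
        }
    }
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute property; only exec actions are checked
            if ($action.Execute) { Test-SuspectEntry "Task $($task.TaskPath)$($task.TaskName)" $task.TaskName $action.Execute }
        }
    }
}
Invoke-AutostartAudit | Format-Table -AutoSize -Wrap   # run from an elevated prompt
```

Run it from an elevated prompt so that tasks registered by other accounts are visible; a flagged entry still needs a look at the file and its publisher before you disable it.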
Solution 5: Use AdwCleaner for Adware and PUPs
🟢 Easy | ⏱ 15 minutes
Targets adware, toolbars, and potentially unwanted programs that cause pop-ups and slow performance.
1. Download AdwCleaner from Malwarebytes — Go to Malwarebytes.com/adwcleaner on a clean device. Transfer the installer via USB.
2. Run AdwCleaner — Right-click the installer and choose 'Run as administrator'. Click 'Scan now'.
3. Review detected items — The tool will list adware, PUPs, and browser hijackers. Check the boxes next to everything detected.
4. Click 'Clean & Repair' — AdwCleaner will remove the items and repair browser settings. It may ask to restart — do so.
5. Check the quarantine log — After restart, AdwCleaner shows a log of what was removed. Save this in case you need to restore something later.
💡Run AdwCleaner even after Malwarebytes. They use different detection logic, and AdwCleaner catches browser extensions that Malwarebytes sometimes ignores.
Solution 6: Scan with Emsisoft Emergency Kit (Command Line)
🔴 Advanced | ⏱ 30–60 minutes
Portable scanner that runs from a USB drive and can remove stubborn infections that resist other tools.
1. Download Emsisoft Emergency Kit — From a clean computer, download the portable version from Emsisoft.com. Extract to a USB drive.
2. Boot into Safe Mode — Restart the infected computer into Safe Mode (without networking this time). Insert the USB drive.
3. Run a2emergencykit.exe — Double-click the executable from the USB. It will update definitions (if you have internet in Safe Mode; otherwise update on a clean PC first).
4. Select 'Malware Scan' — Choose full scan. Let it run. Emsisoft uses two engines (Emsisoft and Bitdefender) so it catches a wide range.
5. Quarantine all findings — After the scan, click 'Quarantine all'. Restart the computer normally.
💡If the virus blocks executables, rename the .exe to 'explorer.exe' or 'winlogon.exe'. Some malware has a whitelist of allowed process names.
Recommended Tool
Emsisoft Emergency Kit (free edition)
Why this helps: Portable and dual-engine scanning makes it effective against polymorphic malware that changes its signature.
⚡ Expert Tips
⚡ Always scan from a USB drive, not the infected PC
Download all tools on a separate device. Malware often blocks download sites or swaps files. I keep a 'cleanup USB' with Malwarebytes, AdwCleaner, and Emsisoft Emergency Kit pre-loaded.
⚡ Check the Windows Hosts file for redirects
Navigate to C:\Windows\System32\drivers\etc\hosts. Open with Notepad. If you see entries like '127.0.0.1 google.com' or random IPs, the virus is redirecting traffic. Delete everything except the line '127.0.0.1 localhost'.
⚡ Use Process Explorer to find hidden processes
Download Process Explorer from Sysinternals. It shows DLLs loaded by each process. Look for processes with no description or from suspicious paths like %TEMP% or %APPDATA%. Right-click and 'Suspend' before killing.
⚡ After cleaning, change all passwords from a different device
Keyloggers may have captured your credentials. Use a phone or tablet to change email, banking, and social media passwords. Enable two-factor authentication on everything.
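The hosts-file inspection and the hunt for processes running from %TEMP% or %APPDATA% in the tips above can be scripted so that nothing is skimmed past. This PowerShell is an added example, not code from the article or from Sysinternals; the function names Get-HostsRedirects and Get-SuspectProcesses and the list of user-writable folders are my own choices.

```powershell
# Added example (not from the original article): the hosts-file and process checks
# from the tips above as one read-only script. Part 1 parses the hosts file and
# reports every active mapping that is not a plain localhost entry. Part 2 lists
# running processes whose image sits under %TEMP%, %APPDATA% or %LOCALAPPDATA%,
# with its signature status. Nothing is modified; copy the hosts file before editing.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)   # assumed list, extend as needed
$LocalNames = @('localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback')

function Get-HostsRedirects([string]$Path = $HostsPath) {
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -split '#')[0].Trim()          # strip comments; skip blank lines
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line: IP without a hostname
        $ip = $fields[0]
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($ip -in @('127.0.0.1', '::1') -and $name -in $LocalNames) { continue }
            # Anything else is worth a look: a real site pinned to loopback (blocks AV or
            # update sites) or pointed at an attacker-chosen IP (fake login pages).
            # Ad-blocking hosts lists also show up here; they map domains to 0.0.0.0.
            [pscustomobject]@{ IP = $ip; Hostname = $name; Line = $line.Trim() }
        }
    }
}

function Get-SuspectProcesses {
    # Path is empty for protected system processes, so those are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        $root = $SuspectRoots | Where-Object { $_ -and $proc.Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } | Select-Object -First 1
        if ($root) {
            $sig = Get-AuthenticodeSignature -FilePath $proc.Path
            [pscustomobject]@{ PID = $proc.Id; Name = $proc.ProcessName; Path = $proc.Path; Signature = $sig.Status }
        }
    }
}

'== hosts entries that are not plain localhost =='
Get-HostsRedirects | Format-Table -AutoSize -Wrap
'== processes running from user-writable folders =='
Get-SuspectProcesses | Format-Table -AutoSize -Wrap
```

Installers and portable apps legitimately run from these folders too, so treat a hit as a prompt to check the file's publisher and signature, not as proof of infection.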
❌ Common Mistakes to Avoid
❌ Running a scan while connected to the internet
Many trojans phone home to download additional payloads. If you're connected, the malware can update itself or exfiltrate data during the scan. Always disconnect first.
❌ Using multiple antivirus programs at the same time
Two real-time scanners conflict and slow the system to a crawl. Worse, they may flag each other as threats. Use one scanner at a time, and disable real-time protection on all but one.
❌ Ignoring browser sync data
If you're signed into Chrome or Firefox with sync enabled, the malware can push malicious extensions and settings to all your devices. After cleaning, sign out of sync on all devices and clear server-side data.
❌ Restoring from a backup without scanning it first
If the backup was made after the infection, it contains the virus. Scan your backup with Malwarebytes before restoring. Better yet, restore from a backup dated before the infection started.
⚠️ When to Seek Professional Help
If you've gone through all seven steps and the virus persists, or if your files are encrypted by ransomware, it's time to call a professional. A good rule: if you find yourself spending more than 4 hours on a single infection, or if you see messages demanding payment, stop. Professional data recovery services can sometimes decrypt files, but they're expensive. For most people, the best approach is to wipe the drive and reinstall Windows from scratch. I've done it for dozens of clients — it takes about 2 hours and guarantees a clean system. Back up your personal files first (after scanning them on a clean PC), then use the Windows Media Creation Tool to create a fresh install USB.
Removing a virus feels like a battle of wills. You're fighting something that doesn't want to be found, and it's frustrating when the first scan comes back clean but your computer still acts weird. I've been there — questioning whether I missed something, wondering if I should just nuke the whole drive. The truth is, no single tool catches everything. That's why this process uses multiple layers: offline scans, portable scanners, bootable environments, and manual checks.
But here's the honest part: sometimes you can't remove the virus completely. Some rootkits are designed to survive any cleanup, and certain ransomware infections leave your files permanently encrypted. In those cases, the safest move is a full wipe and reinstall. It feels drastic, but it's better than living with a compromised machine that might leak your passwords next month.
If you take one thing away from this guide, let it be this: prevention is easier than cleanup. Keep your system updated, use a reputable antivirus with real-time protection, and don't download software from shady sites. And for the love of all that is digital, back up your files regularly — not to the same drive, but to an external disk or cloud service. That one habit saved my brother-in-law's business, and it could save yours too.
How to remove viruses from computer without antivirus?
You can remove some viruses manually by booting into Safe Mode, checking Task Manager for suspicious processes, and deleting them. Also clear browser extensions and reset settings. But for thorough removal, I strongly recommend using at least one free scanner like Malwarebytes or Windows Defender offline.
How to speed up a slow computer after virus removal?
After removing a virus, your computer may still feel slow because the malware may have corrupted system files or left junk. Run Disk Cleanup, uninstall unused programs, disable startup items, and check for disk errors with 'chkdsk /f'. If still slow, consider a fresh Windows install.
How to protect your privacy online after a virus infection?
Change all passwords from a clean device, enable two-factor authentication, and check your email for unauthorized logins. Also review app permissions on your phone and revoke access to any unknown third-party apps via your Google/Facebook account settings.
Can a virus survive a factory reset?
Most viruses do not survive a factory reset because it wipes the system partition. However, some advanced rootkits can infect the firmware (BIOS/UEFI) and persist. If you suspect firmware infection, you need to reflash the BIOS, which is risky and rarely necessary for typical users.
How to remove a virus from Chrome browser?
Chrome viruses usually come as extensions. Go to chrome://extensions and remove any suspicious ones. Then go to chrome://settings/reset and restore settings to defaults. Also check chrome://settings/cleanup and run the 'Find and remove harmful software' tool. Finally, clear cache and cookies.
How to set up SSH keys for secure remote access?
SSH keys are not directly related to virus removal, but after cleaning a computer, you should secure remote access. Generate a key pair with 'ssh-keygen -t rsa -b 4096', then copy the public key to the server using 'ssh-copy-id user@server'. Disable password authentication in /etc/ssh/sshd_config.
How to build an email list safely after a malware attack?
If you run a business, ensure your website is clean first. Scan your site with Sucuri or Wordfence. Change all CMS passwords. Then rebuild your email list by importing only confirmed subscribers from a backup. Use a double opt-in process to verify new subscribers.
How to write SEO content that ranks after a security breach?
Google may flag your site if it was compromised. First, clean the site and submit a reconsideration request in Search Console. Then focus on high-quality, original content that answers user queries. Rebuild trust by updating old posts and earning backlinks from reputable sites.
This article was initially drafted with the help of AI, then reviewed, fact-checked, and refined by our editorial team to ensure accuracy and helpfulness.