How to Remove Malware in 2026: Step-by-Step Guide (Works on All Devices)
🛡️ antivirus ⏱ 12 min read Updated April 25, 2026 Beginner Friendly

Your computer is acting strangely. It is slow, something keeps redirecting your browser, or your antivirus found a threat it could not remove. This guide walks you through exactly what to do — step by step — to remove malware from Windows, Mac, Android, or iPhone in 2026. No technical knowledge required.

Malware is any software that damages your device, steals your data, or makes money for an attacker without your permission. It includes viruses, ransomware, spyware, adware, trojans, and browser hijackers. If something feels wrong with your device — it is slow, showing strange ads, redirecting your browser, or your files are suddenly encrypted — this guide will help you identify and remove it.

1. How to tell if you have malware

Malware does not always announce itself. Some types — particularly spyware and banking trojans — are designed to be invisible. Others are obvious. Here are the signs to look for:

Signs you probably have malware

  • Your computer is suddenly much slower — malware often runs in the background, consuming processor power and memory. If a fast computer becomes sluggish without explanation, this is a warning sign.
  • Your browser is redirecting to sites you did not choose — browser hijackers change your default search engine, homepage, or redirect specific searches to fake results pages filled with ads.
  • You are seeing unexpected ads — ads appearing on websites that do not normally show them, or pop-ups appearing on your desktop outside any browser window, indicate adware.
  • Your antivirus has been disabled — some malware specifically targets and disables security software as its first action. If Windows Defender turned itself off, something may have turned it off.
  • Programs are opening or closing without your input — this can indicate a remote access trojan (RAT), which gives an attacker control of your computer.
  • Your files have been renamed with a strange extension — this is ransomware. Files like photo.jpg.locked or document.docx.WNCRY have been encrypted.
  • Someone else is using your accounts — if you receive password reset emails you did not request, or friends report strange messages from your accounts, a keylogger or credential stealer may have captured your passwords.
  • Your webcam light turns on unexpectedly — this is a serious warning sign of a RAT or stalkerware with camera access.

Signs that look like malware but usually are not

  • Slowness after a Windows Update — normal. Windows updates often run background processes for several hours after installation.
  • High disk activity on a new computer — normal. Windows indexes your files after setup.
  • A single browser ad — annoying but not malware. Websites show ads. Browser malware shows ads everywhere, on every site, including sites that are normally ad-free.

2. Before you start: what to do first

Before running any malware removal tool, take these steps. They take five minutes and prevent you from losing data or making the situation worse.

  1. Disconnect from the internet. If you have malware that is actively communicating with an attacker, disconnecting cuts that connection and prevents data being sent out while you clean up. Pull the network cable or turn off Wi-Fi before starting.
  2. Back up your important files — carefully. Copy your documents, photos, and any irreplaceable files to an external drive or USB. Do this before running a removal tool. However: if you suspect ransomware, do not back up encrypted files — you will just copy the problem to your backup. Only back up files that still open normally.
  3. Write down your symptoms. Note what you noticed and when it started. This helps if you need to ask for help later, and it tells you what to check after removal to confirm the malware is gone.
  4. Do not pay ransom yet. If ransomware has encrypted your files, do not pay immediately. Read the ransomware section of this guide first — there may be free decryption tools available.
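
One way to apply the "only back up files that still open normally" rule from step 2 before copying anything, shown as an added example that is not part of the original guide. It flags names like photo.jpg.locked and files whose first bytes no longer match their extension; the extension table is a small illustrative subset, and a file that passes is not proven intact.

```python
import os
import sys

# First bytes ("magic numbers") a healthy file of each type starts with.
# Illustrative subset; extend it for the file types you care about.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"], ".xlsx": [b"PK\x03\x04"], ".pptx": [b"PK\x03\x04"],
}

def classify(path):
    """Return 'ok', 'suspect' or 'unknown' for one file."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    # photo.jpg.locked: a known document extension followed by an unfamiliar one.
    if inner_ext in MAGIC and ext not in MAGIC:
        return "suspect"
    if ext not in MAGIC:
        return "unknown"          # no signature on record, check by hand
    with open(path, "rb") as fh:
        head = fh.read(16)
    # Encrypted-in-place files keep their name but lose their header.
    if not any(head.startswith(magic) for magic in MAGIC[ext]):
        return "suspect"
    return "ok"

def triage(root):
    """Walk a folder and sort every file into ok / suspect / unknown."""
    results = {"ok": [], "suspect": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                results[classify(path)].append(path)
            except OSError:
                results["unknown"].append(path)   # unreadable: do not assume it is fine
    return results

if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for verdict in ("suspect", "unknown", "ok"):
        print(f"{verdict}: {len(report[verdict])} file(s)")
        for path in report[verdict] if verdict != "ok" else []:
            print("   ", path)
```

Back up the "ok" files, open a few "unknown" ones by hand, and leave the "suspect" ones where they are.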

3. Remove malware from Windows

Step 1: Boot into Safe Mode

Safe Mode starts Windows with only the minimum required programs. Many types of malware cannot run in Safe Mode, which makes them easier to remove.

  1. Press the Start button and click Power
  2. Hold the Shift key and click Restart
  3. On the blue screen that appears, select Troubleshoot → Advanced Options → Startup Settings → Restart
  4. When your computer restarts, press 4 or F4 to boot into Safe Mode (press 5 for Safe Mode with Networking if you need internet access for your removal tool)

Step 2: Run a dedicated malware scanner

Even if you have antivirus software installed, running a second dedicated scanner is good practice for removal. Malware sometimes disables or bypasses your existing antivirus but cannot disable a scanner it has never encountered.

The tools we recommend for Windows malware removal in 2026:

  • Bitdefender Total Security — our top-rated scanner. The free Bitdefender Virus Scanner can be downloaded separately for a one-time scan. If you want ongoing protection, Bitdefender Total Security is the most effective option available.
  • Malwarebytes Free — excellent free scanner for a second-opinion scan alongside your primary antivirus. Does not provide real-time protection in the free version, but is highly effective for manual removal scans.
  • ESET HOME Security Premium — ESET's Advanced Memory Scanner is particularly effective at detecting fileless malware that hides in system memory rather than files. Use this if standard scanners are not finding what you suspect.

Run a full system scan, not a quick scan. A full scan checks every file on your drive. It takes longer (15–45 minutes depending on your drive size) but is thorough. When the scan completes, quarantine or delete everything the scanner finds.

Step 3: Check your browser

Browser malware — hijackers and adware extensions — often survives antivirus scans because browsers have their own extension systems.

  1. Open your browser and go to Extensions or Add-ons settings
  2. Remove any extension you did not install or do not recognise
  3. Check your browser's default search engine and homepage in Settings — restore them to your preferred values if they have been changed
  4. Clear your browser cache and cookies

Step 4: Check your startup programs

Many malware types add themselves to Windows startup so they run every time you boot.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the Startup apps tab
  3. Look for programs you do not recognise, particularly anything with a generic name like svchost32, updatehelper, or random letter combinations
  4. Right-click any suspicious entry and select Disable
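
The Startup apps tab draws part of its list from the registry Run keys. This added example (not from the original guide) reads those keys with Python's winreg module on Windows and applies two checks in the spirit of step 3; the SYSTEM_NAMES list and folder markers are illustrative assumptions, and a flag means "look closer", not confirmed malware.

```python
import ntpath
import re

try:
    import winreg                      # present only on Windows
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Illustrative list of real Windows process names that malware likes to imitate.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer")
WINDOWS_DIR = ("\\windows\\", "%windir%", "%systemroot%")
# Locations any program can write to without administrator rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "%appdata%", "%localappdata%", "%temp%")

def exe_from_command(command):
    """Pull the executable path out of a startup command line."""
    command = command.strip()
    if command.startswith('"'):                  # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", command, re.I)
    return match.group(1) if match else command.split(" ")[0]

def review_entry(command):
    """Return the reasons one startup command deserves a closer look."""
    exe = exe_from_command(command).lower()
    base = ntpath.splitext(ntpath.basename(exe))[0]
    in_windows = "\\" not in exe or any(m in exe for m in WINDOWS_DIR)
    reasons = []
    for real in SYSTEM_NAMES:
        if base == real and not in_windows:
            reasons.append(f"{real}.exe running from outside the Windows folder")
        elif base != real and base.startswith(real):
            reasons.append(f"name imitates {real}.exe")       # e.g. svchost32
    if any(marker in exe for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable folder")    # common for real apps too
    return reasons

def read_run_keys():
    """List (name, command) pairs from the per-user and machine-wide Run keys."""
    entries = []
    if winreg is None:
        return entries
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for index in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _kind = winreg.EnumValue(key, index)
                    entries.append((name, str(value)))
        except OSError:
            continue
    return entries

if __name__ == "__main__":
    for name, command in read_run_keys():
        reasons = review_entry(command)
        print("REVIEW" if reasons else "ok    ", name, "->", command, reasons)
```

Startup-folder shortcuts and scheduled tasks are not covered here, so an empty result does not replace the Task Manager check.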

Step 5: Update Windows and all software

After removing malware, update Windows and every application on your computer. Malware usually enters through unpatched vulnerabilities. Updating removes the door it came through.

4. Remove malware from Mac

Macs get malware less often than Windows PCs, but they are not immune. The most common Mac threats in 2026 are adware, browser hijackers, fake software installers, and — increasingly — information stealers targeting cryptocurrency wallets and saved passwords.

Step 1: Check for suspicious applications

  1. Open Finder → Applications
  2. Look for applications you do not remember installing. Common names used by Mac adware include Advanced Mac Cleaner, Mac Cleanup Pro, MacKeeper, and many variations
  3. Drag any suspicious application to the Trash — but also check ~/Library/LaunchAgents and ~/Library/Application Support for leftover files associated with the same application name
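
To make the ~/Library/LaunchAgents check in item 3 concrete, this added example (not part of the original guide) parses each launch agent file and reports what it would start. The temp-directory and hidden-directory checks are assumptions chosen for illustration; pass the names of the apps you just deleted as removed_apps.

```python
import os
import plistlib
import re
import sys

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")

def _norm(text):
    """Lower-case and strip punctuation so 'Mac Cleanup Pro' matches com.maccleanuppro."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def review_agent(plist_path, removed_apps=()):
    """Return the reasons one launch agent definition deserves a closer look."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)                # reads XML and binary plists
    except Exception:
        return ["unreadable plist"]
    if not isinstance(job, dict):
        return ["unexpected plist structure"]
    args = job.get("ProgramArguments")
    command = [str(a) for a in args] if isinstance(args, list) else []
    if job.get("Program") and str(job["Program"]) not in command:
        command.insert(0, str(job["Program"]))
    reasons = []
    haystack = _norm(str(job.get("Label", "")) + " ".join(command))
    for app in removed_apps:
        if _norm(app) and _norm(app) in haystack:
            reasons.append(f"references removed app '{app}'")
    for arg in command:
        if not arg.startswith(("/", "~")):         # only inspect path-like arguments
            continue
        full = os.path.expanduser(arg)
        if full.startswith(TEMP_DIRS):
            reasons.append(f"runs from a temp directory: {arg}")
        if any(p.startswith(".") and p not in (".", "..") for p in full.split("/")):
            reasons.append(f"runs from a hidden directory: {arg}")
        if not os.path.exists(full):
            reasons.append(f"target missing: {arg}")   # leftover of a deleted app
    return reasons

def audit_launch_agents(directory, removed_apps=()):
    """Map each .plist file name in the directory to its list of reasons."""
    return {
        name: review_agent(os.path.join(directory, name), removed_apps)
        for name in sorted(os.listdir(directory)) if name.endswith(".plist")
    }

if __name__ == "__main__":
    folder = os.path.expanduser("~/Library/LaunchAgents")
    for name, reasons in audit_launch_agents(folder, sys.argv[1:]).items():
        print("REVIEW" if reasons else "ok    ", name, reasons)
```

An entry with no reasons is not cleared; it only means none of these particular checks fired.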

Step 2: Run a Mac malware scanner

  • Bitdefender Total Security — the Mac version of Bitdefender is one of the best available. It detects both Mac-specific threats and any Windows malware that might be passing through your Mac to infect other devices.
  • Kaspersky Premium — strong Mac application with comprehensive scanning. The Mac build received specific investment from Kaspersky in 2024 and is consistently rated highly in Mac-specific tests.
  • Apple's built-in XProtect runs automatically and does not need to be invoked manually. Running a third-party scanner is a supplement, not a replacement.

Step 3: Check browser extensions and profiles

In Safari, go to Settings → Extensions. In Chrome or Firefox on Mac, check Extensions in the browser menu. Remove anything unfamiliar. Also check for unexpected browser profiles in Chrome Settings → People → Manage People — malware sometimes creates a secondary profile to preserve its settings even after you reset the browser.

5. Remove malware from Android

Android malware most commonly arrives through apps installed outside the Google Play Store, though malicious apps have also appeared in the Play Store itself. Signs include unexpected battery drain, data usage spikes, unfamiliar apps, or phone behaviour you did not initiate.

  1. Restart your phone in Safe Mode. Press and hold the power button, then press and hold the Power off option until you see "Reboot to Safe Mode". In Safe Mode, third-party apps cannot run, which stops the malware and lets you identify it.
  2. Find the malicious app. In Safe Mode, go to Settings → Apps. Look for apps you do not recognise, apps with no icon, or apps with generic names. Sort by install date to find recently installed apps.
  3. Uninstall the suspicious app. Tap the app → Uninstall. If the Uninstall button is greyed out, the app has Device Administrator privileges. Go to Settings → Security → Device Administrators, deselect the app, then return to Apps to uninstall it.
  4. Run a mobile security scan.
    • Bitdefender Mobile Security — highest detection rate in our Android testing, with a clean interface and minimal battery impact.
    • Norton Mobile Security — includes Wi-Fi security scanning and SMS phishing detection alongside malware protection.
  5. Reset to factory settings if the problem persists. If you cannot identify or remove the malicious app, a factory reset is the most reliable solution. Go to Settings → General Management → Reset → Factory Data Reset. This removes everything — back up your photos and contacts first via Google account sync.

6. Remove malware from iPhone

True malware on a standard (non-jailbroken) iPhone is rare because Apple's iOS platform prevents apps from accessing each other's data or running in the background without permission. However, iPhones are vulnerable to phishing attacks, malicious browser redirects, calendar spam, and — on jailbroken devices — genuine malware.

  1. Restart your iPhone. A restart clears any malicious content that exists only in browser memory. Hold the side button and a volume button, then slide to power off.
  2. Clear your browser history and data. Go to Settings → Safari → Clear History and Website Data. This removes malicious scripts that may be running from cached web pages.
  3. Check for calendar spam. If you see unwanted events appearing in your Calendar app, go to Calendar → tap the suspicious calendar name at the bottom → scroll down → Delete Calendar.
  4. Review your installed apps. Scroll through your apps and delete anything you do not recognise. On iOS, apps are sandboxed — they cannot affect each other — but deleting unfamiliar apps removes potential data collection.
  5. Check for suspicious configuration profiles. Go to Settings → General → VPN & Device Management. If there is a profile you did not install, tap it and remove it. Malicious profiles can change DNS settings and intercept traffic.
  6. If your iPhone is jailbroken, remove the jailbreak. Jailbreaking removes iOS's security barriers entirely. Restoring to a non-jailbroken iOS version via iTunes or Finder removes all jailbreak-related malware.

7. What to do if ransomware has encrypted your files

Ransomware is the most serious category of malware. It encrypts your files and demands payment — typically in Bitcoin — in exchange for a decryption key. Here is the correct sequence of actions:

  1. Do not pay immediately. Payment does not guarantee you will receive a working decryption key. Approximately 40% of ransomware victims who pay do not recover their files. Payment also funds the criminal groups responsible.
  2. Identify the ransomware variant. The ransom note and encrypted file extension usually identify which ransomware you have. Visit nomoreransom.org — a free database maintained by Europol and security companies — and enter your file extension or upload a sample encrypted file. For many ransomware variants, free decryption tools exist.
  3. Do not delete the encrypted files. Even if no decryption tool exists today, researchers break new ransomware variants regularly. Keep the encrypted files — a decryption tool may become available in the future.
  4. Check your backups. If you have a backup that predates the infection, restoring from backup is the fastest recovery path. Windows 10 and 11 include a Previous Versions feature for some files. If you have a cloud backup — Norton's 50GB backup or a service like Backblaze — restore from there.
  5. Report it. In the UK, report to Action Fraud. In the US, report to the FBI's Internet Crime Complaint Center (IC3). In the EU, report to your national CERT. Reporting helps researchers track variants and may assist in recovering funds.
  6. Wipe and reinstall. After recovering what you can, wipe the affected drive and reinstall Windows or macOS from scratch. Do not restore a system backup that was made after the infection — it may contain the ransomware.

How to avoid ransomware in future

The best defence against ransomware is a combination of two things: a good antivirus with dedicated ransomware protection, and an offline or cloud backup. If your files are backed up somewhere the ransomware cannot reach, an attack becomes an inconvenience rather than a disaster.

  • Bitdefender Total Security — includes a dedicated Ransomware Remediation module that detects encryption behaviour and automatically restores affected files.
  • Kaspersky Premium — Kaspersky's anti-ransomware module stopped a live LockBit sample in under six seconds in our testing.
  • Norton 360 Deluxe — includes 50GB cloud backup that is inaccessible to ransomware running on your local machine.
  • ESET HOME Security Premium — the Ransomware Shield monitors file encryption attempts and blocks them at the process level.

8. Best malware removal tools in 2026

The antivirus you install today is your primary defence — but for a computer that is already infected, a dedicated removal scan is the right first step. Here are the tools we recommend, based on our independent testing:

  1. 🥇 Best Overall (9.1/10, Excellent)
    • Compatibility: Windows · macOS · Android · iOS
    • 30 Days Money Back Guarantee
    • Blocks 99.9% of malware
    • Only 3% CPU during scans
    • Ransomware Remediation + file recovery
    • Real-Time Protection
    • Anti-Phishing & Anti-Fraud
    • 10 Devices Covered
  2. 🥈 Expert Choice (8.8/10, Very Good)
    • Compatibility: Windows · macOS · Android · iOS · Linux
    • 30 Days Money Back Guarantee
    • Advanced Memory Scanner (fileless malware)
    • Exploit Blocker
    • Only 4% CPU during scans
    • Ransomware Shield
    • ESET SysRescue bootable tool
    • Most VB100 awards in history
  3. 🥉 Kaspersky Premium: Best Features (8.7/10, Very Good)
    • Compatibility: Windows · macOS · Android · iOS
    • 30 Days Money Back Guarantee
    • 99.9% malware detection rate
    • Stopped live ransomware in 6 seconds
    • Unlimited VPN included
    • Identity theft monitoring
    • Real-Time Protection
    • 10 Devices Covered
  4. Norton 360 Deluxe: Most Trusted (8.5/10, Very Good)
    • Compatibility: Windows · macOS · Android · iOS
    • 60 Days Money Back Guarantee
    • 30-year track record
    • 50GB cloud backup (ransomware recovery)
    • Unlimited VPN included
    • Dark Web Monitoring
    • Real-Time Protection
    • 5 Devices Covered
  5. Avira Prime: Best Value / Device (8.2/10, Very Good)
    • Compatibility: Windows · macOS · Android · iOS
    • 60 Days Money Back Guarantee
    • 99.25% malware detection rate
    • Only 6% CPU during scans
    • Unlimited devices on one plan
    • Software Updater patches vulnerable apps
    • Unlimited VPN included
    • German-built, GDPR-compliant

9. How to prevent malware in future

Removing malware is the emergency response. Prevention is the strategy. The single most important thing you can do is install one of the antivirus products above and keep it running. Beyond that, the following habits eliminate the vast majority of malware risk:

The habits that prevent most infections

  • Never open email attachments you were not expecting. The most common malware delivery method in 2026 is still a phishing email with a malicious attachment or link. If an email asks you to open a document, check a delivery, or verify your account, go directly to the website rather than clicking the link.
  • Only download software from official sources. Download applications from the developer's official website, the Microsoft Store, Mac App Store, or Google Play Store. Avoid download sites that bundle extra software with installers.
  • Keep everything updated. Windows, macOS, your browser, and all your applications. Most malware exploits known vulnerabilities that already have patches available. Avira Prime's Software Updater does this automatically.
  • Use a password manager. If one of your passwords is stolen, a password manager limits the damage to one account rather than spreading to every account that shares the same password. Every antivirus in our review includes one.
  • Enable two-factor authentication on your email, bank, and any important account. Even if an attacker steals your password, they cannot log in without the second factor.
  • Be suspicious of urgency. Malware distributors and phishing attackers create pressure — your account will be suspended, your delivery failed, you owe a fine. Legitimate organisations do not demand you act within minutes. Slow down and verify through official channels.
  • Keep a backup. An offline backup (external drive kept disconnected from your computer) or a cloud backup (like the 50GB included with Norton 360 Deluxe) means a malware attack is recoverable rather than catastrophic.

What does NOT protect you

  • A Mac does not make you immune. Mac malware is increasing year on year. In 2023 and 2024, several significant Mac-specific information stealers were discovered, including Atomic Stealer and MetaStealer.
  • Antivirus alone is not enough. Good antivirus is essential, but it does not stop you from typing your password into a phishing website. Human habits and technical protection work together.
  • Free antivirus is not worthless, but it has limits. Avira's free product uses the same engine as Avira Prime and provides genuine protection. But free products lack real-time web protection, VPN, and advanced threat layers. For most users, a paid product covering these gaps is worth the cost.

Quick reference: malware removal checklist

  • ☐ Disconnect from internet
  • ☐ Back up files that still work normally
  • ☐ Boot into Safe Mode (Windows)
  • ☐ Run a full system scan with a trusted antivirus
  • ☐ Check browser extensions — remove unfamiliar ones
  • ☐ Check startup programs — disable unfamiliar ones
  • ☐ Update Windows/macOS and all software
  • ☐ Change passwords for important accounts from a clean device
  • ☐ Enable two-factor authentication
  • ☐ Install ongoing protection to prevent reinfection

Disclosure: SaqrShield earns commissions via affiliate links. This never influences our reviews or scores.