
Last updated: July 6, 2026
Malware that keeps coming back is usually not a simple one-file infection. It may be restoring itself through a startup item, browser extension, scheduled task, malicious application, remote-access tool, cloud sync, infected backup, compromised account, or another device on the same network.
This guide explains how to remove persistent malware safely on Windows and Mac, how to avoid making the infection worse, when Safe Mode or offline scanning helps, when a full reinstall is the cleanest solution, and what account-security steps to take after the device is clean.
Important: These steps are for cleaning devices you own or are authorized to manage. If the device belongs to an employer, school, client, or organization, report the issue to the proper IT or security team before changing settings, deleting files, or resetting the system.
Quick Answer: What Should You Do First?
If malware keeps returning, do not repeatedly install random “cleaner” tools from ads or pop-ups. Start with a safe containment plan:
- Stop logging into banking, email, social media, shopping, crypto, work, and cloud accounts from the infected device.
- Disconnect the device from the internet if the infection appears active, spreading, stealing data, or encrypting files.
- Use a clean device to download official security tools, change important passwords, and research instructions.
- Back up only personal files you need, not programs, cracks, installers, scripts, browser profiles, or suspicious archives.
- Run updated security scans and, on Windows, consider Microsoft Defender Offline or another trusted offline scan.
- Remove the persistence point: startup item, extension, scheduled task, remote-access tool, malicious app, DNS change, or infected sync source.
- If the infection keeps returning, perform a clean reset or reinstall from official media.
| Situation | Best first action | Why it matters |
|---|---|---|
| Pop-ups, redirects, fake virus alerts | Clean browsers, extensions, notifications, and installed apps | Often caused by adware, notification abuse, or browser hijackers |
| Malware returns after reboot | Check startup items, scheduled tasks, services, login items, and LaunchAgents | The infection may have a persistence mechanism |
| Accounts are sending messages by themselves | Use a clean device to change passwords and revoke sessions | The malware may have stolen credentials or sessions |
| Security tools are disabled | Use Safe Mode or offline scanning | Active malware may interfere with cleanup |
| Files are being encrypted | Disconnect immediately and preserve evidence | Ransomware can spread and destroy recovery options |
| Remote-control software appeared | Disconnect and remove remote-access permissions | A scammer may still control the device |
| Malware returns after restore | Inspect backups and cloud sync before restoring again | The backup may contain the source of reinfection |
| Multiple cleanup attempts fail | Clean reinstall from official media | Some infections cannot be trusted after partial removal |
Why Malware Keeps Coming Back

When a virus, adware, spyware, browser hijacker, or trojan reappears after removal, one of these causes is often involved:
- A startup item reloads it. Malware may launch when Windows or macOS starts.
- A scheduled task restores it. Windows tasks can quietly reinstall or relaunch unwanted software.
- A service keeps running in the background. Some unwanted programs create background services.
- A browser extension brings it back. Extensions can hijack searches, inject ads, read pages, or change settings.
- Browser sync restores bad settings. If malicious extensions or settings are synced, they may return after reset.
- Notifications are abused. Scam sites can send fake virus alerts through browser notifications.
- An unwanted application is still installed. Removing one file is not the same as uninstalling the parent program.
- A remote-access tool remains active. A scammer may reconnect and reinstall malware.
- Cloud sync restores infected files. Files from OneDrive, Google Drive, iCloud, Dropbox, or another service may reappear.
- An external drive is infected. USB drives and external disks can reintroduce malicious files.
- A cracked installer is reused. Pirated software, game cheats, keygens, and “activators” are common reinfection sources.
- DNS or proxy settings were changed. Traffic may be redirected to malicious pages.
- The router was changed. A compromised router can push malicious DNS or redirect traffic.
- The backup contains the problem. Restoring from an infected image or old browser profile can restore the malware too.
- A deeper infection exists. Rootkits, boot-level malware, or tampered system files are less common but more difficult to trust after cleanup.
The goal is not just to delete one suspicious file. The goal is to remove the reason the malware keeps returning.
Signs Your Device May Still Be Infected
Possible signs include:
- The device slows down, freezes, restarts, or overheats unexpectedly.
- The browser homepage, search engine, or new-tab page keeps changing.
- New extensions, toolbars, or apps reappear after removal.
- Pop-up ads appear on websites that normally do not show them.
- Fake virus alerts ask you to call a support number.
- Task Manager, Activity Monitor, security settings, or update controls are disabled.
- Security software turns off by itself.
- Unknown remote-access programs are installed.
- Emails, social-media posts, or messages are sent without your action.
- Unknown browser notifications appear even when the browser is closed.
- Files are renamed, encrypted, or given unfamiliar extensions.
- Banking, email, Facebook, Instagram, or other accounts show unfamiliar activity.
- DNS, proxy, VPN, or router settings change without explanation.
One symptom does not prove malware by itself. A slow computer can also be caused by failing hardware, full storage, driver problems, too many startup apps, or a bad update. But repeated symptoms after cleanup deserve a deeper investigation.
1. Decide How Serious the Infection Is
Before deleting files, determine whether this looks like ordinary adware or a serious compromise.
Lower-risk symptoms
- Browser pop-ups.
- Unwanted notifications from a website.
- Changed search engine.
- One suspicious extension.
- One recently installed unwanted app.
These may often be fixed by removing apps, browser extensions, notification permissions, and changed browser settings.
Higher-risk symptoms
- Ransomware or encrypted files.
- Banking, email, or social accounts accessed without permission.
- Remote-access software installed after a support scam.
- Security tools disabled or blocked.
- Malware reappears immediately after reboot.
- Unknown administrator accounts.
- Repeated compromise after password changes.
- Work, school, client, or business data involved.
Higher-risk cases may require offline scanning, help from a trusted professional, or a clean reinstall rather than manual guessing.
2. Disconnect the Device Safely

Disconnecting can stop active malware from sending data, receiving commands, downloading additional payloads, spreading across the network, or continuing a ransomware attack.
Disconnect immediately if:
- Files are being encrypted.
- A scammer still has remote control.
- Unknown software is actively installing.
- Security tools are being disabled.
- You see suspicious account activity happening in real time.
Turn off Wi-Fi, unplug Ethernet, disable mobile hotspot sharing, and disconnect external drives if ransomware is suspected.
Use a clean device when possible
Use a separate trusted phone or computer to:
- Download official security tools.
- Look up instructions.
- Change passwords.
- Contact banks, platforms, or support.
- Preserve evidence.
If you must reconnect the infected device to download updates or scanners, connect only long enough to download from official sources, then disconnect again until you are ready to scan.
3. Stop Logging Into Sensitive Accounts

Keyloggers, browser stealers, infostealers, remote-access trojans, and malicious extensions can capture usernames, passwords, cookies, authentication codes, and session tokens.
Until the device is clean, avoid logging into:
- Email accounts.
- Banking and payment services.
- Cryptocurrency wallets and exchanges.
- Shopping accounts with saved cards.
- Social media accounts.
- Cloud storage.
- Password managers.
- Work or school accounts.
Use a clean device to secure accounts. If social media accounts were affected, follow focused account-security steps for protecting your Facebook account from unauthorized access and securing your Instagram account after suspicious activity.
4. Back Up Personal Files Carefully
Before a full reset or reinstall, back up important personal files if doing so will not spread the infection.
Usually safe to back up
- Photos.
- Documents you created.
- Videos.
- Music files.
- Project files you recognize.
- Exported password-manager emergency kits or recovery codes, if handled securely.
Do not blindly back up
- Unknown executables.
- Cracked software, keygens, or activators.
- Old installers from unverified websites.
- Scripts, macros, or batch files you do not understand.
- Password-protected ZIP or RAR files from unknown sources.
- Browser profile folders unless you know exactly what you are preserving.
- Full system images created after the infection began.
Scan the backup from a clean system before restoring files. If ransomware is active, avoid connecting backup drives until the device is isolated and the situation is understood.
5. Run Updated Security Scans
Security software works best when its detection database is current. Update the security tool before scanning when it is safe to connect to the internet.
On Windows
- Run a full scan with Microsoft Defender Antivirus or another trusted security product.
- Use Microsoft Safety Scanner as a second-opinion on-demand scanner.
- Do not use unknown “PC repair” tools advertised by pop-ups.
- Download scanners only from official vendor websites.
Download Microsoft Safety Scanner from Microsoft
On Mac
- Install all available macOS updates.
- Remove unknown applications and login items.
- Use a reputable Mac security scanner when symptoms continue.
- Do not install “Mac cleaner” tools from scary pop-ups or ads.
Do not assume that a Mac cannot be infected. macOS has strong built-in protections, but unwanted software, malicious browser extensions, fake updates, malicious profiles, and stolen credentials remain realistic risks.
6. Use an Offline or Boot-Time Scan
Some malware can interfere with scans while the main operating system is running. An offline or boot-time scan starts before the normal Windows desktop loads, making certain active threats easier to remove.
Microsoft Defender Offline on Windows
- Open Windows Security.
- Select Virus & threat protection.
- Open Scan options.
- Select Microsoft Defender Antivirus (offline scan).
- Select Scan now.
- Save work first because Windows will restart.
After the scan, review Windows Security protection history and run another full scan after reboot.
When offline scanning is especially useful
- Security software closes or fails.
- Malware returns immediately after reboot.
- Suspicious processes cannot be ended.
- The infection blocks security websites.
- Rootkit-like behavior is suspected.
If offline scanning still fails, do not keep stacking random tools. A clean reinstall may be safer.
7. Use Safe Mode for Cleanup

Safe Mode starts the computer with a limited set of drivers and startup items. It is useful when malware depends on normal startup programs or background components.
Start Windows in Safe Mode
- Open the Windows Recovery Environment.
- Select Troubleshoot.
- Select Advanced options.
- Select Startup Settings.
- Select Restart.
- Choose 4 or F4 for Safe Mode.
- Choose 5 or F5 only when you specifically need Safe Mode with Networking.
If BitLocker is enabled, Windows may require the BitLocker recovery key before certain recovery actions.
Read Microsoft’s current Windows Safe Mode instructions
Start a Mac in Safe Mode
Apple silicon Mac:
- Shut down the Mac.
- Press and hold the power button until startup options appear.
- Select the startup disk.
- Hold Shift.
- Select Continue in Safe Mode.
Intel-based Mac:
- Turn on or restart the Mac.
- Immediately press and hold Shift.
- Release Shift when the login window appears.
Read Apple’s current Safe Mode instructions
8. Remove Startup Items, Scheduled Tasks, and Unknown Apps
Persistent malware survives by creating a way to relaunch itself. Removing the visible pop-up without removing the persistence mechanism lets it return.
On Windows, review:
- Installed apps: Settings > Apps > Installed apps.
- Startup apps: Task Manager > Startup apps.
- Scheduled tasks: Task Scheduler Library.
- Services: Services app.
- Startup folders: Startup shortcuts for the user and all users.
- Browser extensions: Chrome, Edge, Firefox, Brave, or other browsers.
On Mac, review:
- Applications: Remove apps you do not recognize.
- Login Items: System Settings > General > Login Items & Extensions.
- Profiles: Remove unknown configuration profiles.
- Browser extensions: Safari, Chrome, Firefox, or other browsers.
- Launch agents and daemons: Review carefully or ask a professional if unsure.
Do not delete random system files merely because the name looks unfamiliar. Research unknown entries and create a restore point or backup when appropriate.
9. Clean Browser Extensions, Notifications, and Sync
Many “malware keeps coming back” cases are really browser hijackers or notification scams.
Check every browser installed
Do not clean only the browser you normally use. Also check Chrome, Edge, Firefox, Brave, Opera, Safari, and any browser installed by another application.
Remove suspicious browser extensions
- Open the browser’s extension manager.
- Remove extensions you do not recognize or no longer need.
- Be cautious with coupon tools, downloaders, PDF converters, search helpers, video downloaders, and “security” extensions you did not intentionally install.
- Restart the browser and test again.
Remove malicious notification permissions
Fake virus alerts often come from websites that you allowed to send notifications. Remove notification permissions for unknown sites.
Reset browser settings
If the homepage, search engine, new-tab page, or redirects keep returning, use the browser’s built-in reset function.
Read Google Chrome’s guidance for removing unwanted ads, pop-ups, and malware
Watch browser sync
If a bad extension or setting returns after signing into the browser, disable sync temporarily, clean the browser, remove unwanted extensions from the synced account, then re-enable sync only after confirming the account is clean.
10. Remove Unknown Remote-Access Tools
Tech-support scammers often persuade victims to install remote-access applications. If the tool remains installed with unattended access, the scammer may reconnect and reinstall malware.
Look for remote-access tools you did not intentionally install
- AnyDesk.
- TeamViewer.
- UltraViewer.
- Chrome Remote Desktop.
- RustDesk.
- RemotePC.
- LogMeIn or GoTo tools.
- ScreenConnect or ConnectWise Control.
- Unknown remote support agents.
These tools are not automatically malicious. Many are legitimate when installed knowingly. The problem is unauthorized installation, unattended access, or use by a scammer.
After a support scam
- Disconnect from the internet.
- Uninstall the remote-access software.
- Check whether unattended access was enabled.
- Run updated security scans.
- Change passwords from a clean device.
- Contact banks, card issuers, and payment providers if financial accounts were viewed.
- Review our guide on protecting yourself from online fraud and recovery scams.
11. Check DNS, Proxy, VPN, Hosts, and Router Settings
Sometimes the computer is clean, but traffic is still being redirected.
Check for suspicious changes
- Unknown proxy settings.
- Unknown VPN profiles.
- Unfamiliar DNS servers.
- Modified hosts file entries.
- New browser search providers.
- Router DNS changes.
- Unknown router admin accounts.
- Remote router administration enabled unexpectedly.
If multiple devices on the same network redirect to strange websites, inspect the router. Change the router admin password, update firmware, disable remote administration, review DNS settings, and use WPA2-AES or WPA3 with a strong Wi-Fi password.
12. Windows-Specific Malware Cleanup
For Windows 11 and supported Windows 10 systems, use a layered cleanup process.
Recommended Windows order
- Stop using sensitive accounts on the infected device.
- Update Windows Security definitions if possible.
- Run a full Microsoft Defender Antivirus scan.
- Run Microsoft Defender Offline when normal scanning fails or threats return.
- Run Microsoft Safety Scanner as a second-opinion scan.
- Remove unwanted applications under Settings > Apps > Installed apps.
- Review Task Manager > Startup apps.
- Review browser extensions and notifications.
- Check scheduled tasks and services if reinfection continues.
- Use System Restore only if you trust the restore point and understand that personal files are not the same as system state.
- Use Reset or clean reinstall if the device remains untrusted.
If malware locked you out of Windows
If the issue involves a forgotten Windows password, a changed login method, or being locked out of your own PC, avoid shady password-bypass tools. Use legitimate owner-recovery and reset methods instead. See our guide to recovering access to your own Windows login safely.
13. Mac-Specific Malware Cleanup
On macOS, persistent unwanted software is often tied to login items, browser extensions, configuration profiles, fake updates, or applications installed outside trusted sources.
Recommended Mac order
- Install all available macOS updates.
- Start in Safe Mode if the Mac is unstable or suspicious software starts automatically.
- Remove unknown applications from the Applications folder.
- Review System Settings > General > Login Items & Extensions.
- Remove suspicious browser extensions.
- Check Safari, Chrome, Firefox, and any other browser installed.
- Remove unknown configuration profiles if the Profiles setting appears.
- Use a reputable Mac security scanner if symptoms remain.
- Reinstall macOS from Recovery when cleanup fails.
Read Apple’s current macOS reinstall instructions
Reinstalling macOS from Recovery does not normally remove personal files, but a full erase-and-reinstall does. Back up important files first when possible.
14. Change Passwords and Revoke Sessions After Cleanup
Do not change important passwords from the infected device before cleanup. If a keylogger or infostealer is still active, it may capture the new password immediately.
Use a clean device to secure accounts
- Secure the primary email account first.
- Change passwords that were used on the infected device.
- Change any password that was saved in the browser.
- Use unique passwords stored in a password manager.
- Enable passkeys or multi-factor authentication where available.
- Revoke unknown sessions.
- Review connected apps and recovery information.
- Generate new backup codes if old ones may have been exposed.
Prioritize email, banking, payment apps, password managers, cloud storage, Facebook, Instagram, shopping accounts, work accounts, and cryptocurrency services.
15. Reset or Reinstall When Malware Still Returns

A full reset or reinstall is not failure. It is often the cleanest way to restore trust when malware persists.
Choose reset or reinstall when:
- Malware returns after multiple scans.
- Security tools are repeatedly disabled.
- Remote-access compromise occurred.
- Ransomware was present.
- System files appear tampered with.
- Unknown administrator accounts exist.
- You cannot determine how the device was compromised.
- The device is used for banking, work, business, or sensitive data.
Windows reset or reinstall
Windows recovery options include Reset, System Restore, recovery drive reinstall, and installation-media reinstall. A Reset can keep personal files while removing apps and settings, but a full reinstall from official installation media is more thorough.
Read Microsoft’s current Windows recovery options
Mac reinstall or erase-and-reinstall
macOS Recovery can reinstall macOS. For serious compromise, selling the device, or repeated reinfection, an erase-and-reinstall may be more appropriate than reinstalling over the existing setup.
Read Apple’s current macOS reinstall instructions
After reinstalling
- Install all system updates before restoring files.
- Install only trusted applications from official sources.
- Restore personal files gradually.
- Scan external drives and restored files.
- Do not restore old cracks, unknown installers, or suspicious browser profiles.
- Change passwords from the clean system.
What to Do If the Malware Is Ransomware
Ransomware encrypts files and demands payment for a decryption key. If you see ransom notes, renamed files, or active encryption:
- Disconnect the device from the internet immediately.
- Disconnect external drives and network shares.
- Do not delete ransom notes or encrypted files.
- Do not pay immediately under panic.
- Preserve evidence: ransom note, file extensions, payment addresses, contact details, and timestamps.
- Report the incident to the proper authority or security team.
- Check whether clean offline backups exist.
- Consult a trusted professional if business, legal, or irreplaceable data is involved.
Paying does not guarantee recovery, and it may encourage further attacks. Decryption is sometimes possible for older ransomware families, but many modern cases require clean backups or rebuilding systems.
How to Prevent Malware From Coming Back

- Keep Windows, macOS, browsers, and apps updated.
- Use real-time security software and keep it updated.
- Use a password manager and unique passwords.
- Enable passkeys or multi-factor authentication for important accounts.
- Back up important files using a versioned backup strategy.
- Keep at least one backup disconnected or protected from automatic overwriting.
- Download software only from official websites or trusted stores.
- Avoid cracked software, keygens, pirated games, cheats, fake activators, and unknown APK files.
- Do not ignore browser or operating-system security warnings.
- Review browser extensions regularly.
- Block unwanted notification permissions.
- Scan USB drives and external media before opening files.
- Use a standard user account for daily activity where practical.
- Keep router firmware updated and use a strong router admin password.
- Do not grant remote access to unsolicited callers or pop-up support agents.
- Teach family members not to install “updates” from random websites or ads.
The best malware defense is layered: clean software sources, updated systems, security scanning, careful browser habits, strong account security, and reliable backups.
Persistent Malware Cleanup Checklist
- Stop using the infected device for sensitive logins.
- Disconnect it if active compromise is suspected.
- Use a clean device for passwords, banking, and research.
- Back up only necessary personal files.
- Run updated security scans.
- Run offline or boot-time scanning when normal scans fail.
- Use Safe Mode when malware launches at startup.
- Remove suspicious installed apps.
- Review startup items and login items.
- Review scheduled tasks and services on Windows.
- Review configuration profiles and login items on Mac.
- Clean all browsers, not only the default browser.
- Remove malicious notification permissions.
- Disable browser sync temporarily if bad settings return.
- Remove unknown remote-access tools.
- Check DNS, proxy, VPN, hosts, and router settings.
- Secure email first.
- Change important passwords from a clean device.
- Enable multi-factor authentication or passkeys.
- Reset or reinstall if the system cannot be trusted.
Frequently Asked Questions
Why does malware keep coming back after I delete it?
Deleting one visible file may not remove the startup entry, scheduled task, browser extension, malicious app, remote-access tool, sync source, or backup that restores it. Persistent malware must be removed at its source.
Can a browser extension be the reason malware keeps returning?
Yes. Browser extensions can change search settings, inject ads, read page data, redirect traffic, and reappear through browser sync. Remove suspicious extensions from every browser and review synced extension settings.
Why do pop-ups keep appearing even after antivirus says the PC is clean?
The pop-ups may be browser notifications from a website you accidentally allowed. Remove notification permissions for unknown sites and reset browser settings if redirects continue.
Should I disconnect from the internet during malware removal?
Disconnect immediately if the malware appears active, is encrypting files, is sending data, or if a scammer has remote control. You may need to reconnect briefly to update security tools, but use a clean device whenever possible.
Should I change passwords before removing malware?
Use a clean device to change passwords. If the infected device contains a keylogger or infostealer, changing passwords on that same device may expose the new passwords.
Is Safe Mode enough to remove malware?
Safe Mode helps when malware depends on normal startup items, but it is not a complete solution. You still need updated scans and removal of the persistence mechanism.
What is Microsoft Safety Scanner?
Microsoft Safety Scanner is an on-demand Windows scanning tool designed to find and remove malware. It does not replace real-time antivirus protection and should be downloaded fresh before use.
What is Microsoft Defender Offline?
It is a Windows scan that restarts the computer and checks for threats before the normal desktop session loads. It can help when malware interferes with ordinary scanning.
Can Macs get malware that keeps coming back?
Yes. Macs can be affected by unwanted applications, malicious browser extensions, fake updates, configuration profiles, login items, and credential theft. Safe Mode, login-item review, browser cleanup, and macOS reinstall may be needed.
Can malware survive a factory reset?
Ordinary malware usually does not survive a proper clean reset or reinstall. Reinfection often happens because the user restores infected files, browser profiles, cracked software, malicious extensions, or cloud-synced settings afterward.
Can malware hide in my router?
Home routers can be compromised or misconfigured, especially through weak admin passwords, outdated firmware, or exposed remote administration. Suspicious DNS or redirects across multiple devices can be a router warning sign.
Should I restore from a backup after malware?
Restore only files you trust and scan them first. Avoid restoring full system images or browser profiles created after the infection began unless you are certain they are clean.
Can antivirus remove every infection?
No. Security software is important, but some infections require Safe Mode, offline scanning, manual removal of persistence, browser cleanup, or a full reinstall.
How do I know whether the malware stole my passwords?
You often cannot know for certain. If infostealer, keylogger, remote access, or browser compromise is suspected, assume passwords and sessions may be exposed and secure important accounts from a clean device.
Why does malware return after I reinstall the same software?
The installer may be bundled with malware or unwanted software. Download applications only from official vendor websites or trusted stores, and avoid cracks, activators, and repackaged installers.
What should I do if malware disabled Task Manager or Activity Monitor?
Use Safe Mode, offline scanning, or a trusted bootable recovery environment. If system tools remain disabled after cleanup, consider a full reset or reinstall.
Should I pay for a “PC repair” pop-up that says my system is infected?
No. Do not call numbers or install tools from scary pop-ups. Close the browser, disconnect if necessary, and use trusted security software from official sources.
What if ransomware encrypted my files?
Disconnect the device, preserve evidence, avoid paying under panic, check clean backups, and contact trusted support or the appropriate authority. Do not delete encrypted files or ransom notes until you understand recovery options.
How do I know whether I should reinstall Windows or macOS?
Reinstall when malware persists after multiple cleanup attempts, when remote access or ransomware occurred, when security tools are blocked, or when the device handles sensitive work or financial data and you cannot trust the system.
After cleanup, which accounts should I secure first?
Secure your primary email first, then banking, payment, password manager, cloud storage, social media, shopping, work, and cryptocurrency accounts. Revoke sessions and enable MFA or passkeys where possible.
Final Verdict
Malware that keeps coming back usually means the visible infection was removed but the underlying persistence mechanism remains. The source may be a startup item, scheduled task, browser extension, notification permission, remote-access tool, cloud sync, infected backup, malicious installer, or router setting.
The safest approach is to stop sensitive logins, use a clean device for account recovery, run updated and offline scans, clean browsers and startup locations, remove remote access, check network settings, and change passwords only after the device is clean.
If the infection keeps returning or the device was used for sensitive accounts, do not waste days chasing random files. A clean reinstall from official media, followed by careful file restoration and stronger account security, is often the most reliable way to regain trust.
You Might Want to Learn:
>> How to Speed Up Windows PC – Guide
>> How to Secure Windows PC From Hacking and Malware
See you soon in the next post!
