Our team at IT Cares removes viruses and malware from Canadian computers every day. We know which tools work in 2026, which infections require professional intervention, and exactly when the situation requires professional tools rather than consumer software. This guide gives you the exact process we use, adapted for someone doing it themselves for the first time.
The good news: the majority of infections — adware, browser hijackers, PUPs, and common trojans — can be fully removed using free tools in 2-4 hours. The challenging cases — rootkits, ransomware with encrypted files, banking trojans — require professional tools or system reinstallation. This guide helps you determine which category you are in, remove what you can, and make an informed decision about the rest.
How to Know If Your Computer Has a Virus
Not every slow computer has malware. But these specific symptoms reliably indicate a malware infection rather than a hardware or software performance problem:
Common infection symptoms (in order of reliability)
- Very reliable indicators: Browser homepage changed without your action; new browser extensions you didn't install; antivirus detected something and you dismissed or ignored it; pop-up ads appearing outside the browser (in the corner of your screen); files have changed to strange extensions (.locked, .encrypted, .WNCRY)
- Moderate indicators: Browser redirects to search engines you don't use; computer significantly slower than 2-3 months ago; unusual CPU or disk activity in Task Manager when no programs are open; computer overheating and fan running constantly at high speed; programs opening or closing on their own
- Weak indicators (many other causes): Computer is slow in general; computer sometimes crashes; internet seems slow
If you see any of the "very reliable indicators," proceed with this removal guide. If you only have "weak indicators," first check our complete guide to fixing slow computers to rule out hardware causes before assuming malware.
Virus Types: Symptoms, Danger Level, and Removal Difficulty
| Malware Type | What It Does | Key Symptoms | Danger Level | Removal Difficulty |
|---|---|---|---|---|
| Adware | Displays unwanted ads, collects browsing data for advertisers | Pop-up ads, new browser toolbars, slow browser, ad overlays on websites | Low | Easy — Malwarebytes |
| Browser Hijacker | Changes browser homepage, search engine, redirects traffic for ad revenue | Different search engine, homepage you didn't set, constant redirects | Low-Medium | Easy-Moderate — Malwarebytes + browser reset |
| Trojan | Disguises as legitimate software, enables backdoor access, downloads more malware | Program you downloaded behaves unexpectedly, unusual network activity, antivirus warning | High | Moderate — Safe Mode + multiple scanners |
| Spyware | Records keystrokes, screenshots, webcam footage; steals passwords and financial data | Often invisible; sometimes slow performance, unusual network activity at night | Very High | Moderate — Change all passwords from clean device |
| Ransomware | Encrypts your files and demands payment for decryption key | Files suddenly inaccessible, strange extensions (.locked, .encrypted), ransom note | Critical | Very Hard — May require professional help; check nomoreransom.org |
| Rootkit | Hides itself and other malware at the OS level, survives normal removal attempts | Malware returns after removal; antivirus cannot be opened; system behaves erratically | Critical | Very Hard — Offline scanner or reinstall required |
Tool Comparison: 5 Best Free Virus Removal Tools in 2026
Each tool has a different specialty. For thorough removal, use multiple tools in sequence rather than relying on a single scanner.
| Tool | Best For | Real-time? | Installation | Detection Focus | Speed |
|---|---|---|---|---|---|
| Malwarebytes Free | Adware, PUPs, browser hijackers | No (on-demand) | Required | PUPs, adware, behavioral | Fast (20-30 min) |
| Windows Defender Offline | Rootkits, pre-boot threats | N/A (offline scan) | Built-in Windows | Rootkits, pre-OS threats | Moderate (30-60 min) |
| HitmanPro (30-day free) | Second-opinion multi-engine scan | No | Portable (no install needed) | Multi-vendor cloud scan | Fast (15-25 min) |
| ESET Online Scanner | Thorough scan, no install needed | No | Browser-based (no install) | Broad, strong detection | Slow (45-90 min) |
| Kaspersky Virus Removal Tool | Standalone removal on any Windows | No | Portable executable | Top detection rate | Moderate (30-60 min) |
Recommended removal sequence for best results
Step 1: Malwarebytes Free (catches adware, PUPs, browser hijackers most consumer tools miss)
Step 2: Windows Defender Offline Scan (catches rootkits operating before Windows loads)
Step 3: HitmanPro (multi-engine cloud scan, catches stragglers from different vendor databases)
Step 4: ESET Online Scanner (optional thorough verification that removal is complete)
Windows Virus Removal: Complete Step-by-Step Process
Confirm the infection and note the symptoms
Before doing anything else, open a note and write down every symptom you have noticed: specific pop-ups, programs that appeared, when it started, what you installed or downloaded around that time. This information helps identify the malware family and ensures you can confirm complete removal at the end.
Also check: open Task Manager (Ctrl+Shift+Esc) > Processes tab. Look for processes using high CPU or with unfamiliar names. Note their full names and parent processes.
Disconnect from the internet (for serious infections)
If you suspect a trojan, ransomware, spyware, or any malware that might be sending your data to external servers, disconnect from the internet immediately. Unplug your Ethernet cable or disable Wi-Fi in Windows Settings. This prevents the malware from:
- Sending your passwords and files to the attacker's server
- Receiving commands from the attacker (command-and-control)
- Downloading additional malware payloads
- Encrypting additional files (in the case of ransomware)
For adware and browser hijackers, internet disconnection is less critical. Reconnect when you need to download removal tools.
Boot into Safe Mode with Networking
Safe Mode loads Windows with only essential services and drivers, preventing the vast majority of malware from running during the scan. This is the most important step for effective removal.
Windows 10/11:
- Click Start > Power > hold the Shift key and click Restart
- In the blue menu: Troubleshoot > Advanced options > Startup Settings > Restart
- After restart, press 5 (or F5) for Safe Mode with Networking
- The screen resolution will be different and the taskbar may look different — this is normal for Safe Mode
Alternative (if above doesn't work): Press Win+R, type msconfig, click OK. Go to the Boot tab, check "Safe boot" and select "Network." Click OK and restart. Remember to uncheck Safe boot after cleaning is complete or your computer will always boot to Safe Mode.
Download and run Malwarebytes Free
In Safe Mode with Networking, open your browser and go to malwarebytes.com. Download the free version installer. Install it (it will automatically start a 14-day Premium trial — this is fine, it gives you all features for free during this period).
Once installed, click Scan (full Threat Scan). This takes 15-30 minutes. When complete:
- If threats are found: click Quarantine to remove all of them. Do not restart yet.
- If nothing is found: the infection is not in Malwarebytes' detection scope, or it has disabled its own visibility (rootkit). Proceed to the next steps.
Run Windows Defender Offline Scan
This is a critical step for rootkits. Open Windows Security (search for it in Start, even in Safe Mode). Go to Virus & threat protection > Scan options > Microsoft Defender Antivirus (offline scan) > Scan now.
The computer will restart and run a scan before Windows loads — this is where rootkits hide from normal scans. The scan takes 20-40 minutes and the computer will restart automatically when complete. If threats are found, Defender removes them automatically and shows a report after the final restart.
Download and run HitmanPro (free 30-day trial)
HitmanPro is unique: it scans your system using cloud-based detection engines from multiple vendors simultaneously (Bitdefender, Kaspersky, ESET, and its own). It runs as a portable executable — no installation required. Download it from hitmanpro.com.
Run it, select "I am going to scan the system only once" (no need to install). If it finds threats, the 30-day free trial lets you remove them. HitmanPro is particularly effective at finding threats that Malwarebytes and Defender missed, because it checks against multiple vendor databases simultaneously.
Clean up browser extensions and reset browser settings
Malware frequently installs browser extensions that persist even after the main malware is removed. These extensions can redirect searches, display ads, steal form data, and reinstall the main malware.
Chrome: Settings (⋮ menu) > Extensions. Remove any extension you don't recognize or didn't intentionally install. Then: Settings > Reset settings > Restore settings to original defaults.
Firefox: Menu > Add-ons and themes > Extensions. Remove unknown extensions. Then: Help > More troubleshooting information > Refresh Firefox.
Microsoft Edge: Settings (⋯) > Extensions. Remove unknowns. Settings > Reset settings > Restore settings to default values.
Check startup programs and scheduled tasks
Many malware variants install scheduled tasks that redownload and reinstall themselves even after removal. Check both locations:
Startup programs: Task Manager > Startup apps. Look for unfamiliar programs and disable them.
Scheduled tasks: Search "Task Scheduler" in Start. Click Task Scheduler Library. Look for tasks with unfamiliar names that run daily or at user login. Right-click suspicious tasks and select Disable before deleting (disabling first lets you verify nothing breaks before permanent deletion).
Change all important passwords from a different device
This step is mandatory if you had any indication of a trojan, keylogger, or spyware infection. Even if you believe the malware is now removed, passwords entered on an infected computer may have been captured and transmitted before you removed it.
Priority order for password changes (do these from your phone or a different computer):
- Banking and financial accounts
- Email accounts (Gmail, Outlook, etc.) — these are used for password recovery
- Work accounts and VPN credentials
- Social media accounts
- Shopping accounts with saved payment methods
Enable two-factor authentication (2FA) on every account that supports it, especially banking and email.
Run a verification scan 24-48 hours later
After restarting normally and using the computer for a day, run another Malwarebytes scan. If the same threats appear again, the malware has a persistence mechanism that survived your removal:
- A rootkit loading the malware before Windows
- A scheduled task you missed
- Malware hiding in a system restore point
- An infected USB drive or network share reinfecting the system
If malware returns after your removal attempt, the situation requires professional tools or a clean Windows reinstall. Contact IT Cares for a professional assessment.
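The startup-program and scheduled-task checks above, and the "scheduled task you missed" case in the verification step, can be covered with one read-only inventory from PowerShell. This is an added example, not part of IT Cares' own tooling; the choice of Run keys, the skipped \Microsoft\ task folder, and the user-writable-path flag are assumptions of this example, and it only lists entries without changing anything.

```powershell
# Added example: read-only autostart inventory for manual review (changes nothing).
# Run from an elevated PowerShell so tasks owned by other accounts are listed too.

# Scheduled tasks. Assumption: tasks under \Microsoft\ are skipped to cut noise;
# drop the Where-Object filter to list every task.
$tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            # Exec actions carry Execute/Arguments; COM handler actions carry a ClassId.
            $cmd = "COM handler $($action.ClassId)"
            if ($action.Execute) { $cmd = "$($action.Execute) $($action.Arguments)".Trim() }
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                Command = $cmd
                Detail  = "State: $($task.State); author: $($task.Author); last run: $($info.LastRunTime)"
            }
        }
    }

# Registry Run/RunOnce values for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$valueName"
                           Command = [string]$item.GetValue($valueName); Detail = '' }
    }
}

# Per-user and all-users Startup folders (shortcuts are listed by .lnk path, not target).
$startupFiles = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Get-ChildItem -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name
                           Command = $_.FullName; Detail = "Created: $($_.CreationTime)" }
    }

# Assumption of this example: autostart commands running from user-writable
# locations deserve a closer look first. This is a triage hint, not a verdict.
$userWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
@($tasks) + @($runEntries) + @($startupFiles) |
    Select-Object Source, Name, Command, Detail,
        @{ Name = 'UserWritablePath'
           Expression = { [Environment]::ExpandEnvironmentVariables($_.Command) -match $userWritable } } |
    Sort-Object UserWritablePath -Descending |
    Format-List
```

Compare the output against the symptoms and install dates noted in the first step, and apply the same disable-before-delete approach to anything unfamiliar.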
Mac Virus Removal: Step-by-Step
True Mac malware is less common than Windows malware, but it exists and is growing. The most common Mac threats in 2026: adware bundled with "free" software, browser hijackers, fake antivirus scareware, and crypto-mining malware that secretly uses your Mac's CPU for cryptocurrency mining.
Run Malwarebytes for Mac (free)
Download from malwarebytes.com (select Mac version). Run a full scan. This is the most effective free tool for Mac malware and adware removal. It detects and removes adware, browser hijackers, and common Mac malware families. The free version provides complete on-demand scanning.
Check Login Items and Launch Agents
Login Items: System Preferences (or System Settings) > Users & Groups > Login Items. Remove anything you don't recognize.
Launch Agents (advanced): Open Finder > Go menu > Go to Folder > type /Library/LaunchAgents. Look for .plist files with unfamiliar names. Google any suspicious file names before deleting them.
Check for malicious configuration profiles
Malware sometimes installs configuration profiles that can force browser settings and prevent changes. Go to System Preferences (or System Settings in macOS Ventura+) and look for a "Profiles" section. If it exists, click it and remove any profile you don't recognize (these are normally only added by corporate IT management or MDM software).
Clean browser extensions on Safari, Chrome, and Firefox
Safari: Preferences > Extensions. Uninstall extensions you don't need or recognize. Also check Advanced > Homepage and search engine settings.
Chrome/Firefox: Same extension cleanup process as described in the Windows section above. Reset browser settings if in doubt.
Check Activity Monitor for suspicious processes
Open Activity Monitor (Applications > Utilities). Sort by CPU usage. Any process consistently using 50%+ CPU when the Mac should be idle is suspicious. Google the process name to identify it. If confirmed malicious: right-click > Quit Process. Then find and delete the associated application or file.
Android Virus Removal (Bonus)
Most "phone viruses" on Android are actually unwanted apps, adware, or browser-based scareware rather than true viruses. True malware on Android is mainly distributed through unofficial app stores or side-loaded APK files.
Restart in Android Safe Mode
Hold the power button until the Power off option appears. Long-press "Power off" until a "Restart in Safe Mode" prompt appears. Tap OK. In Safe Mode, third-party apps are disabled but still visible — this helps you identify which app is causing problems.
Uninstall suspicious apps in Safe Mode
Go to Settings > Apps (or Application Manager). Sort by install date (recently installed apps first). Remove any app you don't recognize, particularly apps installed around the time problems started. Some malware disguises itself as system tools, flashlights, or utilities. Also check for apps with device administrator privileges: Settings > Security > Device administrators — remove any suspicious app from this list before attempting to uninstall it.
Run Malwarebytes for Android (free)
Download Malwarebytes from the official Google Play Store. Run a full scan. If malware is found, remove it. Do not download antivirus apps from any source other than the Google Play Store — many fake "antivirus" apps are themselves malware.
Factory reset as last resort
If problems persist after removing suspicious apps and running a scan, factory reset the device. Settings > General Management > Reset > Factory data reset. Back up contacts, photos, and important data to Google account or cloud storage first. Do not restore backed-up apps without verifying them — restore app data selectively rather than restoring a full backup that might include the malicious app.
After Removal: Security Hardening Checklist
Removing the infection is only half the job. Applying these hardening measures prevents reinfection and significantly raises the bar for future attacks.
Post-Removal Security Hardening Checklist
When to Call a Professional: Clear Decision Guide
The following situations require professional tools, professional experience, or both. Attempting DIY removal in these cases often wastes time and may complicate professional recovery:
- Ransomware with encrypted files — Removing the ransomware does not recover your files. A professional can identify the specific ransomware family, check for known decryption keys, and advise on the best recovery approach. Always check nomoreransom.org first.
- Malware that returns within 48-72 hours of removal — This is a rootkit signature. Consumer tools running inside the infected OS cannot reliably remove rootkits. A bootable rescue disk and/or clean OS reinstall is needed.
- Your antivirus program was disabled or uninstalled by malware — Malware that specifically targets security software is sophisticated. The infection is likely more complex than consumer tools can handle alone.
- Banking credentials or email accounts were accessed without your permission — This indicates credential theft. Contact your bank immediately and then a professional. Changing passwords is necessary but may not be sufficient if the malware has keylogging capabilities still running.
- Business computers or company network affected — Business infections have legal implications (PIPEDA reporting for breaches of personal data), client relationship implications, and risk of network-wide spread that consumer removal cannot address.
- You simply don't have 4+ hours to work through this process — IT Cares typically resolves standard virus infections remotely in 60-90 minutes. For many users, the value of professional time and guaranteed results outweighs the time investment of DIY removal.
Professional Virus Removal Across Canada — Remote in 60-90 Minutes
IT Cares removes viruses, malware, ransomware, rootkits, and spyware remotely across Canada. Our technicians use professional-grade tools unavailable in consumer software. We provide a 30-day guarantee: if the infection returns within 30 days of our removal, we re-clean at no additional charge.

Comments (3)
The ransomware warning at the top saved me from making a terrible mistake. I was about to pay $800 in Bitcoin when I found this article. Checked nomoreransom.org and found a free decryption tool for my specific ransomware family. Got all my files back for free. Cannot thank IT Cares enough for this information.
The virus type table is incredibly useful. I could identify exactly what I had (browser hijacker) from the symptoms column and go directly to the right fix. Safe Mode + Malwarebytes + browser reset worked perfectly. Total time about 2 hours. Very well written and organized.
After my computer got reinfected twice, I called IT Cares. They found a rootkit in under 30 minutes that my Malwarebytes kept missing. Fully removed remotely and set me up with the hardening checklist from this article. Completely resolved. Highly recommend calling them if DIY removal isn't working.