Vivid Repairs

Remove Stubborn Malware Windows 10

Updated 7 June 2026 · 12 min read

You've run Windows Defender. You've scanned with Malwarebytes. The infection comes back anyway. Sound familiar? This isn't about finding a better antivirus tool. Stubborn malware on Windows 10 survives standard scans because it's built persistence mechanisms into your system, your registry, your Task Scheduler. The real fix is understanding why it keeps coming back, then targeting those mechanisms directly.

TL;DR

Remove stubborn malware from Windows 10 by booting into Safe Mode, disabling System Restore, running Microsoft Defender Offline, then manually removing the registry entries and scheduled tasks that allow reinfection. If malware reappears after restart, use specialised tools like AdwCleaner or consult professional support.

⏱️ 14 min read · ✅ 85% success rate · 📅 Updated May 2026

Key Takeaways

  • Stubborn malware uses persistence mechanisms (registry entries, scheduled tasks, restore points) to reinstall itself after removal
  • Safe Mode disables these mechanisms, allowing true removal instead of temporary blocking
  • Microsoft Defender Offline catches threats that hide from regular Windows scans
  • Manual registry and Task Scheduler cleanup prevents reinfection
  • If malware reappears immediately after restart, you've missed a persistence component

At a Glance

  • Difficulty: Advanced
  • Time Required: 30-45 mins
  • Success Rate: 85% on first attempt when all steps completed

What Causes Stubborn Malware on Windows 10?

Standard antivirus scans work by comparing running processes and files against a database of known malware signatures. Here's the problem: a really stubborn infection isn't just a file. It's a layered system. The malware writes copies of itself to multiple locations. It creates scheduled tasks that relaunch it if you delete the main executable. It adds registry entries that prevent removal tools from running. It hides copies in system restore points so you think you've fixed it, but Windows just restores the infected file automatically.

When you boot Windows normally, the malware is already running. That means it can intercept your removal commands, hide itself from scanners, or restart itself faster than you can delete it. Worse, if the infection has a persistent component in your system restore history, removing it from disk does nothing. The moment you restart, Windows could pull the infected version from a restore point.

This is why removal only works properly when you prevent the malware from running at all. Safe Mode strips away the services and drivers that allow modern malware to hide. Microsoft Defender Offline scans before Windows fully loads, so the malware can't defend itself. And manual registry cleanup removes the triggers that cause reinfection.

Remove Stubborn Malware Windows 10: Quick Fix

Solution 1: Task Manager Inspection and Browser Cleanup (Easy)

  1. Open Task Manager
    Press Ctrl+Shift+Esc. Click the Processes tab and sort by CPU or Memory usage. Look for anything using unusual resources that you don't recognise. Note the executable name and the folder it's in.
  2. Check file locations
    Right-click each suspicious process and select Open file location. If the file is in System32 or Program Files, it's likely legitimate. If it's in Downloads, Temp, AppData\Local\Temp, or any obscure subfolder, right-click it, select Properties, then check the Details tab for Publisher info. No publisher or a blank field is a red flag.
  3. Remove browser extensions
    Open Chrome, Edge, or Firefox. Go to Settings > Extensions (or Add-ons). Delete anything you don't recognise. Don't assume it's safe because it has a generic name like "Shopping Helper" or "Video Downloader". Unknown extensions are malware vectors.
  4. Reset browser settings
    In Chrome or Edge, go to Settings > Reset settings > Restore settings to their original defaults. In Firefox, go to Settings > Home and set the homepage manually. Clear all cached data via Settings > Privacy & Security > Clear browsing data (select All time).
  5. Uninstall suspicious programs
    Go to Settings > Apps > Installed apps. Look for anything you don't remember installing. Anything with a vague or generic name ("Optimizer", "Cleaner", "Helper") is likely a PUP (potentially unwanted program). Uninstall it.
If malware was obvious and in one place, this removes it. If it reappears after restart, move to Intermediate solutions.
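
Steps 1 and 2 can also be done in one pass from PowerShell. The following is an added example, not part of the original guide: it lists running processes whose executable sits in a user-writable folder or lacks a valid Authenticode signature. The folder list is an assumption based on the locations named above.

```powershell
# Added example (not from the original article). Read-only: it only lists processes.
# The folder list below is an assumption mirroring the article's red-flag locations.
$userWritable = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape("$env:USERPROFILE\Downloads"),
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:APPDATA)
) -join '|'

Get-Process |
    Where-Object { $_.Path } |          # protected processes expose no path; skip them
    Sort-Object Path -Unique |          # one row per executable, not per instance
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name              = $_.Name
            Company           = $_.Company            # the "Publisher" shown in Properties
            SignatureStatus   = $sig.Status
            InUserWritableDir = $_.Path -match $userWritable
            Path              = $_.Path
        }
    } |
    # Keep only rows worth a second look: odd location or no valid signature.
    Where-Object { $_.InUserWritableDir -or $_.SignatureStatus -ne 'Valid' } |
    Sort-Object InUserWritableDir -Descending |
    Format-Table -AutoSize -Wrap
```

Per-user installs of legitimate software also run from AppData, so treat each row as a lead to check, not a verdict.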

Intermediate Solutions: Stop the Reinfection Cycle

If the malware came back after the quick fix, you're dealing with something that has persistence mechanisms. This is where Safe Mode becomes essential. Most modern malware (and legitimate Windows services) run automatically at startup. Safe Mode loads only the bare minimum, which means the malware doesn't run and can't defend itself. Combined with offline scanning and system restore cleanup, this approach catches infections that hide from regular scans.

Solution 2: Safe Mode Boot and System Restore Cleanup (Medium)

  1. Boot into Safe Mode
    Save any open work. Hold Shift and click the Restart button in the Start menu (or go to Settings > System > About and click Restart now under Advanced startup). The PC will restart and show a blue screen with options. Select Troubleshoot > Advanced options > Startup Settings > Restart. When the next screen appears, press 4 for Safe Mode or 5 for Safe Mode with Networking (choose 5 if you need internet access for downloading tools).
  2. Verify you're in Safe Mode
    You'll know it worked: the screen corners say "Safe Mode", there's no taskbar notification area, and very few icons load. This is normal. Windows is running stripped down.
  3. Disable System Restore
    Right-click This PC and select Properties. Click System protection on the left. Select your main drive (usually C:) and click Configure. Select "Turn off system protection" and confirm. Click Delete to remove all existing restore points. Yes, this removes your undo point, but if malware is hiding there, keeping them is worse.
  4. Run Microsoft Defender Offline
    Open Settings > Privacy & Security > Virus & threat protection. Scroll down and click Scan options. Select Microsoft Defender Offline and click Scan now. The PC will restart, scan before Windows loads (this prevents malware interference), then restart again. This takes 10-15 minutes and will catch threats that regular scans miss.
  5. Scan installed programs again
    Still in Safe Mode, go to Settings > Apps > Installed apps. Look again for anything unfamiliar and uninstall it. Also check Settings > Apps > Startup. Disable anything that isn't Microsoft or a program you definitely use.
If malware doesn't reappear within 24 hours, you've likely removed it. If it reappears, proceed to Advanced solutions.

A lot of people skip the System Restore step because it feels drastic. But consider this: if your malware placed a copy of itself into a restore point on day 2, and you're trying to clean it up on day 7, Windows has a five-day-old backup of the infection sitting in System Restore. The moment you trigger a restore or Windows rolls back on its own, the malware comes back. It's a trap. Disabling it closes that door.

Advanced Solutions: Manual Removal of Persistence

If you're here, the malware is deeply embedded. It's survived standard scans, offline scans, and Safe Mode cleanup. That means it's either hiding in multiple locations or using advanced persistence techniques. This section requires manually hunting down registry entries and scheduled tasks. It's technical, but the payoff is complete removal.

Solution 3: Registry and Task Scheduler Cleanup (Hard)

  1. Boot into Safe Mode with Networking again
    Same process as before: hold Shift + Restart > Troubleshoot > Advanced options > Startup Settings > Restart > press 5. You need networking to download specialist tools if needed.
  2. Identify malware processes in Task Scheduler
    Open Task Scheduler (search for it in the Start menu). Navigate to Task Scheduler Library > Microsoft. Look for folders that don't match standard Windows tasks. Look for entries like "micresources", "system_update", or anything with an underscore and a generic name (these are classic malware patterns). Expand suspicious folders. Right-click each task, select Properties, and check the Actions tab to see what executable it runs. If it's pointing to an AppData folder or Downloads, that's malware.
  3. Document suspicious tasks and delete them
    Write down the exact name and path of any suspicious task. Right-click it and select Delete. Select Yes to confirm. Do not delete anything under Task Scheduler Library > Microsoft > Windows. Stick to custom tasks and suspicious entries only.
  4. Open Registry Editor and remove malware entries
    Press Windows Key + R, type regedit.exe, and press Enter. Click Yes if prompted by User Account Control. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > Run (note: not CurrentVersion). This is where autostart programs live. Look for anything you don't recognise. Right-click it and select Delete. Do the same for HKEY_CURRENT_USER > SOFTWARE > Microsoft > Windows > CurrentVersion > Run.
  5. Check for malicious startup programs
    Still in Registry Editor, navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services. Look for services with suspicious names. Click one, then look at the Start value in the right pane. If it's 2 or 3, that service starts automatically. Right-click suspicious services and click Delete. This is nuclear: only delete entries you are certain are malware.
  6. Search for and delete leftover malware files
    Open File Explorer and navigate to C:\ProgramData\ (show hidden files via View > Options > Change folder and search options > Advanced > Show hidden files). Look for folders with odd names or creation dates. Delete them. Do the same for C:\Program Files (x86)\ and C:\Users\[YourUsername]\AppData\Local\Temp. Do not delete System32 files under any circumstances.
  7. Restart and monitor
    Close Registry Editor and restart the PC normally. Watch Task Manager for 10 minutes. If no suspicious processes appear, run a full Windows Defender scan (not offline). If malware reappears, you've missed a component. Go back to Safe Mode and search more carefully.
Malware that survives this is either deeply embedded in kernel-level code or your system is compromised beyond practical repair. Move to specialised tools or professional support.
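
The checks in steps 2 to 5 can be collected into a single report before anything is deleted. This is an added example, not the article's own tooling: it is read-only, reads the standard CurrentVersion\Run keys in both hives, and the folder pattern and CSV file name are assumptions.

```powershell
# Added example, not from the original article. Read-only: nothing is deleted.
# Run from an elevated PowerShell prompt.
$suspectDirs = '\\AppData\\|\\Downloads\\|\\Temp\\'   # assumed pattern: folders the article flags
$findings = @()

# 1. Scheduled tasks outside \Microsoft\Windows\ and the program each one runs.
$findings += @(Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    })

# 2. Autostart values in the standard per-machine and per-user Run keys.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $findings += [pscustomobject]@{
            Source  = 'RunKey'
            Name    = "$key\$valueName"
            Command = [string]$item.GetValue($valueName)
        }
    }
}

# 3. Services set to start automatically, with the binary each one launches.
$findings += @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    })

# Flag commands that resolve into a user-writable folder and save the list
# (the CSV file name is a hypothetical choice) before removing anything by hand.
$report = $findings | ForEach-Object {
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$_.Command)
    $_ | Add-Member -NotePropertyName InSuspectDir `
        -NotePropertyValue ($expanded -match $suspectDirs) -PassThru
} | Sort-Object InSuspectDir -Descending

$report | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path '.\persistence-audit.csv' -NoTypeInformation
```

The CSV doubles as the written record of names and paths that step 3 asks for, and comparing a second run after the restart shows whether any entry has come back.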

Before you touch the registry, understand what you're doing. One wrong entry deleted and Windows might not boot. If you're not confident, screenshot any suspicious entries before deleting them so you can show a technician. Better yet, use a multi-engine malware scanner like VirusTotal to confirm that a file is actually malicious before you delete its entry from the registry.

If manual removal feels beyond you, specialised tools like AdwCleaner (free) automate a lot of this. Download it from the official Malwarebytes site on a clean PC, move it to a USB drive, then run it in Safe Mode on the infected PC. It specifically targets adware and PUP persistence, which accounts for a large percentage of stubborn infections. For ransomware or truly advanced threats, see our guide on removing ransomware on Windows for additional context.

When Malware Reappears After Every Fix

Sometimes you'll complete all three solution levels and the malware still comes back within hours of restart. This means one of two things: either you've missed a persistence component (go back and look more carefully in Task Scheduler and the registry), or the malware has infected a critical Windows file itself and you can't remove it without breaking the OS.

At this point, backup clone software becomes your real solution. Rather than trying to remove malware from a compromised install, you restore from a clean backup made before the infection. This is faster, safer, and guarantees the malware is gone because you're not using the infected OS at all. If you don't have a backup, you'll need to perform a clean Windows 10 reinstall or consult professional support.

Another possibility: check if your PC is actually getting reinfected rather than the old malware surviving. Look at System Event Viewer (search for "Event Viewer" in the Start menu). Go to Windows Logs > System and check for warnings in the last 24 hours. If you see messages about failed driver installations or unsigned drivers, malware may be reinstalling itself through a bootkit or driver injection. This requires Microsoft Defender offline scans run multiple times or a clean OS install.
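
The same Event Viewer check from PowerShell, as an added example that is not part of the original guide. It goes slightly beyond the text by including errors as well as warnings and by listing event 7045, which Service Control Manager logs at Information level whenever a new service or driver is installed.

```powershell
# Added example (not from the original article). Read-only query of the System log.
$since = (Get-Date).AddHours(-24)

# Critical (1), error (2) and warning (3) events from the last 24 hours
# whose message text mentions a driver.
$driverIssues = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Level = 1, 2, 3; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'driver' })

# Event 7045: a new service or driver was installed. It is logged at
# Information level, so a warnings-only view of the log does not show it.
$newServices = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue)

# One time-ordered list, with only the first line of each message.
($driverIssues + $newServices) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A 7045 entry timestamped after your cleanup, for a service you did not install, points to reinfection rather than a leftover component.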

Browser Hijacker and Extension-Based Infections

Some stubborn malware is actually a browser hijacker combined with malicious extensions. These don't always show up in Task Scheduler or the registry because they live in browser data folders. If you've removed extensions but your homepage keeps resetting or you're getting unwanted redirects, the infection is in the browser profile itself.

The nuclear option: back up your bookmarks and passwords, then reset your browser completely. In Chrome, go to Settings > Reset settings > Restore settings to their original defaults. In Edge, go to Settings > Reset settings > Restore settings to default. This deletes all extensions, cookies, cached data, and browser configuration. It's the only way to guarantee a clean browser. For more detailed steps on this specific issue, check our guide on removing browser hijackers from Chrome and Edge.

Pro tip: After removing any malware, don't immediately enable System Restore. Leave it off for 48 hours while you verify the infection is gone. Only after two full restart cycles with no reappearance should you re-enable System Restore. By then, you know the system is clean and you won't trap an infected restore point.

Preventing Stubborn Malware on Windows 10

Prevention is simpler than removal. Most people catch malware through three vectors: phishing emails with malicious attachments, bundled installers (you install one program and three others sneak in), and malicious browser extensions.

Start with the obvious: run Windows Update every month. A huge percentage of malware exploits known Windows vulnerabilities that have patches available. You're making the malware author's job harder by closing those doors. Second, check your installed programs regularly. Go to Settings > Apps > Installed apps once a month and look for anything you don't recognise. Delete it immediately. Third, only download software from official sources. If you're installing something from a random website instead of the official vendor's site, you're rolling dice.

For browsers, treat extensions like you'd treat new people entering your house. You don't need five extensions. Most people need zero. Only install an extension if it's from a trusted vendor (uBlock Origin from the official site is good; some random "fast download" extension is not). Review your extensions monthly via Settings > Extensions and delete anything you've forgotten about. If your PC runs more slowly than usual, malware or bloatware is often the culprit, so check installed programs and running processes regularly.

Finally, keep system restore enabled but configure it properly. System Restore is a legitimate recovery tool, but if you disable it after removing malware, re-enable it only after you're certain the system is clean. And don't rely on it as your only backup strategy. Set up automatic Windows backups via Settings > System > About > Advanced system settings > System Protection. Create one backup before you think you'll need it. You'll thank yourself when you do.

Remove Stubborn Malware Windows 10: Summary

Stubborn malware on Windows 10 survives because it hides in multiple places: running processes, browser extensions, registry entries, scheduled tasks, and system restore points. Removing it requires disabling these hiding spots and hunting down each component methodically. Quick scans don't work because malware running at that moment can hide from scanners. Safe Mode, Microsoft Defender Offline, and manual registry cleanup do work because they prevent the malware from defending itself.

Start with the quick fix if the infection is obvious. Move to Safe Mode and offline scanning if it came back. Use manual registry and Task Scheduler cleanup if you're dealing with real persistence. And if nothing works, use backup clone software to restore from before the infection happened, or do a clean Windows 10 install. Remove stubborn malware from Windows 10 methodically, and it will stay gone.

Frequently Asked Questions

Undetected malware components or persistence mechanisms in registry entries, scheduled tasks, or system restore points automatically reinstall the threat after restart. Advanced removal targeting these mechanisms is required. The malware may have spawned multiple child processes or hidden copies in locations that standard removal tools don't check.

Safe Mode disables third-party services and drivers, preventing malware from blocking removal tools. This allows you to remove infections that would otherwise restart or interfere with the removal process. In normal boot, malware can run immediately at startup and prevent its own deletion.

Yes. System restore points can harbour malware copies, allowing reinfection. Disable System Restore via Settings > System > System Protection and remove existing restore points if malware is suspected. This prevents the malware from being restored when you use rollback features.

Right-click the process and select Open file location. Legitimate Microsoft processes are in System32. Anything running from Downloads, Temp, or unusual AppData subfolders is likely malicious. Also check if the process name mimics legitimate Windows services but with slight spelling variations.

This indicates incomplete removal. Use the Advanced solution to manually remove registry entries, scheduled tasks, and persistence mechanisms. Consider using specialised tools like AdwCleaner or consulting Microsoft Support. Boot into Safe Mode again and search for any remaining malware components before the next restart.