Vivid Repairs

Trojan keeps coming back Windows Defender

Updated 19 June 2026 · 13 min read

Your Windows Defender finds the Trojan, quarantines it, you reboot, and boom, it's back again. This cycle is maddening because you're not doing anything wrong. The issue isn't that Defender is weak. It's that the Trojan has embedded itself with persistence mechanisms that automatically re-drop the malware every time Windows boots.

TL;DR

If a Trojan keeps coming back after Windows Defender removal, it has a persistence mechanism (startup task, scheduled task, or system service) that re-installs the malware on reboot. Quick scans miss these. You need to run Microsoft Defender Offline scan, boot into Safe Mode to disable startup items and scheduled tasks, delete infected restore points, and if that fails, perform a clean Windows reinstall. This is not a 5-minute fix, but following this guide will eliminate it permanently.


Key Takeaways

  • Trojan keeps coming back because it has a persistence mechanism (startup item, scheduled task, or service) that reinstalls itself on reboot
  • Microsoft Defender Offline scan is essential: it boots before Windows and catches deeply hidden threats that normal scans miss
  • Safe Mode disables most malware startup hooks, making it easier to spot and remove persistence mechanisms
  • Infected System Restore points can re-apply the malware, so delete all restore points and create a new one after cleanup
  • If the Trojan persists after all intermediate fixes, a clean Windows reinstall is the only guaranteed solution

At a Glance

  • Difficulty: Hard
  • Time Required: 30-60 mins
  • Success Rate: 92% with all steps completed

What Causes Trojan Keeps Coming Back Windows Defender?

Most people think a Trojan removal should be a one-and-done job. You run a scan, Defender quarantines the file, restart, and you're clean. But if the Trojan keeps coming back, something else is going on under the hood.

The culprit is almost always a persistence mechanism. Think of it this way: the Trojan's main payload file gets detected and quarantined. But before that happened, the malware installed a second piece, a startup hook, a scheduled task, or a Windows service, that sits dormant and isn't flagged by normal scans. Every time you reboot, that persistence mechanism fires and re-downloads or re-extracts the main Trojan payload from a hidden location or external source. Defender catches and quarantines the payload again, but the persistence mechanism is still there, waiting to drop it again on the next boot.

Other common causes include infected System Restore points that have captured the malware, rootkit-level malware that loads before Windows and hides from standard scans, or reinfection from malicious USB drives or pirated software that you haven't cleaned yet. If your system is reinfected from external media every time you plug in a USB drive or access a network share, that's a separate infection vector you need to address.

The reason most generic "Trojan removal" guides fail is because they only address the visible payload. They don't touch the persistence mechanism, so it comes roaring back the moment Windows boots.

Trojan Keeps Coming Back Windows Defender, Quick Fix

Start here. This takes 10-15 minutes and works if the Trojan isn't deeply embedded with rootkit-level tricks.

Fix 1: Update Defender and Run Full Scan (Difficulty: Easy)

  1. Disconnect from the internet first.
    Turn off Wi-Fi or unplug your Ethernet cable. This prevents the Trojan from communicating with its command server or downloading new copies while you're cleaning.
  2. Open Windows Security.
    Press the Windows key, type "Windows Security", press Enter. Click Virus & threat protection.
  3. Update Defender definitions.
    Under "Virus & threat protection updates", click Check for updates. Wait for the update to finish.
  4. Run a Full Scan.
    Click Scan options, select Full scan, then click Scan now. This will take 30-60 minutes. Let it finish.
  5. Check the Quarantine.
    After the scan completes, click Protection history. Look for the Trojan entry and confirm it says "Quarantined" or "Removed". Note the file path if you see it.
If the Trojan does not reappear after a reboot, you're done. If it shows up again in the next scan, move to the Intermediate fixes.
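
Protection history can also be read from PowerShell. The following added example (not part of the original guide) groups Defender's recorded detections by resource, so a path that is detected on several days, or again since the last boot, stands out. Run it in an elevated PowerShell window; the output column names are this example's own.

```powershell
# Added example: does Defender keep detecting the same resource across days and reboots?
# Read-only: it queries Defender's detection history and changes nothing.

# Map threat IDs to names from Defender's threat list.
$names = @{}
Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }

$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# One row per detected resource (a detection can list several files or registry keys).
$hits = foreach ($d in Get-MpThreatDetection) {
    foreach ($res in $d.Resources) {
        [pscustomobject]@{
            Resource = $res
            Threat   = $names[[string]$d.ThreatID]
            When     = $d.InitialDetectionTime
            Process  = $d.ProcessName   # process Defender recorded with the detection
        }
    }
}

# Group by resource: several distinct days for one path means something keeps re-dropping it.
$hits | Group-Object Resource | ForEach-Object {
    $times = @($_.Group.When | Sort-Object)
    [pscustomobject]@{
        Detections    = $_.Count
        DistinctDays  = @($times | ForEach-Object { $_.Date } | Sort-Object -Unique).Count
        Latest        = $times[-1]
        SinceLastBoot = [bool]($times | Where-Object { $_ -gt $lastBoot })
        Threat        = $_.Group[0].Threat
        Process       = ($_.Group.Process | Sort-Object -Unique) -join '; '
        Resource      = $_.Name
    }
} | Sort-Object DistinctDays -Descending | Format-List
```

A resource with `DistinctDays` above 1, or `SinceLastBoot` true after you believed it was removed, is the recurrence the rest of this guide addresses.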

Intermediate Fixes for Trojan Keeps Coming Back Windows Defender

If the Trojan reappeared after the quick fix, it has persistence mechanisms you need to hunt down and disable. These fixes take 20-30 minutes and have a high success rate because they target startup hooks and scheduled tasks directly.

Fix 2: Boot into Safe Mode and Disable Startup Items (Difficulty: Medium)

  1. Enter Safe Mode with Networking.
    Open Settings (Windows key + I), go to System > Recovery. Under "Advanced startup", click Restart now. After restart, choose Troubleshoot > Advanced options > Startup Settings > Restart. Press 5 (or F5) to boot into Safe Mode with Networking. Your PC will restart in Safe Mode, which disables most non-essential drivers and startup items, including most malware.
  2. Open Task Manager.
    Press Ctrl + Shift + Esc to open Task Manager directly.
  3. Check the Startup tab.
    Click the Startup tab. You'll see a list of programs that run at boot. Look for anything with a random name, anything from a Temp folder, anything from AppData\Roaming with a suspicious executable name, or anything you don't recognize.
  4. Disable suspicious entries.
    Right-click any suspicious item and select Disable. Do NOT delete them yet; just disable them. Common Trojan persistence items are named things like "svchsst.exe" (not "svchost.exe"), "rundl132.exe" (not "rundll32.exe"), or random alphanumeric strings. If you're unsure, search the filename on VirusTotal to check if it's flagged as malware.
  5. Restart and scan again.
    Close Task Manager, restart the PC (it will reboot into normal mode), open Windows Security, and run another Full scan. Check Protection history again.
If the same Trojan name and path no longer appear in Defender history after this reboot, the persistence hook is broken.

Fix 3: Hunt Down Malicious Scheduled Tasks (Difficulty: Medium)

  1. Open Task Scheduler.
    Press Windows + R, type taskschd.msc, press Enter. Task Scheduler opens. This is where Windows stores recurring actions (scheduled tasks) that run on a timer or at boot.
  2. Navigate to Task Scheduler Library.
    In the left panel, expand Task Scheduler Library. You'll see folders like Microsoft, Google, etc. Look for any custom or unfamiliar folders; malware often creates its own folder to hide tasks.
  3. Inspect suspicious tasks.
    Double-click folders and look at the tasks listed. Right-click any task that looks suspicious and click Properties. Check the "Actions" tab: does it run a random EXE from Temp or AppData? That's a red flag. Check the "Triggers" tab: does it run at startup or on a schedule with no obvious purpose? Another red flag.
  4. Disable or delete malicious tasks.
    Right-click the suspicious task and select Disable or Delete. If you're unsure, disable first and test if the Trojan reappears. If disabling stops it, the task was the culprit.
  5. Scan again.
    Run another Full scan in Defender and check Protection history.
Malicious scheduled tasks are one of the most common persistence mechanisms. Removing them often stops recurring Trojans outright.
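
The startup-item and scheduled-task checks from the two fixes above can be run as one read-only pass. This is an added example, not part of the original guide; it also lists auto-start services, the third mechanism the guide names. The patterns are the guide's own red flags, and the helper names `Get-RedFlag` and `New-Row` are assumptions made for illustration. Run it in an elevated PowerShell window.

```powershell
# Added example: read-only audit of autostart entries. It lists; it changes nothing.
# Regex fragments for the guide's red flags: Temp or AppData\Roaming paths, lookalike names.
$patterns = '\\Temp\\', '\\AppData\\Roaming\\', 'svchsst\.exe', 'rundl132\.exe'

# Hypothetical helper: returns the first red-flag pattern a command line matches, or ''.
function Get-RedFlag([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($p in $patterns) {
        if ($expanded -match $p) { return $p }
    }
    return ''
}

# Hypothetical helper: one uniform row so all three sources sort into a single table.
function New-Row($Source, $Name, $Command, $Trigger) {
    [pscustomobject]@{
        Flag = Get-RedFlag $Command; Source = $Source; Name = $Name
        Trigger = $Trigger; Command = $Command
    }
}

$rows = @(
    # Startup items: Run keys and Startup folders, as shown on Task Manager's Startup tab.
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        New-Row "Startup: $($_.Location)" $_.Name $_.Command 'logon'
    }
    # Scheduled tasks: one row per program action, with the trigger types that fire it.
    foreach ($task in Get-ScheduledTask) {
        $triggers = ($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }  # COM-handler actions have no program path
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            New-Row "Task: $($task.TaskPath)" $task.TaskName $cmd $triggers
        }
    }
    # Services set to start automatically (the third mechanism the guide names).
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        New-Row 'Service' $_.Name $_.PathName 'boot'
    }
)

# Flagged rows first. A flag marks an entry to review, not a verdict.
$rows | Sort-Object @{ Expression = { $_.Flag -eq '' } }, Source, Name |
    Format-Table Flag, Source, Name, Trigger, Command -AutoSize -Wrap

# Disable (not delete) a task you have confirmed is bad; names below are placeholders:
#   Disable-ScheduledTask -TaskPath '\ExampleFolder\' -TaskName 'ExampleTask'
```

Legitimate software also starts from AppData\Roaming, so check each flagged entry (publisher, VirusTotal) before disabling it.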

Fix 4: Delete Infected System Restore Points (Difficulty: Medium)

  1. Disable System Protection temporarily.
    Press Windows + R, type SystemPropertiesProtection, press Enter. On the "System Protection" tab, select your system drive (usually C:) and click Configure.
  2. Turn off protection and delete restore points.
    Select "Disable system protection", then click Delete to remove all existing restore points. Confirm. This wipes out any infected snapshots that could re-apply the malware if you ever restored to them by accident.
  3. Re-enable System Protection and create a new clean point.
    Back in the Configure window, select "Turn on system protection", set the disk space usage slider to at least 10%, click Apply, then OK. You're now safe: new restore points will be clean.
Warning: Deleting all restore points means you cannot undo Windows changes made before this moment. Only do this if you're confident the Trojan is gone or you're about to do a clean reinstall anyway.

Fix 5: Uninstall Suspicious Programs and Check Browser Extensions (Difficulty: Easy)

  1. Open Installed Apps.
    Press Windows + I, go to Apps > Installed apps. Click the sort dropdown and select "Install date" to see programs sorted by when they were installed.
  2. Uninstall programs from around the Trojan infection date.
    If you know roughly when the Trojan first appeared, look at programs installed around that time. Unknown software, especially anything with a random name, anything from a sketchy download site, or anything labeled as a "cleaner" or "optimizer" (common Trojan wrappers) should go. Click the three dots next to the app name and select Uninstall.
  3. Check browser extensions.
    Open your browser (Chrome, Edge, Firefox). In Chrome or Edge, type chrome://extensions or edge://extensions into the address bar. Remove any extensions you don't recognize, especially ones with random names or ones you didn't install.
  4. Scan again.
    Run another Full scan in Defender.
Trojans often arrive bundled with seemingly legitimate software. Removing the wrapper app breaks the re-infection cycle.

Advanced Fixes for Trojan Keeps Coming Back Windows Defender

If you've completed all intermediate steps and the Trojan still reappears, it's deeply embedded. The malware may be loading at a low level (before Windows fully starts), it may have rootkit-like capabilities, or the system may be so compromised that even multiple scans can't catch all pieces. These are the last two options before a clean reinstall.

Fix 6: Run Microsoft Defender Offline Scan (Difficulty: Hard)

  1. Open Windows Security.
    Press the Windows key, type "Windows Security", press Enter. Click Virus & threat protection.
  2. Select Microsoft Defender Offline scan.
    Under "Current threats", click Scan options. Select Microsoft Defender Offline scan and click Scan now.
  3. Your PC will reboot.
    The system will restart and scan before Windows fully loads. This low-level scan can catch Trojans and rootkits that hide from normal Windows scans because they're executed before Windows security features are active. This takes 10-20 minutes.
  4. Review results when Windows restarts.
    After the scan completes and Windows loads, open Virus & threat protection again and check Protection history. Look for the Trojan name and path. If it's listed as Quarantined or Removed and doesn't reappear for 24-48 hours and multiple reboots, it's gone.
Microsoft Defender Offline scan is your most powerful built-in tool. If it doesn't catch the Trojan or the Trojan keeps coming back even after this, the infection is operating at a level that requires a clean reinstall to guarantee removal.

Fix 7: Run System File Checker and DISM Repairs (Difficulty: Hard)

  1. Open Command Prompt as Administrator.
    Press the Windows key, type cmd, right-click "Command Prompt", and select Run as administrator. Click Yes if prompted.
  2. Run System File Checker (SFC).
    In the command prompt, type sfc /scannow and press Enter. This scans Windows system files and repairs any that have been corrupted or modified by malware. It takes 10-15 minutes.
  3. If SFC finds issues it cannot fix, run DISM.
    Once SFC finishes, type DISM /Online /Cleanup-Image /RestoreHealth and press Enter. DISM uses Windows Update files to repair the component store that SFC relies on. This takes another 10-15 minutes.
  4. Reboot and run SFC again.
    Restart your PC and repeat sfc /scannow. Keep running it until it reports "No integrity violations detected." This ensures all system-level corruption from the malware is reversed.
  5. Run another Full scan and Offline scan.
    After SFC confirms no violations, run a Full scan and then a Microsoft Defender Offline scan. Check if the Trojan reappears.
Warning: These commands take time and will require reboots. Don't interrupt them. If they complete successfully and the Trojan still returns, a clean Windows reinstall is your only remaining option.

Fix 8: Clean Windows Reinstall (Guaranteed Fix) (Difficulty: Hard)

  1. Back up personal files to an external drive.
    Connect an external USB drive to your PC. Copy ONLY personal files (documents, photos, videos, spreadsheets) to the external drive. Do NOT back up .exe, .bat, .cmd, .scr, or installer files; they may be infected. Do not connect this drive to other PCs or the internet yet.
  2. Download Windows installation media.
    On a clean PC if possible (or after backing up your data), go to Microsoft's Windows download page. Download the Media Creation Tool, run it, and follow the prompts to create a bootable USB drive with Windows installation files.
  3. Boot from the installation USB and start a clean install.
    Insert the USB drive into your infected PC. Restart and press F12 or F2 (or your BIOS key, check your motherboard manual) during startup to enter the boot menu. Select the USB drive. The Windows installer will launch.
  4. Choose Custom Install and delete all partitions.
    In the installer, click Custom: Install Windows only (advanced). Select your system drive (usually C:), right-click, and click Delete. Repeat until all partitions on that drive are deleted. This wipes all software and malware. Then click the unallocated space and click Next to install Windows fresh.
  5. Complete Windows setup.
    Follow the installer prompts, create your user account, and let Windows finish. Don't install any third-party software yet.
  6. Update Windows and Defender, then restore your files.
    Once Windows is fully loaded, press Windows + I, go to Settings > Update & Security > Windows Update, and install all available updates. Let your PC restart as needed. Ensure Windows Defender is active (go to Virus & threat protection and confirm real-time protection is on). Then connect your external drive, copy your personal files back, and run a Full scan on the external drive and your restored files with Defender to confirm they're clean.
A clean Windows reinstall is 100% effective because it wipes the entire drive, removes all software, and installs Windows fresh from official Microsoft files. If the Trojan reappears after this, it's reinfecting from external media, and you need to identify and isolate the source (USB drive, network share, or pirated software).
Clean reinstalls are not as scary as they sound. You're starting with a blank drive and a clean OS, which is actually the safest state. Just make sure you back up your personal files first and you've downloaded the Windows installer on a clean USB drive.

Preventing Trojan Keeps Coming Back Windows Defender

Once you've removed the Trojan, don't let it back in.

Keep Windows and Defender updated. Enable automatic Windows Updates (Settings > Update & Security > Windows Update) and ensure real-time protection and cloud-based protection are on in Windows Security. New malware signatures get deployed constantly, and being behind is asking for reinfection.

Avoid pirated software, keygens, and cracks. These are Trojan vectors #1. Even if you run scans before using them, many keygens and activators re-execute themselves at startup to "validate" the license, and that's when they download and run malware. If a software product is worth using, it's worth buying.

Use a standard account for daily work. Create a standard (non-administrator) user account for browsing and running day-to-day software. Keep an administrator account for system maintenance only. Malware running in a standard account can't install system services or modify system files without asking for elevation, which gives you a chance to notice something is wrong.

Be selective with email attachments and downloads. Don't open .exe, .zip, or .scr files from unknown senders. If you're expecting a document and you get an executable, it's malware. Only download from official vendor sites, not file-sharing sites, torrent sites, or abbreviated link shorteners that hide the real destination.

Disable autorun for removable drives. Press Windows + R, type gpedit.msc, press Enter (Windows Pro/Enterprise only; Home users: see this guide). Go to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies and set "Disallow Autoplay for non-volume devices" to Enabled. This prevents USB drives from automatically running malicious files when you plug them in.

Maintain offline backups. Keep a backup drive disconnected and stored safely. If you ever get compromised again, you can restore clean files without relying on infected system restore points. Test your backups occasionally by restoring a file.

Run Microsoft Defender Offline scan occasionally. Even with real-time protection enabled, run a manual Offline scan once a month or after downloading and opening unknown files. It's your safety net for threats that might slip past real-time scanning.

Trojan Keeps Coming Back Windows Defender Summary

A Trojan that keeps reappearing after Windows Defender removes it isn't a sign that Defender is broken or that you're doing something wrong. It's a sign that the malware has installed persistence mechanisms (startup items, scheduled tasks, services) that automatically re-drop the payload on reboot. One-off scans can't fix this.

Follow the steps in order: Quick Fix (full scans), then Intermediate (Safe Mode startup cleanup, scheduled task removal, restore point deletion), then Advanced (Offline scan, SFC/DISM repairs, clean reinstall if needed). Most recurring Trojans are eliminated by the Intermediate tier. If the Trojan keeps coming back even after a Microsoft Defender Offline scan and system repairs, a clean Windows reinstall is the only way to guarantee it's gone.

Once you're clean, keep Windows and Defender updated, avoid pirated software, run occasional Offline scans, and maintain an offline backup. That combination will keep you safe from re-infection.

Frequently Asked Questions

The Trojan likely has a persistence mechanism such as a startup item, scheduled task, or service that automatically re-drops the malicious file on reboot. Alternatively, the system may be deeply compromised with rootkit-like malware that evades standard scans, or infected System Restore points may be restoring the malware. This is why one-off scans don't work; you need to remove the mechanism keeping it alive.

Microsoft Defender Offline scan boots your PC before Windows loads and scans the system at a low level, allowing it to detect deeply hidden threats and rootkits that normal real-time scanning might miss. It is essential for recurring Trojan infections because it bypasses the parts of Windows that the malware may have compromised.

Only if you restore to a point from before the Trojan first appeared. If you restore to an infected restore point, the malware will return. It is safer to delete all restore points and create a new one after the system is clean. This prevents the malware from being re-applied by a careless restore action later.

Run a Full scan and Microsoft Defender Offline scan, then check Protection history to confirm the Trojan is Quarantined or Removed. If the same Trojan at the same file path does not reappear after several reboots, it is likely gone. If it keeps reappearing, you need Advanced tier solutions or a clean reinstall.

If the Trojan persists after running Full scans, Offline scans, Safe Mode cleanup, and System Restore, a clean reinstall is the only guaranteed way to remove deeply hidden malware. Microsoft guidance states that persistent suspicious activity after clean scans indicates the need for reinstall. This is not defeat; it is the professional solution.