5 Things to Do After Removing a Virus From Your Windows Device (2024)

Has your device recently been infected by a virus or Trojan that you've successfully removed with a virus scan? You may wonder what the virus changed during its stay on your device, so you can review and revert those changes. The viruses often alter your system settings, making it easier for them to re-infect the device.

In this article, we'll show you how to undo the changes made by the malware while it was on your computer. Let's get started.

Ensure the Virus Has Truly Been Removed From Your Computer

To begin with, make sure that the malware or virus that infected your computer recently has been removed. If the virus still exists on your computer while you undo its changes, it will be useless because it can resume altering your device's settings. Therefore, you will have to undo the changes from scratch again.

For this reason, follow these steps to ensure your device is virus-free:

• Right-click the Windows Start button and select Task Manager. Verify whether any suspicious processes are running that you have never seen before, especially those consuming a lot of resources. Find out what these processes do by searching the web. In case they are related to malware, your device is still infected.
• Open the Windows Security app by searching "Windows Security" in the Windows Search. Navigate to the Protection history tab in the left sidebar. If you find any active threats, you must remove them first.

  

• Check if your device is infected with malware by running a Windows Defender offline scan. Your device is malware-free if the scan comes back clean. As a precaution, download a third-party antivirus and run a virus check on your computer. If that also fails to detect a virus, your device is likely not infected with malware.

These steps will help you confirm that the virus has been removed from your device. Once you have confirmed that, you need to undo the changes. For that, you have two options; undo the changes manually or restore your system to a previous point in time.

By restoring a restore point, you restore the system to the state it was when the restore point was created. As a result, any changes made after that are automatically reverted. So, if you created a restore point before your device was infected, you would be much better off restoring that restore point than reverting each change manually.

Check out our guide on how to create a restore point on Windows to learn how to use previous restore points to revert system changes. In case a restore point has never been created before on your device, follow these steps to revert any major system changes manually.

1. Ensure the Hosts File Has Not Been Tampered With

In most cases, viruses are trained to hijack the Hosts file, which maps domain names to IP addresses. Usually, they do this to prevent users from connecting to Microsoft servers or block antivirus manufacturer websites, so they can't remove the virus. Hence, you should first check to see if the Hosts file has not been hijacked.

Follow these steps to do that:

1. In the File Explorer navigation bar, paste the following path.

   C:\Windows\System32\drivers\etc 

2. Right-click on the Hosts file and then click Open With.

   

   See Also

   iPhone Trojan Virus Detected Hoax Popup - What To Do - GadgetMatesFake-Alert Scams Growing Again | McAfee Blog
3. Click the OK button after choosing Notepad from the list of available apps.
4. Check the last lines of the file to see if any genuine domain names are added, such as microsoft.com or google.com.

   

5. Delete any such addresses from the file if there are any.
6. To save the changes, click the File tab and then click Save. (Make sure you're logged in as an administrator; otherwise, the file won't save)

   

2. Reset Your Network Connections

A cybercriminal can also compromise your security by manipulating your local DNS resolver to provide the malicious IP address to queries for specific domains.

This means that whenever you look for a genuine domain, your browser could be assigned the IP address of a fake website that cybercriminals might have created themselves. Because fake websites look and feel the same, you could easily be fooled.

Follow these steps to rule out this possibility:

1. Open the Control Panel app by typing "Control Panel" into Windows Search.
2. Navigate to the Network and Sharing Center.
3. Then click on Change adapter settings.

   

4. Right-click on your network connection and select Properties.
5. Then double-click the Internet Protocol Version 4 (TCP/IPv4) or the Internet Protocol Version 6 (TCP/IPv6), depending on your settings.
6. Ensure that the options Obtain an IP address automatically and Obtain DNS server address automatically are selected. If you have manually added an IP address or DNS server address, make sure it hasn't been changed.

   

7. In the bottom-right corner, click on the Advanced button.
8. Remove any suspicious addresses that appear in the DNS and IP Settings tab.

   

3. Delete Registry Keys Added by the Malware

Malware can also modify the Windows registry keys in the Registry Editor to gain an advantage. Thus, you should ensure that the malware has not added any new keys, which could still exist, giving the virus permission to infect your device again.

Be careful, however. Deleting random keys from the Registry Editor has a high chance of causing system instability and corruption. As such, you should only perform these steps if an expert has advised that you should delete specific Registry keys related to the virus, and you should only delete the ones you're instructed to get rid of.

Also, be sure to create a backup of the Registry before tinkering with its keys since deleting essential keys could cause serious operating system problems.

1. In the Windows Search box, type "Registry Editor."
2. To run the Registry Editor as administrator, right-click on it and choose Run as administrator.
3. To open the Registry Editor search bar, press CTRL + F.

   

4. Enter the name of the virus you just removed.
5. Look for suspicious keys with strange names or somehow related to the virus.
6. To delete any keys associated with the virus, right-click them and choose Delete from the context menu.

   

4. Make Sure Your Browser Hasn't Been Compromised

Despite removing viruses from our computer on an operating system level, some viruses will try to wreak into your browser and break havoc there too. Thus, it's essential to ensure your browser hasn't been hijacked. Follow these tips to do that:

• Make sure no suspicious extensions have been added.
• Reset your browser or carefully undo any changes viruses may have made.
• Make sure no new search engine has been added and set as the default.
• Make sure no suspicious pages are added to the browser startup settings.

Our article on removing the Quick Search Tool hijacker will give you detailed instructions on how to do everything listed above. Regardless of what the hijacker is called, the same instructions apply.

5. Disable Suspicious Processes and Services

Last but not least, ensure no services or processes have been added by the virus to facilitate its second entry. Much like the Registry step, it's best to only do this if you've been instructed to get rid of specific processes, or if you feel confident in your ability to identify and disable the right ones. Ending the wrong processes can cause a system crash.

Here are the steps you need to follow:

1. Right-click on the Windows Start button to open the Task Manager.
2. Go to the Startup tab.
3. Right-click on the suspicious processes and hit Disable.

   

4. Then type "System Configuration" in the Windows Search box and open the System Configuration app.
5. Check the box for Hide all Microsoft Services.
6. Then, uncheck the boxes for any suspicious services that are running.

   

Revert the Changes Made by Malware on Windows

Hopefully, our article will help you undo the changes made by the malware so it cannot intrude on your device again. Once you have undone these changes, make necessary efforts to foolproof your device's security to prevent viruses and malware from entering it in the future.