How to Remove Ransomware Traces on Windows

What Causes This?

Ransomware often leaves behind more than encrypted files. Even after the main infection is removed by antivirus software, it can leave startup entries, scheduled tasks, temporary files, ransom notes, registry changes, and dropped executables scattered across Windows. These leftovers can slow down your PC, trigger warnings, or make it harder to confirm the system is truly clean.

Common Symptoms

• Strange files or ransom notes still appear on the desktop or in folders
• Unknown startup apps or scheduled tasks keep coming back
• Security software reports suspicious remnants but does not fully remove them
• Temporary folders, downloads, or AppData contain random suspicious files
• The PC feels unstable, slow, or shows repeated error messages after cleanup

How to Fix It Manually

1. Disconnect the PC from the internet

   • Unplug Ethernet or turn off Wi-Fi from Settings > Network & Internet.
   • This helps stop any remaining malicious process from contacting outside servers or spreading to shared drives.

2. Boot into Safe Mode

   • Press Windows + I to open Settings.
   • Go to System > Recovery.
   • Under Advanced startup, click Restart now.
   • After restart, choose Troubleshoot > Advanced options > Startup Settings > Restart.
   • Press 4 or F4 for Safe Mode.

3. Check for suspicious startup items

   • Open Task Manager with Ctrl + Shift + Esc.
   • Click the Startup apps tab.
   • Look for unknown entries, especially with random names, missing publishers, or unusual file locations.
   • Right-click suspicious items and choose Disable.
   • Then press Windows + R, type shell:startup, and press Enter.
   • Delete any shortcut or file you do not recognize.

4. Remove suspicious scheduled tasks

   • Press Windows + S, type Task Scheduler, and open it.
   • In Task Scheduler Library, review tasks with odd names or actions that launch files from AppData, Temp, ProgramData, or random folders.
   • Right-click suspicious tasks and choose Disable, then Delete if you are sure they are malicious.

5. Clean common ransomware leftover locations

   • Open File Explorer and check these folders one by one:
     • %Temp%
     • %AppData%
     • %LocalAppData%
     • C:\ProgramData
     • C:\Users\YourName\Downloads
   • Delete obvious ransom notes, random executable files, and suspicious folders created around the time of the attack.
   • Empty the Recycle Bin afterward.

6. Scan for leftover malware

   • Open Windows Security from the Start menu.
   • Go to Virus & threat protection.
   • Click Scan options and run a Microsoft Defender Offline scan.
   • After Windows restarts and finishes scanning, run a Full scan as well.

7. Check for damaged system files

   • Right-click Start and choose Terminal (Admin) or Windows PowerShell (Admin).
   • Run these commands one at a time:
     1. sfc /scannow
     2. DISM /Online /Cleanup-Image /RestoreHealth
   • Restart the PC when both scans finish.

8. Review shared folders and restore normal settings

   • Reconnect to the internet only after scans are clean.
   • Check that Remote Desktop, file sharing, and mapped drives are disabled if you do not need them.
   • Change important passwords from a clean device, especially if the ransomware infection may have included password theft.

Fix It Automatically with Kudu

If you do not want to dig through startup entries, scheduled tasks, temp folders, and system clutter by hand, Kudu can help. It scans for leftover malware-related junk, broken startup items, and other unwanted traces so you can clean up Windows faster and with less guesswork.

Download Kudu Free →