How to Clean an Infected Computer

By “compromised,” I mean a computer that malefactors are known to have connected to in some way. They may have directly accessed it using remote-connection software, been invited in by a user, or something else allowed them access.

The general approach is to secure the computer, remove any malware that may have been left behind, and secure any online accounts they had an interest in.

Plan of Attack (In Brief)
  1. Remove the affected computer from any network.
  2. Find access to the Internet from another safe computer.
  3. Get a USB stick.
  4. On the safe computer, download one or two tools to clean the affected computer.
  5. Use a USB stick to move it/them to the affected computer.
  6. Install tools to clean the affected computer and run them.
  7. Connect the affected computer to the network and Internet.
  8. Run the malware scanner a second time.
  9. Once the computer is clear of malware, change the user account password.
  10. Also, change any online credentials the malefactor may have been interested in.
Procedure to Do All of the Above

Before undertaking this procedure, consider simply reformatting the computer and starting over.

Do this if:
  • You have very few applications installed on the PC and possess installers for any you have.
  • You have a good backup of your user data and have tested restoring it, so you know it can be retrieved reliably.
  • You can also keep most or all of your user data “in the cloud” (on OneDrive, Google Drive, etc.) or on an external or networked drive.

That will take a while to complete, but it can be a more efficient way to ensure that the malefactor no longer has access to your computer and that no malware is left behind.

Continuing With the Process

Assuming you don’t want to factory reset the computer, here’s how to proceed.

  1. Disconnect the affected computer from the Internet and any network it’s on.
    1. Wired connections: Unplug the Ethernet cable.
    2. Wireless connections: Click on the wifi symbol at the lower-right of your screen.
    3. Then click on your wifi connection name and Disconnect. Or click on the Airplane symbol to turn on Airplane mode.
  2. Obtain a USB stick and access to a safe computer with an active Internet connection.
  3. Plug the USB stick into the safe computer and download the Malwarebytes installer via the following: https://www.malwarebytes.com/mwb-download/thankyou
    1. Only if you interacted with the malefactor and he/she used remote-connection software to get onto the computer: also download Revo Uninstaller via the following: https://www.revouninstaller.com/start-freeware-download/
  4. These are direct download links that will leave the files in your Downloads folder.
  5. If needed, copy the Malwarebytes installer and Revo installer to the USB stick. Remove it, then plug it into the affected computer.
  6. Only if you had to download Revo Uninstaller:
    1. On the USB stick in the affected computer, run the Revo installer program.
    2. Open Revo Uninstaller and wait while it completes its list of installed programs.
    3. Click on the program used by the malefactor to get onto the computer, then click Uninstall in the toolbar at the top of the Revo window.
    4. Click Continue; this will create a restore point and then launch that program’s uninstaller. You will probably have to respond to prompts to confirm the removal of the program.
    5. Once that’s finished, back in Revo, click on the Advanced button in “Scanning modes,” then click Scan.
    6. You may be presented with one or more lists of leftover items. For each of these windows that come up, check off all the boxes next to the items, then click the Delete button. Confirm you want them deleted.
    7. Click Finish when the last window has come up and all leftover items have been removed.
    8. Also, remove any other remote-access programs that Revo has found. Some are TeamViewer, AnyDesk, GoToMyPC, LogMeIn, Join.Me, Google Remote Desktop, and VNC. Some of these may have extra words in their names, particularly VNC (there’s UltraVNC, TightVNC, etc.). Remove any of those in the same way as above (steps 3 through 7).
    9. This will cut off any software the malefactor may have left behind in order to get back onto the computer later.
  7. From the USB stick on the affected computer, run the installer for Malwarebytes.
  8. Click the option for Home users (because that’s what you are). You won’t need to allow the installation of any added components. Confirm you want to use the software.
  9. Run Malwarebytes (it should have invited you to launch it at the end of the installation process).
  10. In its Dashboard, click Scan.
    1. It may warn you that you don’t have the latest definitions; that’s OK for now; you’ll scan a second time once you can update them.
  11. Allow Malwarebytes to finish. Have it quarantine everything it finds (it might not find anything). Note, not everything it does find may relate to this incursion or even be particularly dangerous, but quarantine everything anyway.
  12. It will likely tell you to reboot to complete removal; do so. In fact, reboot even if it finishes without telling you to do so.
  13. Reconnect the affected computer to its network by turning off Airplane mode and reconnecting to wifi or plugging the Ethernet cable back in.
  14. Wait a few minutes (up to 5) to allow the computer to connect to the Internet.
  15. Open Malwarebytes and rerun a scan. By default, it should start by updating its definitions, and it will tell you it’s doing so.
  16. As before, once the scan is complete, have it quarantine everything it finds, assuming it did find anything to remove (it might not).
  17. Reboot the affected computer even if it doesn’t tell you to, and uninstall Malwarebytes. You no longer need it, and it might prevent Windows Defender from working correctly.
  18. If neither of the two scans turned up any threats, consider using an online scanner to get a second opinion. Choose one of these.
    1. ESET Online Scanner, via https://www.eset.com/int/eset-online-scanner/. Click “SCAN NOW,” run the downloaded file, and then follow the prompts.
    2. Trend Micro HouseCall, via https://www.trendmicro.com/en_ca/forHome/products/housecall.html. Click “Windows/Mac,” run the downloaded file, then follow the prompts.
    3. Whichever of these you use, have it do a scan as thoroughly as possible. These scans may take a long time, so be patient.
    4. As with Malwarebytes, have the tool quarantine or remove everything it finds. Reboot when finished.
    5. If the program has been installed on your PC, use Revo Uninstaller to remove it. (As with Malwarebytes, you no longer need it.)
  19. On the affected computer, change your local user account password. Microsoft has a tech support page about doing this: https://support.microsoft.com/en-us/windows/change-or-reset-your-windows-password-8271d17c-9f9e-443f-835a-8318c8f68b9c
  20. This may entail changing your Microsoft Online account password and PIN if you use one to log in.
  21. That might affect other devices you connect to that account with (smartphone, tablet, etc.), so carefully note your new password — in writing — in a safe place, and update the password manager if you use one.
  22. Also, change passwords for all accounts the malefactor was interested in, including email accounts, banking accounts, and e-commerce accounts (Amazon, etc.).
  23. If you haven’t already done so, configure multi-factor authentication for all those accounts and your Microsoft Online account if you use one to log in to the computer.
    1. Consult https://2fa.directory/us/ to find out how this is done for each site or service you use.
    2. Microsoft’s 2FA can be set up from here: https://support.microsoft.com/en-us/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7
    3. I recommend using Microsoft’s authenticator app for this.
    4. If you have a Google/Gmail account, use Google’s authenticator.
    5. Yahoo/AT&T/snet.net/SBCGlobal accounts can use any Yahoo app for this (e.g., Yahoo News, Yahoo Sports, Yahoo Mail).
    6. Yes, your phone may end up with an array of authenticator apps. Some can be used for multiple services, so you may be able to limit the number needed on your device.
    7. As with passwords, write down the 2FA method used with each service. Also, write down (as in step 21) any offline or bypass codes that may be generated.
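For readers comfortable with a command prompt, here is an added example (not part of the original article, and not a Malwarebytes or Revo Uninstaller tool) that automates the inventory behind steps 1 and 6.8: it lists every installed program, Windows service and running process whose name matches one of the remote-access tools named above, so you know what to point Revo Uninstaller at. It is a read-only PowerShell script; the match patterns, the function names, and the choice to match Chrome Remote Desktop by its full name (to avoid flagging Windows’ own Remote Desktop Services) are my assumptions, not something the article specifies.

```powershell
# Added example, not from the original article: read-only inventory of the
# remote-access tools the article names (TeamViewer, AnyDesk, GoToMyPC, LogMeIn,
# Join.Me, Chrome/Google Remote Desktop, VNC variants). Function names and
# patterns are assumptions; nothing here removes anything.

# 'VNC' deliberately also matches UltraVNC, TightVNC and RealVNC. Chrome Remote
# Desktop is matched by its full name so that Windows' built-in "Remote Desktop
# Services" does not appear as a false positive.
$RemoteAccessPatterns = @(
    'TeamViewer', 'AnyDesk', 'GoToMyPC', 'LogMeIn', 'Join\.Me',
    'Chrome Remote Desktop', 'VNC'
)
$RemoteAccessRegex = $RemoteAccessPatterns -join '|'

function Get-InstalledRemoteAccessSoftware {
    # Installed programs are registered under the Uninstall keys (64-bit,
    # 32-bit and per-user); this is the same list Revo builds in step 6.2.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($_.DisplayName -match $RemoteAccessRegex) } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString |
        Sort-Object DisplayName -Unique
}

function Get-RemoteAccessServices {
    # An automatically starting service is how these tools survive a reboot;
    # Status 'Running' means the tool is live right now.
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -match $RemoteAccessRegex) -or ($_.DisplayName -match $RemoteAccessRegex) } |
        Select-Object Name, DisplayName, Status, StartType
}

function Get-RemoteAccessProcesses {
    # Running processes catch "portable" builds that never registered an
    # uninstaller or a service, which the Uninstall keys alone would miss.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $RemoteAccessRegex } |
        Select-Object Id, ProcessName, Path
}

function Disconnect-FromAllNetworks {
    # Step 1 from an elevated prompt: disable every adapter that is currently Up,
    # as an alternative to unplugging the cable or toggling Airplane mode.
    # Not called automatically; run it by hand if you want it.
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
        Disable-NetAdapter -Confirm:$false
}

# Run the read-only checks and print a report.
$installed = @(Get-InstalledRemoteAccessSoftware)
$services  = @(Get-RemoteAccessServices)
$processes = @(Get-RemoteAccessProcesses)

"--- Installed remote-access programs ({0}) ---" -f $installed.Count | Out-Host
$installed | Format-Table -AutoSize | Out-Host
"--- Matching services ({0}) ---" -f $services.Count | Out-Host
$services  | Format-Table -AutoSize | Out-Host
"--- Matching running processes ({0}) ---" -f $processes.Count | Out-Host
$processes | Format-Table -AutoSize | Out-Host

if (($installed.Count + $services.Count + $processes.Count) -eq 0) {
    "No known remote-access tools found; still run the Malwarebytes scans (steps 7 through 17)." | Out-Host
}
```

Copy the script to the USB stick alongside the installers, then on the affected (still offline) computer open PowerShell as Administrator and run it with `powershell -ExecutionPolicy Bypass -File .\Find-RemoteAccess.ps1`. Anything it lists under installed programs is what to remove with Revo in step 6; a matching service or process with nothing under installed programs points to a portable copy, so note the `Path` column and remove that folder after the Malwarebytes scans. The list only covers the names the article gives, so a tool with an unfamiliar name can still slip past it; that is what the two Malwarebytes scans and the optional online scanner are for.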
Desired End Result

The goal is to prevent the malefactor from reaccessing the machine, remove any malware he or she may have left behind, reset passwords on the computer itself, reset passwords online, and lock down other accounts using 2FA so the malefactor can’t access those.

If all of this sounds intimidating, I apologize, but these steps are all necessary, especially the last ones. Your accounts will need to be re-secured to lock out the malefactor.