1. Don't restart or shut down yet
If you suspect an active infection, avoid restarting. Some malware activates on boot or encrypts files during shutdown. Disconnect from the internet first (unplug the Ethernet cable or turn off Wi-Fi).
2. Boot into Safe Mode
Hold Shift and click Restart, then choose Troubleshoot → Advanced Options → Startup Settings → Restart, and press 4. Safe Mode loads Windows with minimal drivers, preventing most malware from running.
3. Run Malwarebytes in Safe Mode
Download Malwarebytes Free from malwarebytes.com. Run a full system scan in Safe Mode. Quarantine everything found. Do not delete quarantined items immediately; you may need them for analysis.
4. Run Windows Defender Offline Scan
Windows Security → Virus & Threat Protection → Scan Options → Microsoft Defender Offline Scan. This runs before Windows loads, catching rootkits that hide during normal operation.
5. Change all passwords
After cleaning the device, change the passwords for your email, banking, Microsoft account, and any other service, using a different device first if possible. Enable 2FA on all accounts.
6. Verify the system is clean
Run a second scan with a different tool (HitmanPro, Sophos Home free). If both come back clean after a full restart, the infection is likely removed. Monitor for unusual activity for 48 hours.
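A scripted version of the step 6 check and the 48-hour watch, added here as an example and not part of the original guide. It only reads state through the built-in Microsoft Defender PowerShell cmdlets and assumes Defender is the active antivirus; if another antivirus product has taken over real-time protection, the protection flags can legitimately read False.

```powershell
# Added example: read-only post-cleanup check using the built-in Defender cmdlets.
# Run from an elevated PowerShell window after the full restart in step 6.
$windowHours = 48   # monitoring window from step 6
$since = (Get-Date).AddHours(-$windowHours)

# 1. Protection state: malware commonly turns these off, so any False needs a look.
$status = Get-MpComputerStatus
$checks = [ordered]@{
    'Antivirus enabled'    = $status.AntivirusEnabled
    'Real-time protection' = $status.RealTimeProtectionEnabled
    'Behavior monitoring'  = $status.BehaviorMonitorEnabled
    'Tamper protection'    = $status.IsTamperProtected   # empty on older builds, treated as off
}
$checks.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
'Signatures updated     {0}' -f $status.AntivirusSignatureLastUpdated
'Last full scan ended   {0}' -f $status.FullScanEndTime

# 2. Detections recorded inside the window, with names resolved from the threat catalog.
$recent = @(Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since })
$recent | ForEach-Object {
    [pscustomobject]@{
        Detected   = $_.InitialDetectionTime
        Threat     = (Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue).ThreatName
        Process    = $_.ProcessName
        Remediated = $_.ActionSuccess
        Resources  = $_.Resources -join '; '
    }
} | Format-Table -AutoSize -Wrap | Out-String

# 3. Defender event log: 1116 = malware detected, 1117 = action taken,
#    5001 = real-time protection disabled.
$events = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5001
    StartTime = $since
})
$events | Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize | Out-String

# 4. Verdict: quiet only if protection is on and nothing fired inside the window.
$protectionOff = @($checks.Values | Where-Object { -not $_ }).Count -gt 0
if ($protectionOff -or $recent.Count -gt 0 -or $events.Count -gt 0) {
    Write-Warning 'Review the output above before treating this PC as clean.'
} else {
    "No detections or protection changes in the last $windowHours hours."
}
```

Detections logged during the cleanup itself will appear if it happened inside the window, so compare the timestamps against when you ran the scans.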
If malware keeps returning after removal, if you see ransomware encryption messages, if your screen is locked, or if you suspect data was stolen — contact us immediately for emergency response.