Disconnect the device from the internet (Wi-Fi and Ethernet)
Disconnect any external storage devices (USB drives, external HDD/SSD)
Back up important files using a trusted offline method (if you suspect ransomware, do not back up yet, so you do not overwrite good backups with encrypted files)
Identify the malware type (ransomware, spyware, adware, trojan, worm) if possible
Update antivirus/anti-malware definitions before scanning
Run a full system scan with your primary antivirus/anti-malware tool
Use a second-opinion scanner (on-demand malware scanner) and run a full scan
Scan in Safe Mode if available and supported by your OS
Quarantine or delete detected threats as prompted
Check for persistence mechanisms:
    Browser extensions and add-ons
    Startup programs and scheduled tasks
    Services and installed programs
    Browser policies and homepage/search redirects
Remove suspicious or recently installed software
Review and clean Windows/macOS startup items and login items
Clear malicious browser settings:
    Reset browser settings
    Remove unknown extensions
    Restore default homepage/search
Check network connections:
    Review active connections and listening ports
    Block suspicious IPs/domains if your firewall allows
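The persistence and network checks above, as an added read-only example that is not part of the original checklist: a PowerShell triage that lists Run/RunOnce autorun entries, non-Microsoft scheduled tasks and listening TCP ports with their owning process. It assumes a modern Windows system (Windows 10/11 or Server 2016+) and an elevated prompt; it changes nothing, so review the output by hand before removing anything.

```powershell
# Added example, not part of the original checklist. Read-only: it only lists
# the persistence locations and listening ports the checklist says to review.
# Assumes Windows 10/11 or Server 2016+ and an elevated PowerShell prompt.

function Get-AutorunEntries {
    # Run / RunOnce keys for the machine and the current user
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {   # skip the provider's PS* metadata
                    [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree, with the command each action runs
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $t = $_
        $t.Actions | ForEach-Object {
            [pscustomobject]@{ Task = ($t.TaskPath + $t.TaskName); State = $t.State
                               Execute = $_.Execute; Arguments = $_.Arguments }
        }
    }
}

function Get-ListeningPorts {
    # Listening TCP sockets mapped to the owning process name and image path
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                           PID = $_.OwningProcess; Process = $proc.ProcessName; Path = $proc.Path }
    }
}

"== Autorun entries =="; Get-AutorunEntries | Format-Table -AutoSize
"== Non-Microsoft scheduled tasks =="; Get-NonMicrosoftTasks | Format-Table -AutoSize
"== Listening TCP ports =="; Get-ListeningPorts | Sort-Object LocalPort | Format-Table -AutoSize
```

Entries whose command points to a user-writable location (temp or profile folders), a recently created task, or a listening port owned by an unfamiliar process are the items to look into first.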
Change passwords from a clean device (or after confirming the system is clean):
    Email, banking, password manager, social accounts, and cloud accounts
    Enable multi-factor authentication on critical accounts
Update the operating system and all installed software
Reinstall trusted applications if needed (especially browsers and security tools)
If malware persists after scans:
    Perform a system restore to a point before infection (if available and safe)
    Use OS repair tools (where applicable)
    Consider a full OS reinstall and restore only verified clean backups
For ransomware:
    Do not pay the ransom
    Preserve evidence (keep files, notes, and samples)
    Try to restore from backups or use reputable decryptor tools
After cleanup:
    Monitor for unusual behavior (unexpected pop-ups, slowdowns, new accounts, repeated detections)
    Re-run full scans and confirm no threats remain
If you cannot remove it:
    Seek help from a reputable incident response/security professional
    Report the incident to your antivirus vendor or local authorities if required
