Clean & rebuild your Windows PC
Rescue your files safely, scan and inspect what the malware left behind, then reset or cleanly reinstall Windows so the infection is gone for certain.
A full scan plus a reset removes most commodity stealers; a clean install from USB is the belt-and-braces option when you want certainty.
Do the account steps first. Cleaning the PC does nothing about already-stolen passwords or crypto. If you haven’t yet, work through the recovery protocol before rebuilding — that’s the live emergency; this page is the cleanup.
Step 1
Rescue your files — data only, never programs
An infostealer’s job was to live among your files, so a careless copy can carry the infection onto your rebuilt PC. The rule that keeps you safe: copy documents and media; leave anything that can run.
Safe to bring back (inert data)
- Documents: .pdf .docx .xlsx .pptx .txt .csv
- Photos & video: .jpg .png .heic .mp4 .mov
- Audio: .mp3 .wav .flac
Leave behind (can run / re-infect)
- Programs & installers: .exe .msi .msix .appx
- Scripts & shortcuts: .bat .cmd .ps1 .vbs .js .hta .scr .lnk
- Disk images: .iso .img
- The hidden AppData folder and browser profile folders
- Saved-password / wallet exports, key files
Windows hides extensions — turn them on first
By default Explorer hides file extensions, which is exactly how invoice.pdf.exe masquerades as a PDF. In File Explorer on Windows 11, open the View menu → Show → tick File name extensions; on Windows 10 it is a checkbox on the View tab. Judge a file by its last extension, not the one in the middle of its name. Be especially wary of .lnk shortcuts and anything ending .exe .scr .cmd .bat .hta. Don't rescue credentials, wallet files, or recovery phrases: they're compromised. Reissue keys and migrate crypto to a new wallet on the clean PC.
Map the danger before you copy (read-only)
Run these in Windows PowerShell, offline. They only list — nothing is moved, deleted, or run. Right-click Start → Terminal or Windows PowerShell.
$folders = 'Documents','Desktop','Downloads','Pictures','Videos' |
           ForEach-Object { Join-Path $env:USERPROFILE $_ }
# List (never run) anything executable in the folders you are about to rescue from.
Get-ChildItem -Path $folders -Recurse -Force -ErrorAction SilentlyContinue `
  -Include *.exe,*.msi,*.bat,*.cmd,*.ps1,*.vbs,*.js,*.hta,*.scr,*.lnk |
  Select-Object FullName, LastWriteTime
# The Run dialog's (Win+R) history.
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
That second command reads the Run dialog's history. Windows keeps the last commands typed into Win+R there as lettered values (the MRUList value gives their order, most recent first, and each entry ends in a stray "\1"), so if the lure had you paste a command it is usually still there: useful confirmation, and a clean indicator for your report. Anything mentioning mshta, powershell, curl, certutil, or a web address is almost certainly the attack line. Copy it out or screenshot it before you rebuild, because the reset erases it.
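Putting the rules of this step into one script, as an added example for this page (it is not a Microsoft tool and not code from the original page): it walks your profile, skips anything that can run or that lives in AppData or a key store, keeps only allow-listed data extensions judged on the last extension, rejects files whose first bytes do not match what the extension claims (a .pdf that does not start with %PDF), refuses files carrying a hidden alternate data stream, and writes a log of every decision. The rescue path E:\Rescue is an assumption; change it to your drive. It runs in report-only mode until you set $DryRun to $false.

```powershell
# Selective rescue copy: data files only, never anything that can run.
# Added example for this page; not Microsoft's or any vendor's tool.
# Assumptions: rescue drive mounted as E:\Rescue (change $Dest), and the
# script runs as the infected user so $env:USERPROFILE is their profile.
$Source = $env:USERPROFILE
$Dest   = 'E:\Rescue'        # assumption: rescue drive letter and folder
$DryRun = $true              # $true only reports; $false performs the copy

# Inert data we bring back, matched on the LAST extension only, so
# 'invoice.pdf.exe' is judged as .exe and left behind. (.jpeg added to the page's list.)
$Allow = @('.pdf','.docx','.xlsx','.pptx','.txt','.csv',
           '.jpg','.jpeg','.png','.heic','.mp4','.mov',
           '.mp3','.wav','.flac')

# Folders never entered: code, browser profiles, key stores.
$SkipDirs = @('AppData','.ssh','.gnupg','.aws','node_modules')

# First bytes a genuine file of that type must start with.
$Magic = @{
  '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)   # %PDF
  '.docx' = [byte[]](0x50,0x4B)             # PK: Office files are zip archives
  '.xlsx' = [byte[]](0x50,0x4B)
  '.pptx' = [byte[]](0x50,0x4B)
  '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
  '.jpg'  = [byte[]](0xFF,0xD8)
  '.jpeg' = [byte[]](0xFF,0xD8)
}

function Test-Magic([string]$path, [byte[]]$want) {
  try {
    $fs = [IO.File]::OpenRead($path)
    try {
      $buf = New-Object byte[] $want.Length
      if ($fs.Read($buf, 0, $buf.Length) -lt $buf.Length) { return $false }
      for ($i = 0; $i -lt $want.Length; $i++) {
        if ($buf[$i] -ne $want[$i]) { return $false }
      }
      return $true
    } finally { $fs.Dispose() }
  } catch { return $false }   # unreadable or locked: treat as not safe
}

$log = [System.Collections.Generic.List[string]]::new()

Get-ChildItem -LiteralPath $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $f    = $_
    $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
    $dirs = $rel.Split('\') | Select-Object -SkipLast 1
    $ext  = $f.Extension.ToLower()

    if ($dirs | Where-Object { $SkipDirs -contains $_ }) { return }
    if ($f.Attributes -band [IO.FileAttributes]::Hidden) { $log.Add("SKIP hidden    $rel"); return }
    if ($Allow -notcontains $ext)                         { $log.Add("SKIP ext       $rel"); return }
    if ($Magic.ContainsKey($ext) -and -not (Test-Magic $f.FullName $Magic[$ext])) {
      $log.Add("SKIP header    $rel (content does not match $ext)"); return
    }
    # A payload can ride in an alternate data stream behind an innocent name.
    # Zone.Identifier (mark of the web) is normal; any other stream is suspect.
    $ads = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -notin ':$DATA','Zone.Identifier' }
    if ($ads) { $log.Add("SKIP stream    $rel [$($ads.Stream -join ',')]"); return }

    $target = Join-Path $Dest $rel
    if ($DryRun) { $log.Add("WOULD COPY     $rel"); return }
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $target
    $log.Add("COPIED         $rel")
  }

# Review the log before a real run: every SKIP line is a decision you can check.
$log | Out-File "$env:USERPROFILE\Desktop\rescue-log.txt"
$log | Select-String 'SKIP header|SKIP stream' | Select-Object -First 20
```

Read the "SKIP header" and "SKIP stream" lines first: a file named like a document that does not start like one, or that carries an extra data stream, is exactly the kind of thing worth a line in your report, and exactly what you should not carry across.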
Step 2
Scan, and optionally inspect
Before rebuilding, a full scan can identify and quarantine the payload, and read-only checks reveal where it set itself to restart. None of this replaces the rebuild — it confirms and contains.
Run a full and an offline scan
Open Windows Security → Virus & threat protection → Scan options. Run a Full scan, then a Microsoft Defender Offline scan — the offline scan reboots and runs before Windows fully loads, which catches malware that hides while the system is running. A second opinion from Malwarebytes or the Microsoft Safety Scanner is worthwhile too.
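The same scans can be driven from the console, which also lets you keep what Defender found as evidence. This is an added example for this page, not Microsoft documentation; it uses the Defender PowerShell module that ships with Windows and assumes an elevated PowerShell. The full scan blocks until it finishes (often an hour or more), and Start-MpWDOScan reboots the PC immediately.

```powershell
# Run the Defender scans from the console and keep the findings as evidence.
# Added example for this page (not Microsoft documentation). Uses the
# built-in Defender module; run from an elevated PowerShell.
Import-Module Defender

Update-MpSignature                  # fresh definitions before scanning
Start-MpScan -ScanType FullScan     # returns only when the scan has finished

# Threat catalogue (name, severity, whether the file ran) keyed by ThreatID.
$threats = @{}
Get-MpThreat | ForEach-Object { $threats[[string]$_.ThreatID] = $_ }

# Each detection: what was found, where, by which process, and whether it was cleaned.
$report = Get-MpThreatDetection | ForEach-Object {
  $t = $threats[[string]$_.ThreatID]
  [pscustomobject]@{
    When     = $_.InitialDetectionTime
    Threat   = $(if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" })
    Executed = $(if ($t) { $t.DidThreatExecute } else { $null })
    Resource = ($_.Resources -join '; ')   # resource strings such as file:_C:\Users\...
    Process  = $_.ProcessName
    Cleaned  = $_.ActionSuccess
  }
} | Sort-Object When -Descending

$report | Format-Table -AutoSize -Wrap
$report | Export-Csv "$env:USERPROFILE\Desktop\defender-findings.csv" -NoTypeInformation

# Executed = True or Cleaned = False means the payload ran or is still present:
# a stronger reason to pick the clean install over a reset.

# Offline scan: reboots immediately and scans before Windows loads. Save work first.
Start-MpWDOScan
```

Copy the CSV to your rescue drive before the reset; the detection history goes with everything else when Windows is rebuilt.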
Where it restarts itself (read-only checks)
# Run and RunOnce keys for this user and for the machine.
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
# Scheduled tasks, with the command each one actually runs.
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
  Select-Object TaskName, TaskPath,
    @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' }}
# Startup folders for this user and for all users (listed, not opened).
Get-ChildItem -Force "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup", `
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
# Script-block log (event 4104). PowerShell records blocks it judges suspicious
# even when script-block logging has not been turned on.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} `
  -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'mshta|IEX|DownloadString|FromBase64|-enc' } |
  Select-Object TimeCreated, Message -First 20
For a thorough one-screen view of every auto-start, the free Autoruns tool (Microsoft Sysinternals) is the responder standard: it lists Run keys, tasks, services and more, and with Options → Hide Microsoft Entries and Verify Code Signatures turned on, unsigned or oddly-pathed entries stand out at a glance. Persistence most often sits in the Run keys, a scheduled task, or the Startup folder. The technical page has the full responder walkthrough.
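The checks above list entries; what a responder actually does next is read each command and ask whether it looks like something a stealer would plant. The script below, an added example for this page and not a Sysinternals or Microsoft tool, gathers the Run/RunOnce keys, enabled scheduled tasks, both Startup folders (resolving .lnk shortcuts to their real target) and the Win+R history into one table, and flags an entry when its command invokes a known launcher or encoded payload, when its executable has no valid Authenticode signature, or when an unsigned target lives in a user-writable folder. The patterns are heuristics I chose for this example: a flag is a prompt to look, not a verdict. It is read-only apart from writing one CSV to the Desktop, and assumes an elevated PowerShell so HKLM and all tasks are visible.

```powershell
# Auto-start and Win+R triage: every common restart point with the command it
# runs, flagged where it deserves a second look. Added example for this page;
# not a Sysinternals or Microsoft tool. Read-only apart from one CSV on the Desktop.

# Launchers and encodings that stealer one-liners lean on (heuristic, chosen here).
$Lolbin  = 'mshta|powershell|pwsh|wscript|cscript|rundll32|regsvr32|curl|certutil|bitsadmin|\s-e(nc|c)?\s|IEX|FromBase64|DownloadString|https?:'
# Places legitimate software rarely auto-starts from without a signature.
$OddPath = 'AppData\\(Local\\Temp|Roaming)|\\Temp\\|\\Downloads\\|\\Users\\Public\\|\\ProgramData\\(?!Microsoft\\)'
$ExtRx   = '\.(?:exe|dll|scr|bat|cmd|ps1|vbs|js|hta)(?=["\s,]|$)'
$Quoted  = '"([A-Za-z]:\\[^"]+?' + $ExtRx + ')"'     # "C:\Program Files\x\y.exe"
$Bare    = '([A-Za-z]:\\[^"\s]+?' + $ExtRx + ')'    # C:\Users\x\y.exe

function Test-Suspicious([string]$cmd) {
  $why = @()
  if ($cmd -match $Lolbin) { $why += 'launcher/encoded command' }
  $signed = $false
  if ($cmd -match $Quoted -or $cmd -match $Bare) {    # first executable path in the line
    $exe = $Matches[1]
    if (Test-Path -LiteralPath $exe) {
      $sig = Get-AuthenticodeSignature -LiteralPath $exe
      if ($sig.Status -eq 'Valid') { $signed = $true }
      else { $why += "no valid signature ($($sig.Status))" }
    } else { $why += 'target file missing' }
  }
  if (-not $signed -and $cmd -match $OddPath) { $why += 'user-writable path' }
  return ($why -join '; ')
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($where, $name, $cmd) {
  $findings.Add([pscustomobject]@{ Where = $where; Name = $name; Command = $cmd; Why = (Test-Suspicious $cmd) })
}

# 1. Run / RunOnce for this user and the machine.
foreach ($hive in 'HKCU','HKLM') {
  foreach ($k in 'Run','RunOnce') {
    $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }           # PSPath, PSParentPath, ...
      Add-Finding $key $p.Name ([string]$p.Value)
    }
  }
}

# 2. Scheduled tasks: the action matters more than the name.
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object State -ne 'Disabled' | ForEach-Object {
  $t = $_
  foreach ($a in $t.Actions) {
    if (-not $a.Execute) { continue }                  # COM-handler actions have no Execute
    Add-Finding "Task $($t.TaskPath)" $t.TaskName ("$($a.Execute) $($a.Arguments)".Trim())
  }
}

# 3. Startup folders, resolving .lnk shortcuts to what they actually launch.
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$shell = New-Object -ComObject WScript.Shell
foreach ($f in Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue) {
  if ($f.Name -eq 'desktop.ini') { continue }
  $cmd = $f.FullName
  if ($f.Extension -eq '.lnk') {
    $lnk = $shell.CreateShortcut($f.FullName)
    $cmd = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
  }
  Add-Finding 'Startup folder' $f.Name $cmd
}

# 4. Win+R history, most recent first. MRUList holds the slot order and
#    Windows appends a trailing '\1' to every entry.
$mru = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
if ($mru -and $mru.MRUList) {
  foreach ($slot in $mru.MRUList.ToCharArray()) {
    $name = [string]$slot
    Add-Finding 'Win+R history' $name (([string]$mru.$name) -replace '\\1$', '')
  }
}

# Flagged rows first, then everything, saved as evidence for the report.
$findings | Sort-Object { $_.Why -eq '' } | Format-Table Where, Name, Why, Command -AutoSize -Wrap
$findings | Export-Csv "$env:USERPROFILE\Desktop\autostart-triage.csv" -NoTypeInformation
```

Expect some legitimate rows with a "user-writable path" note (self-updating apps that install under AppData and are not signed); the combination to act on is a launcher pattern plus an unsigned or missing target. Whatever you find, leave it in place: the table is evidence, and Step 3 removes it along with everything else.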
A second-opinion scanner & a network monitor
Microsoft Defender is a solid baseline, but a second on-demand scanner catches what any single engine misses, and a network monitor shows you what your PC connects to after you rebuild.
Step 3
Reset or reinstall Windows
The clean ending. Once your files are rescued, rebuild. Two routes, from quickest to most thorough.
Reset this PC — remove everything
Settings → System → Recovery → Reset this PC → Remove everything. When asked, choose Cloud download: it fetches a fresh copy of Windows (a few gigabytes, so you need a working internet connection) rather than reusing the possibly-tampered local image. If the PC has more than one drive, open the additional settings and choose to delete files from all drives, so nothing parked on a second drive survives. This reinstalls Windows and wipes your data, apps and settings.
Sufficient for most commodity stealers. Make sure your files are already rescued: this is irreversible.
Clean install from USB — the belt-and-braces option
On another clean PC, use Microsoft’s Media Creation Tool to make a Windows install USB. Boot the infected PC from it, and during setup delete all existing partitions on the system drive before installing.
Deleting partitions removes anything hiding outside the normal Windows folders, the recovery partition included: the most certain wipe. Worth it if the malware ran with administrator rights (you accepted a UAC prompt during the lure), or if you simply want certainty.
Don’t restore a system image made after the infection
Restoring a full system image or backup taken after you got hit can bring the malware right back. Rebuild fresh, then copy in individual data files from your rescue disk — never a whole-system restore.
Step 4
On the clean machine
That’s the machine closed out. Combined with the credential rotation and crypto migration, the incident is contained: stolen data is rendered useless by the new passwords, and the device is clean.