
What to Do the Moment You Think You Have a Virus
Suspecting a virus is one of those moments where the wrong move makes everything worse. This guide walks you through exactly what to do, in order, from the second that sinking feeling hits, so you stop the damage before it spreads.
TL;DR: Stop what you're doing, disconnect from the internet, and do not turn the machine off yet. Run a scan from a known-clean tool, then decide whether you're dealing with it yourself or calling a pro. The first five minutes matter more than most people realize.
What You Need
- A USB flash drive (at least 8 GB, ideally one you haven't used in a while)
- A second, clean device to download tools if needed (phone works fine)
- Access to your router or modem to kill the internet connection
- About 30 to 90 minutes depending on how bad things look
- A recent backup, if you were smart enough to make one (more on that shortly)
You do not need to go buy anything. You do not need to call that number on the scary popup. (That number is a scam. I promise. We'll get to it.)
Step 1: Disconnect From the Internet Immediately
Pull the ethernet cable. Turn off Wi-Fi. If you're not sure how to do either fast enough, walk to your router and unplug it.
This is the single most important step and most people skip it because they're busy Googling "do I have a virus." Stop that.
A lot of modern malware is not just sitting there. It is actively phoning home, downloading more garbage, or waiting for instructions from a command server. Every second you stay online is a second it has to do more damage, steal more credentials, or pull in a second-stage payload.
Kill the connection first. Ask questions later.
Step 2: Do Not Restart or Shut Down Yet
I know. It feels like the right move. "Turn it off and on again." Not this time.
Some malware is designed to activate or complete its installation on reboot. Other strains delete evidence on shutdown. You may also be running in a state where a security scan can catch things in memory that would vanish after a restart.
Stay powered on. Stay offline. Move to the next step.
Step 3: Write Down What You Saw
This sounds boring. Do it anyway.
What was the first sign something was wrong? A popup? A browser redirect? A program you didn't install? Antivirus alert? System running slow out of nowhere? A ransom message? (That last one is a different situation entirely, and I'll address it below.)
Write it down or take a photo with your phone. When a tech looks at this later, that context saves real diagnostic time. "It started after I downloaded a PDF from an email" is a lot more useful than a shrug.
Step 4: Run a Scan With a Trusted Tool, Not Whatever Popped Up
If you already have a reputable antivirus installed and it's up to date, run a full scan now. Not a quick scan. A full scan.
If you don't have one, or you don't trust what you have, use Malwarebytes. The free version is legitimate and has been reliable for years. Download it on your clean phone, transfer it via USB, install it on the suspect machine, and run it.
Do NOT download a scanner from a popup or a random search result. Half those "free virus removal" tools you find that way are themselves malware. This is called scareware, and it is everywhere. The popup that says "YOUR COMPUTER HAS 47 VIRUSES, CLICK HERE TO FIX," that is not Microsoft, that is not your antivirus, that is the scam.
Microsoft's built-in Windows Defender is also a reasonable first pass. Open Windows Security from the Start menu and run a full scan. It's not the best tool out there, but it's legitimate and it's already on your machine.
Let the scan finish completely before you do anything else.
Step 5: Read the Results, Then Decide Your Next Move
Scan came back clean? Good. That means one of three things: you caught it early, the tool didn't find it, or you had a false alarm. Watch the machine closely for the next 24 to 48 hours. Weird behavior, slow performance, programs opening by themselves: those are signs to keep digging.
Scan found something and removed it? Do a second scan with a different tool to confirm it's actually gone. One scanner catching one thing doesn't mean that's all there is.
Scan found something it couldn't remove, or keeps finding the same thing over and over? That usually means a rootkit or a deeply embedded infection. Time to stop DIY-ing it. A good computer repair shop can boot from external media and clean things the operating system can't clean on itself.
Scan found a ransom note or your files are encrypted? Stop. Seriously, stop. Do not pay anything. Do not restart. Call a professional. Some ransomware strains have free decryptors available through No More Ransom, which is a legitimate resource from law enforcement and cybersecurity firms. But you need to identify the strain before you do anything drastic.
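Steps 1 through 5 on a Windows machine that uses the built-in Defender, as an added PowerShell example that is not part of the original guide. It assumes an elevated PowerShell prompt and that the USB drive is mounted at the hypothetical path E:\triage.

```powershell
#Requires -RunAsAdministrator
# Added example. $OutDir is an assumed path on the USB drive from "What You Need".
param([string]$OutDir = 'E:\triage')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: take every active network adapter down (Ethernet and Wi-Fi).
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

# Steps 2-3: record what is running now (lost on reboot) and what starts at logon.
Get-Process |
    Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv "$OutDir\processes-$stamp.csv" -NoTypeInformation
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Export-Csv "$OutDir\startup-$stamp.csv" -NoTypeInformation

# Step 4: confirm Defender is active, note signature date, run a FULL scan.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    throw 'Defender antivirus is disabled; use another trusted scanner instead.'
}
"Signatures last updated: $($status.AntivirusSignatureLastUpdated)"
$scanStart = Get-Date
Start-MpScan -ScanType FullScan

# Step 5: keep only detections from this scan and save them with the notes.
$found = @(Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $scanStart })
$found |
    Select-Object ThreatID, InitialDetectionTime, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Export-Csv "$OutDir\detections-$stamp.csv" -NoTypeInformation

# Map the result onto the three outcomes the guide describes.
$failed = @($found | Where-Object { -not $_.ActionSuccess })
$active = @(Get-MpThreat | Where-Object IsActive)
if ($found.Count -eq 0) {
    'Clean scan: watch the machine for the next 24 to 48 hours.'
} elseif ($failed.Count -eq 0 -and $active.Count -eq 0) {
    'Found and removed: confirm with a second scan from a different tool.'
} else {
    "Not removed ($($failed.Count) failed, $($active.Count) active): stop DIY."
}
```

The adapters stay disabled after the script ends; re-enable them with `Enable-NetAdapter` only once the machine has been cleared.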
Step 6: Change Your Passwords From a Different Device
Once you're offline and the scan is running, it's a good time to do this from your phone or a separate clean computer.
Start with email. Email is the master key to every other account. If someone has your email password, they can reset everything else. Then banking, then anything with payment info stored.
Do not change passwords from the infected machine until it's been fully cleaned and you're confident the keylogger, if there was one, is gone. Typing your new password into a still-infected machine is just handing the attacker your updated credentials.
Step 7: Check Whether You Have a Backup
If things go sideways and a full wipe is needed, you want to know right now what you have to fall back on.
External drive backup? Cloud backup? Windows backup? Nothing at all? (If it's that last one, file that information away and fix it once this is over. We can help with backups and disaster recovery for businesses, and the same principles apply for personal machines.)
Knowing your backup situation changes your options. If you have a clean backup from before the infection, a full reinstall and restore might be faster and cleaner than trying to surgically remove every trace of malware.
Step 8: Decide Whether This Is a DIY Job or a Pro Job
Be honest with yourself here.
DIY is reasonable if: the scan found and removed something minor, the machine is behaving normally afterward, and you're comfortable monitoring it yourself for a few days.
Call a pro if: the scan keeps finding the same thing, the machine is still acting strange after a clean scan, files are missing or encrypted, you saw a ransom message, or you're a business and any of this happened on a work machine.
For business owners specifically, one infected machine on a network is not just one problem. It's a potential entry point to everything else. That's not me being dramatic, that's how network-based infections work. If you run a business in South Florida and this happened on a work computer, get your business IT or cybersecurity situation looked at now, not after the weekend.
If you can't bring the machine in, we offer remote support for situations where a tech can connect directly and help you work through this live. Sometimes that's faster than driving anywhere.
Common Mistakes
Calling the number in the popup. Never do this. That is a tech support scam. The real Microsoft does not call you or show you a phone number in a browser popup. Hang up if you already called. Do not give anyone remote access to your machine from a cold contact like that.
Turning it off and on hoping it fixes itself. Already covered this. Some infections want you to reboot. Don't give them the opportunity until you've at least run a scan.
Downloading five different "virus removers" from random sites. One trusted tool at a time. Stacking sketchy scanners on top of each other causes conflicts and sometimes makes the original problem undiagnosable.
Waiting to see if it gets better. It won't. Malware does not self-correct. The longer you wait, the more it does.
Assuming a slow computer means a virus. Slow performance has a lot of causes, most of them not malicious. Don't jump to conclusions, but also don't ignore it completely. If you're not sure what's going on with your machine's performance, we can take a look.
Skipping the password changes. People run the scan, declare victory, and forget that the malware may have already logged everything they typed. Change the passwords. From a clean device.
Bottom Line
The moment you suspect a virus, disconnect from the internet, stay powered on, and run a scan with a tool you actually trust. Don't reboot, don't ignore it, and absolutely do not call any number that appeared on your screen uninvited.
Most infections are catchable and cleanable if you act fast and don't make things worse in the panic. The ones that aren't cleanable DIY-style still have solutions, they just need a tech who knows what they're looking at.
If you're in West Palm Beach or anywhere on the Treasure Coast and you're not sure what you're dealing with, bring it in or use our remote support service and we'll tell you straight what's going on. No upselling, no drama. Just an answer and a fix. You can book a time here.
Worried your business is one click from a breach?
Get a straight-talk security review from a local team that has cleaned up the aftermath more times than we'd like.
Frequently asked questions
Should I turn my computer off if I think it has a virus?
Not right away. Some malware activates or covers its tracks on shutdown. Stay powered on, disconnect from the internet first, and run a full scan before you reboot. Once you've scanned and assessed the situation, then restart if needed.
Is it safe to use my computer while waiting for the virus scan to finish?
Keep use to an absolute minimum. Don't type passwords, don't open email, and don't access banking or sensitive accounts from the machine until it's been cleared. Treat it as potentially compromised until the scan says otherwise.
A popup told me to call a phone number to remove my virus. Should I?
No. That is a tech support scam. Microsoft, Apple, and legitimate antivirus companies do not display phone numbers in browser popups. Close the browser tab, do not call the number, and do not give remote access to anyone who contacts you this way.
My antivirus keeps finding the same virus but can't remove it. What does that mean?
It usually means the infection is sitting somewhere the operating system can't touch while it's running, often a rootkit or a file that reinstalls itself. You need a tech to boot from external media and clean the drive from outside the OS. Bring it in or contact us for remote support.
Can a virus spread from my computer to other devices on my home or office network?
Yes, certain types of malware actively scan for other devices on the same network and attempt to spread. That's exactly why disconnecting from the internet and your local network is the first step. For business networks especially, one infected machine needs to be isolated immediately.
How do I know if my Mac can get a virus?
Macs can and do get malware, adware, and other infections. The myth that Macs are immune is outdated and gets people into trouble. The same basic steps apply: disconnect, scan with a trusted tool, and if you're unsure, bring it to someone who knows Mac internals.