Computer infection cleanups have shifted dramatically over the last few years. The old picture — somebody catches a virus, antivirus pops up, we run a scan, done — is mostly history. What we actually see on the bench now is a mix of cryptocurrency miners chewing CPU silently, browser hijackers that look like legitimate extensions, ransomware on small business machines whose backup setup was never tested, and an alarming number of customers who let a scammer take remote control of their computer because the caller "sounded like Microsoft." Each one needs a different approach.
This article covers what we actually do for each variant on Windows and Mac, the honest cost picture (including when not to pay a ransom), the post-cleanup hardening that prevents re-infection, and the specific case of post-scammer remote-access cleanup which is now one of the most common jobs we see. If you've just been scammed and need to act now, call (02) 4311 6146 immediately — the first hour matters for credential exposure. For everything else, book online or read on.
The infection categories we actually see
Standard adware and PUPs (Potentially Unwanted Programs). The most common bench job. Symptoms: pop-up advertisements on the desktop or as Windows notifications, browser homepage changed, new toolbars in the browser, search engine redirected. Cause: usually a free software install where the user didn't untick the "also install this bundled offer" checkbox during the wizard. Removal is straightforward — Malwarebytes plus AdwCleaner clean these reliably, plus we manually purge the browser extensions and reset the homepage and search engine.
Cryptocurrency miners (cryptojackers). Increasingly common. Symptoms: computer runs hot and fans spin loudly even when you're not doing anything, slow performance, electricity bill noticeably higher than it should be, Task Manager shows unfamiliar processes using significant CPU. The malware mines Monero or other cryptocurrencies in the background, generating money for the attacker at your computer's expense. Removal needs offline scanning because these are often configured to terminate antivirus processes — we boot from a clean USB and scan from outside the infected Windows install.
Browser hijackers and malicious extensions. Common on Chrome and Edge. The extension looks legitimate (often disguised as a "PDF converter" or "shopping helper"), but it injects ads, redirects search results, or harvests browsing data. Removal: identify and uninstall the bad extension, reset browser settings, clear the synced extension list (so it doesn't reinstall from the cloud when you sign back in), and re-evaluate the rest of the installed extensions.
Ransomware. Less common but devastating when it happens. Symptoms: files have unfamiliar extensions appended (.lockbit, .crypt, .encrypted, .ryuk), a ransom note appears on the desktop demanding payment in Bitcoin or Monero, important files can't be opened. We assess: which variant, is there a free decryptor available (we check the No More Ransom project's database), is there any backup or cloud-sync history that survived, and what's recoverable in practice.
Post-scammer remote-access compromise. The customer received a phone call or pop-up claiming to be from Microsoft, the bank, Telstra, or "computer support." The caller convinced them to install AnyDesk, TeamViewer, LogMeIn, or similar, took remote control, and either installed malware or stole credentials and money directly. This is a different category to ordinary malware because the priority isn't just cleanup — it's credential exposure assessment.
macOS adware. Less catastrophic than Windows malware but increasingly real. Symptoms: pop-ups in Safari, Bing or Yahoo showing as your default search engine, profiles installed under System Settings that you didn't add, suspicious "system helper" apps in the Applications folder. Removal: uninstall the malicious profile, clean up LaunchAgents and LaunchDaemons, remove the obvious app, scan with Malwarebytes for Mac to catch anything hiding.
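The LaunchAgents and LaunchDaemons cleanup above is easier when you start with an inventory rather than opening each plist by hand. The script below is an added example, not the shop's own tooling: it parses every .plist in the standard launch-item folders, reports what each one starts, and flags items whose program lives somewhere a legitimate vendor would not normally put it (a hidden folder, or anywhere outside the system and Applications trees). The folder list and the "expected location" prefixes are assumptions; the two plists it builds for the demo are constructed. It only reads, so it is safe to run before deciding what to remove.

```python
"""Inventory macOS launch items and flag the ones worth a closer look.

Added example (not the repair shop's tooling). Read-only: parses the .plist files
in the LaunchAgents/LaunchDaemons folders and reports what each one launches.
The folder list and 'expected location' heuristics are assumptions.
"""
import os
import plistlib
import tempfile

# Folders macOS consults for launch items (user agents, system agents, daemons).
DEFAULT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Where a legitimate program normally lives. A program launched from elsewhere
# is not automatically malware, but hidden folders and the user's Library are
# where adware "helpers" tend to sit.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
                     "/Library/Apple/")


def program_of(plist):
    """Return the executable a launch item starts (ProgramArguments[0] or Program)."""
    args = plist.get("ProgramArguments")
    if args:
        return str(args[0])
    return str(plist.get("Program", ""))


def audit_launch_items(dirs):
    """Parse every .plist in dirs and return one dict per item.

    'suspicious' is True when the program path has a hidden path component, sits
    outside the expected prefixes, or the plist could not be parsed at all.
    """
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    data = plistlib.load(f)
                prog = program_of(data)
                hidden = any(part.startswith(".") for part in prog.split("/") if part)
                unusual = not prog.startswith(EXPECTED_PREFIXES)
                findings.append({
                    "plist": path, "label": data.get("Label", ""), "program": prog,
                    "run_at_load": bool(data.get("RunAtLoad", False)),
                    "suspicious": hidden or unusual,
                })
            except Exception as exc:  # malformed plist: still worth reporting
                findings.append({"plist": path, "label": "", "program": "",
                                 "run_at_load": False, "suspicious": True,
                                 "error": str(exc)})
    return findings


def demo():
    """Write two constructed plists (one benign, one adware-like) to a temp folder and audit them."""
    tmp = tempfile.mkdtemp()
    benign = {"Label": "com.apple.example",
              "ProgramArguments": ["/usr/libexec/example"], "RunAtLoad": True}
    adware = {"Label": "com.helper.update",
              "ProgramArguments": [os.path.expanduser("~/Library/.hidden/helper"), "--quiet"],
              "RunAtLoad": True}
    for fname, content in (("com.apple.example.plist", benign),
                           ("com.helper.update.plist", adware)):
        with open(os.path.join(tmp, fname), "wb") as f:
            plistlib.dump(content, f)
    return audit_launch_items([tmp])


if __name__ == "__main__":
    # On a Mac this lists the real launch items; elsewhere it falls back to the demo.
    for item in audit_launch_items(DEFAULT_DIRS) or demo():
        flag = "CHECK" if item["suspicious"] else "ok   "
        print(flag, item["label"], "->", item["program"])
```

Pair the output with the built-in profiles tool (profiles list) to see the configuration profiles the article mentions; a launch item and a profile installed on the same day as the symptoms started usually belong to the same adware bundle.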
How we actually do the cleanup
The standard Windows bench process: boot the computer normally, run an updated Malwarebytes full scan plus ESET Online Scanner (two engines with different detection signatures, so each catches what the other misses), examine running processes and scheduled tasks manually for anything suspicious that the scanners missed, clean up browser extensions and reset browser settings, check Windows startup programs for malware persistence, and run Microsoft Defender's full scan as the final pass.
For stubborn infections that survive in-Windows scanning, we boot from a clean USB (typically Kaspersky Rescue Disk or ESET SysRescue) and scan the Windows installation from outside. This catches rootkits and miners that disable in-Windows antivirus. It adds 2-3 hours but is essential for anything that's actively hiding from scanners.
For ransomware specifically, the first step is not running a scanner. The first step is taking a forensic image of the infected drive before any cleanup — because if a free decryptor for that variant is ever published in the future, you'll need the original encrypted files. We then identify the variant (the file extensions plus the ransom note text usually narrow it to one of around 50 common families), check whether a decryptor exists at the No More Ransom project, and if not, assess whether any backup or shadow-copy history survived the attack.
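Identifying the variant starts with two things the paragraph names: the extension appended to the files and the ransom note. The script below is an added example, not the shop's own tooling, and it runs read-only against a mounted copy of the imaged drive. It walks the tree, counts files that look like name.docx.lockbit (an ordinary extension with another one appended), and finds the ransom note by looking for a small text file repeated across many folders. The extension-to-family table is limited to the extensions the article lists; anything else is reported as unknown rather than guessed, and the tree it builds for the demo is constructed.

```python
"""Ransomware triage inventory, run read-only against a mounted copy of the drive.

Added example, not the repair shop's own tooling. Tallies appended extensions
(report.docx.lockbit style) and locates the ransom note (a small text file
dropped into many folders). Family hints cover only the extensions the article
names; the note text and the No More Ransom checker confirm the variant.
"""
import os
import tempfile
from collections import Counter, defaultdict

# Hint only: .crypt and .encrypted are used by several unrelated families.
KNOWN_APPENDED = {
    ".lockbit": "LockBit",
    ".ryuk": "Ryuk",
    ".crypt": "unknown (generic extension used by several families)",
    ".encrypted": "unknown (generic extension used by several families)",
}

# Ordinary document extensions; name.<ordinary>.<other> looks like an appended one.
ORDINARY = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt",
            ".csv", ".doc", ".xls", ".zip", ".mp4", ".mov"}


def appended_extension(filename):
    """Return the trailing extension when it follows an ordinary one, else None."""
    base, last = os.path.splitext(filename)
    _, inner = os.path.splitext(base)
    if last and inner.lower() in ORDINARY:
        return last.lower()
    return None


def triage(root, note_max_bytes=20_000):
    """Inventory a tree. Returns (extension_counter, note_candidates, family_hints)."""
    ext_counter = Counter()
    note_dirs = defaultdict(set)  # filename -> folders it appears in
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            ext = appended_extension(fn)
            if ext:
                ext_counter[ext] += 1
                continue
            # A ransom note is a small text/html file repeated across folders.
            if fn.lower().endswith((".txt", ".html", ".hta")):
                try:
                    if os.path.getsize(os.path.join(dirpath, fn)) <= note_max_bytes:
                        note_dirs[fn].add(dirpath)
                except OSError:
                    pass
    notes = {name: sorted(dirs) for name, dirs in note_dirs.items() if len(dirs) > 1}
    hints = {ext: KNOWN_APPENDED.get(ext, "unknown") for ext in ext_counter}
    return ext_counter, notes, hints


def demo():
    """Construct a tiny encrypted-looking tree in a temp folder and triage it."""
    root = tempfile.mkdtemp()
    for folder in ("Documents", "Pictures", "Desktop"):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "RESTORE-FILES.txt"), "w") as f:
            f.write("constructed note text: your files are encrypted\n")
        for name in ("budget.xlsx.lockbit", "holiday.jpg.lockbit"):
            open(os.path.join(d, name), "wb").close()
    # An ordinary text file in a single folder must not be mistaken for a note.
    with open(os.path.join(root, "Documents", "readme.txt"), "w") as f:
        f.write("only in one folder\n")
    return triage(root)


if __name__ == "__main__":
    exts, notes, hints = demo()
    for ext, n in exts.most_common():
        print(f"{n:5d} files with {ext:<12} family hint: {hints[ext]}")
    for name, dirs in notes.items():
        print(f"possible ransom note {name!r} in {len(dirs)} folders")
```

The counts also give you the scope conversation with the customer (how many documents versus photos were hit), and the note's filename and first lines are what you paste into the No More Ransom project's identification tool to confirm the family before looking for a decryptor.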
For post-scammer cleanup, the technical work is the smaller half of the job. We remove whatever remote-access tools they installed (AnyDesk usually leaves traces in multiple locations), check for keyloggers or screen capture software, and audit Task Scheduler and Registry Run keys for persistence. The larger half is walking through credential exposure: which sites was the customer logged into during the remote session, what saved passwords are in their browser, did they read any emails or open any documents while the scammer was watching, and what accounts need their passwords changed (from a different clean device) and 2FA enabled urgently.
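The Registry Run key audit mentioned above is a good candidate for a script, because a scammer's leftovers tend to look the same from one job to the next: a remote-access tool still set to start with Windows, something launching from the user's AppData or Temp folder, or a PowerShell one-liner hidden behind a harmless name. The script below is an added example, not the shop's own checklist tooling. On Windows it reads the live Run and RunOnce values through the standard winreg module; on any other system it falls back to a constructed sample so the logic can be exercised anywhere. The tool names are the ones the article mentions; the folder and launcher heuristics are assumptions, and every hit is a "look at this", not a verdict.

```python
"""Audit Windows autorun entries for remote-access remnants and odd launchers.

Added example, not the repair shop's own tooling. classify_entry() holds the
heuristics; read_run_keys() pulls live Run/RunOnce values with winreg on Windows
and returns nothing elsewhere. Tool names come from the article; the path and
launcher heuristics are assumptions.
"""
import ntpath
import sys

# Remote-access tools a scammer talks the victim into installing (per the article).
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "logmein")

# Legitimate on their own, but the usual wrapper for a persistence one-liner.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "cmd")

# Folders anyone can write to without admin rights (assumption: worth a look).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\")

RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def executable_of(command):
    """First token of a command line (quotes removed), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command.strip('"').lower()
    return command.split(" ", 1)[0].lower()


def classify_entry(name, command):
    """Return the reasons an autorun entry deserves a look (empty list = nothing notable)."""
    reasons = []
    exe = executable_of(command)
    lowered = command.lower()
    if any(tool in lowered for tool in REMOTE_ACCESS_TOOLS):
        reasons.append("remote-access tool still set to start with Windows")
    if any(hint in exe for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable folder")
    host = ntpath.basename(exe).rsplit(".", 1)[0]
    if host in SCRIPT_HOSTS:
        reasons.append(f"script host launcher ({host})")
        if any(flag in lowered for flag in ("-enc", "encodedcommand", "-w hidden", "windowstyle hidden")):
            reasons.append("hidden or encoded invocation flags")
    return reasons


def read_run_keys():
    """Read live Run/RunOnce values on Windows; return [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    import winreg  # standard library, Windows only
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(roots[hive], subkey) as key:
                i = 0
                while True:
                    try:
                        value_name, value, _type = winreg.EnumValue(key, i)
                    except OSError:  # no more values
                        break
                    entries.append((f"{hive}\\{subkey}", value_name, str(value)))
                    i += 1
        except OSError:  # key absent or not readable
            continue
    return entries


def audit(entries):
    """entries: iterable of (source, name, command). Returns only the flagged ones."""
    flagged = []
    for source, name, command in entries:
        reasons = classify_entry(name, command)
        if reasons:
            flagged.append({"source": source, "name": name, "command": command, "reasons": reasons})
    return flagged


SAMPLE_ENTRIES = [  # constructed sample, not from a real machine
    ("HKCU\\...\\Run", "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\...\\Run", "AnyDesk", '"C:\\Users\\owner\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe" --tray'),
    ("HKCU\\...\\Run", "Updater", "powershell.exe -w hidden -enc AAAA(placeholder)"),
    ("HKLM\\...\\Run", "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in audit(read_run_keys() or SAMPLE_ENTRIES):
        print(f"[{hit['source']}] {hit['name']}: {hit['command']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The same classify_entry() works on the Task Scheduler side: export the tasks with schtasks /query /fo CSV /v and feed each task's "Task To Run" column through it, which covers the other persistence location the paragraph names. Remove what you find only after you have noted it, because the list of what was installed and when feeds directly into the credential-exposure conversation that follows.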
Ransomware: when not to pay
Australian government advice is consistent and explicit. The Australian Cyber Security Centre and the Australian Federal Police both recommend not paying ransomware demands. Three reasons matter:
Paying funds further attacks. Ransomware is a business — payments fund the development of the next variant that hits the next victim. Ransomware revenue in 2024-2025 globally was estimated in the hundreds of millions of dollars; that money is directly recycled into operational improvements that make the next attack harder to defend against.
Paying doesn't reliably work. FBI and private-sector research consistently finds that roughly 25-35% of ransomware victims who pay don't actually receive a working decryptor. Either the criminals never had a working decryptor to begin with (some ransomware encryption is buggy and can't be reversed even with the key), or they take the money and stop responding, or the decryptor they send corrupts files during decryption.
Paying marks you as a payer. Information about who pays circulates among ransomware groups, often informally through criminal forums. Victims who pay once are statistically more likely to be re-attacked within 12 months.
The realistic alternative path: assess what backup or cloud-sync survived (OneDrive, iCloud Drive, Dropbox and Google Drive often retain version history even on encrypted files — sometimes the cloud version is the original unencrypted file from before the attack), check if a free decryptor exists for your specific variant, accept whatever data loss is unrecoverable, wipe the system clean, and rebuild with proper backup and 2FA from the start. That conversation is uncomfortable but it's the honest one. We've walked through this with multiple small business customers in NSW over the past five years.
Got ransomware or just been scammed? Don't wait. Call (02) 4311 6146 immediately — for ransomware we image the drive before doing anything else (essential if a future decryptor is published), and for scammer cleanups the first hour of credential changes matters most. Book online for non-urgent cleanup.
Post-cleanup hardening that actually matters
Removing the infection is half the work; not getting re-infected is the other half. The hardening conversation we walk through after every cleanup covers behaviour and configuration in roughly equal measure.
On the configuration side: Windows Defender (or macOS XProtect plus Gatekeeper) is now genuinely good and doesn't need supplementing with paid antivirus for most users. Install Malwarebytes Free for occasional manual scans if you do anything risky. Install uBlock Origin in your browser — most malware infections start with a malicious ad, and a good adblocker prevents the majority of drive-by infections. Keep the OS updated and the browser updated. On Windows, the monthly cumulative update patches the security holes that ransomware groups are actively exploiting; on macOS, Safari and OS updates ship critical fixes regularly.
On the behavioural side: use a password manager (Bitwarden free is excellent) so every site has a unique strong password. Enable two-factor authentication on email and banking — email especially, because email access holds the keys to the kingdom for password recovery. Don't install software from sources you don't trust, and pay attention to the install wizard checkboxes (most bundled adware is technically consented to during install because the user clicked Next without reading). And the critical one for Australian customers: no legitimate company will call you and ask to remote-access your computer. Microsoft doesn't. Telstra doesn't. The ATO doesn't. The bank doesn't. If anyone calls and asks, hang up and call the company back on a number you find independently (not the number the caller gives you).
The pricing reality
Honest guide figures by category:
Standard virus and malware removal (adware, PUPs, browser hijackers, miners) — $150-280 fitted, depending on stubbornness. Most jobs land in the $180-230 range. No-fix-no-charge applies — if we can't get the computer cleanly back to normal operation, you don't pay.
Stubborn infection requiring offline scanning — adds $80-150 to the standard rate because the offline-boot scan adds 2-3 hours of bench time.
Browser hijacker only (system isn't infected, just the browser is misbehaving) — $120-180.
macOS adware removal — $180-280. Generally less complex than Windows because there are fewer persistence mechanisms to hunt down.
Ransomware assessment — $250-450. This is just the assessment: identifying the variant, checking for available decryptors, evaluating backup options, taking a forensic image of the encrypted drive in case of future decryption availability. If a free decryptor exists, decryption work continues from here at an hourly rate (typically $120/hr). If wipe-and-restore is the path, we quote that separately based on data volume and source.
Post-scammer remote-access cleanup and audit — $200-380. Higher than standard malware cleanup because the credential exposure audit and the password-reset walkthrough add bench time on top of the malware removal. We treat this as a full security review, not just a scan.
No-fix-no-charge applies to standard infections where the work is straightforward. For ransomware and post-scammer work we charge for the assessment regardless of outcome because the work is substantive even when the answer is "your data is unrecoverable, here's how to rebuild safely."
Outside the Central Coast? Send the computer or remote-work it
Standard virus removal is regularly done via postal repair from Sydney, Newcastle and interstate. Workflow: call or message on (02) 4311 6146 with the symptoms and computer model, we confirm we can handle it, you post the laptop tracked and insured for replacement value (around $25-35 from most metro areas), we work on it within 24-48 hours of arrival, and ship back tracked the same day. Round-trip is usually 4-7 business days.
For post-scammer cleanups specifically, time matters — the credential exposure window is shrinking with every hour. In those cases we can sometimes start the credential-change walkthrough by phone immediately (we tell you which passwords to change on a different clean device first, which accounts to lock down, how to check email for unauthorised access) before the computer even arrives. The computer-side cleanup happens when it gets to us, but the high-stakes account protection starts within the hour.
Slow PC, pop-ups, ransomware, or post-scammer cleanup?
Every variant — adware, miners, browser hijackers, ransomware, remote-access compromise. Windows and Mac. Multi-engine scanning plus offline boot-disk removal for stubborn infections. No-fix-no-charge on standard work, postal Australia-wide.
Common questions
How do I know if my computer actually has a virus?
Reliable indicators: pop-ups appearing outside the browser (on the desktop or as system notifications), the browser homepage changing without your input, search results being redirected to unfamiliar sites, the computer running noticeably hotter or louder than usual without obvious cause (often a cryptocurrency miner), files being inaccessible with strange extensions appended (.lockbit, .crypt, .encrypt — ransomware), accounts being locked because someone is trying to log in from elsewhere, or antivirus software being disabled or uninstallable. Less reliable indicators on their own: a generally slow computer (often just needs maintenance or an SSD upgrade), browser ads (most are legitimate but invasive — adblockers help), or a single suspicious email (phishing attempts are common but don't mean you're infected unless you clicked through). When in doubt, bring it in — we diagnose without charge.
How much does virus and malware removal cost?
Standard malware removal on Windows or Mac is typically $150-280 depending on how stubborn the infection is and whether the system needs an offline-boot clean. Browser hijacker cleanup alone (no system infection, just the browser is misbehaving) is usually $120-180. Ransomware recovery varies dramatically: if you have a current backup we can wipe and restore for around $250-400. If there's no backup and the data matters, we assess decryption feasibility — some ransomware variants are decryptable for free using published keys, others are not. Honest scenarios run $400-900 for assessment, recovery and hardening. Post-scammer remote-access cleanup (after a fake "tech support" call where you let someone control your screen) is $200-380 because the audit covers credential exposure, not just malware removal.
I let a scammer remote-access my computer — what do I do now?
First: disconnect the computer from the internet immediately (unplug the network cable or turn off WiFi). Don't use it for anything else, especially not banking or email. Then call us. The cleanup is not just removing whatever software they installed — it's auditing what they could have accessed: saved browser passwords, banking sessions, email account credentials, any files they viewed or copied. We'll guide you through changing passwords on a different (clean) device first, setting up two-factor authentication on the accounts that matter most (email, banking, MyGov), and reviewing recent activity for unauthorised changes. The computer itself needs to be cleaned of any remote-access tools they installed (AnyDesk, TeamViewer, LogMeIn, or worse) and checked for keyloggers. We've handled hundreds of these — the playbook is consistent.
My computer has ransomware — should I pay the ransom?
Generally no, and Australian government advice (ACSC and the Australian Federal Police) explicitly recommends against paying. Three reasons: paying funds further criminal activity, paying doesn't guarantee you get the decryption key (the FBI estimates around 30% of payers don't actually receive a working decryptor), and paying marks you as a payer for future attacks. The better path: check if you have any backup at all (cloud sync like OneDrive, Dropbox, iCloud often has historical versions even if you didn't run dedicated backup software), check whether your specific ransomware variant has had its decryption key published (the No More Ransom project at nomoreransom.org maintains free decryptors for many variants), and if neither works, wipe and start fresh from whatever data you can recover. We do this assessment work — sometimes recovery is possible, sometimes the realistic answer is "restore from what backup exists, accept the loss on the rest, and harden the next setup against repeat attack."
Will I lose my files during virus removal?
For standard malware infections (adware, browser hijackers, miners, most trojans), no — we clean in place and your files stay where they are. For more aggressive infections that have compromised system files or for cases where we determine the safest path is wipe-and-restore, we always copy your personal data off first (Documents, Pictures, Desktop, browser bookmarks, email archive, anything else you specify), clean or rebuild the system, then put your data back. For ransomware specifically, files encrypted by the ransomware are the issue — those need either a decryption key or a backup; we don't pretend we can magically decrypt files that need a key we don't have. Before any work that involves wiping, we explicitly confirm what's being preserved with you, in writing.
How long does virus removal take?
Standard infections: usually same-day if you drop off before 11 AM. The scan-and-clean process takes 2-4 hours of bench time but runs largely unattended, so we batch multiple jobs together. Stubborn infections requiring offline-boot scanning add another 2-3 hours. Ransomware assessment is variable — straightforward cases (we have a working decryptor or your backup is good) take a day. Cases needing more research (looking up specific ransomware variants, attempting partial recovery) can take 2-3 days. Post-scammer cleanups are typically same-day for the cleanup itself, but the credential-change-and-audit work continues over several days as you methodically work through every account that could have been exposed.
What antivirus should I use after the cleanup?
On Windows 10 and Windows 11, Microsoft Defender (built-in) is genuinely excellent now and we don't routinely recommend installing paid third-party antivirus on top of it. Add Malwarebytes Free for occasional manual scans if you do anything risky, and an adblocker (uBlock Origin) in your browser to reduce drive-by infection exposure. On macOS, the built-in XProtect plus Gatekeeper covers most threats and we recommend the same Malwarebytes Free for occasional scans. The bigger security improvements come from behaviour, not software: keep the OS and browser up to date, don't install software from unknown sources, don't grant remote-access to anyone who cold-called you, use a password manager so you have unique passwords per site, and turn on two-factor authentication on email and banking. We walk through this hardening with every customer after a cleanup.
Related: data recovery if files are inaccessible after a ransomware attack; external hard drive recovery if your backup drive is the issue; forensic data recovery if this is a business case with legal implications; Central Coast repairs overview for everything else.