Remote Access Trojan Cleanup Checklist 2026: Isolate, Remove and Recover Safely
By Omellody Editorial Team
Direct answer: what to do first if you suspect a RAT
Fast answer: disconnect the affected device from the network, stop using it for passwords or banking, change critical passwords from a clean device, preserve useful evidence, remove unknown remote-access tools, run a full malware scan, and decide whether a clean reinstall is safer than manual cleanup. Do not rely on deleting one suspicious app if the attacker may have created new users, browser sessions, startup tasks or cloud-account access.
Who this is for: home users, families and small teams that saw suspicious cursor movement, fake support popups, unknown remote-control apps or unusual account alerts.
Best first move: carry out password changes and account recovery on a separate clean phone or computer before the suspect device is reconnected to the network.
Treat the incident as high risk if payroll, tax files, healthcare records, customer data, business email or administrator credentials may have been accessed.
RAT triage table: how urgent is it?
| Signal | Risk level | Recommended action |
|---|---|---|
| Unknown AnyDesk, TeamViewer, ScreenConnect, RustDesk or support client installed recently | High | Disconnect the device, document the app name and install time, then use a clean device for account recovery before removal. |
| Mouse moves by itself, windows open, webcam indicator appears, or files are copied | High | Treat as active compromise. Unplug network, preserve evidence and consider professional incident-response help. |
| New browser extensions, changed search engine, disabled antivirus or unknown startup items | Medium | Run full scans, review extensions and startup entries, revoke sessions and monitor accounts for several days. |
| You allowed a one-time remote support session from a verified vendor and no other alerts appeared | Lower | Confirm the session tool is closed or removed, review downloads and enable MFA if not already active. |
Step-by-step cleanup checklist
- Isolate without destroying evidence. Turn off Wi-Fi, unplug Ethernet and disconnect external drives. If this is a company device, contact IT before wiping anything.
- Use a clean device for recovery. Borrow a trusted phone or computer and avoid logging into important accounts from the suspect machine until cleanup is complete.
- Change the keys to your digital life first. Update email, password manager, banking, cloud storage, mobile carrier, work, ecommerce and social passwords. Use unique passwords and do not reuse the old master password.
- Revoke existing sessions. In account security settings, sign out all devices, remove unknown recovery emails or phone numbers, rotate backup codes and review recent login locations.
- Inventory remote-access software. Look for known remote-support apps, unknown device-management agents, recently installed utilities, browser remote desktop extensions and new local administrator accounts.
- Run layered scans. Use your primary antivirus for a full scan, then a reputable second-opinion malware remover if symptoms continue. Keep detections and timestamps for your notes.
- Check persistence points safely. Review startup apps, scheduled tasks, login items, browser extensions and newly created users. Remove only what you can identify; if unsure, reinstall rather than guessing.
- Patch before reconnecting. Update the operating system, browsers, password manager, antivirus and commonly abused apps before the device returns to normal use.
- Make the reinstall decision. If admin credentials, work data, financial data or repeated reinfection is involved, back up only personal documents and perform a clean OS reinstall.
- Monitor for 7-30 days. Watch bank alerts, email forwarding rules, cloud file activity, password reset emails and identity-monitoring alerts after cleanup.
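The triage table above and the "Inventory remote-access software" and "Check persistence points safely" steps both amount to a small decision procedure: compare what is on the machine against a suspected compromise window, grade each finding, and decide whether the reinstall rule applies. The script below is an added example, not code from the article or from any of the named products. It assumes you have already exported an inventory from the suspect machine into plain Python data (installed programs with install dates, local users with creation dates, startup entries, antivirus state); the tool-name keywords, the `Inventory`/`Finding` structures and the sample inventory at the bottom are all constructed for illustration.

```python
"""Triage helper for a suspected RAT: grade inventory findings and apply the
reinstall rule from the checklist.

Added example, not code from the original article. It assumes the suspect
machine's inventory has already been exported into the plain dicts shown in
Inventory; SAMPLE below is constructed, not real data.
"""
from dataclasses import dataclass
from datetime import date

# Tools the article names as legitimate remote-support software that can be
# abused, plus two generic phrases. Matching is case-insensitive substring
# matching on the installed program name (an assumption of this example).
REMOTE_ACCESS_KEYWORDS = (
    "anydesk", "teamviewer", "screenconnect", "rustdesk",
    "remote desktop", "remote support",
)

@dataclass
class Inventory:
    programs: list          # each: {"name": str, "installed": date}
    users: list             # each: {"name": str, "created": date, "admin": bool}
    startup: list           # each: {"name": str, "path": str, "known": bool}
    antivirus_enabled: bool = True

@dataclass
class Finding:
    severity: str   # "High", "Medium" or "Lower", as in the triage table
    kind: str       # "remote_tool", "new_admin", "new_user", "startup", "antivirus"
    item: str       # what was found
    action: str     # next step taken from the checklist

def is_remote_access_tool(name: str) -> bool:
    lowered = name.lower()
    return any(keyword in lowered for keyword in REMOTE_ACCESS_KEYWORDS)

def triage(inv: Inventory, suspected_since: date) -> list:
    """Return findings sorted High -> Medium -> Lower. Anything installed or
    created on or after suspected_since is treated as part of the incident."""
    findings = []
    for p in inv.programs:
        if not is_remote_access_tool(p["name"]):
            continue
        if p["installed"] >= suspected_since:
            findings.append(Finding("High", "remote_tool",
                f"program {p['name']} installed {p['installed']}",
                "Disconnect, record app name and install time, recover accounts "
                "from a clean device, then remove."))
        else:
            findings.append(Finding("Lower", "remote_tool",
                f"program {p['name']} installed {p['installed']} (before suspected window)",
                "Confirm you installed it and that it is closed; remove it if not needed."))
    for u in inv.users:
        if u["created"] >= suspected_since:
            if u["admin"]:
                findings.append(Finding("High", "new_admin",
                    f"local administrator {u['name']} created {u['created']}",
                    "Treat as active compromise; the attacker likely had admin rights."))
            else:
                findings.append(Finding("Medium", "new_user",
                    f"local user {u['name']} created {u['created']}",
                    "Identify who created it; remove if unexplained."))
    for s in inv.startup:
        if not s["known"]:
            findings.append(Finding("Medium", "startup",
                f"startup entry {s['name']} -> {s['path']}",
                "Identify the binary before removing; if unsure, prefer reinstall."))
    if not inv.antivirus_enabled:
        findings.append(Finding("Medium", "antivirus", "antivirus protection disabled",
            "Re-enable it, run a full scan, then a second-opinion scanner."))
    order = {"High": 0, "Medium": 1, "Lower": 2}
    findings.sort(key=lambda f: order[f.severity])  # stable sort keeps discovery order per level
    return findings

def reinstall_recommended(findings: list, business_data: bool = False,
                          repeated_reinfection: bool = False,
                          tool_origin_explained: bool = False) -> bool:
    """The article's reinstall rule: attacker had admin rights, business data was
    present, the device keeps reinfecting, or the remote tool's arrival is unexplained."""
    attacker_had_admin = any(f.kind == "new_admin" for f in findings)
    unexplained_tool = (not tool_origin_explained and
                        any(f.kind == "remote_tool" and f.severity == "High" for f in findings))
    return attacker_had_admin or business_data or repeated_reinfection or unexplained_tool

# Constructed sample (not real data): machine first suspected on 2026-05-01.
SUSPECTED_SINCE = date(2026, 5, 1)
SAMPLE = Inventory(
    programs=[
        {"name": "Mozilla Firefox", "installed": date(2026, 3, 1)},
        {"name": "AnyDesk", "installed": date(2026, 5, 10)},
        {"name": "TeamViewer", "installed": date(2025, 11, 2)},
    ],
    users=[
        {"name": "alice", "created": date(2024, 1, 15), "admin": True},
        {"name": "support", "created": date(2026, 5, 10), "admin": True},
    ],
    startup=[
        {"name": "OneDrive", "path": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "known": True},
        {"name": "updater", "path": r"C:\Users\alice\AppData\Roaming\updater.exe", "known": False},
    ],
    antivirus_enabled=False,
)

if __name__ == "__main__":
    results = triage(SAMPLE, SUSPECTED_SINCE)
    for f in results:
        print(f"[{f.severity}] {f.item}\n    -> {f.action}")
    print("Clean reinstall recommended:", reinstall_recommended(results))
```

Run as written, the sample yields two High findings (the AnyDesk install and the new `support` administrator), two Medium findings (the unknown startup entry and the disabled antivirus) and one Lower finding (the older TeamViewer install), and the reinstall rule returns true because an administrator account appeared inside the suspected window. The grading intentionally errs toward "High" for anything remote-access related inside the window: the cost of a needless reinstall is far lower than the cost of leaving a persistence path in place.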
Recovery sequence: what to change first
| Priority | What to change |
|---|---|
| 1. Email account | Email controls password resets. Change the password, enable MFA, remove forwarding rules and verify recovery contact details. |
| 2. Password manager | Rotate the master password from a clean device, review active sessions and replace any passwords used while the RAT may have been active. |
| 3. Banking and payment apps | Change passwords, enable transaction alerts and contact the institution if transfers, cards or statements look unusual. |
| 4. Cloud storage and work apps | Revoke device sessions, inspect shared links and check whether confidential files were opened or downloaded. |
| 5. Social and messaging apps | Remove unknown linked devices, check recent messages and warn contacts if scam links may have been sent. |
When a clean reinstall is safer
Manual cleanup is reasonable for a low-risk home device when you caught the issue early, no sensitive accounts were used and scans come back clean. A clean reinstall is safer when the attacker had administrator privileges, business data was present, the device keeps reinstalling suspicious software, or you cannot explain how the remote-access tool arrived. A reinstall removes many unknown persistence paths at once, but it should be done carefully: back up only documents and photos you recognize, avoid restoring unknown executables, and reinstall apps from official sources.
If the device belongs to an employer, school or client, do not wipe it without permission. Logs may be needed for incident response, insurance, legal notice or audit requirements. In that case, isolate the machine and ask the responsible administrator how to preserve evidence.
After cleanup: hardening checklist
- Enable MFA on email, password manager, banking, cloud storage and work accounts.
- Use a password manager so every important account has a unique password.
- Turn on automatic OS, browser and security updates.
- Remove remote-support apps you do not actively need; if you need one, require approval prompts and strong account security.
- Keep local backups or cloud backups that version files, so ransomware or destructive remote actions are easier to recover from.
- Teach family or staff to verify support calls through official websites instead of phone numbers in popups or unsolicited messages.
Source snapshot and editorial notes
Snapshot date: 2026-05-15. This page was rebuilt during Omellody Red Mode as an existing-page quality rescue, not a new page expansion. The checklist aligns with common defensive guidance from incident-response practice: isolate affected systems, preserve evidence when needed, recover accounts from a clean device, remove unauthorized remote access and harden authentication.
Scope limits: We avoid exploit instructions and do not provide attacker tooling. Product names such as AnyDesk, TeamViewer, ScreenConnect and RustDesk are included only as examples of legitimate remote-support tools that can be abused when installed without informed consent.
FAQ
Can antivirus remove a remote access trojan?
Good antivirus can remove many RAT components, but cleanup should also include password rotation from a clean device, MFA review, startup-item checks, account-activity review and a reinstall decision for high-risk devices.
Should I factory reset after a RAT infection?
For business devices, administrator accounts, finance accounts or repeated reinfection, a clean reinstall is safer than trying to patch around unknown persistence. Preserve needed files and logs first, then restore only trusted data.
What passwords should I change first after RAT cleanup?
Change email, password manager, banking, cloud storage, mobile carrier, social, ecommerce and work passwords first from a clean device. Revoke old sessions and rotate recovery codes where possible.