Clean Install USB After Malware

Daniel Zimmermann
Clean Windows install USB prepared after malware infection

If your PC is infected and you need to reinstall Windows, create the install USB from a clean device. Do not build recovery media on the same compromised Windows installation unless you have no other choice. A clean USB workflow reduces the risk of carrying malware, infected tools, or bad installers into the new system.

First checks before making a clean Windows USB

  • Use another trusted computer. A friend, family PC, work IT device, or newly cleaned machine is safer than the infected PC.
  • Download Windows only from Microsoft. Use the official Media Creation Tool or ISO page.
  • Use a fresh or fully wiped USB drive. Do not keep old tools, cracks, drivers, or installers on it.
  • Back up only personal files. Avoid old EXE, scripts, portable apps, and suspicious archives. Videos are usually safer than programs, but scan restored media and verify extensions with our MP4/M4V file safety guide.

  • Use this guide when: malware keeps returning, a file infector was detected, accounts were stolen, or Windows cannot be trusted.
  • Clean device means: a computer that did not run the suspicious file and is not showing account or malware symptoms.
  • Do not copy: cracks, keygens, old installers, scripts, unknown EXE/DLL files, browser profiles, password exports.
  • Best result: fresh Windows installation, official drivers/apps, passwords changed from a clean environment.

When a clean install USB makes sense

You do not need to reinstall Windows after every blocked download. A clean install becomes reasonable when detections keep returning, a file infector such as Win32/Expiro appears, unknown scheduled tasks recreate themselves, a stealer abused accounts, or the system is too damaged to trust.

If Reset this PC says “There was a problem resetting your PC”

If Windows shows “There was a problem resetting your PC. No changes were made” after malware or serious system corruption, do not keep retrying random reset options. Treat it as a recovery-path failure first: the local Windows image, Windows Recovery Environment, update state, or recovery files may be damaged. The safest choice depends on whether the machine is still trustworthy.

  • If Windows still boots and the malware risk is low: run Windows Update, then repair the system image with DISM /Online /Cleanup-Image /RestoreHealth and sfc /scannow. You can also check Windows RE with reagentc /info and re-enable it with reagentc /enable if it is disabled.
  • If the error appeared after an infostealer, file infector, recurring Defender alert, or unknown admin script: back up only personal files first, then prefer a clean USB reinstall from a trusted device instead of trusting the damaged local reset image.
  • If you need one more repair attempt: try Reset this PC from Windows Recovery Environment and compare Cloud download versus Local reinstall. If both fail, stop and move to official installation media.
  • If BitLocker is enabled: save the recovery key before repair, reset, or USB reinstall attempts. A clean install can make encrypted data unrecoverable without it.

For a non-malware Windows repair flow, use our automatic Windows repair checklist first. For a malware recovery flow, this page’s clean USB workflow is the safer endpoint: create media on a clean computer, reinstall Windows, update it, then scan restored personal files before signing back into sensitive accounts.

Step-by-step clean USB workflow

  1. Use a trusted computer that did not run the suspicious file.
  2. Download Windows from Microsoft’s official Windows download page [1].
  3. Use the Media Creation Tool or official ISO workflow.
  4. Use a blank USB drive or erase it completely during media creation.
  5. On the infected PC, back up personal files only.
  6. Boot from the USB installer.
  7. Delete Windows partitions during setup if you are doing a full clean reinstall.
  8. Install Windows, update it, then install drivers and apps from official sources only.
  9. Before logging into sensitive accounts, scan the restored personal files.

What not to back up from an infected PC

  • Do not keep: EXE, MSI, DLL, SCR, BAT, CMD, PS1, VBS, cracks, keygens, old setup files, unknown portable apps.
  • Be careful with: ZIP/RAR/7z archives, game mod folders, emulator packs, browser profiles, old backup images.
  • Usually safe after scanning: documents, photos, videos, spreadsheets, PDFs, exported bookmarks, project files you can inspect.

How to verify a backup before restoring it

  1. Copy personal files to a clean external drive or cloud location, but leave programs, installers, cracks, scripts, and portable apps behind.
  2. Scan the backup from the newly installed Windows system before opening anything from it.
  3. Restore documents, photos, videos, spreadsheets, PDFs, and project files first. Do not restore AppData, ProgramData, Startup folders, browser profile folders, or Task Scheduler exports from the infected PC.
  4. Open a small sample of restored documents first and watch for unexpected macros, scripts, shortcut files, or password-protected archives.
  5. Install apps again from official sources only. If an old backup contains an EXE you cannot verify, replace it instead of trusting it.
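
The sorting rules from "What not to back up" and the restore steps above can be applied to a whole backup folder before anything is opened. The PowerShell below is an added example, not part of the original guide; the function name Get-BackupVerdict, the E:\Backup paths, the .lnk/.docm/.xlsm entries and the double-extension check are assumptions made for illustration.

```powershell
# Added example: read-only triage of a backup by file type (nothing is deleted or opened).
# Extension lists follow this guide's "What not to back up" section; the .lnk, .docm and
# .xlsm entries and the double-extension check are assumptions based on the restore steps.
$DoNotKeep  = '.exe', '.msi', '.dll', '.scr', '.bat', '.cmd', '.ps1', '.vbs'
$BeCareful  = '.zip', '.rar', '.7z', '.lnk', '.docm', '.xlsm'
$DocLike    = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.mp4', '.m4v', '.txt'
$BadFolders = 'AppData', 'ProgramData', 'Startup'   # folders the guide says not to restore

function Get-BackupVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $parts = $Path -split '[\\/]'
    $name  = $parts[-1]
    $ext   = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()

    if ($DoNotKeep -contains $ext) {
        # e.g. "invoice.pdf.scr": a document-looking name that is really a program
        if ($DocLike -contains $inner) { return 'DoNotKeep (disguised executable)' }
        return 'DoNotKeep'
    }
    if ($parts | Where-Object { $BadFolders -contains $_ }) {
        return 'DoNotRestore (system or profile folder)'
    }
    if ($BeCareful -contains $ext) { return 'BeCareful' }
    return 'ScanThenRestore'
}

# Constructed sample paths (not taken from a real system)
$sample = @(
    'E:\Backup\Documents\budget.xlsx',
    'E:\Backup\Documents\DERS NOTLARI.exe',
    'E:\Backup\Documents\invoice.pdf.scr',
    'E:\Backup\Downloads\mods.7z',
    'E:\Backup\Desktop\Photos.lnk',
    'E:\Backup\AppData\Roaming\app\settings.json',
    'E:\Backup\Videos\trip.mp4'
)
$sample | ForEach-Object {
    [pscustomobject]@{ Path = $_; Verdict = Get-BackupVerdict -Path $_ }
} | Format-Table -AutoSize

# Real use, with E:\Backup as a placeholder for the backup location:
# Get-ChildItem -LiteralPath 'E:\Backup' -Recurse -File -Force |
#     Select-Object FullName, @{ n = 'Verdict'; e = { Get-BackupVerdict -Path $_.FullName } }
```

A ScanThenRestore or BeCareful verdict only decides what is worth carrying over; those files still need a scan from the clean Windows installation before they are opened.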

CISA’s ransomware recovery guidance emphasizes tested backups and restoring from trusted copies, which fits home cleanup too: a backup is useful only if it can be restored without bringing the infection back [4].

What about external drives?

If an external HDD or USB drive was connected during the infection, scan it from the clean Windows installation before opening files. Do not run old software from the drive. If the malware was a file infector, replace programs from official installers instead of trusting old EXE files.

After first boot: scan before restoring files

Once Windows is updated, install only official drivers and security tools, then scan the backup and any external drives before opening restored files. Gridinsoft Anti-Malware can help check restored folders, removable drives, and leftover startup entries before you sign back into important accounts.

If suspicious services, scheduled tasks, or miner-like CPU usage return after reinstall, follow the Windows service miner cleanup checklist before restoring more apps.

When to change passwords

If the infection involved a stealer, fake update command, crack, game mod, or account compromise, change passwords from a clean device before using the reinstalled PC for sensitive work. Start with email and password manager accounts, then Microsoft/Google, Discord, Steam, banking, and crypto accounts.

If the infected media contains course-note-looking executables such as DERS NOTLARI.exe, clean the PC and USB drive first; our DERS NOTLARI.exe Worm.Autorun guide explains what to keep and what not to back up.

For a removable-drive alert such as Trojan:Win32/Sfone!pz on an external drive, recover only known personal files, scan the backup, and format the drive only when cleanup does not hold.

FAQ

Can I create the USB on the infected PC?

Use a clean device if possible. If there is no alternative, download only from Microsoft, use a fresh USB, and do not copy extra tools or files onto it.

Should I format all drives?

Format the Windows system drive for a clean reinstall. For data drives, scan first and avoid keeping executable files from the infected system.

Can malware infect the Windows installer USB?

A properly created official installer on a clean USB is unlikely to be infected. The bigger risk is adding old tools, drivers, cracks, or scripts to the same USB.

Do I need Rufus or Media Creation Tool?

Microsoft’s Media Creation Tool is the simplest official path. Rufus can be useful with an official ISO, but the source of the ISO matters most.

References

  1. Microsoft Support. “Create installation media for Windows.” Microsoft, accessed June 2, 2026. https://support.microsoft.com/en-us/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d
  2. Microsoft Support. “Reset your PC.” Microsoft, accessed June 2, 2026. https://support.microsoft.com/en-us/windows/reset-your-pc-0ef73740-b927-549b-b7c9-e6f2b48d275e
  3. Microsoft Learn. “REAgentC command-line options.” Microsoft, accessed June 2, 2026. https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11
  4. Cybersecurity and Infrastructure Security Agency. “#StopRansomware Guide.” CISA, accessed June 2, 2026. https://www.cisa.gov/stopransomware/ransomware-guide
  5. Microsoft Support. “Help protect my PC with Microsoft Defender Offline.” Microsoft, accessed June 2, 2026. https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c

If you are reinstalling because Microsoft Safety Scanner showed infected files but finished clean, first compare the final result with the MSERT log and scan-result explanation. A clean log may point to a preliminary counter, while repeated warnings or account compromise still justify stronger recovery steps.

For Steam users, a clean reinstall is safest when you reinstall games from your Library and handle cloud saves separately; see the Steam Cloud malware-risk guide before restoring game progress from an infected old PC.
