Indicators of Malware Infection
Common signs a system is infected:
- Unusual pop-ups or ads appearing on the desktop or within browsers.
- Browser homepage or default search engine changed without user action.
- Unexpected toolbars or extensions installed in the browser.
- System is significantly slower than normal.
- Disk activity when the computer is idle.
- Network activity when no programs should be communicating.
- Programs crashing or behaving unexpectedly.
- Security software disabled (malware disables antivirus to avoid removal).
- New, unrecognized user accounts appearing.
- Files encrypted or renamed (ransomware indicator).
- Antivirus alerts or quarantine notifications.
- Certificate errors on trusted websites (could indicate MitM or DNS hijacking).
- Task Manager, Registry Editor, or Command Prompt disabled (malware self-protection).
CompTIA Malware Removal Procedure (Step by Step)
CompTIA A+ defines a specific malware removal procedure:
Step 1 — Investigate and verify malware symptoms. Confirm the system is actually infected (not just slow from legitimate causes).
Step 2 — Quarantine the infected system. Disconnect from the network (Ethernet and Wi-Fi) to prevent further spread or communication with C2 servers.
Step 3 — Disable System Restore. This prevents malware from hiding in restore points and re-infecting the system after removal.
Step 4 — Remediate the infected system. Update anti-malware definitions. Run scans in Safe Mode (prevents malware from loading during the scan). Use multiple tools (Windows Defender, Malwarebytes, etc.). Quarantine or delete detected threats.
Step 5 — Schedule scans and run updates. Ensure real-time protection is active and up to date.
Step 6 — Enable System Restore and create a restore point.
Step 7 — Educate the end user on how the infection occurred and on prevention best practices.
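The same procedure (steps 2 through 6) as a PowerShell script for Windows 10/11 with Microsoft Defender; this is an added example, not part of the CompTIA material, and it assumes the system drive is C: and that definitions were updated before the host was isolated.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the course material: steps 2-6 of the procedure
# as PowerShell on Windows 10/11 with Microsoft Defender. Assumes the system
# drive is C: and that definitions were updated before the host was isolated.
$SystemDrive = 'C:\'

# Step 2 - Quarantine: take every active adapter offline so the host can no
# longer reach a C2 server or spread to other machines.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# Step 3 - Disable System Restore so malware cannot persist in restore points.
Disable-ComputerRestore -Drive $SystemDrive

# Step 4 - Remediate. With the NIC down, Update-MpSignature only succeeds if an
# offline definition share was configured via
# Set-MpPreference -SignatureDefinitionUpdateFileSharesSources; otherwise update
# before step 2 or boot Safe Mode with Networking (bcdedit /set {current}
# safeboot network; remove it later with bcdedit /deletevalue {current} safeboot).
Update-MpSignature -ErrorAction SilentlyContinue
Start-MpScan -ScanType FullScan
# Review what the scan found; Defender quarantines detections by default.
Get-MpThreatDetection | Select-Object ThreatID, InitialDetectionTime, ProcessName

# Repair system files a rootkit may have tampered with (see Rootkit Removal).
DISM.exe /Online /Cleanup-Image /RestoreHealth
sfc.exe /scannow

# Step 5 - Ensure real-time protection is on and schedule a daily scan.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleTime '02:00:00'

# Step 6 - Re-enable System Restore and create a known-clean restore point.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-malware-removal clean state' -RestorePointType MODIFY_SETTINGS
```

Step 1 (verifying symptoms) and step 7 (user education) are manual and are left out of the script.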
Safe Mode Scanning
Why scan in Safe Mode: malware often loads at startup and hides from running scans. Safe Mode loads only essential drivers — most malware does not start in Safe Mode.
Safe Mode options:
- Minimal (most restrictive, no network).
- Network (with networking; needed if the antivirus must update its definitions).
How to boot to Safe Mode:
- Windows 10/11: Settings → Recovery → Advanced startup → Troubleshoot → Advanced Options → Startup Settings → Restart → F4 (Safe Mode) or F5 (Safe Mode with Networking).
- Or: hold Shift and click Restart.
- From the sign-in screen: hold Shift and click Power → Restart.
- Or run `msconfig` → Boot → Safe boot (Minimal or Network).
After removal, restart normally to verify the system is clean.
Malware Removal Tools
- Windows Defender / Microsoft Defender Antivirus: built into Windows 10/11, provides real-time protection and on-demand scanning.
- Windows Defender Offline scan: boots to a pre-OS environment to scan before Windows loads — effective against rootkits. Run from: Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan.
- Malwarebytes Anti-Malware: industry-standard second-opinion scanner. The free version allows on-demand scanning. Excellent at detecting PUPs (potentially unwanted programs), adware, and spyware.
- Autoruns (Sysinternals): identifies all autostart locations — find suspicious entries that survive a reboot.
- Process Explorer (Sysinternals): detailed process information — identify malicious processes.
- Bootable antivirus tools: Kaspersky Rescue Disk, Avira Rescue System — scan offline from external boot media (effective against rootkits).
Rootkit Removal
Rootkits are the most difficult malware to remove because they modify the OS to hide themselves. Standard antivirus running within Windows cannot always detect or remove rootkits (the rootkit hides from it).
Approaches:
- Windows Defender Offline scan: boots outside Windows to scan.
- Bootable antivirus rescue disk: scans from a clean OS environment on USB/DVD.
- DISM /RestoreHealth and sfc /scannow: repair corrupted system files that a rootkit may have modified.
- If all else fails: complete OS reinstallation is the only guaranteed remediation. Formatting and reinstalling ensures no rootkit remnants remain. Back up personal data first (from an offline environment, to avoid copying the malware). Restore only data files (not executables or program files) to avoid reinfecting the clean OS.
Post-Removal Verification and Prevention
After removal:
- Run a second scan with a different tool to confirm clean status.
- Check Task Manager and Autoruns for suspicious processes.
- Verify browser settings: homepage, default search engine, extensions.
- Test that security tools (antivirus, Task Manager, Registry Editor) are functional again.
- Change passwords for all accounts — credentials may have been stolen.
- Enable System Restore and create a new restore point.
Prevention education for users:
- Don't click suspicious email links or attachments.
- Download software only from official sources.
- Keep the OS and applications updated (patch vulnerabilities).
- Use a standard user account for daily tasks (not admin).
- Enable and maintain antivirus real-time protection.
- Use a password manager to avoid credential reuse.
- Enable multi-factor authentication on important accounts.
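A PowerShell check for several of the indicators from the first section, reused here to verify after removal that the tools malware typically disables are working again; this is an added example, not part of the course material, and the Temp/AppData path heuristic for autostart entries is an assumption of the example, not a CompTIA rule.

```powershell
# Added example, not part of the course material: checks a handful of the
# infection indicators listed in the first section. Useful in step 1
# (investigate) and again after removal to confirm the self-protection
# tampering is gone. Empty result = none of these indicators present.
function Test-MalwareIndicators {
    $findings = @()

    # Self-protection: policy values that disable Task Manager, Registry Editor or cmd.exe.
    $polSys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $polCmd = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    foreach ($check in @(
        @{ Path = $polSys; Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
        @{ Path = $polSys; Name = 'DisableRegistryTools'; Tool = 'Registry Editor' },
        @{ Path = $polCmd; Name = 'DisableCMD';           Tool = 'Command Prompt' })) {
        $v = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($check.Name) -ne 0) { $findings += "$($check.Tool) disabled by policy" }
    }

    # Security software state: real-time protection off or stale definitions.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
        if ($mp.AntivirusSignatureAge -gt 7) { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }
    } else {
        $findings += 'Defender status unavailable (service stopped or tampered with?)'
    }

    # Autostart entries (the Run keys Autoruns also lists) launching from
    # user-writable folders; heuristic assumed by this example, review manually.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $entries) { continue }
        foreach ($p in ($entries.PSObject.Properties | Where-Object Name -notlike 'PS*')) {
            if ($p.Value -match '(?i)\\(Temp|AppData|Users\\Public)\\') {
                $findings += "Autostart '$($p.Name)' runs from a user-writable path: $($p.Value)"
            }
        }
    }
    return $findings
}

$result = Test-MalwareIndicators
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No indicators found' }
```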