Recognizing Infection Symptoms
Malware symptoms vary by type.

Performance-based indicators:
- System significantly slower than baseline
- Unusual disk or network activity at idle
- CPU at a sustained high percentage with no user-initiated tasks

Browser-based indicators:
- Homepage or default search engine changed without user action
- Unexpected toolbars or extensions installed
- Browser redirects to unexpected sites
- Excessive pop-ups, even on trusted sites

Security-related indicators:
- Antivirus software disabled or refusing to update
- Cannot access security websites (antivirus vendors' sites)
- New or suspicious user accounts in User Accounts

File system indicators:
- Files missing, renamed, or encrypted (ransomware)
- .exe or .bat files appearing in unexpected locations
- Desktop wallpaper changed to a ransom demand

Network indicators:
- Unusual outbound connections in netstat -a
- DNS queries to unfamiliar servers
- Traffic to known malicious IPs

System behavior indicators:
- Programs crashing
- UAC prompts appearing unexpectedly
- Task Manager or Registry Editor disabled
- System processes with misspelled names (svchost.exe vs scvhost.exe)
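As an added example (not part of the original notes), the PowerShell below automates the misspelled-system-process check: it flags running processes whose names are within one or two character edits of a core Windows process name, and core process names that run from outside the Windows directory. The list of core names, the allowlist of legitimate near-misses, and the edit-distance threshold are my assumptions; the output is a review list, not a verdict.

```powershell
# Added example, not from the original notes. Flags running processes whose
# names look like a core Windows process name but are not spelled identically
# (e.g. scvhost vs svchost), and core process names running from an unexpected
# directory. Assumptions: Windows 10/11, Windows PowerShell 5.1 or later,
# elevated prompt (otherwise Path is empty for processes of other users).

# Assumed list of core process names (without .exe); extend for your environment.
$KnownSystemProcesses = @('svchost', 'lsass', 'csrss', 'winlogon', 'explorer',
                          'services', 'smss', 'wininit', 'dwm', 'spoolsv')

# Legitimate names that fall within two edits of a core name (assumed allowlist).
$AllowList = @('sihost', 'lsaiso', 'iexplore')

function Get-EditDistance {
    # Levenshtein distance between two strings, compared case-insensitively.
    param([string]$First, [string]$Second)
    $a = $First.ToLowerInvariant()
    $b = $Second.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min(
                [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-LookalikeProcesses {
    # Emits one record per process worth a second look; no output means nothing flagged.
    foreach ($p in Get-Process) {
        $name = $p.ProcessName.ToLowerInvariant()
        if ($KnownSystemProcesses -contains $name) {
            # Exact core name: confirm the image lives under the Windows directory.
            if ($p.Path -and $p.Path -notlike "$env:windir\*") {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path
                                   Reason = "core process name running outside $env:windir" }
            }
            continue
        }
        if ($AllowList -contains $name) { continue }
        foreach ($legit in $KnownSystemProcesses) {
            $dist = Get-EditDistance $name $legit
            if ($dist -le 2) {
                [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $p.Path
                                   Reason = "name is $dist edit(s) away from $legit" }
            }
        }
    }
}

Find-LookalikeProcesses | Format-Table -AutoSize
```

A process that appears in the output still needs to be checked the way the Diagnostic Tools section describes (signature, path, parent) before anything is removed; the edit-distance test only narrows the list of names to look at, and short names such as dwm will match more loosely than long ones.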
Diagnostic Tools
- Windows Security / Windows Defender: primary built-in scanner. Update definitions first, then run a full scan.
- Malwarebytes Free: excellent second-opinion scanner. Detects PUPs, adware, and browser hijackers. Run after Defender, in Safe Mode.
- Autoruns (Sysinternals): shows all autostart locations. VirusTotal integration highlights suspicious entries. Uncheck an entry to disable it without deleting it (for safe testing).
- Process Explorer (Sysinternals): verify each process's digital signature; identify processes hiding behind legitimate names.
- HijackThis / AdwCleaner: browser hijacker detection and removal.
- TCPView (Sysinternals): real-time network connections; identify unusual outbound connections.
- netstat -b (admin): shows which process owns each network connection.
- Windows Defender Offline: pre-OS scan, most effective for rootkits. Access: Windows Security → Virus & threat protection → Scan options → Microsoft Defender Offline scan (requires restart).
- Google's "run a safety check" in Chrome: checks for harmful extensions and settings.
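The following PowerShell is an added example (not from the notes, and not a Sysinternals tool) that combines what netstat -b, TCPView and Process Explorer are used for above: it lists established TCP connections with the owning process and adds the Authenticode signature status of that process's image. The definition of a "private" peer address and the final filter are my assumptions.

```powershell
# Added example, not part of the original notes. Joins each established TCP
# connection to its owning process and the signature status of the process
# image, then keeps the rows a technician would review first.
# Assumptions: Windows 8.1/10/11 (Get-NetTCPConnection comes with the NetTCPIP
# module), elevated prompt so that every process path is readable.

function Test-PrivateAddress {
    # Assumed definition of local traffic: loopback, link-local and RFC 1918 ranges.
    param([string]$Address)
    return $Address -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|::1$|fe80:)'
}

function Get-ConnectionOwners {
    # One record per established connection, with process name, path and signature.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[[int]$p.Id] = $p }
    $sigCache = @{}   # one signature check per image path, not per connection
    foreach ($c in Get-NetTCPConnection -State Established) {
        $p = $byPid[[int]$c.OwningProcess]
        $status = 'Unknown'
        $procName = '<exited>'
        $procPath = $null
        if ($p) {
            $procName = $p.ProcessName
            $procPath = $p.Path
            if ($procPath) {
                if (-not $sigCache.ContainsKey($procPath)) {
                    $sigCache[$procPath] = (Get-AuthenticodeSignature -FilePath $procPath).Status.ToString()
                }
                $status = $sigCache[$procPath]
            }
        }
        [pscustomobject]@{
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            Pid           = $c.OwningProcess
            Process       = $procName
            Path          = $procPath
            Signature     = $status
        }
    }
}

function Find-ConnectionsForReview {
    # Unsigned or invalidly signed owner, or a peer outside the private ranges.
    Get-ConnectionOwners | Where-Object {
        $_.Signature -ne 'Valid' -or -not (Test-PrivateAddress $_.RemoteAddress)
    }
}

Find-ConnectionsForReview | Sort-Object Signature, Process | Format-Table -AutoSize
```

A valid signature only proves the image is the vendor's; a signed process can still be carrying injected code, which is why the Signature column is a filter on where to look first rather than a clean bill of health. Browsers and update agents will always show public peers, so the useful rows are unfamiliar process names or unsigned images talking to public addresses.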
Troubleshooting Specific Malware Types
- Browser hijacker: change the homepage/search engine back in browser settings, remove suspicious extensions, run AdwCleaner. Check HKCU\Software\Microsoft\Internet Explorer\Main for DefaultSearch.
- Ransomware: disconnect from the network immediately (prevents further encryption and C2 communication). Do NOT pay the ransom; there is no guarantee of key delivery. Restore from a clean backup (most reliable). Check No More Ransom (nomoreransom.org) for free decryptors for known ransomware families.
- Cryptominer: causes sustained high CPU usage. Check Task Manager and Process Explorer. Miners often hide behind legitimate process names.
- Rootkit: requires offline scanning (Defender Offline, bootable rescue disk). May require OS reinstallation.
- PUP (Potentially Unwanted Program): bundled software installed without clear consent. AdwCleaner or Malwarebytes detects most PUPs.
- Fileless malware: lives in memory or the registry, with no files to detect. EDR solutions with behavioral analysis are most effective. Check for unusual PowerShell processes in Autoruns and Process Explorer.
Persistence Mechanisms
Malware uses persistence mechanisms to survive reboots. Common persistence locations:
- Registry Run keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce, and the same keys under HKCU.
- Startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (all users) and C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (current user).
- Scheduled tasks: in Task Scheduler, check for tasks with suspicious names or pointing to non-standard executables.
- Services: malware creates a Windows service for persistence. Check services.msc for suspicious services.
- Browser extensions: persist in the browser even after OS-level malware removal.
- DLL hijacking: malware places a DLL where a legitimate process will find it before the real DLL.
- WMI event subscriptions: advanced persistence; the attacker creates WMI events that trigger malware execution. Remove with specialized tools.
Check all of these locations when removing malware; missing one persistence mechanism causes reinfection.
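As an added example (not from the original notes), the PowerShell below builds a single inventory of the persistence locations listed above: the Run and RunOnce keys for the machine and the current user, both startup folders, scheduled-task actions and services whose executable sits outside the Windows and Program Files directories, and the WMI event filters, consumers and bindings in root\subscription. The path patterns that mark a task or service as worth review are my assumption; DLL hijacking and browser extensions are not covered by this script.

```powershell
# Added example, not part of the original notes. Builds one inventory of the
# persistence locations discussed above so they can be reviewed together.
# Assumptions: Windows 10/11, Windows PowerShell 5.1 or later, elevated prompt
# (needed for HKLM RunOnce, every scheduled task and the root\subscription namespace).

# Assumed "expected" executable locations. A task or service whose image lives
# elsewhere (or is given as a bare name resolved via PATH) is listed for review,
# not declared malicious.
$ExpectedPathPattern = '^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files)'

function New-Finding {
    param($Source, $Location, $Name, $Command)
    [pscustomobject]@{ Source = $Source; Location = $Location; Name = $Name; Command = $Command }
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Skip the provider metadata properties that Get-ItemProperty adds.
            if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            New-Finding 'RunKey' $key $prop.Name $prop.Value
        }
    }
}

function Get-StartupFolderEntries {
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            New-Finding 'StartupFolder' $folder $_.Name $_.FullName
        }
    }
}

function Get-TaskEntriesForReview {
    # Enabled tasks whose action executable is outside the expected directories.
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -notmatch $ExpectedPathPattern) {
                New-Finding 'ScheduledTask' $task.TaskPath $task.TaskName "$($action.Execute) $($action.Arguments)"
            }
        }
    }
}

function Get-ServiceEntriesForReview {
    # Services whose binary path is outside the expected directories.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch $ExpectedPathPattern } |
        ForEach-Object { New-Finding 'Service' "StartMode=$($_.StartMode)" $_.Name $_.PathName }
}

function Get-WmiSubscriptionEntries {
    # Every filter, consumer and binding in root\subscription; a clean workstation
    # usually has very few, so each one is worth reading.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        $instances = Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue
        foreach ($inst in $instances) {
            $detail = switch ($class) {
                '__EventFilter'   { $inst.Query }
                '__EventConsumer' {
                    # Derived consumer classes carry their payload in different properties.
                    if ($inst.CommandLineTemplate) { $inst.CommandLineTemplate }
                    elseif ($inst.ScriptText)      { $inst.ScriptText }
                    else                           { $inst.CimClass.CimClassName }
                }
                default { "$($inst.Filter) -> $($inst.Consumer)" }
            }
            New-Finding 'WMI' $class $inst.Name $detail
        }
    }
}

function Get-PersistenceInventory {
    Get-RunKeyEntries
    Get-StartupFolderEntries
    Get-TaskEntriesForReview
    Get-ServiceEntriesForReview
    Get-WmiSubscriptionEntries
}

Get-PersistenceInventory | Format-Table -AutoSize -Wrap
```

Run it once on a known-clean build of the same image and keep the output; on a suspect machine the useful work is then comparing the two inventories rather than reading every row. Entries found under Run keys, startup folders, tasks and services can be disabled with Autoruns exactly as described above; WMI bindings are the set the page says needs specialized tooling, and this script only lists them.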
When to Escalate or Reinstall
Escalation triggers:
- Rootkit confirmed and resistant to removal attempts.
- Fileless malware suspected (may require specialized EDR tooling).
- Ransomware where restoring from backup is not possible and no decryptor is available.
- System remains unstable after multiple removal attempts.
- High-value or sensitive system where complete certainty of clean status is required.
- Suspected APT (Advanced Persistent Threat): nation-state or otherwise sophisticated attacker.

OS reinstallation procedure:
1. Back up personal data to external storage (from a known-clean boot environment if possible).
2. Verify the backup files are not infected (scan before restoring).
3. Wipe and reinstall Windows from official installation media.
4. Restore only personal data files (not program files or executables).
5. Reinstall applications from original sources.
6. Re-enroll in MDM if applicable.
7. Change all passwords on accounts that the infected machine could have accessed.