CompTIA A+ Study Guide (CompTIA A+ 220-1101/1102)

A+ Malware Removal Questions: Correct Order

CompTIA A+ defines a specific six-step malware removal process. The exam tests whether you can put the steps in the right order — and the right order is not always obvious.

Courseiva Study Hub

Quick answer

Malware removal questions on the A+ Core 2 exam test whether you know the CompTIA-defined six-step malware removal process and can put the steps in the correct order. The exam often presents the steps out of order and asks you to sequence them, or describes a scenario and asks which step comes next.

The Six Steps (CompTIA Official Order)

  1. Investigate and verify malware symptoms
  2. Quarantine the infected system
  3. Disable System Restore in Windows
  4. Remediate the infected systems
  5. Schedule scans and run updates
  6. Enable System Restore and create a restore point in Windows
  7. Educate the end user

Note: CompTIA's current objectives list 7 steps in some versions, with step 6 split. Refer to the specific exam objective version you are studying. The core sequence is the same.

Step 1: Investigate and Verify Malware Symptoms

Before touching anything, confirm you are actually dealing with malware. Some symptoms that look like malware have other causes (hardware failure, OS corruption, user error).

Research the symptoms: search for error messages, pop-ups, or process names. Identify the specific malware type if possible — different malware requires different remediation.

Step 2: Quarantine the Infected System

Isolate the infected machine immediately to prevent malware from spreading to other systems on the network. Disconnect from the network (unplug Ethernet, disable Wi-Fi).

Exam trap: some candidates want to run a scan or remove the malware first. Quarantine comes before removal because the malware may be actively communicating with a C2 server or spreading to other machines. Isolate first.

Step 3: Disable System Restore

Windows System Restore can preserve malware in restore points. If you remove the malware but System Restore is still active, the malware may be restored when a user reverts to a previous restore point.

Disable System Restore before remediation to prevent this. In Windows, right-click Computer → Properties → System Protection → turn off protection.

Exam trap: candidates often skip this step or put it after remediation. Disabling System Restore must happen before removing the malware.

Step 4: Remediate the Infected System

Remove the malware using antivirus/antimalware tools. Steps:

  • Update malware definitions before running scans (if possible — may not be possible if the system is quarantined from internet)
  • Run scans in Safe Mode if the malware is hiding from normal mode scans
  • Boot from a trusted external source if the malware has compromised the OS
  • Manually remove malware files, registry entries, and scheduled tasks if automated tools fail

For severe infections, reimaging (reinstalling the OS from a clean image) may be faster and more reliable than attempting to clean a heavily compromised system.

Step 5: Schedule Scans and Run Updates

After removal, ensure the system is protected going forward:

  • Update the operating system with all security patches
  • Update antivirus/antimalware definitions
  • Configure scheduled scans
  • Verify that security software is running and up to date

Step 6: Enable System Restore and Create a Restore Point

Re-enable System Restore (which was disabled in step 3) and immediately create a new restore point. This gives the user a clean restore point to revert to if needed, without the risk of restoring the malware.
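Steps 3 to 6 as they would be carried out from an elevated PowerShell prompt on the quarantined machine, using the built-in System Restore and Windows Defender cmdlets. This is an added example, not part of the original guide; the drive letter, the 02:00 scan time and the restore point label are assumptions.

```powershell
# Added example (not from the guide): steps 3-6 carried out from an elevated
# PowerShell prompt on the already-quarantined machine, using the built-in
# System Restore and Windows Defender cmdlets.
# Assumptions: system drive is C:, scans run daily at 02:00, restore point label is ours.
$ErrorActionPreference = 'Stop'

# Step 3: disable System Restore so a later revert cannot bring the malware back.
Disable-ComputerRestore -Drive 'C:\'

# Step 4: remediate. Definition updates need the network, which a quarantined host
# may not have; if the update fails, the scan still runs with the definitions on disk.
try { Update-MpSignature } catch { Write-Warning "Definition update failed (offline?): $_" }
Start-MpScan -ScanType FullScan
$threats = Get-MpThreatDetection
if ($threats) {
    $threats | Select-Object ThreatID, ProcessName, Resources, InitialDetectionTime | Format-Table -AutoSize
    Remove-MpThreat          # quarantine/remove what Defender found
} else {
    Write-Host 'Defender recorded no threats; consider a second-opinion or boot-time scan.'
}

# Step 5: schedule scans and confirm protection is on and current.
# ScanParameters 2 = full scan, ScanScheduleDay 0 = every day.
Set-MpPreference -ScanParameters 2 -ScanScheduleDay 0 -ScanScheduleTime '02:00:00'
$status = Get-MpComputerStatus
$status | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated, AntivirusSignatureAge |
    Format-List
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; fix this before re-enabling System Restore.'
}

# Step 6: re-enable System Restore and take a clean restore point straight away.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType 'MODIFY_SETTINGS'
```

Operating system patches (the first bullet of step 5) still go through Windows Update; the script covers the Defender side only.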

Step 7: Educate the End User

The final step is education — help the user understand how the infection occurred and what behaviour to avoid:

  • Do not click links in unexpected emails
  • Do not install unauthorised software
  • Verify USB drives before plugging in
  • Report suspicious activity immediately

Education is always the last step, not an optional one. The exam may ask "which step is last in the malware removal process" — the answer is educating the end user.

Common Exam Question Types

"A technician finds malware on a Windows workstation. What should be done immediately after confirming the infection?" — Quarantine (isolate) the system.

"After quarantining and before removing malware from a Windows system, what step should be performed?" — Disable System Restore.

"After successfully removing malware, what is the next step?" — Depends on context. If scans/updates are not done: run updates and schedule scans. If updates are done: enable System Restore and create a restore point. If all technical steps are done: educate the user.

Practice A+ malware removal questions with sequencing scenarios to lock in the correct order.

Real-World Step 2 Decision — Which Quarantine Method to Use

Step 2 is "quarantine the infected system" — but the exam and real world both require more nuance about what quarantine means.

Physical cable disconnect: Immediately effective. No network access at all. The infected system cannot communicate with C2 servers, cannot spread via network shares, cannot receive commands. Use this when you need certainty — you pull the Ethernet cable and you know it is isolated. Downside: some malware detects sudden network loss and triggers destructive payloads or activates self-destruct routines as a fail-safe.

Disable Wi-Fi (software or physical): Effective for wireless-connected systems. The device driver disables the adapter (or you turn the hardware Wi-Fi switch off). This is faster than hunting for a cable but leaves the system powered and alive for memory forensics.

VLAN isolation: Rather than disconnecting the device entirely, the network team moves the port to a quarantine VLAN with no routing to the rest of the network but with routing to the forensics workstation. Advantage: the infected system still has network connectivity for remote analysis, but it cannot reach production systems or the internet. The malware's C2 connection attempt will fail, but the system remains reachable.

What the exam tests vs what matters in practice: The A+ exam almost always expects the answer "disconnect from the network" or "quarantine" without specifying the method. In real practice, VLAN isolation is often preferred because it allows continued remote analysis without physically touching the machine. For the exam, any of these methods satisfies "quarantine."

Step 4 Remediating — Tools and When to Nuke vs Clean

Cleaning tools:

  • Windows Defender (Windows Security): built-in, updated via Windows Update, reasonable at catching common malware. May miss advanced threats, particularly rootkits and fileless malware.
  • Malwarebytes: Commonly used as a second-opinion scanner alongside Windows Defender. Different signature database and heuristic engine means it may catch what Defender misses.
  • Boot-time scanner: Runs before Windows loads, scanning the disk from outside the normal OS context. This bypasses rootkits that hide within a running OS. Some antivirus products include this capability.

When reimaging is better than cleaning:

If the malware is a rootkit — stop trying to clean it. Rootkits modify core OS components. Even after "removal," you cannot be certain the system is clean. Reinstall the OS.

If the system is heavily infected with multiple malware families — the remediation effort exceeds the value. Reimage.

If the infection is old and the system has been running compromised for an extended period — attacker persistence mechanisms may be buried throughout. Reimage.

If you need certainty for a regulated environment (healthcare, finance) — "probably clean" is not acceptable. Reimage and restore from pre-infection backup.

The rootkit cleaning problem specifically: Tools that claim to clean rootkits sometimes leave behind fragments of the rootkit that remain functional. The operating system has been modified at a deep level. Even if the visible rootkit files are removed, driver modifications, API hooks, and boot sector modifications may remain. The only truly reliable fix for a rootkit is a full OS reinstall.

Ransomware-Specific Removal Guidance

When the malware is ransomware, the removal process has specific considerations.

Never pay. Not because payment is ethically wrong (though it is), but because it does not reliably work. Ransomware operators are criminals — there is no guarantee they will send a decryption key, send a working key, or not delete the key after a few uses. The FBI estimates only about half of ransomware victims who pay recover their data.

Check for decryptors before deciding. After identifying the ransomware family from the ransom note, file extension, or online tools like ID Ransomware, check NoMoreRansom.org. Law enforcement and security vendors have cracked the encryption of many ransomware families and released free decryptors. If a decryptor exists for your variant, you do not need to pay or lose data.

The backup recovery sequence: Identify the backup that predates the infection. Verify the backup is clean — ransomware often runs for days before triggering, specifically to infect recent backups. Check backup files for encryption (try opening them). Wipe the infected system. Restore from the clean backup. Update and patch before reconnecting to the network.

If backups are also encrypted: This is the worst case. Evaluate paying as a last resort only if the data loss is genuinely business-ending and no decryptor exists. Even then, engage a reputable ransomware negotiation firm before making contact with the attackers.

Registry Cleanup After Malware Removal

Even after scanning and removing malware files, persistence mechanisms may remain in the Windows Registry. These will reload the malware on next boot.

Key locations to check:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run — Programs launched for the current user on login. Any unknown entry here is suspicious.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run — Programs launched for all users on login. Malware commonly uses this key.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce — Executes once on next boot. Used by some malware to reinstall itself.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce — Same, user-level.

Scheduled Tasks: Check Task Scheduler for tasks created by the malware. Malware commonly creates scheduled tasks to relaunch itself or maintain persistence. Look in C:\Windows\System32\Tasks or through the Task Scheduler GUI. Delete any tasks created by unknown programs around the time of infection.

Startup folder: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup — Anything in here launches on login. Check it.

Services: Some malware installs itself as a Windows service. Services can survive reboots and run with system privileges. Check Services.msc for unfamiliar services, particularly ones with vague names or pointing to executables in temp directories or user profile folders.
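A read-only sweep of the four locations this section lists (Run/RunOnce keys, Startup folders, scheduled tasks, services), as an added example that is not part of the original guide. The "suspicious path" pattern and the 14-day window for recently registered tasks are this example's own choices, not CompTIA's.

```powershell
# Added example (not from the guide): read-only sweep of the four persistence
# locations the A+ exam expects you to know (Run/RunOnce keys, Startup folders,
# scheduled tasks, services). Nothing is deleted; review each REVIEW line by hand.
# Assumptions: the "suspicious path" pattern and the 14-day task window are ours.
$suspiciousPath = '\\Temp\\|\\AppData\\|\\Users\\[^\\]+\\(Downloads|Public)\\|\\ProgramData\\'
$since = (Get-Date).AddDays(-14)

# 1. Run and RunOnce keys for the machine (all users) and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds its own PS* metadata properties; skip those.
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $flag = if ($props.$name -match $suspiciousPath) { 'REVIEW' } else { 'run   ' }
        '{0} {1}\{2} = {3}' -f $flag, $key, $name, $props.$name
    }
}

# 2. Startup folders: anything here launches at logon (per-user and all-users).
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -Force -ErrorAction SilentlyContinue |
        ForEach-Object { 'START  {0} (created {1:u})' -f $_.FullName, $_.CreationTime }
}

# 3. Scheduled tasks registered recently or whose action runs from a suspicious path.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
        $cmd    = "$($_.Execute) $($_.Arguments)".Trim()
        $recent = $task.Date -and ([datetime]$task.Date -gt $since)
        if ($recent -or $cmd -match $suspiciousPath) {
            'TASK   {0}{1} -> {2} (registered {3})' -f $task.TaskPath, $task.TaskName, $cmd, $task.Date
        }
    }
}

# 4. Services whose executable lives in temp or profile directories rather than
#    Program Files or System32; show start mode and whether it is running now.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $suspiciousPath } |
    ForEach-Object { 'SVC    {0} ({1}, {2}) -> {3}' -f $_.Name, $_.State, $_.StartMode, $_.PathName }
```

Compare the output against a known-clean machine of the same build; legitimate software does sometimes install into ProgramData or AppData, so a REVIEW flag is a prompt to check, not a verdict.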

Malware Persistence Mechanisms Beyond the Obvious

DLL hijacking: The malware places a malicious DLL with the same name as a legitimate one in a location that Windows searches before the legitimate location. When the legitimate application loads, it loads the malicious DLL instead. No autorun entry needed — the legitimate application's launch triggers the malicious code.

COM hijacking: Windows Component Object Model (COM) objects are identified by GUIDs in the registry. A malware author can register a fake COM object in HKCU (user-writable) that overrides a legitimate one in HKLM. When software invokes the COM object, the malicious version runs.

WMI subscriptions: Windows Management Instrumentation can be configured to run scripts in response to events. A WMI event subscription (created in the WMI repository) can trigger malicious code on specific events (user login, system uptime, specific process launch) without any file on disk and without appearing in Run keys or scheduled tasks. This is a fileless persistence mechanism.
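Read-only enumeration of the two fileless mechanisms described above, COM hijacking and WMI event subscriptions, as an added example that is not part of the original guide. The root\subscription namespace and the HKCU/HKLM CLSID paths are standard Windows locations; the output layout and the user-writable path pattern are this example's own.

```powershell
# Added example (not from the guide): read-only enumeration of the two fileless
# persistence mechanisms just described. Namespace and CLSID paths are standard
# Windows locations; the output shape is ours. Run from an elevated prompt.

# --- WMI event subscriptions: a filter (WQL event query) bound to a consumer (code to run).
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    # The binding's Filter/Consumer properties are references carrying the key (Name).
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name
    # Only script and command-line consumers execute attacker-supplied code.
    $payload = if ($c.ScriptText) { $c.ScriptText } elseif ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { '(no code)' }
    [pscustomobject]@{
        Filter       = $f.Name
        EventQuery   = $f.Query
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
    }
}
# A stock Windows install normally carries one binding (the SCM Event Log filter/consumer);
# anything else needs an owner and an explanation.

# --- COM hijacking: a CLSID registered under HKCU wins over the same CLSID in HKLM.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($server -and (Test-Path "HKLM:\Software\Classes\CLSID\$clsid")) {
        # Same CLSID in both hives plus a DLL in a user-writable location is the hijack shape.
        [pscustomobject]@{
            CLSID        = $clsid
            HkcuServer   = $server.'(default)'
            UserWritable = [bool]($server.'(default)' -match '\\AppData\\|\\Temp\\|\\Users\\')
        }
    }
}
```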

Boot sector persistence: UEFI bootkits modify the boot sequence itself. Even if Windows is reinstalled, the bootkit survives on the firmware or EFI partition. Removal requires flashing clean firmware or reformatting the EFI partition.

Exam context: These mechanisms appear in Security+ more than A+, but the A+ exam's "where does malware hide" topic covers at minimum the registry Run keys, scheduled tasks, startup folder, and services. Know those four for the A+ exam.
