Objective 2.6: Given a scenario, implement procedures for basic SOHO malware removal
Cert: CompTIA A+ Core 2 (220-1202) V15
Domain: 2.0 Security
Weight: Part of the 28% Security domain
Depth: Given a scenario, implement. The candidate must execute the canonical 10-step malware removal procedure in order.
What this objective tests
You should be able to execute the malware removal procedure in the correct sequence. CompTIA tests this as ordered steps, so the order itself is testable.
The 10-step procedure mirrors CompTIA's published malware-cleanup workflow. Memorize the sequence.
Key facts
Step 1 - Investigate and verify malware symptoms:
- Confirm the symptoms before treating. False positives waste time; missed real infections leave the door open.
- Common symptoms: unexpected pop-ups, browser redirects, slow performance, unfamiliar processes, AV alerts, file encryption with ransom notes, network spikes.
- Tools: AV scan reports, EDR alerts, Task Manager (processes), Resource Monitor (network), Event Viewer (security log).
Step 2 - Quarantine infected system:
- Disconnect from the network (unplug Ethernet, disable Wi-Fi) to prevent spread.
- Do NOT shut down immediately if you need to preserve memory evidence for investigation.
- Notify the user the device is being isolated; coordinate any urgent file recovery.
Step 3 - Disable System Restore in Windows Home:
- System Restore points can contain copies of the malware. If you restore from one, you reinfect.
- Disable: Control Panel > System > System Protection > Configure > Disable. Delete existing restore points.
- The V15 objectives call this step out explicitly for Windows Home. Pro and higher editions benefit from it just as much, but the exam wording names Home.
Step 4 - Remediate infected systems:
- Apply the actual cleanup. Run AV/anti-malware scans, remove detected items.
- For deeply embedded threats (rootkits, persistent fileless malware): boot to Safe Mode or a clean environment; sometimes only a full reimage works.
Step 5 - Update anti-malware software:
- After remediation, update AV signatures and engine versions. The infection may have been recent and your current signatures may have missed parts of it.
- Reflects the principle: never rely on the same defenses that just failed.
Step 6 - Scan and removal techniques (safe mode, preinstallation environment):
- Some malware loads at boot and blocks AV. Boot into Safe Mode (limited services and drivers) so the malware doesn't load.
- For more stubborn malware, boot from Windows PE (Preinstallation Environment) on a USB stick. The PC's own OS isn't running, so the malware has no running system to hide behind.
- Run AV/anti-malware scans from this clean boot environment.
Step 7 - Reimage / reinstall:
- If the malware can't be fully removed, or there's any doubt about the system's integrity, reimage from a known-good baseline.
- For rootkits, firmware infections, or multiple-infection cleanup, reimage is the only reliable cleanup.
Step 8 - Schedule scans and run updates:
- Set up regular scheduled AV scans (weekly is common).
- Configure Windows Update and the AV product to update automatically.
- Goal: catch any re-infection quickly and keep defenses current.
Step 9 - Enable System Restore and create a restore point in Windows Home:
- Re-enable System Restore that was disabled in step 3.
- Create a fresh restore point so the user has a known-clean snapshot to roll back to.
Step 10 - Educate the end user:
- Talk to the user about what happened and how. Did they click a phishing link? Visit an untrusted site? Plug in a strange USB drive?
- Provide tailored advice: phishing recognition, password manager, MFA, what to do if it happens again.
- The user is part of the next defense layer.
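The scriptable steps of the procedure above, as an added example that is not part of the CompTIA objectives or any vendor tool. It assumes Windows PowerShell 5.1 run as Administrator, Microsoft Defender as the AV product, and C: as the system drive; the function names are my own.

```powershell
# Added example, not from the CompTIA objectives: the scriptable parts of the
# 10-step procedure as functions to run in order. Assumes Windows PowerShell 5.1
# elevated, Microsoft Defender as the AV, and C: as the system drive.
#Requires -RunAsAdministrator

function Confirm-MalwareSymptoms {
    # Step 1: verify before treating. Defender logs 1116 (threat detected) and
    # 1117 (action taken); also list processes running outside the OS trees.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=1116,1117} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
    Get-Process | Where-Object { $_.Path -and $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
        Select-Object Name, Id, Path
}

function Invoke-Quarantine {
    # Step 2: take every active adapter down; the host stays powered on so memory
    # can still be captured. Log the time and method for the incident record.
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "$(Get-Date -Format o) isolated via Disable-NetAdapter: $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

function Disable-RestorePoints {
    # Step 3: record, then purge, restore points that may carry the malware.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
    Disable-ComputerRestore -Drive 'C:\'
    vssadmin delete shadows /all /quiet | Out-Null
}

function Invoke-Remediation {
    # Step 4: full scan with the current engine and remove what it finds.
    # Step 5: only then refresh engine and signatures (needs connectivity, so
    # reconnect to a trusted network for this step) and record the versions.
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection | Select-Object InitialDetectionTime, ProcessName, Resources
    Update-MpSignature
    Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
}

function Set-ScanSchedule {
    # Step 8: weekly full scan and automatic signature checks every 4 hours.
    Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime '02:00:00'
    Set-MpPreference -SignatureUpdateInterval 4
}

function Enable-CleanBaseline {
    # Step 9: re-enable System Restore and snapshot the known-clean state.
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description 'Post-removal clean baseline' -RestorePointType MODIFY_SETTINGS
}
```

Steps 6, 7 and 10 (the Safe Mode or WinPE rescan, the reimage decision, and the user conversation) stay manual and sit between Invoke-Remediation and Set-ScanSchedule; Checkpoint-Computer creates at most one restore point per 24 hours by default.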
Common gotchas
- Reconnecting to the network before cleanup is complete. Malware spreads to other devices. Stay isolated until you're sure.
- Skipping step 3 (System Restore disable). Restoring from a point captured during the infection reinfects the machine immediately.
- Trusting a single AV scan as "clean," especially for rootkits or fileless threats. Use multiple tools (AV + Malwarebytes + EDR) and consider a reimage when in doubt.
- Skipping step 10 (user education). Same user, same behavior, same infection next week.
- Restoring user files from infected backups. Verify backup integrity before restoring; some malware encrypts backups too.
- Forgetting to re-enable System Restore in step 9. The user is left with no rollback option, potentially for the next year.
Real-world context
For an MSP, this procedure is the canonical incident response playbook. Document each step:
- Symptom verification (screenshot the AV alert, log Event Viewer entries).
- Isolation (note time and method).
- Restore disable (record any existing restore points purged).
- Remediation steps (which tools, what they found).
- Reimage decision (and why if applicable).
- Update verification (signatures, engine version, Windows Update status).
- User conversation (what was clicked, what was learned).
Post-incident:
- Root-cause review: what defense layer failed?
- Patch any vulnerability used.
- Adjust user training if the entry was social engineering.
- If credentials were compromised, force password resets and review what those credentials could access.
For ransomware specifically: don't pay. Restore from clean backups. Report to law enforcement (FBI IC3 in the US). Notify affected parties if data was exfiltrated (many jurisdictions require notification).
Sources
- [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.6](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
- [CISA: Stop Ransomware](https://www.cisa.gov/stopransomware)
- [Microsoft Learn: Safe Mode](https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-92c27cff-db89-8644-1ce4-b3e5e56fe234)
- [Microsoft Learn: Windows PE](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro)
