Identify malware infection signs, execute safe removal procedures, and prevent reinfection. This is where Tier 2 begins — security knowledge that separates you from Level 1.
Malware is any software designed to damage, disrupt, or gain unauthorized access to a system. At Tier 2 you need to identify the malware type quickly, because the removal approach varies by type: a ransomware incident requires immediate isolation, while a browser hijacker usually just needs an adware cleaner and a browser reset. Treating them the same wastes time and can make things worse.
| Type | Behavior | Common Vector | Severity |
|---|---|---|---|
| Virus | Attaches to legitimate files; spreads when file is shared | Infected USB, email attachment | Medium |
| Worm | Self-replicates across network without user action | Network vulnerabilities | High |
| Trojan | Disguises as legitimate software; installs backdoor | Fake downloads, pirated software | High |
| Ransomware | Encrypts files and demands payment | Phishing email, RDP exploit | Critical |
| Spyware | Monitors keystrokes, screenshots, data silently | Bundled software, phishing sites | High |
| Adware | Injects ads, hijacks browser searches | Free software bundles, fake updates | Low-Medium |
| Rootkit | Hides deeply in OS, masks other malware | Trojan droppers, exploit kits | Critical |
| Keylogger | Records all keystrokes including passwords | Phishing, RAT software | High |
Users rarely know what malware looks like — they just know something feels wrong. Your job is to translate vague complaints into specific malware indicators.
| User Complaint | Possible Malware Indicator |
|---|---|
| "My computer is really slow all of a sudden" | Cryptominer, worm, or heavy adware consuming CPU/memory |
| "I'm getting tons of popups even when I'm not on a browser" | Adware or trojan with ad injection |
| "My homepage changed and searches go to a weird site" | Browser hijacker / PUP (Potentially Unwanted Program) |
| "My files have weird extensions and I can't open them" | Ransomware — isolate immediately |
| "My antivirus turned itself off" | Trojan or rootkit designed to disable security software |
| "I'm seeing login prompts for accounts I didn't open" | Spyware or credential theft malware |
| "Random processes are using a lot of CPU in Task Manager" | Cryptominer or worm activity |
If a user reports files with strange extensions (for example .locked, .encrypted or .WNCRY) or a ransom demand on screen, disconnect the machine from the network immediately by pulling the Ethernet cable or disabling the Wi-Fi adapter. Do NOT run a scan first: ransomware keeps encrypting while the scan runs and can spread across mapped network drives and shared folders before it completes, and isolation is what stops the spread. Do not power the machine off either; leave it running but isolated so the security team can capture memory and the ransom note. Then escalate to the security team before attempting any removal.
Use this procedure when a user reports suspected malware, or when antivirus flags a threat. Isolation and documentation are as important as the scan itself. Never skip the verification step.
Ask the user: are files inaccessible and showing strange extensions? Is there a ransom note on screen? If yes, disconnect the network immediately (pull the cable or disable the adapter), document the time of isolation, do NOT proceed with scanning, and escalate to the security team now. For all other malware types, proceed to step 2.
Note all symptoms, when they started, and what the user did recently (installed software, clicked a link, plugged in a USB). Take screenshots of any error messages, unusual processes in Task Manager, or browser changes. This documentation is critical for post-incident analysis and any security reporting.
Restart into Safe Mode with Networking (hold Shift → Restart → Troubleshoot → Advanced options → Startup Settings → Restart → press 5 or F5). Safe Mode loads only core drivers and services, so most malware that starts from Run keys, services or startup folders does not load, while networking still lets you download scanner updates and definitions. It is not a guarantee: rootkits and boot-level threats can survive it, which is one reason the verification step at the end matters.
Open Windows Security → Virus & threat protection → Scan options → Full scan. Let it complete; do not interrupt it. Quarantine or remove all detected threats and note every threat name for documentation. If malware disabled Defender, re-enable real-time protection first via Windows Security or Group Policy, and also review Virus & threat protection settings → Exclusions: malware commonly adds its own folders there so that later scans skip it. If Defender will not stay enabled after you turn it back on, treat that as a persistence problem and escalate rather than repeating scans.
Download Malwarebytes Free from the vendor's own site (from a known-clean machine if the infected one's browser is hijacked) and run it as a second-opinion scanner. It uses different signatures and heuristics than Defender and is strong on adware and PUPs. Run a full scan and quarantine or remove everything it finds. Two scanners significantly increase detection coverage because no single product catches everything.
Open Task Manager → Startup tab and disable any unfamiliar startup entries. Open msconfig → Services tab → tick "Hide all Microsoft services" and look for unknown services. In Registry Editor, check the Run and RunOnce keys under both HKCU\Software\Microsoft\Windows\CurrentVersion and HKLM\Software\Microsoft\Windows\CurrentVersion for suspicious values. Check the startup folders C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, and open Task Scheduler for recently created tasks that run something from AppData, Temp or ProgramData. Record each entry before you remove it: scanners often clean the running threat but miss the dropper that reinstalls it, and these locations are where that dropper lives.
For browser hijacking: In Chrome go to Settings → Reset and clean up → Restore settings to their original defaults. In Edge: Settings → Reset settings. Uninstall any suspicious browser extensions. Change the homepage and default search engine back to intended values. Clear browsing data including cookies and cached content.
Reboot normally (not Safe Mode) and confirm symptoms are resolved. Run Windows Update to apply any outstanding patches. Ensure Windows Defender real-time protection is enabled and up to date. Educate the user briefly on the infection vector (phishing, bad download) so they can recognize it in the future. Document the full incident in the ticket.
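The manual checks in the persistence and verification steps above, plus the "high CPU" rows of the triage table, collected into one sweep you can run before and after removal. This is an added example written for this page, not Microsoft or Malwarebytes code. It assumes an elevated PowerShell session on Windows 10 or later with the Defender cmdlets present; the report path on the desktop and the "user-writable directory" pattern are assumptions, and the signature and path flags are heuristics, not verdicts.

```powershell
# Added example for this course page, not vendor code. Run from an elevated PowerShell prompt
# (Safe Mode with Networking is fine). Report path and the user-writable pattern are assumptions.
$Report       = "$env:USERPROFILE\Desktop\persistence-report.txt"
$Findings     = New-Object System.Collections.Generic.List[object]
$UserWritable = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'

function Get-ExePath {
    # Extract the executable from a command line such as  "C:\a b\x.exe" /s  or  %SystemRoot%\y.exe
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return [Environment]::ExpandEnvironmentVariables(($CommandLine.Trim() -split '\s+')[0])
}

function Test-Suspicious {
    # Heuristic flags only: missing target, invalid/absent Authenticode signature, or a binary
    # living in a user-writable directory. Treat these as leads for the ticket, not verdicts.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing-target' }
    $flags = @()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid')     { $flags += "sig:$($sig.Status)" }
    if ($Path -match $UserWritable)  { $flags += 'user-writable-dir' }
    return ($flags -join ',')
}

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $Findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Command = $Command; Flags = (Test-Suspicious (Get-ExePath $Command))
    })
}

# 0. Defender state: malware commonly turns off real-time protection or adds exclusions for itself
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
"Defender real-time={0}  signatures {1} day(s) old  tamper-protected={2}" -f `
    $mp.RealTimeProtectionEnabled, $mp.AntivirusSignatureAge, $mp.IsTamperProtected
if ($pref.ExclusionPath -or $pref.ExclusionProcess -or $pref.ExclusionExtension) {
    "Defender exclusions present (verify each one is legitimate):"
    $pref.ExclusionPath; $pref.ExclusionProcess; $pref.ExclusionExtension
}

# 1. Run / RunOnce keys, machine-wide and per-user (the Registry Editor check from the procedure)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not autostarts
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        Add-Finding -Source $key -Name $p.Name -Command "$($p.Value)"
    }
}

# 2. Startup folders for all users and for the current user
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding -Source 'StartupFolder' -Name $_.Name -Command $_.FullName }
}

# 3. Scheduled tasks outside \Microsoft\ (droppers that reinstall a cleaned threat usually live here)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) { Add-Finding -Source "Task $($task.TaskPath)" -Name $task.TaskName -Command "$($a.Execute) $($a.Arguments)" }
        }
    }

# 4. Auto-start services (the msconfig Services tab, but judged by signature rather than vendor name)
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { Add-Finding -Source 'Service' -Name $_.Name -Command $_.PathName }

# 5. WMI permanent event subscriptions: fileless persistence that msconfig and the Startup tab never show
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding -Source 'WMI-Consumer' -Name $_.Name -Command $_.CommandLineTemplate }

# 6. Top CPU consumers right now, for the "slow PC / random process" complaints in the triage table
Get-Process | Where-Object { $_.Path } | Sort-Object CPU -Descending | Select-Object -First 15 |
    ForEach-Object { Add-Finding -Source 'Process' -Name "$($_.Name)[$($_.Id)]" -Command $_.Path }

# Flagged entries to the screen, the full inventory to a file for the ticket
$flagged = @($Findings | Where-Object { $_.Flags })
"=== $($flagged.Count) flagged autostart/process entries ==="
$flagged | Format-Table Source, Name, Flags, Command -AutoSize -Wrap
$Findings | Sort-Object Source, Name | Format-Table Source, Name, Flags, Command -AutoSize -Wrap |
    Out-File -FilePath $Report -Width 400
"Full inventory written to $Report"
```

Run it once before cleanup and once after the normal reboot, and compare the two reports: a flagged entry that comes back is the "malware keeps returning" case in the quick-reference table and goes straight to escalation. Signature status is a hint, not a verdict: some legitimate installers ship unsigned binaries, and catalog-signed Windows components can report NotSigned on older PowerShell builds, so confirm a flagged path before deleting it and record it in the ticket either way.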
| Scenario | First Action |
|---|---|
| Ransomware suspected | Disconnect network → escalate to security team |
| Popups / browser hijack | Safe Mode → Defender scan → Malwarebytes → browser reset |
| Slow PC, high CPU | Task Manager → identify process → run full scan |
| Antivirus disabled | Re-enable via Settings → scan → check persistence |
| Malware keeps returning | Escalate — likely rootkit or undetected persistence |
| Field | Your Entry |
|---|---|
| Malware Type | |
| Infection Vector | |
| Threats Detected | |
| Steps Taken | |
| Resolution | |
| Prevention Advice | |
"A user reports that their files have changed extensions and there's a message on screen demanding payment. What do you do first?"
The first thing I do is disconnect the machine from the network immediately — pull the Ethernet cable or disable the Wi-Fi adapter. This is critical because ransomware actively encrypts files and can spread to mapped network drives and shared folders. Running a scan first would allow it to continue encrypting. After isolation, I document the time, the user's name, machine name, and any visible details from the ransom screen, and escalate to the security team before touching anything else. The decision to pay, restore from backup, or attempt decryption is a security and management decision — not a Tier 2 call.
"What tools do you use for malware removal and why do you use more than one?"
I use Windows Defender as the primary scanner — it's built-in, updated regularly, and has good general coverage. Then I use Malwarebytes as a second-opinion scanner because different tools use different signature databases and heuristic engines. No single scanner catches 100% of threats. Malwarebytes is particularly good at adware, PUPs, and newer threats that traditional AV may miss. Using both significantly increases detection coverage. I also check for persistence mechanisms manually — startup entries, scheduled tasks, and registry run keys — because scanners sometimes clean the active threat but miss the dropper that reinstalls it.
"What is the difference between a virus and a worm?"
A virus requires a host file and human action to spread — it attaches itself to a legitimate file, and spreads when that file is executed or shared (via email, USB, etc.). A worm is self-replicating and spreads autonomously through network vulnerabilities without needing a user to do anything. This distinction matters for response: a virus on one machine needs that machine cleaned; a worm may already have spread to other machines on the network before you're even called. Worm infections often require checking other network-connected devices and involving the network team.