Skip to main content

CompTIA A+

PC Security Symptoms Part 2

22 min read

In CompTIA A+ Core 2 (220-1202), Domain 3.0, Objective 3.4, you're expected to spot security trouble fast, because early recognition can save time, protect data, and limit repair costs. A symptom is the visible sign something is wrong (what you observe on the PC), while a root cause is the underlying reason it's happening (what you confirm through testing). This Part 2 section focuses on file and OS behaviors that often appear after malware, account abuse, or misconfigurations, even when the system still boots and "seems fine." You'll learn how to recognize altered files, missing or renamed files, inability to access files, unwanted OS notifications, and OS update failures, then separate normal admin activity from indicators of compromise. The goal isn't theory or long checklists; it's practical triage you can repeat on exam day and on real endpoints. Expect quick, hands-on checks such as validating file attributes and permissions, reviewing recent changes, confirming update and notification settings, and noting patterns that point to tampering versus user error. By the end, you should be able to describe each symptom clearly and choose the next best verification step before you attempt a fix.

Altered Files

For CompTIA A+ Core 2 (220-1202), Domain 3.0, Objective 3.4, altered system or personal files are a key PC security symptom because they show up early and often. File tampering can look small at first, like a single document that "feels off." However, patterns usually emerge once you check timestamps, versions, and recent system activity. Your goal in triage is simple: confirm whether the change matches normal use, or whether it suggests unauthorized access.

Quick signs your files were changed without permission

Start with what you can see without special tools. A common clue is a Modified date that does not match your work pattern. For example, a report shows edits at 3:12 a.m. while the PC was supposedly asleep, or dozens of files share the same timestamp within a minute.

Next, pay attention to content changes that do not fit your workflow. A Word document may open with odd extra pages, new hyperlinks, or missing sections. Excel files can carry hidden risk because macros can be added or changed without obvious visual cues, especially if the file still "works." In addition, look for files that suddenly fail to open, prompt for a password you never set, or display unusual error messages.

File name and extension changes also matter. Attackers and some types of ransomware may rename files or append a new extension, so you might see patterns like:

  • Renamed extensions: familiar files end in unexpected suffixes, or icons change across many files at once.
  • Unexpected duplicates: "Budget (1).xlsx" appears repeatedly, often tied to sync conflicts or automated changes.
  • New shortcuts or strange files: unfamiliar .lnk files on the Desktop, or text files that claim your data was "locked."

System level changes can point to unauthorized access. New local users, new "admin" accounts, or changed sign-in options can show up alongside altered files. Similarly, watch for apps you didn't install, especially "optimizer," "PDF," or "codec" tools that appear shortly before the changes.

A short scenario helps connect the dots: a student downloads a "free PDF tool" from a random site. The installer finishes quickly and nothing seems wrong. Later that day, their essays and notes show new modified times they cannot explain, and a few documents open with extra pages and odd links. That combination, unexpected software plus unexplained file changes, is a classic symptom pattern worth treating as suspicious.

A single strange file can be a mistake. A cluster of strange changes in the same hour is a signal.

Fast, safe checks in Windows before you touch anything

When you suspect active tampering, think triage, not repair. The first steps should reduce risk and preserve clues. If files keep changing while you watch, assume something is still running.

Begin with a short, safe sequence:

  1. Disconnect from Wi-Fi (and unplug Ethernet if used). This limits further remote access and can slow down malware that phones home.
  2. Open Windows Security and review Protection history. Look for recent detections, blocked actions, or items that were allowed.
  3. Check recent installs in Settings. Go to Apps (or Installed apps) and sort by date to spot software added right before the symptoms.
  4. Review startup apps in Task Manager. In Task Manager, open the Startup section and note unfamiliar entries, odd publishers, or items with high impact.
  5. Scan Event Viewer at a high level. You are not hunting every log. Instead, look for a cluster of errors or warnings around the time changes started (for example, repeated application crashes, service failures, or sign-in anomalies).

After that, use built-in versioning to compare what "good" looked like. If you use OneDrive, open the file in OneDrive on the web and check Version history. For local recovery, review File History (if enabled) to compare earlier copies. This step is valuable because it answers two questions quickly: did the file change once, or did it change repeatedly, and do older versions look normal?

Keep your actions light. Avoid reinstalling apps, running random cleaners, or deleting "weird" files during this pass. Those moves can destroy evidence and make recovery harder.

When altered files point to malware vs a normal mistake

Not every file change is hostile. In practice, you separate normal causes (messy but explainable) from patterns that behave like an attack. Normal issues often involve one user, one app, or one folder, and they usually stop once the triggering condition ends. Malicious activity often spreads, repeats, or undermines security controls.

This quick comparison helps you sort signals:

What you observeMore consistent with a normal mistakeMore consistent with malware or account abuse
A few files updatedAuto-save, background indexing, routine app behaviorEarly-stage tampering, staging files for theft
Duplicates and "(1)" copiesSync conflicts, shared edits, cloud mergeAutomated copying to new locations
Many files changed fastBulk rename, restore, or legitimate batch actionRansomware style mass edits or encryption activity
File extensions changedUser renamed, wrong "Save as type" choiceRandom extensions across many folders
Changes stop after rebootTemporary app glitch, stalled sync clientSome threats persist, but not all
Changes return after rebootLess common, could be sync loopPersistence, scheduled tasks, startup entries
Security settings changedAdmin policy changesSecurity tools disabled or exclusions added

Non-malicious causes often include auto-save features, cloud merge behavior, shared accounts, or a bad shutdown that corrupts open files. Sync tools can also rewrite timestamps during reconciliation, which looks alarming if you do not expect it.

On the other hand, several patterns should raise your alert level. Many files changing at once, strange extensions across multiple folders, or security tools that appear turned off are not typical user mistakes. Repeated changes after every reboot also suggest something persistent.

When the signs point to malware, stop "fixing" and switch to escalation steps that protect data and support a clean investigation:

  • Isolate the PC (disconnect networking).
  • Document what you see (timestamps, file names, screenshots of alerts, recent installs).
  • Inform the right person (your instructor, help desk, or security lead) before making major changes.

If you can't explain the pattern and it keeps happening, treat it as active compromise until proven otherwise.

Missing Files

For CompTIA A+ Core 2 (220-1202), Domain 3.0, Objective 3.4, missing or renamed files matter because they can signal anything from a simple mistake to malware activity. In practice, you want to sort the symptom into three buckets: deletion, hiding or renaming, or encryption. Each bucket has different clues, and each leads to a different next step.

A helpful mental model is to treat your files like books in a library. A deleted file is a book removed from the shelves, a hidden file is a book shelved behind a curtain, and an encrypted file is a book with its pages glued shut. The goal is to identify which situation you face before you click, restore, or reinstall.

Common reasons files "disappear" that are not an attack

Most "missing file" reports on home and small office PCs come from routine behavior, not attackers. First, confirm the basics that create the illusion of loss.

Files often get moved instead of deleted. For example, a user drags a folder into another folder while cleaning the Desktop. Similarly, an application may save to a default path you did not expect, such as Documents instead of Desktop. In addition, Windows Search can help, but only if you search for a distinctive part of the file name.

Next, check for view and sort confusion. File Explorer can group by date, type, or author, which can make items look absent. A filter can also hide items, such as showing only "Pictures" or only "Today." When in doubt, switch to a simple view and sort by Name, then look again.

Cloud sync adds another common twist. A file may be saved to OneDrive (or another sync folder) instead of local storage, or it may exist as an online-only placeholder. That can feel like deletion when the device is offline. Also, if the PC has multiple accounts, the file may sit under a different Windows user profile, which changes the Documents and Desktop paths.

Finally, storage management can remove items without obvious drama:

  • Recycle Bin: deleted files may still be recoverable until the bin is emptied.
  • External drive letters: a USB drive might change from E: to F: after a reboot or when other devices connect.
  • Storage cleanup tools: Disk Cleanup, Storage Sense, or third-party "cleaners" can remove downloads, temp files, or previous versions.

When only one folder looks affected, think "location" before "malware."

Signs of hiding, renaming, or file extension tricks

If files still exist but you can't see or recognize them, hiding and renaming become likely. Windows supports a Hidden attribute and a System attribute. Either one can prevent files from appearing in normal views. That matters in security triage because some unwanted programs hide payloads the same way Windows hides system files.

Start with File Explorer settings. Turn on Show hidden files and disable "Hide protected operating system files" only if policy allows and you understand the risk. Also enable Show file extensions, because extensions are part of the file's identity. Without extensions visible, Windows can make a dangerous file look harmless.

Renaming can be innocent (a user changed a name), but it can also be a trick. Watch for extension spoofing, where the name implies one type, but the real extension indicates another.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account