CCNA Malware Types and Removal Questions

30 questions · Malware Types and Removal · All types, answers revealed

1
MCQ · hard

A technician is investigating a computer that has been sending spam emails from the user's account without their knowledge. The user has not installed any new software recently. The technician finds a process running that matches a known botnet client. Which two steps should the technician take first to mitigate the threat?

A. Disconnect the computer from the network and terminate the malicious process.
B. Run a full antivirus scan and then update the firewall rules.
C. Change the user's email password and run a malware scan.
D. Reboot the computer into Safe Mode and then run a scan.

Answer: A

Disconnecting stops the botnet's command-and-control communication, and terminating the process halts the spam.

Why this answer

The immediate priority is to disconnect the computer from the network to stop the botnet communication and prevent further spam. Then, the technician should identify and terminate the malicious process. Scanning without disconnecting may allow continued data exfiltration.

2
MCQ · medium

A user reports that their computer is displaying a message claiming their files are encrypted and they must pay 0.5 Bitcoin to a specific address to regain access. The user cannot open any documents or photos. What is the first step the technician should take to respond to this incident?

A. Pay the ransom to recover the files immediately.
B. Disconnect the computer from the network.
C. Run a full antivirus scan to remove the malware.
D. Reboot the computer into Safe Mode.

Answer: B

Isolating the system prevents the ransomware from spreading to other networked devices.

Why this answer

The first step in a ransomware incident is to isolate the infected system from the network to prevent the malware from spreading to other devices. Paying the ransom, or attempting decryption without a proper tool, is not a recommended initial action.

3
MCQ · medium

A technician is troubleshooting a Windows 10 computer that exhibits strange behavior: system files are missing, and the computer fails to boot normally. A boot-time virus scan detects a virus that infected the Master Boot Record (MBR). Which tool should the technician use to repair the MBR?

A. System Restore
B. Bootrec.exe /FixMbr
C. SFC /Scannow
D. CHKDSK /F

Answer: B

This command rewrites the MBR, fixing boot issues caused by MBR viruses.

Why this answer

The Bootrec.exe tool with the /FixMbr switch is used to repair the Master Boot Record in Windows. System Restore, SFC, and CHKDSK do not specifically repair the MBR.

4
MCQ · medium

A user reports that their web browser's homepage has changed to an unfamiliar search engine, and new toolbars have appeared without their consent. They have not installed any new software recently. Which type of malware is most likely responsible?

A. Trojan horse
B. Worm
C. Browser hijacker
D. Ransomware

Answer: C

Browser hijackers specifically alter browser settings like homepage and add toolbars without user consent.

Why this answer

A browser hijacker modifies browser settings like the homepage and adds unwanted toolbars. It often installs silently through drive-by downloads or bundled with other software. Removal requires resetting the browser and scanning with anti-malware tools.

5
MCQ · easy

A customer reports that their desktop computer is running extremely slowly, and they see frequent pop-up advertisements even when no browser is open. Task Manager shows a process named 'svch0st.exe' consuming 95% CPU. Which type of malware is most likely causing these symptoms?

A. Ransomware
B. Adware
C. Rootkit
D. Spyware

Answer: B

Adware displays unwanted ads and often runs processes that impersonate legitimate ones, matching the symptoms described.

Why this answer

Adware displays unwanted advertisements and often masquerades as legitimate processes. The misspelled 'svch0st.exe' mimics a Windows system process, a common adware tactic. This malware type is best removed using a dedicated anti-malware tool.

6
MCQ · easy

During a routine security audit, a technician discovers that a user's workstation has a program that records keystrokes and periodically sends the data to an external server. The user denies installing any software recently. Which type of malware is this?

A. Trojan horse
B. Worm
C. Keylogger
D. Ransomware

Answer: C

A keylogger specifically records keystrokes and sends them to an attacker, exactly as described.

Why this answer

A keylogger is a type of spyware that records keystrokes to capture sensitive information like passwords. It often operates stealthily without the user's knowledge, matching the scenario where the user did not install anything. Spyware is the broader category, but keylogger is the specific variant described.

7
MCQ · medium

A small business owner reports that all their Microsoft Office documents are now encrypted with a '.crypt' extension and a ransom note demands payment in cryptocurrency. They have a backup from last week stored on an external drive that was disconnected after the backup. What is the best recovery strategy?

A. Pay the ransom to obtain the decryption key.
B. Restore the files from the disconnected external backup after removing the malware.
C. Run a decryptor tool downloaded from a random website.
D. Use System Restore to revert the system to a previous state.

Answer: B

An offline backup is immune to ransomware encryption; restoring it after cleaning the system recovers data safely.

Why this answer

Since the backup is offline and not encrypted, restoring from it is the safest and most reliable recovery method. Paying the ransom is discouraged as it funds criminals and may not work. The system should be cleaned of malware before restoration.

8
MCQ · medium

During a security incident, a technician discovers that a user's computer has a program that hides its processes from Task Manager and allows an attacker to remotely control the system. The technician suspects a rootkit. Which removal method is most effective for a rootkit?

A. Run a system restore to a point before the infection.
B. Use an antivirus boot disk to scan and remove the rootkit.
C. Reinstall the operating system from a trusted source.
D. Delete the rootkit's files manually in Safe Mode.

Answer: C

A clean installation ensures all traces of the rootkit are removed.

Why this answer

Rootkits are deeply embedded and often cannot be removed by standard tools. The most reliable removal method is to wipe the drive and reinstall the operating system from a trusted source.

9
MCQ · hard

A technician is tasked with removing malware from a Windows 10 computer that has a Trojan horse that downloaded additional payloads. The technician has already run a full antivirus scan and removed the Trojan, but the computer still exhibits suspicious network activity. What should the technician do next?

A. Reimage the computer immediately.
B. Run a second-opinion malware scanner such as Malwarebytes.
C. Reset the web browser settings to default.
D. Disable all startup programs in Task Manager.

Answer: B

A second scanner can find residual malware or backdoors that the primary tool missed.

Why this answer

After removing the initial malware, additional payloads or backdoors may remain. Running a second-opinion scanner like Malwarebytes can detect remnants that the primary antivirus missed. Reimaging is a drastic step that is not yet necessary, and resetting the browser or disabling startup items may not address hidden threats.

10
MCQ · hard

A technician is investigating a security incident where multiple workstations on the same network are showing signs of infection: slow performance, unusual network traffic, and the presence of a file named 'svch0st.exe' in the Startup folder. The technician suspects a worm that spreads through network shares. What is the most effective containment strategy?

A. Run a full antivirus scan on all workstations simultaneously.
B. Disable network shares and isolate infected workstations from the network.
C. Update the antivirus definitions on one workstation and scan it.
D. Reboot all workstations into Safe Mode with Networking.

Answer: B

This stops the worm from spreading via file shares and prevents further infection.

Why this answer

A worm that spreads via network shares requires immediate network segmentation to stop propagation. Disabling the network shares on all workstations and isolating infected systems from the network prevents the worm from reaching other devices. Patching the vulnerability used for spread (e.g., SMB) is also critical, but containment is the priority.

11
MCQ · hard

A technician is investigating a security breach where sensitive customer data was exfiltrated. The only malware found is a hidden driver that intercepts keystrokes and sends them to a remote server. Which malware type is responsible, and what is the best removal strategy?

A. Spyware; remove by running a standard antivirus scan.
B. Keylogger; use a rescue disk to boot and run an anti-rootkit scanner.
C. Ransomware; restore from backup.
D. Adware; uninstall suspicious programs from Control Panel.

Answer: B

A keylogger that operates as a rootkit needs a boot-time scan to bypass its stealth mechanisms.

Why this answer

A keylogger records keystrokes to steal credentials and sensitive data. As a kernel-level rootkit, it hides from standard scans. Booting from a rescue disk and using a specialized anti-rootkit tool is necessary to remove it without reinstalling the OS.

12
MCQ · hard

During a routine security audit, a technician discovers that a user's computer has a program that opens a backdoor on port 4444 and allows remote control. The program was installed alongside a free PDF converter the user downloaded last week. Which malware type is this, and what is the most effective removal method?

A. Worm; use a network-based firewall to block port 4444.
B. Trojan horse; boot into Safe Mode and run a full anti-malware scan.
C. Ransomware; pay the ransom to regain control.
D. Rootkit; perform a clean installation of Windows.

Answer: B

The program is a Trojan that came bundled with freeware; Safe Mode scanning can remove it.

Why this answer

A Trojan horse disguises itself as legitimate software (here, the PDF converter) but contains malicious code. This Trojan opens a backdoor, acting as a remote access Trojan (RAT). Removal requires disconnecting from the network, booting into Safe Mode, and using an updated anti-malware scanner to eliminate the Trojan and its persistence mechanisms.

13
MCQ · medium

A technician is tasked with removing a persistent malware infection that survives reboots and re-infects the system even after a full antivirus scan in Safe Mode. The malware appears to hide in the Master Boot Record (MBR). Which removal method should the technician use?

A. Run a system file checker (sfc /scannow) from within Windows.
B. Use the Windows Recovery Environment to run bootrec /fixmbr.
C. Perform a clean installation of Windows without formatting the drive.
D. Disable System Restore and delete all restore points.

Answer: B

This command rewrites the MBR, removing the malware that resides there.

Why this answer

MBR malware infects the boot sector and loads before the operating system, which allows it to survive standard scans and Safe Mode. The most effective removal is to use the Windows Recovery Environment (WinRE) and run the bootrec /fixmbr and bootrec /fixboot commands, which rewrite the MBR and the partition boot sector and overwrite the infected code.

If that fails, a full reinstall may be necessary.

14
MCQ · easy

A small business owner calls for support because all of their files on the server have been renamed with a .encrypted extension, and a text file named 'README_TO_DECRYPT.txt' appears on the desktop demanding a Bitcoin payment. What is the first step the technician should take?

A. Pay the ransom to get the decryption key immediately.
B. Disconnect the server from the network.
C. Run a full antivirus scan on the server.
D. Restore files from a recent backup immediately.

Answer: B

Disconnecting the server stops the ransomware from encrypting additional files and spreading to other systems.

Why this answer

The first step in a ransomware incident is to isolate the infected system from the network to prevent the malware from spreading to other devices. Paying the ransom is discouraged as it does not guarantee data recovery and funds criminal activity. After isolation, the technician can assess the damage and attempt recovery from backups.

15
MCQ · easy

A technician is configuring a new Windows 11 workstation for a user who frequently downloads free software. To reduce the risk of malware infections from bundled applications, which security setting should be enabled?

A. Enable Windows Defender Application Guard.
B. Set User Account Control to always notify.
C. Turn on Windows Firewall with advanced logging.
D. Enable BitLocker drive encryption.

Answer: B

UAC prompts before any software installation, allowing the user to reject unwanted bundled programs.

Why this answer

Windows Defender Application Guard and controlled folder access are useful, but the most direct protection against unwanted bundled software is User Account Control (UAC). UAC prompts for permission before installing software, giving the user a chance to decline bundled items.

16
MCQ · hard

A technician is dealing with a zero-day malware infection that has evaded all signature-based antivirus scans. The malware is polymorphic, changing its code each time it infects a new system. Which approach is most likely to detect and remove this type of malware?

A. Update the antivirus to the latest signature definitions and run a full scan.
B. Use a bootable antivirus rescue disk to scan the system before the OS loads.
C. Employ a heuristic-based or behavior-based malware removal tool.
D. Reinstall the operating system from a known-good backup.

Answer: C

Heuristic tools analyze behavior and code patterns, allowing them to detect polymorphic malware that changes its signature.

Why this answer

Polymorphic malware changes its signature, making signature-based detection ineffective. Heuristic analysis and behavior-based detection tools, such as those used by advanced endpoint detection and response (EDR) solutions, can identify malware based on suspicious actions rather than static signatures. Running a tool that uses heuristic scanning can detect the malware's behavior, such as file encryption or unauthorized registry changes.

17
MCQ · hard

A user reports that their computer is sending out a large amount of network traffic even when they are not using the internet. The antivirus detects a file named 'expl0rer.exe' in the startup folder. What type of malware is most likely causing this behavior?

A. Spyware
B. Botnet
C. Virus
D. Trojan

Answer: B

Botnet malware uses the infected machine to perform coordinated activities, causing unusual network traffic.

Why this answer

A botnet is a network of infected computers that are remotely controlled to perform tasks like sending spam or launching DDoS attacks. The unusual network traffic and startup file indicate the machine is part of a botnet. Removal requires disconnecting from the network and scanning with updated anti-malware.

18
MCQ · medium

A technician is troubleshooting a computer that displays a fake security alert claiming the system is infected and urging the user to call a toll-free number. The alert cannot be closed and appears on top of all other windows. What is the best removal approach?

A. End the process 'svchost.exe' in Task Manager.
B. Restart the computer and press F8 to boot into Safe Mode with Networking, then run a malware scan.
C. Call the toll-free number to get help removing the alert.
D. Use System Restore to revert to a previous restore point.

Answer: B

Safe Mode loads minimal drivers and services, preventing the scareware from running and allowing removal.

Why this answer

This is a tech support scam, a form of scareware that uses a persistent pop-up. Booting into Safe Mode with Networking allows the technician to run an anti-malware scan without the rogue process interfering. Safe Mode loads only essential drivers, preventing the scareware from starting.

19
MCQ · easy

A customer reports that their Windows 10 computer is running very slowly, and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their browser that they did not install. What type of malware is most likely causing these symptoms?

A. Ransomware
B. Adware
C. Virus
D. Worm

Answer: B

Adware generates pop-up ads and installs unwanted toolbars, matching the described symptoms exactly.

Why this answer

Adware displays unwanted advertisements and often installs browser toolbars, slowing down the system. Unlike a virus or worm, adware does not self-replicate, and ransomware would demand payment rather than show ads.

20
MCQ · easy

A user reports that their computer is infected with a virus and they have been trying to remove it using a free online scanner, but the problem persists. The technician suspects the malware may have disabled the antivirus software. Which safe mode should the technician use to run a full system scan?

A. Safe Mode
B. Safe Mode with Command Prompt
C. Safe Mode with Networking
D. Last Known Good Configuration

Answer: C

This mode provides network access, allowing the technician to download updated tools while keeping malware disabled.

Why this answer

Safe Mode with Networking allows the technician to boot with minimal drivers and services while still having network access to download updated antivirus definitions or removal tools. Safe Mode alone does not provide network access, which is often needed to get the latest malware signatures. This mode also prevents many malware variants from loading, making removal easier.

21
MCQ · medium

A technician is cleaning a computer that has been infected with a rootkit. After running a standard antivirus scan, the malware is still detected on reboot. Which step should the technician take next to ensure complete removal?

A. Perform a clean installation of Windows.
B. Boot from a rescue disk and run a malware scan.
C. Disable System Restore and run the antivirus again.
D. Run the antivirus in Safe Mode.

Answer: B

A rescue disk boots a trusted OS, bypassing the rootkit and enabling effective removal.

Why this answer

Rootkits load before the operating system and can hide from standard scans. Booting from a rescue disk (e.g., a bootable anti-malware USB) loads a clean OS environment, allowing the scanner to detect and remove the rootkit without interference.

22
MCQ · easy

A user reports that their system is running very slowly, and they see frequent pop-up ads even when no browser is open. They also notice that their default search engine has changed without their permission. Which type of malware is most likely causing these symptoms?

A. Virus
B. Adware
C. Ransomware
D. Rootkit

Answer: B

Adware is known for displaying unwanted advertisements and modifying browser settings, matching the user's symptoms.

Why this answer

Adware is designed to display unwanted advertisements and can modify browser settings, causing pop-ups and search engine hijacking. Unlike a virus or worm, adware does not typically replicate itself or require a host file to spread. The symptoms described, pop-ups outside the browser and unauthorized search engine changes, are classic signs of adware infection.

23
MCQ · hard

A user reports that their computer is infected with a virus that has encrypted all their personal files and left a text file with instructions to pay a ransom. The technician has verified the infection is ransomware. The company has a backup policy. What is the best course of action to recover the data?

A. Pay the ransom and hope the decryption key is provided.
B. Use a ransomware decryption tool from a reputable source.
C. Restore the files from a recent backup after removing the malware.
D. Reinstall the operating system and hope the files become accessible.

Answer: C

Restoring from backup is the most reliable way to recover data without paying the ransom.

Why this answer

The best approach for ransomware recovery is to restore files from a known clean backup after removing the malware. Decryption tools are not always available, and paying the ransom is discouraged. Reinstalling the OS is needed only if the system is compromised, but data recovery is the priority.

24
MCQ · medium

A user reports that their computer has been acting strangely: files are missing, and the mouse cursor moves on its own, opening programs and typing messages. The technician suspects a remote access Trojan (RAT). What is the most effective immediate action to stop the unauthorized access?

A. Run a full antivirus scan while the user is logged off.
B. Disconnect the Ethernet cable and disable Wi-Fi.
C. Change the user's password and log off.
D. Restore the system to a previous restore point.

Answer: B

Disconnecting the network immediately stops the remote attacker from controlling the computer.

Why this answer

A RAT gives an attacker remote control of the system. The immediate action is to disconnect the computer from the network, which cuts off the attacker's connection. After isolation, the technician can run scans and remove the malware.

Continuing to work while connected risks data theft or further damage.

25
MCQ · easy

During a routine security audit, a technician finds that a user's computer has an unknown program running that is sending keystrokes and screenshots to a remote server. The user did not install this program. Which type of malware is this?

A. Rootkit
B. Worm
C. Keylogger
D. Ransomware

Answer: C

A keylogger records keystrokes and often captures screenshots, matching the described behavior.

Why this answer

A keylogger records keystrokes and can capture screenshots, sending data to an attacker. This is a form of spyware, not a worm, rootkit, or ransomware, which have different behaviors.

26
MCQ · easy

During a security incident, a user's files have been renamed with a '.encrypted' extension, and a ransom note demands Bitcoin to restore them. The user has no backups. What is the most appropriate immediate action?

A. Pay the ransom to regain access quickly.
B. Disconnect the computer from the network immediately.
C. Run a full antivirus scan to remove the malware.
D. Restart the computer in Safe Mode and attempt file recovery.

Answer: B

Isolating the system stops the ransomware from encrypting network drives or spreading to other devices.

Why this answer

Ransomware encrypts files, and paying the ransom does not guarantee decryption. The correct first step is to isolate the infected system to prevent the malware from spreading to network shares or other devices.

27
MCQ · medium

A user calls the help desk because their computer is running slowly and they see a fake antivirus program warning that their system is infected. The user cannot close the warning window. Which type of malware is this, and what is the best removal approach?

A. Ransomware; pay the fee to remove the warning.
B. Spyware; run a full scan in normal mode.
C. Rogue antivirus; boot into Safe Mode with Networking and run Malwarebytes.
D. Adware; uninstall the program from Control Panel.

Answer: C

Safe Mode prevents the malware from loading, and a dedicated tool can remove it.

Why this answer

Rogue antivirus (scareware) displays fake warnings to trick users into paying for unnecessary software. The best approach is to boot into Safe Mode with Networking and run a legitimate malware removal tool, as the malware may block normal mode.

28
MCQ · medium

A technician is troubleshooting a Windows 10 workstation that displays a fake security alert claiming the system is infected and prompting the user to call a toll-free number. The user cannot close the alert window or open Task Manager. Which type of malware is causing this behavior, and what is the best removal approach?

A. It is a rootkit; use a rootkit removal tool from within Windows.
B. It is ransomware; pay the fee to remove the alert.
C. It is a tech support scam; boot into Safe Mode with Networking and run an anti-malware scan.
D. It is a worm; disconnect the network and reinstall the operating system.

Answer: C

Safe Mode prevents the scam from running, and an anti-malware scan can remove the associated files and registry entries.

Why this answer

This is a classic tech support scam, a form of scareware that locks the browser or desktop to trick users into calling a fake support number. The best removal approach is to boot into Safe Mode with Networking, then run a malware removal tool like Malwarebytes. This bypasses the malware's ability to block Task Manager and allows the technician to clean the system.

29
MCQ · medium

A technician is removing malware from a Windows 10 PC and wants to ensure that no remnants remain in the registry or startup folders. After running an antivirus scan and deleting infected files, which additional step should the technician perform?

A. Run the Windows Memory Diagnostic tool.
B. Check and clean startup entries using MSConfig or Autoruns.
C. Disable System Restore to free up disk space.
D. Update all device drivers to the latest versions.

Answer: B

Startup entries are a common persistence mechanism; cleaning them ensures the malware does not restart with the system.

Why this answer

After removing malware, it is critical to check and clean startup entries using tools like MSConfig or Autoruns to prevent the malware from reloading on reboot. Malware often adds entries to the registry Run keys or the Startup folder to persist. Simply deleting files may leave these entries intact, allowing the malware to reinstall itself.

30
MCQ · medium

A small business owner reports that all their employees are receiving emails from each other containing a link that, when clicked, downloads a file that installs a program that spreads to other contacts. The emails appear to come from known senders. What type of malware is this?

A. Virus
B. Worm
C. Trojan horse
D. Rootkit

Answer: B

A worm spreads independently, often by sending copies of itself through email or network connections.

Why this answer

A worm self-replicates and spreads automatically, often via email or network shares, without needing to attach to a host file. This behavior distinguishes it from a virus, Trojan, or rootkit.
