hjlbx
Thread author
Hello,
So your security software alerts that your system is infected. You try to use the antivirus' built-in disinfection\malware removal routine...and no dice - the infection remains.
What to do?
First typical response is: Panic !
You immediately freak-out and just want the infection removed. To make matters worse, you soon realize that posting on a malware removal forum can be a long drawn-out affair.
You want your system cleaned...and right now!
Really, no need to get bent out-of-shape as there is one thing that you can do to greatly reduce data theft risk until you can get to a malware removal assistance forum (like here at MalwareTips).
The approach I take is to treat any detected infection as active\live (whether it is or not).
You need to block the malware's ability to transmit data.
"I only have one PC and if I turn off the internet then I can't get on-line help," you say.
No problem. You don't need to completely disable the network - and thereby lose internet functionality.
Although, if you have a second PC it would be best if you simply shut the infected PC down and didn't use it until you've enlisted the help of a malware removal expert.
The guide below is deliberately simplistic without covering all the intricate details and exceptions. It is the best you can do under the circumstances.
Following this simple guide you can generally block malware network access while at the same time preserving internet functionality. There are exceptions - and I'm sure someone will point that fact out. In any case, the important point is...
First-and-foremost the priority is to stop any malware from transmitting any of your valuable data:
Block all firewall traffic (both inbound/outbound) for the detected infection.
Go to your firewall interface and locate the application's rule. Set the malware's rule to "Block" or "Disable."
NOTE:
Locate the file name in the antivirus detection entry (log). It looks something similar (but not exactly) to these entries from a hypothetical MalwareBytes scan log:
Files Infected:
C:\Program Files\Microsoft Works\cpitv.dll (cpitv.exe in firewall rules)
C:\Program Files\Microsoft Works\pix1t3lkmv.js
C:\SWSetup\MSWorks\PFiles\MSWorks\Skype.exe
c:\WINDOWS\system32\antiwpal.vbs (tricky, Microsoft.exe in firewall rules)
c:\documents and settings\Cameron\local settings\application data\Install.exe
c:\system volume information\_restore{8b2f06d7-77fb-4358-8bf8-d0decbd3c1dc}\RP8\A0000921.Dll
c:\system volume information\_restore{8b2f06d7-77fb-4358-8bf8-d0decbd3c1dc}\RP8\A0000922.Dll
In this example, you would find all firewall rules that match the red-highlighted entries and set them to "Block" or "Disable."
It is important to keep in mind there will not always be an identical or one-for-one match... or as Alex points out below, there will be no firewall rules and/or firewall will be disabled by malware. In that case, the only protection option you have is to shut down the machine\sever the connection.
With a laptop you can enable "Airplane Mode" which turns off the network adapter. In this case you can use your PC, but there will be no internet.
Better to have no PC for a while than to have your bank account wiped out (worst-case scenario).
NOTE:
Do this step if a firewall rule remains even if the antivirus indicates that only "remnants" (e.g. registry entries) remain.
That's it.
Now get to the MalwareTips malware removal sub-forum !
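One way to carry out the rule step from the post on a current Windows host, as an added example that is not part of the original post: it assumes Windows 8 / Server 2012 or later (the built-in NetSecurity PowerShell module) and an elevated session; the file paths in the list are constructed samples taken from the hypothetical log above, not real detections.

```powershell
# Added example: given file paths copied from an AV detection log, disable any
# Windows Firewall rule whose program has the same file name, then add explicit
# inbound and outbound Block rules for the path. Block rules take precedence
# over Allow rules in Windows Firewall, so this holds even if an Allow rule is
# later re-enabled. Run from an elevated PowerShell prompt.

# Constructed sample input (from the hypothetical scan log in the post).
$detected = @(
    'C:\Program Files\Microsoft Works\cpitv.dll',
    'C:\SWSetup\MSWorks\PFiles\MSWorks\Skype.exe'
)

# As the post warns, malware may have switched the firewall off entirely; in
# that case no rule can help and the network should be severed instead.
$off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning ("Firewall disabled for profile(s): " + ($off.Name -join ', ') +
        " - rules will have no effect; disconnect the machine instead.")
}

foreach ($path in $detected) {
    $name = [System.IO.Path]::GetFileName($path)

    # 1. Find existing rules by program file name rather than full path: the
    #    post notes the match is not always one-for-one. A .dll/.js/.vbs is
    #    not itself a program, so its rule (if any) sits on the host process
    #    and will not match here; those are the cases to report for a human.
    $filters = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and
            ([System.IO.Path]::GetFileName($_.Program) -ieq $name) }
    if (-not $filters) {
        Write-Host "No firewall rule references '$name' - check its host process manually."
    }
    foreach ($f in $filters) {
        $rule = $f | Get-NetFirewallRule
        Write-Host "Disabling rule '$($rule.DisplayName)' for $($f.Program)"
        $rule | Set-NetFirewallRule -Enabled False
    }

    # 2. Add explicit Block rules for the path in both directions (idempotent).
    foreach ($dir in 'Inbound', 'Outbound') {
        $ruleName = "Quarantine block ($dir): $name"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction $dir `
                -Program $path -Action Block -Profile Any | Out-Null
            Write-Host "Created '$ruleName'"
        }
    }
}
```

Review the rules afterwards with `Get-NetFirewallRule -DisplayName 'Quarantine block*'`; they are meant to stay until the removal-forum helper has finished with the machine.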