How to Remain Calm when an Infection is Detected

hjlbx

Thread author
Hello,

So your security software alerts that your system is infected. You try to use the antivirus' built-in disinfection/malware removal routine... and no dice - the infection remains.

What to do?

First typical response is: Panic!

You immediately freak-out and just want the infection removed. To make matters worse, you soon realize that posting on a malware removal forum can be a long drawn-out affair.

You want your system cleaned...and right now!

Really, no need to get bent out-of-shape as there is one thing that you can do to greatly reduce data theft risk until you can get to a malware removal assistance forum (like here at MalwareTips).

The approach I take is to treat any detected infection as active/live (whether it is or not).

You need to block the malware's ability to transmit data.

"I only have one PC and if I turn off the internet then I can't get on-line help," you say.

No problem. You don't need to completely disable the network - and thereby lose internet functionality.

However, if you have a second PC it would be best if you simply shut the infected PC down and didn't use it until you've enlisted the help of a malware removal expert.

The guide below is deliberately simplistic without covering all the intricate details and exceptions. It is the best you can do under the circumstances.

Following this simple guide you can generally block malware network access while at the same time preserving internet functionality. There are exceptions, and I'm sure someone will point that fact out. In any case, the important point is...

First-and-foremost the priority is to stop any malware from transmitting any of your valuable data:

Block all firewall traffic (both inbound/outbound) for the detected infection.

Go to your firewall interface and locate the application's rule. Set the malware's rule to "Block" or "Disable."

NOTE:

Locate the file name in the antivirus detection entry (log). It looks something similar (but not exactly) to these entries from a hypothetical Malwarebytes scan log:

Files Infected:

C:\Program Files\Microsoft Works\cpitv.dll (cpitv.exe in firewall rules)
C:\Program Files\Microsoft Works\pix1t3lkmv.js
C:\SWSetup\MSWorks\PFiles\MSWorks\Skype.exe
c:\WINDOWS\system32\antiwpal.vbs (tricky, Microsoft.exe in firewall rules)
c:\documents and settings\Cameron\local settings\application data\Install.exe
c:\system volume information\_restore{8b2f06d7-77fb-4358-8bf8-d0decbd3c1dc}\RP8\A0000921.Dll
c:\system volume information\_restore{8b2f06d7-77fb-4358-8bf8-d0decbd3c1dc}\RP8\A0000922.Dll

In this example, you would find all firewall rules that match the entries listed above (the executable named in parentheses, where one is given) and set them to "Block" or "Disable."

It is important to keep in mind there will not always be an identical or one-for-one match... or, as Alex points out below, there will be no firewall rules and/or the firewall will be disabled by the malware. In that case, the only protection option you have is to shut down the machine/sever the connection.

With a laptop you can enable "Airplane Mode" which turns off the network adapter. In this case you can use your PC, but there will be no internet.


Better to have no PC for a while than to have your bank account wiped out (worst-case scenario).

NOTE:

Do this step if a firewall rule remains even if the antivirus indicates that only "remnants" (e.g. registry entries) remain.

That's it.

Now get to the MalwareTips malware removal sub-forum!
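The procedure in the post (read the infected-file list out of the scan log, find the matching program in the firewall, set it to Block in both directions, and fall back to disconnecting if the firewall itself has been switched off) can be scripted. The following is an added example, not code from the original post or from MalwareTips; it assumes a Windows machine with the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt. The scan log embedded below is constructed for illustration from the hypothetical entries in the post; none of the paths are real detections.

```powershell
# Added example, not part of the original post. Assumes the NetSecurity module
# (New-NetFirewallRule, Get-NetFirewallProfile, ...) and an elevated prompt.

# Constructed scan log in the "Files Infected:" layout shown in the post (hypothetical paths).
$ScanLog = @'
Files Infected:
C:\Program Files\Microsoft Works\cpitv.dll
C:\Program Files\Microsoft Works\pix1t3lkmv.js
C:\SWSetup\MSWorks\PFiles\MSWorks\Skype.exe
c:\WINDOWS\system32\antiwpal.vbs
c:\documents and settings\Cameron\local settings\application data\Install.exe
c:\system volume information\_restore{8b2f06d7-77fb-4358-8bf8-d0decbd3c1dc}\RP8\A0000921.Dll
'@

function Get-InfectedFileEntries {
    # Parse the "Files Infected:" section into objects and classify each path by what the
    # firewall can do with it. The section ends at the next blank line.
    param([Parameter(Mandatory)][string]$LogText)

    $inSection = $false
    foreach ($line in ($LogText -split "`r?`n")) {
        $trim = $line.Trim()
        if ($trim -match '^Files Infected:') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($trim -eq '') { break }
        if ($trim -notmatch '^[A-Za-z]:\\') { continue }

        $ext = [System.IO.Path]::GetExtension($trim).ToLowerInvariant()
        if ($trim -match '(?i)\\system volume information\\') {
            $kind = 'RestorePoint'        # a restore-point copy, not a running program
        } elseif ($ext -eq '.exe') {
            $kind = 'Program'             # firewall program rules match executables
        } else {
            # A DLL or script never opens a socket itself; its host process does, and as the
            # post's own examples show (antiwpal.vbs vs Microsoft.exe) that host is not
            # always obvious. Flag it for a manual look rather than guessing.
            $kind = 'HostProcessUnknown'
        }
        [pscustomobject]@{ Path = $trim; Extension = $ext; RuleKind = $kind }
    }
}

function Block-InfectedPrograms {
    # Flip existing rules for each executable to Block and add explicit Block rules in both
    # directions. Supports -WhatIf, which is the sensible first run on an infected machine.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Entries)

    # The post's caveat: if the malware has disabled the firewall, rules achieve nothing.
    $disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($disabled) {
        Write-Warning "Firewall profile(s) disabled: $($disabled.Name -join ', '). Rules cannot help; pull the cable / use Airplane Mode and shut the machine down."
        return
    }

    foreach ($e in $Entries) {
        switch ($e.RuleKind) {
            'RestorePoint'       { Write-Verbose "Skipping restore-point copy: $($e.Path)" }
            'HostProcessUnknown' { Write-Warning "$($e.Path) is not an executable; identify the program that loads it and block that program's rule instead." }
            'Program' {
                if ($PSCmdlet.ShouldProcess($e.Path, 'Set existing firewall rules to Block')) {
                    # Stored rule paths may use %ProgramFiles%-style variables, so a miss here
                    # is not proof that no rule exists (the post's "no one-for-one match").
                    Get-NetFirewallApplicationFilter -Program $e.Path -ErrorAction SilentlyContinue |
                        Get-NetFirewallRule | Set-NetFirewallRule -Action Block
                }
                foreach ($dir in 'Inbound', 'Outbound') {
                    $name = "Quarantine-$dir-" + [System.IO.Path]::GetFileName($e.Path)
                    if ($PSCmdlet.ShouldProcess($e.Path, "Create $dir Block rule")) {
                        New-NetFirewallRule -DisplayName $name -Direction $dir -Program $e.Path `
                            -Action Block -Profile Any -Enabled True | Out-Null
                    }
                }
            }
        }
    }
}

$entries = Get-InfectedFileEntries -LogText $ScanLog
$entries | Format-Table Path, RuleKind -AutoSize
Block-InfectedPrograms -Entries $entries -WhatIf   # remove -WhatIf to apply the rules
```

Explicit Block rules are added as well as flipping the existing ones because in Windows Firewall a Block rule takes precedence over any Allow rule for the same program, so the quarantine holds even if a rule was missed. Everything else stays as the post advises: this only stops the named programs from talking, it does not clean anything, and if the firewall profiles report disabled the script refuses and tells you to disconnect instead.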
 
Alexstrasza

Hello there Big X (you'll probably recognize me from another forum),

Sometimes it's better just to cut the internet connection (pull the ethernet cable/switch off wifi) as some infections like Zbot can turn off your firewall entirely so no point in setting up rules.

And also do not try to run any more tools on your own - you might cause more damage to the machine than helping it!

That's all.

Regards,
Alex
 
hjlbx

Thread author
Hello there Big X (you'll probably recognize me from another forum),

Sometimes it's better just to cut the internet connection (pull the ethernet cable/switch off wifi) as some infections like Zbot can turn off your firewall entirely so no point in setting up rules.

And also do not try to run any more tools on your own - you might cause more damage to the machine than helping it!

That's all.

Regards,
Alex

Hello Alex,

Hehehehe... I was waiting for someone to point out an exception. You are absolutely correct.

That's why I suggested system shut-down if user has access to second machine.

However, most users only have 1 PC.

I only cover reasonable steps for the "typical" infection.

No way possible to cover every single type and what to do...

Thanks, Buddy !
 

frogboy

First off I would panic, but then, when calmed down, I would reboot and restore my PC with an image created less than a week ago, as I always back up at least once a week. I think we all should keep backups for this reason.
 
hjlbx

Thread author
First off I would panic, but then, when calmed down, I would reboot and restore my PC with an image created less than a week ago, as I always back up at least once a week. I think we all should keep backups for this reason.

My attitude is to reset or restore PC as I don't care if anything is lost. I have back-ups.

Average user, though... that is different story.

They have no back-up plan.

So they refuse to reset/restore.

"Restore? What's that?" :D
 

tallorder

First off I would panic, but then, when calmed down, I would reboot and restore my PC with an image created less than a week ago, as I always back up at least once a week. I think we all should keep backups for this reason.
First typical response is: Panic!
That's what I would do, and then: unplug! Have done that more than once when the router seemed taken over by outside forces! Then: look for answers...
 

jamescv7

Actually, in such an infection you will panic, because in the first place you ran a program where you already felt there was something wrong, and it happened because of curiosity.

Of course, System Restore will be your first step, but if it fails then do a full reformat, which is what some users who want to solve it immediately do. ;)
 

tallorder

Actually, in such an infection you will panic, because in the first place you ran a program where you already felt there was something wrong, and it happened because of curiosity.

Of course, System Restore will be your first step, but if it fails then do a full reformat, which is what some users who want to solve it immediately do. ;)
You are right! You will be in a panic from the word 'go', because usually there are little hints of infection, then a few more, then that sinking feeling: OMG!
 

Behold Eck

LOL! Espresso! With Scotch!

It's the scotch in the coffee that can lead to a serious computer infection in the first place. :D

Anyway, first thing after OMG, WTF... etc. I would run Hitman Pro as it's incredibly fast and accurate imo. If HMP gets unexpectedly closed down then I know it's pretty serious, and so next would be a reboot into an AV rescue CD, followed by a boot into Safe Mode with Networking for a Malwarebytes scan, and then back into the system proper and scan, scan, scan.

Regards Eck:)
 

Alexstrasza

I wouldn't use Safe Mode to scan unless the computer cannot boot into normal mode, as security solutions cannot load their drivers in Safe Mode and are thus less powerful.

One more tip for those that got hit with crypto ransomware: Don't format the HDD! If you are going to try and remove the ransomware yourself, only quarantine (don't delete) what the program found.

Why? Because there is a chance that a solution is found (as with CoinVault) and you might need the information from the ransomware (i.e. bitcoin wallet address, registry key). I've seen people with PClock getting frustrated because they reformatted or deleted the registry key needed to decrypt their files.

Also try to memorize the name (crypto ransomware have different names for their notes) or save a copy of the ransom note, as it can be useful in identifying what ransomware you had in case a solution becomes available for it later.
 

Behold Eck

I wouldn't use Safe Mode to scan unless the computer cannot boot into normal mode, as security solutions cannot load their drivers in Safe Mode and are thus less powerful.

This might be true for some full AVs, but I've never had a problem with on-demand scanners. Also, Safe Mode can stop the malware from loading its drivers and acting on your system, giving you the chance to locate and remove the infection without any interference.

Regards Eck:)
 

Alexstrasza

Depends on the malware - if you get Alureon 4th generation for example, then booting into Safe Mode won't change anything.

Do you know that Emsisoft products do not kill malicious processes before cleaning?
 

Tony Cole

I have a quick question. I run Kaspersky 2015, HitmanPro.Alert, Malwarebytes Pro, Malwarebytes Anti-Exploit Pro and CryptoPrevent Premium; is there anything else I can add to protect against CryptoLocker-type infections?
 

Behold Eck

Yep, some ransomware are still active in Safe Mode; that's why I'd try an AV rescue disc first before attempting anything else.

So long as the malware can't kill Emsisoft first, because that would be my worry, i.e. how good it or any AV is at protecting itself during an infection.

A self-protection rating chart for AVs might be a good thing?

Regards Eck:)
 

Behold Eck

I have a quick question, I run Kaspersky 2015, HitmanPro.Alert, Malwarebytes Pro, Malwarebytes Anti-Exploit Pro and CryptoPrevent Premium is there anything else I can add to protect against cryptolocker type infections?

Yes, keep any teenage relatives away from your system; otherwise I can't see much getting through your fortress-like defences.

Regards Eck:)
 

Azure

I have a quick question, I run Kaspersky 2015, HitmanPro.Alert, Malwarebytes Pro, Malwarebytes Anti-Exploit Pro and CryptoPrevent Premium is there anything else I can add to protect against cryptolocker type infections?
I'm going to assume it's the free version, right?
 