When faced with malware attack in progress how do you handle it?

legacy7955

New member
Power User
Local time
7:55 AM
Messages
293
I really haven't seen a good all-encompassing thread on this anywhere that I can think of.

For example, you go to visit what you think is a secure website; upon loading you notice that your browser starts to hiccup and freeze, and perhaps you see the dreaded PHONY 2012 Security boxes pop up.

How do you handle it?

Pull the power cord IMMEDIATELY?
Try to kill browser .exe in the task manager
Turn the system off with the power button?
Other approach?

Also when you go to restart the PC what line of attack do you use after booting in safe mode?

Really like to hear from the gurus on this too.

Thanks.
 

I would shut down and run Malwarebytes in Safe Mode or Windows Defender in Boot mode, or one of the other free AV rescue disks.

Then after repeat disinfection comes up clean, if necessary repair System Files.

You may have to do more repairs, System Restore, or even copy out your files to quarantine and then run Factory Recovery or Clean Reinstall.

All of the above steps have tutorials collected here: Troubleshooting Windows 7 Failure to Boot - Windows 7 Forums
 
@gregrocker:

But what would your preferred method of shut down be?

My logic tells me that although it is not great to pull the power cord, it is the fastest way you can stop the infection, because the moment the power is lost no more damage can be done. Correct?

Usually even pressing the power button the system takes a few seconds extra to react.
 

You can do a hard shut down by holding the power button so no more damage can be done if it's taking forever to Shut Down.

If this is a frequent thing I'd want to know why you're getting infected. Are you using MSE with Windows Firewall keeping Updates current? Running free Malwarebytes and perhaps SuperAntiSpyware scans monthly? If that's not enough I'd add Malwarebytes Real Time paid protection, and perhaps SAS as well.
 


Greg:

Just to let you know, I haven't been infected YET. I just want to refresh my recollection of what to do if, and when something like I mentioned above might happen.

I actually think that because I have been so diligent and cautious about preventing infection, I have forgotten the specifics of what to do when it might occur.
 

Everyone has different ways of handling virus attacks of the type that you have described. As for me, I am paranoid about viruses. I shall do the following.

01. I shall shut down the PC any which way. Perhaps by first disconnecting it from the Net, but it is not really important.

02. As I work with back-up images, I shall reboot the PC with the imaging boot CD and restore the immediately previous image. I should be up and running in about 10 to 15 minutes with all traces of the attacking virus gone.

03. I would then avoid the web-site that did me in like the plague.

04. I shall look into the possibility of changing my Anti-Virus Program that was not able to prevent the attack in the first place. Normally all good A-V Programs should have been able to do it.

If however I had not been working with images then I would still reformat the drive and do a clean re-install of Windows 7 and immediately create an image of it. After that I shall install all my third party programs like A-V, Word Processor etc., and when done create another image. This may take up to 6 hours or more depending upon how many third party programs one would have to install once again. With that done I would feel secure enough from any virus attack in the future that should most likely not have occurred if I was using a good A-V Program.
 
Depending on the type of attack (and you may not have the luxury of taking the time to figure it out unless it's obvious), I might be tempted to go for the network cable first. If you're on a wireless connection and are right next to the router I'd pull the power plug on that.
 

Most serious infections can require a Clean Reinstall, Factory Recovery or Reimaging - hopefully you have your latest data set backed up externally, since rescuing it from an infected install is risky in itself.

Wanchoo has a good reminder that the modern way to do reinstalls or recovery is to keep a System image of your installation so it can be back up and running in 20 minutes - then adding in the latest data set, or having it on another HD is even better.

Backup Complete Computer - Create an Image Backup
Macrium - Image your system
System Image Recovery
User Folders - Change Default Location
Library - Include a Folder - Windows 7 Forums
 

Using the keystroke combination "Alt+F4" will immediately close the window that has mouse focus. The benefit of using the keystroke combo is that it will not cause any background applications to close unexpectedly while processing data. The process of pulling the plug, and forcing all applications to close without properly shutting down, can create problems of its own.
 

I also recommend the ALT+F4 method; it has saved me from a fake AV scan. Sometimes using the X to close a window not only won't work but will "allow" the fake scan to keep on going. Physically disconnecting from the outside world any way you can is also a great idea.

Afterwards there are the previous good steps to follow, especially the scans in Safe Mode and then in Windows normally.
 

Slightly off-topic, but I've often wondered about the ALT+F4 keystroke. Does anyone know, for a fact, that it interacts directly with the operating system/kernel, bypassing any interaction/interception with the app/window itself? Kind of like the CTRL+ALT+DEL keystroke?

Back on topic, I would never attempt clicking any of the buttons on the offending window (the "X", cancel, close, or whatever). No telling what they've programmed those buttons to do. I would try ALT+F4 then Task Manager for the kill. I also like the idea of killing off the network connection.

Still have to look for the unusual though, even after you think you've killed it (as noted in the prior posts). Never know how much of the malicious code got downloaded.

If I think it would take a hard shutdown to truly kill it, I would do it.
 

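An added example, not posted by anyone in this thread: a PowerShell script for Windows 7 that carries out the containment steps discussed above in a fixed order. It first saves a process and connection snapshot (the evidence that is lost the moment you pull the plug), then disables every enabled network adapter through WMI, then terminates the browser processes. It assumes an elevated PowerShell prompt; the browser process list and the C:\incident folder are constructed placeholders, change them to suit. On the Alt+F4 question: Alt+F4 is only a keyboard shortcut that Windows turns into a WM_CLOSE message to the focused window, so the program's own code sees it first and may ignore it; Stop-Process -Force ends the process without asking, which is why the script uses that instead of sending a close request.

```powershell
# Added example (not from the thread): first-response containment on Windows 7.
# Assumptions: run from an elevated PowerShell prompt (PowerShell 2.0 or later);
# $BrowserNames and $LogDir are constructed placeholders, edit for your machine.
# Run as:  powershell -ExecutionPolicy Bypass -File .\contain.ps1

$BrowserNames = @('iexplore', 'firefox', 'chrome', 'opera', 'palemoon')
$LogDir = Join-Path $env:SystemDrive 'incident'      # e.g. C:\incident (constructed)
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Snapshot volatile state BEFORE killing anything. This is exactly what a
#    hard power-off throws away: which process owned which network connection.
netstat -ano | Out-File (Join-Path $LogDir "netstat-$Stamp.txt")
Get-Process | Sort-Object Id |
    Select-Object Id, ProcessName, Path |
    Out-File (Join-Path $LogDir "processes-$Stamp.txt")

# 2. Cut the network: disable every enabled adapter via WMI (works on Win7).
#    Remember which ones were touched so they can be re-enabled after the scans.
$Disabled = @()
Get-WmiObject Win32_NetworkAdapter -Filter "NetEnabled=True" | ForEach-Object {
    $result = $_.Disable()
    if ($result.ReturnValue -eq 0) {
        $Disabled += $_.Name
        Write-Host "Disabled adapter: $($_.Name)"
    } else {
        Write-Warning "Could not disable '$($_.Name)' (return code $($result.ReturnValue))"
    }
}
$Disabled | Out-File (Join-Path $LogDir "adapters-disabled-$Stamp.txt")

# 3. Kill the browser processes outright. Stop-Process -Force terminates the
#    process; the window's own close handler never gets a say, unlike Alt+F4,
#    which only sends a WM_CLOSE that the program is free to ignore.
foreach ($name in $BrowserNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host ("Terminating {0} (PID {1})" -f $_.ProcessName, $_.Id)
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
}

# 4. Leave the machine off-line. The next step is the Safe Mode scan or the
#    image restore discussed in the thread. To reconnect afterwards, re-enable
#    only the adapters named in the saved list, for example:
#    Get-WmiObject Win32_NetworkAdapter | Where-Object { $Disabled -contains $_.Name } |
#        ForEach-Object { $_.Enable() | Out-Null }
Write-Host "Containment done. Evidence and notes saved under $LogDir"
```

The snapshot step is the part most people skip: once the browser is dead and the cable is out, the netstat output and process list are the only record of what was talking to where, and that is what decides between "a fake scanner pop-up" and "something got installed".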
For me, I simply just terminate everything running in Sandboxie. Since I run most of my internet-facing programs in Sandboxie, I don't really have to worry about it getting through.
 

Yes, flush Sandboxie and get back to surfing:D
 

Hi Legacy7955.. that thought came to my mind too.. I use this addon, it works for FF & IE9, not sure on other browsers.
It shows safe sites, bad, caution: Safe Browsing Tool | WOT (Web of Trust) :)
 

Hi there

One good reason for only ever connecting to the Internet via a "Virtual Machine": if it becomes infected, then just delete that VM and load up a new one.

However it's not possible for a lot of people.

On Malware - I'd just boot from a bootable backup / restore program like Acronis, delete your old OS and restore a known virus free image.

That's why it's important to have decent backups taken regularly.

I DON'T EVER trust any malware removal software -- how do you know what the malware has done BEFORE it's removed?

Imagine you had to repair a power cable but the only tool you had was one where the electrical insulation was faulty.
Would you use the faulty tool to repair the cable?

Same with your computer -- would you allow an OS that had been compromised in some way to be used to "Repair itself".

I would never trust a computer that had been infected and "cleaned". Only a fresh install or restore from a clean backup would satisfy me.

IF you take decent backups a RESTORE should only take around 15 mins -- job done.

Q.E.D

(MSE does a decent job IN REAL TIME protecting against this sort of stuff. Post analysis software is USELESS -- unless protection is done in REAL TIME you might just as well not bother with A/V software at all).


Cheers
jimbo
 
