What to do if infected file has been found?

Hi all,

delphinium has provided a highly valuable post on this board.

So I thought I would add some general instructions:

This is good advice for people who have been warned by their AV program that an infected file has been found.

What to do if infected file has been found?

Don't panic!
Open up a text editor like Notepad (or a similar application), or use a physical note pad, and write down detailed answers to the following questions according to the steps proposed.

1. What is your operating system version, including patch level? Which security software was installed at the time of the detection?
2. How was it detected? What was scanning: you yourself (on-demand), or the background / real-time / heuristics scanner?
3. When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.? A screen capture of the message as an image can be helpful, or note what the message says and where the suspicious file was detected. Visit the KB articles of the security software and see what it removed (only the detected file, or registry entries or other related files as well).
4. What was the source of the file; where did the file come from? E.g. address, URL, source. Was it reliable?
5. When was it downloaded or received? (I.e. newly downloaded, or did it reside on the system for a long time undetected?)
6. What is the exact file name, with extension?
7. What was the exact wording of the message that the AV program came up with? This is important for later. It can be found in the logs or history sections and may be in the Quarantine section also.
8. Now go back and do nothing yet. Scan the particular file once again with your AV product (update the AV before this step) to recheck for a false positive. If the message has the same wording, it may be a genuine alert. If the message is not in the same wording, or the scan does not find anything, this could be a false positive.
9. Check with an online scanner or upload to VirusTotal for a second opinion.

   VT resides at http://www.virustotal.com/index.html

10. Note: you can do a URL scan or a file scan. Also note the MD5 hash that is given further down the scan result page under "additional information". This can help to identify the malware file.
    URLs: other scan results can be found for a suspicious URL or link at:

        vscan    http://vscan.urlvoid.com/file/
        Sucuri   https://sucuri.net/

    FILES: for file scans, alternative scanners are:

        VirSCAN  http://virscan.org/
        Metascan http://www.metascan-online.com/

11. Go get informed: ask a Virus Encyclopedia or Virus Central. Remember Google is your best friend; also put a question on a forum.

12. Make an informed decision on the basis of what you have found.

13. Inform others about what you have learned. If the file came from a reliable source, author, programmer etc., send a friendly e-mail with your findings. If you send a suspicious file somewhere for detection, password-zip it as an attachment and put the password in the mail only if suggested. Most security product sites have their own method of submission. This will help everyone: in the case of a non-detection they will add it to the detection database for the next update, or in the case of a false positive remove it with the next virus definition update.

14. Do not play with malicious files. Handle them cautiously.
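As an added example (not part of the original post or of any AV vendor's tooling), here is a small Python script that records a suspicious file's identity for steps 5, 6 and 10 without opening or running it: it reads the file in chunks, so nothing is executed, and prints the name, extension, size, modification time and MD5/SHA-256 hashes as a note you can paste alongside your answers. The hashes can be compared with the ones VirusTotal shows for the sample (VirusTotal lists SHA-256 as well as MD5). The file path is an assumption supplied on the command line.

```python
"""Record a suspicious file's identity (hashes, name, size, timestamp)
for the checklist above, without opening or running the file."""
import hashlib
import os
import sys
import time


def _digests(chunks):
    """Feed byte chunks into MD5 and SHA-256 and return both hex digests."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data):
    """Return (md5, sha256) for an in-memory byte string."""
    return _digests([data])


def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5, sha256) for a file, reading it in chunks so large files
    do not have to fit in memory. Reading bytes never executes them."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def describe_file(path):
    """Collect the facts the checklist asks for (steps 5, 6 and 10) in one dict."""
    st = os.stat(path)
    name = os.path.basename(path)
    _, ext = os.path.splitext(name)
    md5, sha256 = hash_file(path)
    return {
        "file_name": name,
        "extension": ext.lower(),
        "size_bytes": st.st_size,
        "modified_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
        "md5": md5,
        "sha256": sha256,
    }


def format_note(info):
    """Render the dict as 'key: value' lines to paste into your note."""
    return "\n".join(f"{key}: {value}" for key, value in info.items())


if __name__ == "__main__":
    # Assumed usage: python describe_suspicious.py <path-to-suspicious-file>
    target = sys.argv[1] if len(sys.argv) > 1 else __file__
    print(format_note(describe_file(target)))
```

If you prefer not to run a script, the built-in tools `certutil -hashfile <file> SHA256` on Windows and `sha256sum <file>` / `md5sum <file>` on Linux and macOS give the same digests. Hash the file from its current location rather than copying it around, and keep MD5 only as a lookup key: two different files can share an MD5 hash, so SHA-256 is the value to quote when reporting.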

Courtesy: partially to polonus in the avast webforums, edited by me to include more detail and readability.