Disconnect the local network from the Internet immediately.
Kill the local network or block ports that are commonly used by malware (see the description of the malware that you are disinfecting, or of a similar one, on our Virus Description Pages), and disable network file and printer sharing.
If this is not possible or malware is already detected by F-Secure Anti-Virus, set the on-access scanner to "Disinfect Automatically" on all computers. This will protect clean workstations from re-infection.
However, this is not an ideal method, because the malware will still try to spread itself. If it uses exploits (the LSASS exploit, for example), many computers in the local network will keep restarting, which makes disinfection more difficult.
Scan all computers with F-Secure Anti-Virus and the latest updates. If some workstations do not have the latest updates, transfer them via removable media. The files with the latest updates can be downloaded from:
• Tools & Services | Definition Databases
If F-Secure Anti-Virus is not detecting your malware infection, please attempt to locate the malware's file or files and send them to our Security Lab for analysis.
• Sample Analysis System
Malware files usually generate a large amount of network traffic, occupy a lot of system resources, install themselves to Windows or Windows System folders and create startup keys for their files in the System Registry. If you are unable to find any malicious files, please send a message to our Support Team describing the virus incident and ask for instructions on locating an unknown malware.
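An added example, not part of the original instructions and not an F-Secure tool: it parses saved `reg query` output for a startup key and lists the entries whose executable sits directly in a Windows or Windows System folder, the two indicators named above. The sample output, the value names and the default folder locations in `ENV` are constructed assumptions.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the HKLM Run key (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray       REG_EXPAND_SZ    %ProgramFiles%\Example AV\tray.exe
    svc_example       REG_SZ    C:\WINDOWS\svc_example.exe
    Updater           REG_SZ    "C:\Program Files\Example\update.exe" /silent
    netsvc_example    REG_EXPAND_SZ    %SystemRoot%\system32\netsvc_example.exe -start
"""

# Assumed default locations; adjust to the values on the host being triaged.
ENV = {"systemroot": r"C:\WINDOWS", "windir": r"C:\WINDOWS",
       "programfiles": r"C:\Program Files"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}

# A value line is indented: name, then REG_SZ or REG_EXPAND_SZ, then the command.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")
# Executable part of the command: a quoted path, or text up to the first extension.
EXE_PATH = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|dll|scr|com|bat|pif))(?=[\s,]|$)', re.I)


def expand(data):
    """Expand %VAR% references using the assumed ENV table; unknown ones are kept."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), data)


def startup_entries(reg_output):
    """Yield (value name, executable path) for each string value in the output."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe = EXE_PATH.match(expand(m.group("data").strip()))
        if exe:
            yield m.group("name"), ntpath.normpath(exe.group(1) or exe.group(2))


def review_list(reg_output):
    """Entries whose executable sits directly in a Windows or Windows System folder."""
    return [(name, path) for name, path in startup_entries(reg_output)
            if ntpath.dirname(path).lower() in SYSTEM_DIRS]


if __name__ == "__main__":
    for name, path in review_list(SAMPLE):
        print(f"review: {name} -> {path}")
```

Windows itself and legitimate software also register startup entries in these folders, so the result is a list of files to examine, not a verdict.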
For certain malware we have special disinfection tools. Please see the description of the malware that you are disinfecting for links to disinfection tools, or check our removal tools page:
• Removal Tools
Disinfect all infected computers. F-Secure Anti-Virus will rename all infected files. If renaming could not be performed when using the "Disinfect Automatically" action, please use the "Rename" disinfection action. You can use the "Delete" disinfection action as well; just make sure that no important files are deleted (mailboxes, for example, as antivirus software can sometimes find infected messages within them).
Restart cleaned computers and delete the renamed infected files. It is recommended to scan clean computers one more time to make sure that no infected files are left.
If some infected files ended up in the System Restore folders, System Restore needs to be temporarily disabled and the computer has to be restarted. After the restart, the infected files inside the System Restore folders should be gone. Instructions on how to disable the System Restore feature are available from Microsoft:
• Instructions for Windows XP
• Instructions for Windows Vista
Install a firewall on the Internet gateway, or on all workstations if a gateway firewall is not available. If you already have a firewall, configure it to block ports used by malicious software (except commonly used ports, e.g. port 80).
Install all the security patches and service packs on all workstations that do not have them. This is very important to prevent further re-infections.
If you were hit by a malware that spreads to network shares or by a password-stealing trojan, please change passwords for all important applications and set strong passwords for shared network resources.
Re-connect to the local network and enable the Internet connection. Monitor traffic for a period of time to make sure that the infection doesn't return.
BE SURE