3 Replies Latest reply on Mar 22, 2010 9:47 PM by ryanjonesv

    Question about Firewall

      I have a huge problem, so I need a quick answer please. Apparently I downloaded a file that injected my PC with a virus, worm, whatever you call it. But it is now connecting to an outside IP which was not there. When I searched it, I found other users who had downloaded this file and also had the same connection ports open. I tried to shut the port down, but there are no settings on McAfee Total Protection 2010; the only options are restore default and turn on/off. Also, for some reason the firewall always says it's off if I go in to try to change settings, and the button says turn on. And the Windows 7 firewall is being controlled by McAfee, so I can't change those settings either. I need some help guys, please. I don't want to uninstall McAfee just to close that port because I'm scared there is an even bigger risk. Thanks in advance. Hoping to get a response soon.

       

      Windows 7 64 bit

      Mcafee Total Protection 2010

        • 1. Re: Question about Firewall
          Peacekeeper

          BTW, the firewall can block an IP; this is for the 2010 version.

          Go to web and email protection

          Firewall

          Connections and add the IP as blocked.

          Of course, with the firewall disabled, it is better to clear the virus first.

           

          I think you need to uninstall McAfee ASAP and reinstall. Do this via

          http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS100507

           

          BUT First follow the below steps

           

          Step 1: Ensure Windows and McAfee are up to date

          Run Windows Update, and also update your McAfee software. SecurityCenter must be green and show that protection is enabled. If it is red, please post what item shows not protected.

           

          Step 2: Run the FakeAlert Stinger

          The most common malware is referred to as FakeAlert. It looks like valid security software.

          1. Please read this and follow all instructions: Important notice if you think you have a virus
          2. Please also read this and follow all instructions: Recognizing and avoiding Rogue Software or FakeAlert Trojans

           

          If you're still having problems, try the following:

           

          Step 3: Run diagnostic scanners

          1. Restart your computer and press F8 repeatedly while booting up. You'll see a boot screen with choices.
          2. Using your cursor keys, select Safe Mode. Your PC will boot in a low resolution state and most processes will not be run.
          3. Go to My Computer (in XP) or Computer (in Vista / 2007).
          4. Right-click the hard drive and select Scan from the drop-down menu. You'll notice an extra taskbar icon. If you hover over it, it will display a progress report.
          5. After the scan completes, make a note of anything it detected.
          6. Run the Stinger you downloaded from the instructions above, but this time set the options to Report Only, and set Artemis to VERY HIGH.  
          7. Post to the community what (if anything) the Safe Mode scan reported, and also paste in the report from Artemis.

           

          Step 4: Submit a sample to McAfee Labs

          If you know which file is infected, please upload it using any of the methods described here: How to submit a sample to McAfee Labs.

           

          There is always a gap in protection between when a new threat hits the Internet and when a security vendor such as McAfee becomes aware of the threat and combats it. McAfee uses Artemis technology to narrow that gap, but if we miss something, we must receive a sample of it. It could be a new variant that hasn't been discovered yet. If we have a DAT for it, the automated system will send you that DAT. If we don't yet, your sample will be assigned to a McAfee Labs Engineer for investigation.

           

          Step 5: Remove the Virus:

          Self Virus Removal

          McAfee provides many free tools to assist you. In addition to our Virus Information Library: http://vil.nai.com/vil/default.aspx, where you can find information on thousands of viruses and malware, you can download diagnostic tools here: http://vil.nai.com/vil/averttools.aspx.

           

          There are also many freely available tools on the Internet. McAfee urges caution in their use and assumes no liability for them.

           

          Two of the most commonly downloaded tools are:

          http://www.malwarebytes.org/mbam.php (This can also be downloaded and run from Safe Mode with Networking Support)

          http://www.superantispyware.com/superantispywarefreevspro.html

          Be sure to use the free versions.

           

          IMPORTANT: Neither of these tools is intended for use as a full protection virus scanner. They are best used for specific times when new malware, or a new malware variant, has been released and conventional methods of removal have not worked.

           

          McAfee Assisted Virus Removal

          McAfee provides a fee-based Virus Removal Service which can be accessed here:

          http://service.mcafee.com/SpecializedServiceHome.aspx?lc=1033&sg=VR

          If no virus is detected, the fee will be refunded to you.

           

          Community Support

          Our volunteer and employee moderators are happy to assist you within our best efforts here in the community. Please perform the initial steps 1-3 above and post the reports they generate in your initial thread. That way hopefully, we can get right to the troubleshooting.

           

           

          Message was edited by: Peacekeeper on 21/03/10 8:27:59 PM
          • 2. Re: Question about Firewall

            I did just about everything you told me. The thing is, this coder is some real pro or something. I've done a scan with three scanners, McAfee, Kaspersky and VirusTotal, and it came out false positive. I have no clue what to do anymore. I'm no coder or anything, so I don't know how to fix this. I do know how it works because I saw a post in another blog from people who got the same virus from the same place, but apparently this guy changes his methods frequently, because different people have different connections to different ports in different ways. So I'm just completely lost. According to a person, the proof that it is a virus is that it writes itself into the following directories:
            %APPFOLDER% (c:/programm files) under the name ffqsdff and under the name Cerebrus or other names to which he changes frequently

            Both folders are hidden.
            The explorer.exe gets code injected.
            As soon as your explorer runs, your system establishes the connection to the IP address!!


            And no, the IP address is not an auth server, because as soon as you turn on your PC, the explorer.exe establishes the connection to the IP.

            I'm not sure if it's a worm or what, but I need to know how I can get rid of this or block the port from access. If McAfee has some options or programs specifically for this, or is this my problem now? Should I submit the file for inspection? Will McAfee clean it once it is aware of it? I'm just lost. I need some help; anything will be appreciated. Huge thanks in advance.
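
One way to check the claim in the post above that explorer.exe owns the outbound connection, as an added example that is not part of the original thread: it parses the text output of `netstat -ano` and `tasklist /fo csv /nh` and lists established TCP connections to non-local addresses for one process. The sample output, PIDs and the address 203.0.113.45 are constructed.

```python
import csv
import ipaddress

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    192.168.1.20:49160     203.0.113.45:8080      ESTABLISHED     1480
  TCP    192.168.1.20:49165     192.168.1.10:445       ESTABLISHED     1480
  TCP    192.168.1.20:49171     192.168.1.1:80         ESTABLISHED     2312
  TCP    [::]:135               [::]:0                 LISTENING       716
  UDP    0.0.0.0:5355           *:*                                    1100
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''"explorer.exe","1480","Console","1","45,120 K"
"firefox.exe","2312","Console","1","120,004 K"
"svchost.exe","716","Services","0","8,000 K"
'''
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_tasklist(text):
    """Map PID -> image name from CSV tasklist output."""
    rows = csv.reader(text.splitlines())
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def is_external(host):
    """True for addresses outside loopback, link-local and RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # "*" or a form this sketch does not handle
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return not any(addr in net for net in RFC1918)

def external_connections(netstat_text, tasklist_text, image="explorer.exe"):
    """Return (remote_host, remote_port, pid) for ESTABLISHED TCP rows of image."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue  # header, UDP and non-established rows
        host, _, port = f[2].rpartition(":")
        host, pid = host.strip("[]"), int(f[4])
        if names.get(pid, "").lower() == image and is_external(host):
            hits.append((host, int(port), pid))
    return hits

if __name__ == "__main__":
    for host, port, pid in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"explorer.exe (PID {pid}) -> {host}:{port}")
```

A file manager shell process holding a long-lived connection to an internet address right after logon is worth recording (address, port, PID) before any cleanup, since it is the detail a sample submission or support reply will ask for.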

            • 3. Re: Question about Firewall
              Peacekeeper

              Submit the file ASAP; the submission path is here. If they say nothing there, reply asking for deeper manual inspection and say why.

               

              I showed how to IP block, and port blocking can be done in a router, and system ports blocked by:

              Block access to an existing system service port

              You can close an existing port when you want to block remote network access for a system service on your PC.

              Task
              1. Open the Firewall settings page.
              2. Click Ports and System Services.
              3. From the list of system services, clear the checkbox next to the port that you want to close.
              4. Click Save.


              Unsure if this helps