At the risk of incurring the wrath of my buddy “Angry” Andy Parkes again by being too techie three blog posts in a row – we had an “interesting” problem reported by a client this morning that I thought I’d share.
Despite having a fully up-to-date and working Trend Worry Free Business Security client in place, they’d “somehow” got themselves infected with what they thought was a virus.
We won’t investigate the events leading up to the “somehow” but instead concentrate on what effect the infection had on the laptop.
In a nutshell the problem was that Internet Explorer kept intermittently re-directing their web-browsing to the dodgy search engine web-site windowsclick(dot)com.
We advised the client we could deal with the problem, and so grabbed our AV tools and went to work. Except none of our usual toolkit worked – both Trend and Symantec found no infections during Live Scans, and every time we tried to visit the Windows Update, Trend or Symantec sites, or run any other AV tool – nothing – the site or application simply failed to run at all. We got 404 errors or simply no GUI appearing.
We’d normally turn to a live environment such as Bart’s PE to kill the virus outside of an active Windows session, but in this case I was intrigued as to what was happening to prevent any AV tools from running.
A bit of research later and we found some reports of success using the tools provided by http://www.malwarebytes.org/ to clean this threat – and so off we went and grabbed a copy of their Anti-Malware application to see what it could find.
It installed ok on the infected laptop – but then failed to run, just like the other AV tools we had tried. So I tried something different – I renamed the Anti-Malware executable file slightly. Voila! This time the software loaded and allowed me to run an update, do a malware scan, find the baddies (in this case, a Virus called Rogue.XPPoliceAntiVirus) and remove them successfully.
So – I’m unsure whether any other tools would work in the same way, but in this particular case, simply installing Malwarebytes Anti-Malware and, after installation, renaming the executable mbam.exe within C:\Program Files\Malwarebytes’ Anti-Malware (in this case to mbyam.exe) worked a treat!
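As an added example (not from the original post, and not Malwarebytes’ own code), here is a PowerShell check a responder can run to confirm this kind of name-based blocking before deciding the machine needs an offline clean: it copies the tool under a random name in the same folder, tries to launch both the original and the copy, and compares the results. The tool path and the five-second wait are assumptions; run it elevated, since it writes to the install folder.

```powershell
# Added example: does a security tool launch only when its file name changes?
# Assumes $ToolPath is an installed tool (hypothetical default from the post).
param(
    [string]$ToolPath = 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'
)

function Test-Launch {
    param([string]$Path)
    try {
        # A blocked image either fails to start or exits at once with no window.
        $p = Start-Process -FilePath $Path -PassThru -ErrorAction Stop
        Start-Sleep -Seconds 5   # assumed grace period for the GUI to appear
        if ($p.HasExited) { return "exited immediately (code $($p.ExitCode))" }
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        return 'started and stayed running'
    } catch {
        return "failed to start: $($_.Exception.Message)"
    }
}

if (-not (Test-Path $ToolPath)) { throw "Tool not found: $ToolPath" }

# Same bytes, same folder, different name: only the file name varies.
$dir  = Split-Path $ToolPath -Parent
$name = [IO.Path]::GetRandomFileName().Split('.')[0] + '.exe'
$copy = Join-Path $dir $name
Copy-Item -Path $ToolPath -Destination $copy

$orig    = Test-Launch $ToolPath
$renamed = Test-Launch $copy
Remove-Item $copy -ErrorAction SilentlyContinue

"Original name ($(Split-Path $ToolPath -Leaf)): $orig"
"Renamed copy  ($name): $renamed"
if ($orig -notlike 'started*' -and $renamed -like 'started*') {
    'Result: execution is being blocked by file name. Treat the host as ' +
    'compromised, keep the launch errors for the incident record, and ' +
    'verify the clean-up with a scan from outside the running Windows session.'
}
```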
And another addition to the AV Toolkit – Malwarebytes’ Anti-Malware.