{"id":1039,"date":"2010-07-02T22:12:40","date_gmt":"2010-07-02T12:12:40","guid":{"rendered":"http:\/\/mingersoft.com\/blog\/?p=1039"},"modified":"2010-07-03T09:36:00","modified_gmt":"2010-07-02T23:36:00","slug":"when-all-else-fails-use-malwarebytes","status":"publish","type":"post","link":"https:\/\/mingersoft.com\/blog\/2010\/07\/when-all-else-fails-use-malwarebytes\/","title":{"rendered":"When All Else Fails, Use Malwarebytes"},"content":{"rendered":"<p>Today, a work colleague and friend of mine had an issue with her computer being overcome by a nasty piece of malware formally known as PolyCrypt and commonly disguised as &#8220;<a title=\"Remove Security Master AV (Uninstall Guide) | BleepingComputer.com\" href=\"http:\/\/www.bleepingcomputer.com\/virus-removal\/remove-security-master-av\" target=\"_blank\">Security Master AV<\/a>&#8221; (which looks a lot like the Windows Security Centre). The computer was still operational and remotely accessible via LogMeIn (which I have covered in a <a title=\"LogMeIn \u2013 Remote Desktop Made Easy | Boydo's Tech Talk\" href=\"http:\/\/mingersoft.com\/blog\/2010\/04\/logmein-remote-desktop-made-easy\/\" target=\"_blank\">prior blog post<\/a>).<\/p>\n<p>These days, there are so many vectors for malware to get into a computer. Not only do we have to think about the media that we insert into the computer like floppies (if anyone still uses them), optical discs, external hard drives and USB sticks, but also things that arrive over the Internet like e-mail, webpages, torrents and instant messages. Long gone are the days when computers operated in complete isolation.<\/p>\n<p>Malware can easily overrun your system by taking advantage of unpatched or undiscovered security holes in the software you use, including your browser, e-mail client and operating system. It only takes one piece of software to succumb to an exploit, even if everything else is fully patched, and all bets are off. 
That&#8217;s why it is really important to accept the Windows Update notifications at a minimum.<\/p>\n<p>Anyway, the malware in question had disabled McAfee (the resident antivirus) and had also suppressed Windows Defender (the resident anti-spyware software). I was not prevented from accessing the registry but I think this was due to the <a title=\"User Interface Privilege Isolation | Wikipedia\" href=\"http:\/\/en.wikipedia.org\/wiki\/User_Interface_Privilege_Isolation\" target=\"_blank\">User Interface Privilege Isolation (UIPI) functionality in Windows Vista<\/a>. This function prevents lower\u00a0privileged\u00a0processes (such as the malware) from controlling higher privileged ones.\u00a0Internet Explorer would also close as soon as it attempted to load a webpage, but I found a way around this by right-clicking on it then clicking on &#8220;Run as administrator&#8221; (which was then insulated from the malware as a result of UIPI).<\/p>\n<p>Eventually, I found the manual steps for removing PolyCrypt but thought that the system really needed a thorough inspection. Since the already\u00a0installed\u00a0anti-spyware was non-functional I had to find an alternative.<\/p>\n<p>Enter <a title=\"Malwarebytes' Anti-Malware\" href=\"http:\/\/www.malwarebytes.org\/mbam.php\" target=\"_blank\">Malwarebytes&#8217; Anti-Malware<\/a>.<\/p>\n<p>I used the free version in this instance, which provides the on-demand malware removal functionality; if you stump up US$25 for a license, it also unlocks\u00a0real-time\u00a0protection as well as scheduled scanning and updating. It can scan an entire system fairly quickly and provides detailed logs as to what was found as well as the steps it took to remove any discovered malware. It has yet to let me down when a system is riddled with viruses and other rubbish.<\/p>\n<p>At any rate, the affected system was back up and running later this morning (after a System Restore to fix the broken networking). 
However, you can only ever truly guarantee that a system is clean by reformatting and reinstalling from scratch or restoring from a known good backup (you are backing up, aren&#8217;t you?). However, to get by until that can be carried out, Malwarebytes&#8217; Anti-Malware is very useful.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, a work colleague and friend of mine had an issue with her computer being overcome by a nasty piece of malware formally known as PolyCrypt and commonly disguised as &#8220;Security Master AV&#8221; (which looks a lot like the Windows Security Centre). The computer was still operational and remotely accessible via LogMeIn (which I have &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/mingersoft.com\/blog\/2010\/07\/when-all-else-fails-use-malwarebytes\/\">Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[677,252,66,109,63,78,173,196,93,67,112,152,151,94,64,205,92,18,156],"tags":[686,2257,682,681,2258,2269,417,678,685,256,679,680,684,157,683,2279],"class_list":["post-1039","post","type-post","status-publish","format-standard","hentry","category-anti-malware","category-antivirus","category-bittorrent","category-browsers","category-communications","category-connectivity","category-email","category-flash","category-hard-drive","category-instant-messaging","category-internet-explorer","category-microsoft-operating-systems-technology","category-operating-systems","category-optical","category-p2p","category-security-technology","category-storage","category-technology","category-windows-vista","tag-anti-malware-2","tag-bittorrent","tag-e-mail","tag-floppy-disk","tag-instant-messaging","tag-internet-explorer","tag-logmein","tag-malware","tag-malwarebytes","tag-mcafee","tag-polycrypt","tag-security-master-av",
"tag-uipi","tag-windows","tag-windows-update","tag-windows-vista","item-wrap"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/posts\/1039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/comments?post=1039"}],"version-history":[{"count":0,"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/posts\/1039\/revisions"}],"wp:attachment":[{"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/media?parent=1039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/categories?post=1039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mingersoft.com\/blog\/wp-json\/wp\/v2\/tags?post=1039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}