I spent half a day last weekend to help my friend to battle with a computer infected with trojans. Lots of them. They were persistent and difficult to remove. Malwares like AntiVirus 2008 or AntiVirus 2009 as described in this post were easier to remove compared with the ones I encountered last week. Basically, AntiVirus 2008 and AntiVirus 2009 are malware that uses scare tactics to make users to buy their own virus removal software. The ones I encountered at my friend’s house turned out to be a kind called “rootkit.”

According to wikipedia, “A rootkit is a software system that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised… An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system.” This is a serious threat.

The computer in question has a good working McAfee Virus scan and its On Access scan window keeps popping up saying that trojan was found and deleted. That’s how my friend found about their existence. The reason he asked my help was that it looks like it was catching the same gourp of files again and again, even though the virus scan said it had deleted them. Some of the files were in windows\system32\drivers. They were systemntmi.sys, amd64si.sys, i386si.sys, amd64si.sys, and lots of others.

So, there I was. Trying various other software. I tried Malwarebytes’ Anti-Malware. It found a bunch of infections. Like over 50. It said it had removed them. Reboot. Scanned again. Strange. It found them again. Removed. Reboot. I used Avast! Reboot. I used Trend Micro Rootkit Buster. Reboot. As I said earlier, the trojans were persistent. I decided to take a break at that point to do more research on the issue.

What I will do this weekend is to do an OS reinstall this weekend. As the wikipedia article says, “Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.”

Oh well. I’m looking at two system restore projects within a week!

Antivirus 2008 is malware and is becoming rampant. It is extremely annoying and oftentimes makes a computer unoperable with its pop-ups and fake warnings. According to Wikipedia, Malware is “software designed to infiltrate or damage a computer system without the owner’s informed consent.” Most people get infected with Antivirus 2008 by installing a fake codec for audio or video files or by installing software that hides malicious software in the package. You can remove Antivirus 2008 with free software called “Anti-Malware” by Malwarebytes. So, do not buy software that Antivirus 2008 recommends.

Infections
It has many variants but the main characteristics of this malware is to rely on scare tactics (about virus infection on the PC) and to convince the user to buy Virus removal software online. When Antivirus 2008 gets installed on a computer, it will start giving warnings about viruses on the computer. It will ask the user to scan the computer with Antivirus and will show the results. All the infections shown in the result window are actually fake, planted by Antivirus 2008 itself. When the user tries to remove infections, he/she will be notified that the removal capability is disabled with the free version of Antivirus and only the purchased version will be able to remove the infections.

Here are a few screenshots of the Antivirus warnings.

Removal
It is possible to remove Antivirus 2008 manually; however, it is a complicated process and can be intimidating if you are not familiar with computers. There is excellent software that can take care of Antivirus 2007/2008/2009 infections and other malware problems. The software is free for basic uses, and you don’t need to buy an upgraded paid version. Please go to Malwarebyte’s home page, download Anti Malware, install it, scan your computer, and follow the directions. I’ve used this software many times on my and my friend’s computer. It is effective and easy to use.

Additional software for precaution and regular maintenance
I also recommend to use Lavasoft’s Ad-Aware. One note of caution for this software is that their latest version seems to be a bit buggy, at least on my computer. This software scans for spyware and other malware that can cause problems.