• Dec 2

    Ah. The annoyance started about 30 min. ago. AVAST!, Malwarebyte’s excellent software for detecting/removing malware, started to detect tons and tons of trojans, especially Win32:Delf-MZG, like crazy. I took it seriously and started a full scan. Then, it recommended doing a memory scan after a reboot. I did it. I chose to remove all the suspicious ones. I think it detected over 30. Most of the files were audio/video-related. Some DLLs for SUPER (video conversion software) and GoldWave (audio editor).

    I took a note …. Win32:Delf-MZG…. did a Google search after the reboot. It sounds like the update from AVAST! has some problem. Some people started to discuss it about an hour ago over at Yahoo Answers, and one poster suggested going to the AVAST user forum. Overall, it sounds like a lot of them are just false positives, but I’ll keep an eye on it. I’m heading to the AVAST/Malwarebytes’ site right now.

    It’s really annoying. It’s happening for many people today, Dec. 2nd, 2009 at around 10 p.m., U.S. Central time.

    Update
    Guess it was too late. It looks like all of the alerts were false positives. See this. I tried to use GoldWave and SUPER, but they didn’t work because I chose to delete the suspicious files. The deleted files are not in the recycle bin, so I need to reinstall those programs. So far, my laptop itself is working fine.

    So, ignore the AVAST warnings and take NO action. Do not choose to delete files!

  • Apr 16

    I spent half a day last weekend helping my friend battle a computer infected with trojans. Lots of them. They were persistent and difficult to remove. Malware like AntiVirus 2008 or AntiVirus 2009, as described in this post, was easier to remove compared with the ones I encountered last week. Basically, AntiVirus 2008 and AntiVirus 2009 are malware that use scare tactics to make users buy their own virus removal software. The ones I encountered at my friend’s house turned out to be a kind called a “rootkit.”

    According to wikipedia, “A rootkit is a software system that consists of a program, or combination of several programs, designed to hide or obscure the fact that a system has been compromised… An attacker may use a rootkit to replace vital system executables, which may then be used to hide processes and files the attacker has installed, along with the presence of the rootkit. Access to the hardware, e.g., the reset switch, is rarely required, as a rootkit is intended to seize control of the operating system.” This is a serious threat.

    The computer in question has a good working McAfee virus scan, and its On-Access scan window keeps popping up saying that a trojan was found and deleted. That’s how my friend found out about their existence. The reason he asked for my help was that it looked like it was catching the same group of files again and again, even though the virus scan said it had deleted them. Some of the files were in windows\system32\drivers. They were systemntmi.sys, amd64si.sys, i386si.sys, amd64si.sys, and lots of others.

    So, there I was. Trying various other software. I tried Malwarebytes’ Anti-Malware. It found a bunch of infections. Like over 50. It said it had removed them. Reboot. Scanned again. Strange. It found them again. Removed. Reboot. I used Avast! Reboot. I used Trend Micro Rootkit Buster. Reboot. As I said earlier, the trojans were persistent. I decided to take a break at that point to do more research on the issue.

    What I will do this weekend is an OS reinstall. As the Wikipedia article says, “Even if the nature and composition of a rootkit is known, the time and effort of a system administrator with the necessary skills or experience would be better spent re-installing the operating system from scratch.”

    Oh well. I’m looking at two system restore projects within a week!
