Hello,
I haven’t posted much if at all here on this forum.
I just recently upgraded to Avast 5.0 from Avast 4.8.
Today while browsing on my laptop I came upon a website where a pop-up shows up and won’t
let you close down the site. I didn’t click "OK" but rather rebooted.
When it showed up again I decided I could be infected with some malware.
I ran a quick scan with my Avast and came up with three viruses.
I tried to move them to the chest but the access was denied.
I did a search and saw a suggestion to disable system restore and reboot.
Tried that. Re-scanned with Avast and the viruses were still there.
Ran a Full Scan with Malwarebytes, and there were NO viruses that showed up.
Did the same with Windows Defender, and there were NO viruses that showed up.
I did try a Boot-Time Scan and I was given an option when the viruses showed up: one of them moved to the chest,
the other one came up with "Do you really want to move this to the chest? This is part of a Windows folder."
I exited without deleting.
Thank you Evangelist for this information. Since it is not really a rootkit, would it harm my system to leave it on?
Malwarebytes and Windows Defender don’t seem to be bothered .
First, this got Sony into real hot water, by this underhand, morally corrupt act: they installed this rootkit on your system without your permission, simple fact. I have not bought another Sony product since that time, and that isn’t easy.
Yes, you should get rid of it. Once it was identified, it was/is possible for malware to actually hide from detection by taking advantage of the Sony rootkit to hide itself.
Sony were effectively forced to provide a removal tool to remove this, so I somehow doubt that its removal would stop certain CDs from Sony, unless those CDs were produced at the time of this Sony rootkit, which was many years ago. See this on how to check if your CD is affected: http://www.bleepingcomputer.com/forums/topic34904.html#oncd.
Read the Wikipedia Extended_Copy_Protection article that Jtaylor83 posted the link for.
I have a question. I’m just getting back to dealing with this DRM Sony virus. (It’s terrible when these things occur during a busy season such as Thanksgiving!)
The instructions give both a manual removal and the official patch removal.
I don’t see a manual removal for Vista. Also in the manual removal it says after rebooting to
Reboot your computer
Delete C:%WinDir%\system32\$sys$filesystem\aries.sys (Replace %WinDir% with the directory that Windows is installed in on your computer)
Where do I find this to delete and how do I replace with the %WinDir%
You don’t have to replace anything, it just means where windows is installed, which is likely to be just C:\Windows on your system. It is just used as a form of shorthand for wherever windows is, it could differ on other OSes.
Well I went in and followed the manual removal instructions.
Went to Run… and typed in sc delete $sys$aries, rebooted and ran the
Avast scan, and there they were… the same three problems showing up.
When I went onto the link you sent Evangelist, and chose the Removal tool by Sony,
it brought up a page with MULTIPLE options. What to choose…do you have a direct link for the patch?
I would say that the detection is likely to be good given what has been said about the Sony rootkit and the matching file names. The problem is that rootkits hide from the normal system applications like Explorer, which presumably you are using to try and find it.
Ensure that you have showing hidden files and folders enabled and hiding system files disabled in Windows Explorer: Tools, Folder Options, Hidden files and folders; also uncheck Hide extensions for known file types, etc. See image.
Whilst the above works for conventional hidden files, I don’t know if it will work for this or not.
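The manual-removal steps quoted earlier (expanding %WinDir%, the sc delete of the $sys$aries service, deleting aries.sys) and the last reply's point that Explorer's hidden-file settings may not reveal a rootkit-cloaked file can be checked from the command line before anything is deleted. The PowerShell script below is an added example written for this page; it was not posted in the thread and is not Avast's or Sony's tool. It only inspects, it does not remove. The service name $sys$aries and the system32\$sys$filesystem\aries.sys path are taken from the posts above; the probe-file test relies on the publicly documented behaviour of the XCP rootkit, which cloaks any file, process or registry key whose name begins with $sys$; the probe file name is my own choice.

```powershell
# Added example, not from the forum thread or from Avast/Sony.
# Read-only inspection for the Sony XCP (aries.sys / $sys$aries) artefacts.
# Run from an elevated PowerShell prompt. Nothing is deleted.
#
# Assumptions (not stated on the page): service name $sys$aries and driver
# path system32\$sys$filesystem\aries.sys come from the posts above; the
# cloaking probe relies on XCP hiding names that start with $sys$.

# %WinDir% in the instructions is just the environment variable that holds
# the Windows directory. PowerShell exposes it as $env:WinDir, so there is
# nothing to replace by hand; the "C:\Windows" guess in the thread is what
# it normally expands to.
$winDir = $env:WinDir

# Single quotes are essential here: in a double-quoted string PowerShell
# would try to expand $sys and $filesystem as variables and silently build
# the wrong path.
$driverDir  = Join-Path $winDir 'system32\$sys$filesystem'
$driverPath = Join-Path $driverDir 'aries.sys'

Write-Host "Windows directory : $winDir"
Write-Host "Expected driver   : $driverPath"

# 1. Service registration.
#    Use sc.exe explicitly. Inside PowerShell the bare word 'sc' is an alias
#    for Set-Content, so the thread's 'sc delete $sys$aries' only behaves as
#    intended from cmd.exe or the Run box, or as 'sc.exe delete ...' here.
#    A "not found" answer means either the service is absent or the SCM
#    view of it is being cloaked; it is not proof of a clean system.
Write-Host "`n[1] Service query for `$sys`$aries"
$svc = Get-Service -Name '$sys$aries' -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host "    Get-Service sees it, status: $($svc.Status)"
} else {
    Write-Host "    Get-Service does not see it"
}
sc.exe query '$sys$aries'

# 2. Driver file on disk.
#    -LiteralPath stops PowerShell treating characters in the name as
#    wildcards; -Force asks for hidden and system files as well, which is
#    the command-line equivalent of the Folder Options change in the thread.
Write-Host "`n[2] Driver file check"
if (Test-Path -LiteralPath $driverPath) {
    Get-Item -LiteralPath $driverPath -Force |
        Select-Object FullName, Length, LastWriteTime, Attributes
} else {
    Write-Host "    $driverPath not visible to a by-name open"
}
if (Test-Path -LiteralPath $driverDir) {
    Write-Host "    Directory listing of $driverDir (with -Force):"
    Get-ChildItem -LiteralPath $driverDir -Force | Select-Object Name, Length
}

# 3. Cloaking probe.
#    Create an empty file whose name starts with $sys$ in %TEMP%, then list
#    the directory. The Folder Options setting only controls which entries
#    Explorer shows you; a rootkit that filters directory enumeration hides
#    the entry from every program, -Force included. If the probe is missing
#    from the listing, the cloaking driver is still active.
Write-Host "`n[3] `$sys`$ prefix cloaking probe"
$probe = Join-Path $env:TEMP '$sys$probe.txt'
New-Item -ItemType File -Path $probe -Force | Out-Null
$listed = Get-ChildItem -LiteralPath $env:TEMP -Force |
          Where-Object { $_.Name -eq '$sys$probe.txt' }
if ($listed) {
    Write-Host "    Probe file is listed: no `$sys`$ cloaking observed"
} else {
    Write-Host "    Probe file NOT listed although it was just created: cloaking active"
}
# The probe can still be opened by name even when enumeration hides it,
# so clean it up the same way.
Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
```

If step 3 reports cloaking, a rescan that still shows the same three detections is the expected result until the driver is actually unregistered and removed; that is why the published instructions order the steps as service deletion, reboot, then file deletion, and why a scanner that does not look beneath the filter (as the thread notes for Malwarebytes and Windows Defender here) can report nothing.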