dave (replying to K McAleavey):
Re: Handyperson's guide to removal of SONY ROOTKIT

Quoting K McAleavey: "That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine."

This is incorrect, and I think it's a lot simpler to deal with it correctly.
ControlSets are not related to any user.
The various control sets are used by the last-known-good mechanism to recover from a configuration that's so borked up the system cannot run.
CurrentControlSet is a symbolic link to one of the ControlSetNNN keys, and it's the only one that's used.
The rest are just sitting there unused and won't do you any harm. There's no need to modify them, and in fact, I'd suggest that you don't do that - you're jeopardising your ability to recover from any editing mistakes you make in CurrentControlSet.
After having made all the changes suggested by Kevin, you should reboot and log in. At that point, the modified (Sony-free) CurrentControlSet will be declared to be the "last known good" configuration, and you're done. Old entries in other control sets aren't going to come back and haunt you, even if you have to use LastKnownGood for some reason in the future.
Was about to call it a night, but let's go back here for a second. ANY "control set" that is logged into will cause the fuzza to go copy itself to the OTHERS ... Our OWN answer to nasties of course, is the "current" ... however, the other "controlsets" will bear the mark of satan.
I was more concerned about the "I'm in here cleaning, let's get rid of it ALL" and if I see ANY of it, I'll complain. Heh. While you're correct, I was thinking more of the tin-foil brigade. I'm also one of those "it ain't running, it can't run, it cannot be a threat anymore even if some scanner finds the entrails and does that 'kitty with a mouse butt, it's a PRESENT! LOVE me!' thingy." Heh. But generally, folks want it GONE and seemingly prefer (so I see here) to go through all sorts of rituals to "make it gone." I'm merely trying to honor the apparent "rituals."
So yeah, a bit anal, but the procedure I self-tortured over does work the best for most people. And after you do the first one, it's like ... "been there, done that, know this" and folks feel better. But considered what the "norms" are for "gotta futz registry, w00t!" and went for it. (grin)
But like I said, if I didn't wear FULL METAL HELMET, there'd be folks wanging that I'm an asshat and don't know what I'm talking about should I suggest not to do *every* registry entry there might be. Again, "expected" ritual honors to the ghods of registry items lost. Heh. There's always a price on "free advice" and it tends to be charged to the giver. Moo.
(edit - refining choice of words in descriptions)
-- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)
www.nsclean.com
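The two posts above disagree on whether the non-current ControlSetNNN keys matter. The following read-only PowerShell snippet is an added example, not code from either poster or from the original guide: it resolves which ControlSetNNN the CurrentControlSet link points to (from HKLM\SYSTEM\Select) and reports whether a given service key exists in each control set, so you can see for yourself which copies are live and which are stale. The `$ServiceName` parameter is an assumption; substitute the key you are auditing.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt.
# Resolves the CurrentControlSet link and compares one Services key across
# every ControlSetNNN so the live copy can be told apart from the stale ones.
param([string]$ServiceName = 'ExampleService')   # assumption: placeholder key name

# HKLM\SYSTEM\Select holds the DWORD indexes used by the last-known-good mechanism.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
'Current={0} Default={1} LastKnownGood={2} Failed={3}' -f `
    $select.Current, $select.Default, $select.LastKnownGood, $select.Failed

# CurrentControlSet is a link to ControlSet<Current padded to three digits>.
$currentSet = 'ControlSet{0:D3}' -f $select.Current
$lkgSet     = 'ControlSet{0:D3}' -f $select.LastKnownGood
"CurrentControlSet -> $currentSet (LastKnownGood -> $lkgSet)"

# Enumerate every ControlSetNNN key and check the service key in each one.
Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $set  = $_.PSChildName
        $path = "HKLM:\SYSTEM\$set\Services\$ServiceName"
        [pscustomobject]@{
            ControlSet = $set
            IsCurrent  = ($set -eq $currentSet)   # the only set Windows actually uses
            IsLKG      = ($set -eq $lkgSet)       # what a LastKnownGood boot would load
            HasKey     = Test-Path -Path $path    # stale copy if present but not current
        }
    } | Format-Table -AutoSize
```

After a clean reboot, as dave describes, the Current index is also written to LastKnownGood, so a second run of this snippet should show the same set flagged in both columns.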