Reviews:
 ·Verizon Online DSL
1 edit | reply to K McAleavey
Re: Handyperson's guide to removal of SONY ROOTKIT Since this article has filtered down to a number of places that I don't have access to and since this seems to be the common reference, a few "expert opinions" offered by some others that don't do this to the degree that I do might put some folks into a position of being scared off. Therefore, wanted to stop back for a minute and further explain a few things in order to reduce people's concerns. I stand by the original directions and shall explain a few misguided concepts that I've seen on SpyBot's site and a few others.
In his original article, Russinoff (sp?) had mentioned that the "cure" provided by SONY was a truly bad idea in that THEIR solution actually tried to stop the ARIES.SYS, and in doing so could cause all sorts of bad things to potentially happen. Referring back to my instructions above, I had noted that the ARIES.SYS file is *not* protected and therefore you can simply delete it. This REMAINS correct. AND safe!
By deleting the file, and then rebooting, you are NOT stopping the so-called "service." It is already loaded into memory and executing from there. The file from which it starts is actually unprotected and irrelevant and therefore can be safely deleted without any impact on the system. Several people appear to be under the misimpression that we're stopping it, and just wanted to clarify that we're merely making it _missing_ upon the next reboot. And if it's not there, it can't start in the first place and therefore when you proceed after that reboot, no potential harm can occur. So the original instructions are quite safe to do.
I also wanted to explain that there is a way to avoid having to edit the REGISTRY as well if you leave TWO of the files in the package behind and DON'T delete them. The two files to leave INTACT if you don't feel up to registry editing are:
crater.sys and
$sys$cor.sys (this latter one is in system32\drivers)
The above two files will do nothing beyond passing their hooks back to the rest of your driver stack since there is no longer the DRMSystem executable to "talk to" after you've done your removals.
However, you DO have to do a process killing on two other files in order to delete those as well, and they're quite stubborn:
C:\WINDOWS\CDProxyServ.exe and
C:\WINDOWS\SYSTEM32\$sys$filesystem\$sys$DRMServer.exe
Once the above two have been shutdown and removed, then those remaining two files that are part of the Lowerfilter and Upperfilter in the registry can stay, and you won't have to edit the registry. Perhaps the free "killbox" utility will handle it, I'm used to our BOClean just handling this. But with those two gone, the remaining crater.sys and $sys$cor.sys are quite harmless for those who wish to avoid editing the registry.
Preferably, my original directions are what you want to do in order to completely rid the machine of this. However, for those who are timid (and for good reason) about editing the registry, this alternative means will get the job done and put the bad boy to sleep without having to do all of that registry editing as a result of the rest of this intrusion being removed. It's an acceptable "shortcut" for those so inclined. The remaining two pieces become inactive without their "hosts" and won't interfere with proper operation if left behind.
--
Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again)
»www.nsclean.com |
