 John2g Qui Tacet Consentit Premium join:2001-08-10 England | reply to Paranoid20004
Re: Handyperson's guide to removal of SONY ROOTKIT!
said by Paranoid20004:
said by K McAleavey: Next stop is the "Enum" area - IDE or SCSI depending on what you have...
An interesting writeup - but instead of editing registry entries to remove the crater.sys filter, why not use Windows Device Manager to delete the controller that the CD-ROM is connected to and then use "Add/Remove Hardware" to force Windows to redetect the CD-ROM and recreate the necessary registry entries? (mentioned in Castlecops: Hidden files and directories - DRM or trojan?). This should be far easier.
Yeah right!
-- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
 | reply to K McAleavey
Re: Handyperson's guide to removal of SONY ROOTKIT
I tried the first part of this, but once I remove aries my CD drives disappear! :( :( |
|
 ZOverLord Premium join:2003-10-20 Minneapolis, MN 1 edit | reply to John2g
Re: Handyperson's guide to removal of SONY ROOTKIT!
said by John2g:
said by Paranoid20004:
said by K McAleavey: Next stop is the "Enum" area - IDE or SCSI depending on what you have...
An interesting writeup - but instead of editing registry entries to remove the crater.sys filter, why not use Windows Device Manager to delete the controller that the CD-ROM is connected to and then use "Add/Remove Hardware" to force Windows to redetect the CD-ROM and recreate the necessary registry entries? (mentioned in Castlecops: Hidden files and directories - DRM or trojan?). This should be far easier.
Yeah right!
Agree, you would need to make DARN sure you had NO other filters installed on that CD/DVD drive otherwise, ANY software you had, and there are MANY that use filters for Backup, and CD/DVD burning.
Those filters may or may NOT be capable of being re-installed automatically when you go to use that software.
Here is a QUICK and Dirty utility that will LIST all your filters present, you can do the same using the device manager, but this is much easier.
»www.k0lee.com/dc3000/utils/devfilter.htm
It works for all Windows 32 bit systems. It will NOT remove anything, but it will show you what you have.
-- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
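The filter inventory recommended in the post above, done with a read-only PowerShell script. This is an added example, not part of the original thread and not the linked devfilter utility. It assumes a Windows system with PowerShell; the watch-list substrings are taken from names quoted in this thread and only flag entries for review.

```powershell
# Read-only inventory of filter drivers bound to CD/DVD devices. Nothing is modified.
# Run it before deleting a controller in Device Manager so you know which
# filters (burning, backup, etc.) may need their software reinstalled afterwards.
$cdromClass = '{4D36E965-E325-11CE-BFC1-08002BE10318}'   # standard CDROM setup class GUID
$classKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$cdromClass"
$enumRoots  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\IDE',
              'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
# Assumption: substrings of names quoted in this thread, used only to flag rows.
$watch      = '$sys$', 'crater'

function Get-FilterRows {
    param([string]$KeyPath, [string]$Scope, [string]$Device)
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    foreach ($kind in 'UpperFilters', 'LowerFilters') {
        foreach ($name in @($props.$kind)) {
            if (-not $name) { continue }          # value absent or empty
            $hit = $watch | Where-Object {
                $name.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
            }
            [pscustomobject]@{
                Scope   = $Scope
                Device  = $Device
                Kind    = $kind
                Filter  = $name
                Flagged = [bool]$hit
            }
        }
    }
}

# Class-level filters apply to every CD/DVD drive on the machine.
$rows = @(Get-FilterRows -KeyPath $classKey -Scope 'Class' -Device '(all CD/DVD drives)')

# Per-device filters sit on each instance key: Enum\<bus>\<device id>\<instance>.
foreach ($root in $enumRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $instances = Get-ChildItem -LiteralPath $root | Get-ChildItem -ErrorAction SilentlyContinue
    foreach ($inst in $instances) {
        $p = Get-ItemProperty -LiteralPath $inst.PSPath -ErrorAction SilentlyContinue
        if ($p.ClassGUID -ne $cdromClass) { continue }    # skip disks and other devices
        $label = if ($p.FriendlyName) { $p.FriendlyName } else { $inst.PSChildName }
        $rows += @(Get-FilterRows -KeyPath $inst.PSPath -Scope 'Device' -Device $label)
    }
}

$rows | Sort-Object Scope, Device, Kind | Format-Table -AutoSize
```

Keep the output: every unflagged row is a filter belonging to other software that may not come back automatically after the drive is redetected.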
 | reply to K McAleavey
It has recently come to our attention that some individuals and companies are offering various instructions and tools to uninstall the XCP content protection software from computers. Please be advised that we have already made available a proper uninstaller at »cp.sonybmg.com/xcp/english/updates.html. This is the only safe and secure method for removing the protection components of which SONY BMG is aware. SONY BMG assumes no responsibility for use of any other uninstaller tool or instructions.
For any questions about XCP content protection software used on SONY BMG discs please go to »cp.sonybmg.com/xcp/english/home.html.
Thank you.
SONY BMG |
|
 | Re: Handyperson's guide to removal of SONY ROOTKIT
That's a gutsy post! It has *recently* come to your attention?
Woof! I would not want to be in your damage control shoes, but good luck to you.
Does this one actually work without creating more security vulnerabilities?
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR | reply to sonybmg
And from recent events I don't think many people would want anything from Sony/BMG on or near their computers.
So you are accepting responsibility for the other uninstallers that Sony/BMG has put out that caused even more issues?
This has to be a troll post! |
|
|
|
 | said by jbob: This has to be a troll post!
No, I think it is really a *Sony* post, but I would be surprised if he posts a reply to our questions really. It sounds pretty canned and not very informative or interactive...as in *damage control*
We've been out here for weeks with no solution other than those that we have been able to come up with (no thanks to Sony)
Has someone tested this tool put out by Sony that they recently concocted?
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
 WFO Premium join:2001-08-27 San Ramon, CA | reply to K McAleavey
Sonybmg posted the same canned response over at PlanetAmd64.com. I haven't seen any independent confirmation their new tool works. Until then, I think Kevin posted the best solution for those afflicted.
-- Sager NP4750-V Mobile Athlon 64 3700+, Mobility Radeon 9700, 2GB RAM, 100GB Seagate 7200 rpm HD. 17" Widescreen WXGA TFT LCD Triple-boot x64, XP Pro x32 and Suse 10.0 |
|
 dave Premium,MVM join:2000-05-04 not in ohio | reply to sonybmg
said by sonybmg: This is the only safe and secure method for removing the protection components of which SONY BMG is aware.
Ah, it was implemented by the same engineering team that built your other uninstallers, then? Checked out by the same QA team?
I'm sure we're all filled with confidence that it's "safe and secure", since it's got the trustworthy Sony BMG seal of approval! |
|
 catseyenuAck Pfft Premium join:2001-11-17 Fix East | reply to sonybmg
Keep him covered boys while I go get a rope... |
|
 EGeezerSummertime Premium join:2002-08-04 Midwest | reply to sonybmg
Until I see proof positive from recognised independent sources that the newest remover works to my satisfaction, I'll just stick with their recommendations.
Also, with no EULA posted on the provided link, I have no idea what I'm agreeing to with that uninstaller until I've opened that untrusted zip file. That's too late for me. If there is a EULA for the uninstaller, please provide it. If you have no helpful answer, I consider this a troll post.
-- In Memoriam -NRK 1 FEB 1918 - 6 NOV 2005 B-17 pilot -50 missions over Europe and North Africa - 347th Squadron, 99th Bomb Group - Husband, Father, Grandfather, Great Grandfather, friend --- A knight and gentleman gone to peace |
|
 salzanExperienced Optimist Premium join:2004-01-08 WA State | reply to K McAleavey
Please install our latest rootkit
So now they've got some poor person going from site to site, registering and pasting that canned message. Imagine how many forums have threads about this mess.
I think it's called damage control |
|
 1 edit | reply to sonybmg
Re: Handyperson's guide to removal of SONY ROOTKIT
said by sonybmg: It has recently come to our attention that some individuals and companies are offering various instructions and tools to uninstall the XCP content protection software from computers. Please be advised that we have already made available a proper uninstaller at » cp.sonybmg.com/xcp/english/updates.html. This is the only safe and secure method for removing the protection components [|] of which SONY BMG is aware. SONY BMG assumes no responsibility for use of any other uninstaller tool or instructions. For any questions about XCP content protection software used on SONY BMG discs please go to » cp.sonybmg.com/xcp/english/home.html. Thank you. SONY BMG
[Emphasis and [|] added]
Just what do they really mean by "of which SONY BMG is aware"? What part of the sentence is it modifying?
1) Sony is aware that people will have liquids in their mouths while reading their above post.
2) Sony is also aware that damage to electronic equipment, work product papers, other valuable property, and nasal tissue, can, and will be caused by liquids expelled under pressure from such post readers' mouths, and noses...
Assuming this most ridiculous "assistance" flows from Sony, of course..... [edit: clarity, after wiping down monitor]
-- How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach |
|
 | reply to sonybmg
Based upon your challenge to *MY* honor with your post, I made it a point to test and examine your claim as to this "removal tool's functionality" and as a result, I am *compelled* by your comments to reply. I am greatly dishonored.
We took a pristine "lab rat" and installed the Van Zant album, "Get right with the man" once again. After installation was completed, we then applied the "complete removal" tool linked to in YOUR reply. And, after applying our own internal BOClean monitoring lab tools, we then followed the instructions to reboot.
IMMEDIATELY upon a reboot, after your "program" had completed its "removal" of the rootkit (we did not bother to opt for "removal of the cloaking" but rather opted for COMPLETE removal as claimed) BOClean INSTANTLY detected the existence of "SONYXCP" TROJAN (CDPROXYSERV.EXE) as SOON as the machine was rebooted, purportedly following COMPLETE removal. Repeated second detection occurred, whereupon it was removed.
*ALL* of the other files detected by BOClean remained, as well as ALL of the registry entries described in my written "Handyperson's guide to removal of SONY rootkit" REMAIN valid, and the alleged "removal" program offered by SONY/BMG is an absolute *LIE* ... your "removal tool" *FAILS* to remove the offending trojan.
For those who have our software, the reality remains that any claims that the official SONY removal tool is preferable to the use of BOClean or the manual removal steps we outlined, PARTICULARLY our insistence that if you are uncomfortable with registry editing, to LEAVE the "$sys$crater" and "$sys$cor" entries alone as they have no meaning unless your rootkit remains functional are *BOGUS* with respect to this so-called "removal tool."
It DOES NOT remove your rootkit, in fact it leaves it *COMPLETELY* operable.
BOClean HAS (since the summer of 2004) defeated this madness and defecation on people's computers. We are not ABOUT to remove detection and defeating of your trojan, particularly after this "dishonor" to my former employer's spirit. 
PERMISSION GRANTED to post this to other sites regarding this nonsense.
-- Kevin McAleavey support@nsclean.com (Makers of BOClean - BOClean means never having to do an HJT log again) »www.nsclean.com |
|
 4 edits | reply to sonybmg
Re: Handyperson's guide to removal of SONY ROOTKIT!
said by sonybmg: Please be advised that we have already made available a proper uninstaller at » cp.sonybmg.com/xcp/english/updates.html. This is the only safe and secure method for removing the protection components of which SONY BMG is aware.
Hey, thanks!
Everybody has had a field day with Sony BMG's handling of this issue but, of course, it's very reassuring to know that you are the only ones to provide a guaranteed cure for your infection.
We might as well ask the Sober guys for an AV signature for their product. It'd most surely be the most "safe and secure method".
Thanks a lot, but I've stopped buying Sony BMG's CDs, and so have my relatives, friends, neighbours and everybody I know who is interested in music. Some of them even say it's safer to download music from P2P than buying one of your CDs, what do you know?
At the end of the day, your masters might have done P2P the biggest favour since the original Napster.
Best regards -- From the GSV "Ethics Gradient" |
|
 | reply to K McAleavey
Re: Handyperson's guide to removal of SONY ROOTKIT
Sure 100% positive way to remove this pest. Low level Format drive |
|
 hamlet join:2001-05-23 Naval Air Station/ Jrb, TX | reply to Martinus
Thanks Kevin. I was looking at that Sony "removal program" site this morning and wondering whether it actually would work or not. Now I don't have to wonder.
Yes, I have a Sony computer infected with the Sony rootkit from the VanZant cd. I am also a BOClean user. I started to follow the manual removal instructions posted by Kevin, but found it a bit over my head after a while.
Oh, I also live in Texas, where the attorney general filed a lawsuit against Sony. Right now, I am waiting to see what happens with that lawsuit. Then I am going to simply reformat my computer and start from scratch.
This is very frustrating.  |
|
 jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR 1 edit | reply to K McAleavey
said by K McAleavey: BOClean HAS (since the summer of 2004) defeated this madness and defecation on people's computers. We are not ABOUT to remove detection and defeating of your trojan, particularly after this "dishonor" to my former employer's spirit. PERMISSION GRANTED to post this to other sites regarding this nonsense.
What's up with the removal of detection and defeating remark?
Whoops just noticed I misread the statement. I thought it said ABOUT to remove. I missed the NOT! Whew. I'm relieved. |
|
 WFO Premium join:2001-08-27 San Ramon, CA | reply to K McAleavey
Thanks Kevin! I was waiting for you or Mark to test the new removal tool and you confirmed my suspicions. |
|
 dave Premium,MVM join:2000-05-04 not in ohio | reply to K McAleavey
I sure hope sonybmg comes back here to discuss your findings in technical detail!
On the other hand, he's sure looking a lot like a drive-by poster... |
|