Sony DRM Rootkit

4,591 bytes added, 00:53, 24 August 2010

An interesting part of the rootkit is the $sys$DRMServer service created by its installation. This pseudo system service is not a true service and does not respond to the 'NET STOP' command. Once the part of the DRM rootkit that hides the files from you is disabled, you will be able to see a $sys$filesystem directory in the system32 path under c:\windows which contains the pseudo service along with other embedded files.

This is a very touchy process; if it is executed incorrectly, your system could be rendered unbootable. This process is not guaranteed by any means, and due to variants and reports of opportunistic viruses, even if executed correctly, something could go wrong. Be advised before you begin, and make sure you have completed a comprehensive system backup.

[http://www.dslreports.com/forum/remark,14817570 Handyperson's guide to removal of SONY ROOTKIT] best illustrates the manual removal process. Credit goes to Kevin McAleavey, who posted this guide on an Internet forum. It is imported here for permanent retention.

* Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!
* In "WBEM\WDM" you'll spot some UUIDs and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!
* The next stop will be under various "ControlSet00x" keys. You'll stop at the "CoDeviceInstallers" ... for each "$sys$caj.dll" you encounter. Usually it is the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for a UUID where it appears and do NOT delete anything else.
* Next is the "Enum" area - IDE or SCSI depending on what you have. Look for an entry on the right side that says "LowerFilters" ... but don't delete anything. Double-click on the "LowerFilters" name. That will bring up an EDIT screen.
: In the EDIT screen, what you need to do is move the cursor up to where it says "$sys$crater" and CAREFULLY remove it, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS but could be something else, and more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. The objective is to leave everything ELSE intact and JUST lose $sys$crater!
:* Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater," then you can DELETE it, but usually the "LowerFilters" has another item. Make certain that the top item isn't blank!
* Now search to "UpperFilters" and remove "$sys$cor." If "$sys$cor" is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater." Each system is different and thus the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor".
:* Be careful not to remove anything else or you will lose access to your CDROM drive(s).
::* $sys$cor will show up in other places, under the name "ActiveChannel." You can DELETE that whole value too.
::* ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED as LONG AS there are no other "dependencies" listed.
::* If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor ...
* Search to the "ROOT" entries! You'll see the following KEYS which need to be deleted:
:* LEGACY_$SYS$ARIES
:* LEGACY_$SYS$DRMSERVER
:* LEGACY_$SYS$LIM
:* LEGACY_$SYS$OCT
::* Just delete the entire KEYS themselves, so the above are GONE.
* Search to the "SERVICES" entries! You'll see the following keys next:
:* $sys$aries
:* $sys$cor
:* $sys$crater
:* $sys$DRMServer
::* Just delete the entire KEYS themselves, so the above are GONE.
* That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" are on the machine.
* Click on the HKEY_LOCAL_MACHINE hive and select PERMISSIONS from the dropdown menu and remove the checkbox for "everybody" that granted "everyone" "FULL CONTROL."
* Reboot the system.
* When the system comes back up, GO to that $sys$filesystem folder and delete the remainder - you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:
:* $SYS$CAJ.DLL
:* $SYS$UPGTOOL.EXE

It is a lot of work and a bit risky to your system, but you have completed the removal process.
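The registry steps above come down to three kinds of decision: delete a whole key (the Services and Enum\Root entries), delete a whole value (a LowerFilters/UpperFilters or ActiveChannel value that holds nothing but a $sys$ name), or edit a REG_MULTI_SZ value so that only the $sys$ line disappears and everything else, normally IMAPI, is pulled up and kept. The Python below is an added example; it is not part of this page or of Kevin McAleavey's guide and it never touches a live registry. It models those decisions against a constructed dictionary standing in for a handful of HKLM\SYSTEM keys (the device instance id, the Control\Constructed key and the ImagePath data are made up for the example), so the rules can be checked offline. It generalises the guide slightly by treating any multi-string line that begins with $sys$ the way the guide treats $sys$crater and $sys$cor, which also covers the $sys$caj.dll entry in CoDeviceInstallers.

```python
"""Offline model of the registry clean-up decisions in the guide above.

Added example, not part of the wiki page or Kevin McAleavey's guide. It never
touches a live registry: the "hive" is a plain dict standing in for a few
HKLM\\SYSTEM keys, so the three kinds of decision the guide describes can be
exercised and checked first.
"""
import copy
from typing import Any, Dict, List, Tuple, Union

RegValue = Union[str, List[str]]            # REG_SZ or REG_MULTI_SZ
Hive = Dict[str, Dict[str, RegValue]]       # key path -> {value name: data}
Action = Tuple[Any, ...]                    # ("delete_key", path) etc.

# Keys the guide says to delete outright (under Services\ and Enum\Root\).
ROOTKIT_KEYS = {
    "$sys$aries", "$sys$cor", "$sys$crater", "$sys$drmserver",
    "legacy_$sys$aries", "legacy_$sys$drmserver", "legacy_$sys$lim", "legacy_$sys$oct",
}


def is_rootkit_line(line: str) -> bool:
    """Any line beginning with $sys$ ($sys$crater, $sys$cor, $sys$caj.dll ...)
    is treated as the rootkit's; this generalises the guide's two filter names."""
    return line.strip().lower().startswith("$sys$")


def clean_filter_value(filters: List[str]) -> Tuple[str, List[str]]:
    """LowerFilters/UpperFilters rule: take out only the $sys$ lines.

    Returns ("keep", unchanged), ("edit", remaining lines) or
    ("delete_value", []) when nothing but rootkit lines was present.
    Blank lines are dropped so the top item is never left empty.
    """
    if not any(is_rootkit_line(f) for f in filters):
        return "keep", list(filters)
    kept = [f for f in filters if f.strip() and not is_rootkit_line(f)]
    return ("edit", kept) if kept else ("delete_value", [])


def plan_cleanup(hive: Hive) -> List[Action]:
    """Turn the guide's per-key instructions into concrete actions."""
    plan: List[Action] = []
    for path, values in hive.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf in ROOTKIT_KEYS:
            plan.append(("delete_key", path))          # whole key goes
            continue
        for name, data in values.items():
            if isinstance(data, list):                 # REG_MULTI_SZ: edit or delete
                action, new_data = clean_filter_value(data)
                if action == "edit":
                    plan.append(("set_value", path, name, new_data))
                elif action == "delete_value":
                    plan.append(("delete_value", path, name))
            elif is_rootkit_line(data):                # REG_SZ holding just $sys$cor
                plan.append(("delete_value", path, name))
    return plan


def apply_plan(hive: Hive, plan: List[Action]) -> Hive:
    """Apply the plan to a copy of the hive and return the result."""
    result = copy.deepcopy(hive)
    for action in plan:
        kind, path = action[0], action[1]
        if kind == "delete_key":
            result.pop(path, None)
        elif path in result and kind == "delete_value":
            result[path].pop(action[2], None)
        elif path in result and kind == "set_value":
            result[path][action[2]] = action[3]
    return result


def residual_sys_references(hive: Hive) -> List[Tuple[str, str]]:
    """Anything still mentioning $sys$ (key path, value name or data) was missed."""
    found: List[Tuple[str, str]] = []
    for path, values in hive.items():
        if "$sys$" in path.lower():
            found.append((path, ""))
        for name, data in values.items():
            text = " ".join(data) if isinstance(data, list) else data
            if "$sys$" in (name + " " + text).lower():
                found.append((path, name))
    return found


# Constructed snapshot: the device instance id, the Control\Constructed key and
# the ImagePath data are made up; only the $sys$ names and the filter layout
# follow the guide.
SAMPLE_HIVE: Hive = {
    r"SYSTEM\ControlSet001\Enum\IDE\CdRom_constructed\5&1a2b3c&0&0.0.0": {
        "Class": "CDROM",
        "LowerFilters": ["$sys$crater", "imapi"],      # edit: keep imapi
        "UpperFilters": ["$sys$cor"],                  # only entry: delete value
    },
    r"SYSTEM\ControlSet001\Control\Constructed": {"ActiveChannel": "$sys$cor"},
    r"SYSTEM\ControlSet001\Services\imapi": {"ImagePath": r"<constructed>\imapi.sys"},
    r"SYSTEM\ControlSet001\Services\$sys$DRMServer": {
        "ImagePath": r"C:\WINDOWS\system32\$sys$filesystem\<constructed>",
    },
    r"SYSTEM\ControlSet001\Enum\Root\LEGACY_$SYS$ARIES": {},
}

if __name__ == "__main__":
    plan = plan_cleanup(SAMPLE_HIVE)
    for action in plan:
        print(action)
    cleaned = apply_plan(SAMPLE_HIVE, plan)
    print("residual $sys$ references:", residual_sys_references(cleaned))
```

A scan like residual_sys_references is the check worth doing on each ControlSet before the reboot step: anything that still begins with $sys$ means a filter stack, ActiveChannel value or service key was missed, and the filter stacks are exactly where the guide warns that editing out too much costs you the CD-ROM drive.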