[Cicero]

The Sophos rootkit detection and removal tool is at:

http://www.sophos.com/support/disinfection/rkprf.html

Use at your own risk, but it is recommended by several reliable sources. I certainly wouldn't use any Sony removal tools, given their record so far.

[dickmc]

Seems to be a lot of confusion as to whether anything is 'removed' by the AVs or simply 'uncloaked'.

Per Mark Russinovich's Sysinternals site who discovered all this:

Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit.

Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality.

Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash.

While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:

1. Open the Run dialog from the Start menu

2. Enter “cmd /k sc delete $sys$aries”

3. Reboot

Much more detail at his site here.

[Tennessee_Bob]

I've heard that after running the Sony Rootkit Remover, your computer will only boot up in CP/M.

let's see what kind of internet rumor we can get started here..