
Get Rid Of SonyBMG Rootkit


Okay, this isn't some fancy website. I created this website because I had this same problem, and googling it just wasn't working, because everyone was talking about it but never solving it. I did some research, put my computer skills to work, and solved this so-called mystery of removing Sony's rootkit. Here's the answer.




How to manually remove SonyBMG's Rootkit from your XP machine.


First unplug your internet connection. Then press Ctrl+Alt+Del, open Task Manager, and click the Processes tab. Find $sys$DRMserver.exe and end this process.

Go to Start, then Run, type "regedit" and press Enter.


Delete these keys:


HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\$sys$DRM

HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\$sys$Crater

HKEY_Local_Machine\SYSTEM\CurrentControlSet\Services\$sys$Cor

HKEY_Local_Machine\SOFTWARE\$sys$References

HKEY_Local_Machine\SONYBMG

Go to www.sysinternals.com, download PsTools, unzip it, and put the files in C:\Windows\System32. Not in a subfolder, but all the individual files directly in System32. You will be asked whether you want to replace a dll file; say Yes, or Yes to All.

Then close regedit if it's open, and type this in Run: psexec -s -i -d regedit.exe (this opens regedit running as the SYSTEM account, which is what allows you to delete the following registry keys.)

HKEY_Local_Machine\SYSTEM\CurrentControlSet\Enum\IDE\ (open the subkey for each of your CD-ROM drives), and then delete the LowerFilters value whose data is either "$sys$Crater" or "$sys$Crater imapi".

HKEY_Local_Machine\SYSTEM\CurrentControlSet\Enum\PCIIDE\IDEChannel (there will be two subkeys with synchronized numbers; the top one is the primary channel and the bottom one the secondary. Since your CD drives are hooked up to the secondary channel, click the second one. Then find the value whose data contains $sys$Cor and delete it.)


Then after that delete these files.


C:\Windows\System32\$sys$caj.dll

C:\Windows\System32\AXPSupport.dll

C:\Windows\System32\InstallContinue.exe

C:\Windows\System32\XPCPlugins.dll

C:\Windows\System32\ECDPlayerControl.ocx

C:\Windows\System32\XCPPhoenix.dll

C:\Windows\System32\$sys$Upgtool.exe

C:\Windows\System32\ClientSyncLoader.htm (or possibly .html)


After that delete these two folders, and all of their contents.


C:\Windows\System32\SoftwareDistribution

C:\Windows\System32\$sys$filesystem
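Before and after working through the steps above, it helps to have a single read-only check that reports which of the listed artifacts are actually present, so you are not guessing from memory which keys and files you already dealt with. The script below is an added example, not the page author's tool: it audits every process name, service key, registry key, file and folder named on this page and reports what it finds without deleting anything. It assumes the artifact names exactly as the page lists them, and for the CD-ROM device keys it scans every value under Enum\IDE and Enum\PCIIDE for data containing "$sys$" (so it catches the LowerFilters entries without depending on the exact value name). Run it from an elevated PowerShell.

```powershell
# Read-only audit for the Sony BMG XCP artifacts listed on this page.
# Added example, not the page author's tool. Reports only; deletes nothing.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Indicators taken from the page. Single quotes keep the literal '$sys$'.
$processNames = @('$sys$DRMserver')
$serviceNames = @('$sys$DRM', '$sys$Crater', '$sys$Cor')
$registryKeys = @('HKLM:\SOFTWARE\$sys$References', 'HKLM:\SONYBMG')
$fileNames    = @('$sys$caj.dll', 'AXPSupport.dll', 'InstallContinue.exe',
                  'XPCPlugins.dll', 'ECDPlayerControl.ocx', 'XCPPhoenix.dll',
                  '$sys$Upgtool.exe', 'ClientSyncLoader.htm', 'ClientSyncLoader.html')
$folderNames  = @('SoftwareDistribution', '$sys$filesystem')
# Device trees where the page says the filter driver is registered.
$deviceRoots  = @('HKLM:\SYSTEM\CurrentControlSet\Enum\IDE',
                  'HKLM:\SYSTEM\CurrentControlSet\Enum\PCIIDE')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Running process the page says to end first.
foreach ($p in $processNames) {
    foreach ($proc in Get-Process -Name $p -ErrorAction SilentlyContinue) {
        Add-Finding 'Process' $proc.ProcessName "PID $($proc.Id), path: $($proc.Path)"
    }
}

# 2. Service keys under HKLM\SYSTEM\CurrentControlSet\Services.
foreach ($s in $serviceNames) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\' + $s
    if (Test-Path -LiteralPath $key) {
        $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        Add-Finding 'Service key' $key "ImagePath: $image"
    }
}

# 3. The two standalone registry keys.
foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) { Add-Finding 'Registry key' $k 'present' }
}

# 4. Files and folders dropped into System32.
foreach ($f in $fileNames) {
    $path = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        Add-Finding 'File' $path "$($item.Length) bytes, modified $($item.LastWriteTime)"
    }
}
foreach ($d in $folderNames) {
    $path = Join-Path $sys32 $d
    if (Test-Path -LiteralPath $path -PathType Container) {
        $count = (Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object).Count
        Add-Finding 'Folder' $path "$count item(s) inside"
    }
}

# 5. Filter-driver registrations on the CD-ROM device keys (LowerFilters etc.).
#    Every value under the device trees is checked for data containing '$sys$',
#    so the exact value name does not matter.
foreach ($root in $deviceRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = @($key.GetValue($name)) -join ' '   # REG_MULTI_SZ becomes one line
            if ($data -like '*$sys$*') {
                Add-Finding 'Device filter value' $key.Name "$name = $data"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'None of the listed XCP indicators were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    Write-Host "$($findings.Count) indicator(s) present. Work through the removal steps, then re-run."
}
```

One caveat a practitioner should keep in mind: while the XCP cloaking driver is still loaded, Windows hides files, registry keys and processes whose names begin with "$sys$" from normal enumeration, so a clean report for those names on a live, still-infected machine proves nothing. The non-"$sys$" names in the list (AXPSupport.dll, XCPPhoenix.dll, the service ImagePath values, and so on) are the ones a live system can still see, and the script is most trustworthy when run after the removal steps and a reboot, which is also the point at which the page's own check (does $sys$DRMserver.exe come back once the network is reconnected?) applies.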


After doing all these steps, shut down your computer. While the computer is shut down, plug your internet connection back into your computer. This is how we tell if your copy of the rootkit was successfully removed: the process $sys$DRMserver.exe is activated by a source of internet connectivity. If it doesn't start up at the Windows XP login, then your computer is free from Sony's harmful attempt to cut back on distribution of music, but my opinion is: my cd, my priority to do whatever I want with it. Hope that this helped. Just remember, if it says copy-protection software on the case, it would be a good idea not to insert it into your computer's disk drive unless you check to make sure that the label of that cd does not belong to SONY BMG. PeAcE

P.S. After this, and after any deletion of registry keys, I recommend that you use a registry cleaner. For those of you that don't have one, here's a free program that will take care of everything. However, I recommend that you run the registry scan more than once, because it doesn't get everything on its first pass, but no worries, this only takes about 45 seconds on a 600 MHz processor, so if yours is faster then you really don't have to worry about it.

Registry Cleaner


If you would like for me to look into a problem, and put the answer to it right here on this website then visit my contact me page.