Lavasoft Rootkit Remover

Started by JOSEPH, January 30, 2006, 01:04:09 PM


JOSEPH

I don't know what to make of this; perhaps someone who has taken the plunge with it might like to share their experience. I routinely examine various RootKit Detectors locally and such, but this one threw up a RED FLAG when I was about to launch it and came upon this warning!...


GR@PH;<'S

JOSEPH,
That is a confirmation sign (Disclaimer)
which the program maker has placed in to cover itself in the case of you removing something from your PC.

GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

JOSEPH

Hi GR@PH;<'S

Yes, I understand it is a Disclaimer of sorts along with a very candid Warning!.....but what's most troubling is that nowhere does that Kit offer any additional explanation as to just what it means by "potentially harm your computer".

That warning box, to me anyway, clearly expresses an expected danger to occur. And if that is likely, i.e. Process Guard is hooking with its protective measures, then you're to assume that the tool might attempt to remove this safety? And in whatever variation that action might take, what else are we to assume but that it's highly likely to damage components or worse.

I am just trying to find a better read on it if there is one of the Risk.
Obviously this is the first detector of that nature that explicitly implies using their tool is "potentially" dangerous which of course negates the entire interest.

winchester73

Just musing here ...

Maybe you are confused about the application?  It is meant to address the Sony rootkit issue, not be a rootkit "revealer" in general.

As for the warning itself, the nature of a rootkit makes it extremely difficult to remove, often leaving a hard drive reformat as the only solution.  Some think the only guaranteed way to remove a rootkit is to destroy the system and then rebuild it from scratch.

Since the CD-ROM (or the PC itself) might fail to work properly if the rootkit was removed improperly, I suspect a warning such as you noted is somewhat sensible for those who lack sophisticated computer training.

On another note ... under an aggressive interpretation of the Digital Millennium Copyright Act (DMCA), some speculate that using a removal tool such as this to remove the Sony Rootkit could be considered a crime in itself.  A vendor without a specific DMCA exemption might not be covered for distributing the removal tool.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Die Hard

When removing rootkits, keep in mind that the nature of them is to be hidden and to perform hidden and unknown tasks.
Therefore, any designer of such a scanner cannot do anything other than warn about the risks, when no one knows what will be found, nor removed.
Both F-Secure's Blacklight and Sysinternals' RootKit Revealer have disclaimers. Not when you open the utilities, but they are clearly stated in the readme.

Many security experts say: "If you store or transmit classified data and find an unknown rootkit, wipe out Windows and reinstall"

Die Hard :)
I create and edit my posts in GS-NOTES

JOSEPH

Quote
Both F-Secure's Blacklight and Sysinternals' RootKit Revealer have disclaimers. Not when you open the utilities
Hello DIEHARD
Exactly so, and is why when this one appeared straightway it suggests alarm or perhaps take your chances. That is kind of the indication expressed.

And Thanks Win73 for some feedback in that manner. I agree that underlying risks certainly can exist and will on occasion occur as we have all seen time and again, WinsockFix tool comes to mind that we must suggest on some of the more persistent types that attach to PC internet connection.
It seemed meant to bring particular attention with "save all your work"

At any rate it might help if, before offering such a tool freely like that, the manner in which it is expected to remove was included, and possibly what would be affected, as a further precaution.
Some of the rootkit programs I examined particularly are "Detect Only", with the exception of the Powerful! Ice Sword; it is an extremely sharp instrument that both reveals and effects removal, MANUALLY by user, I might add........but is also worded in Chinese :? (someone really should do something about an English version lol). You simply will not believe what all it uncovers.

I've yet to come across any known reports that the Lavasoft tool had been thoroughly tested or proven somewhat adequate, but then hence the warning along with the recent offer indicates perhaps not? Speculating of course, but it does deserve caution and is why I felt it important, until there's some better clarification, to pass along this find and gather a few opinions from anyone with recent experience with it.


Thanks


EDIT: I see I was led to misinterpret the purpose of that tool. In the present period we're in, with all the stir over potential rootkits and many forums making it a practice to suggest to users affected by malware/hijacks to run Rootkit Detection tools, I took it to be another one in a group of RootKit Detectors per se in general, which of course it clearly states it's not.

Quote
The ARIES Rootkit Remover developed by Lavasoft provides the means to locate and permanently remove the Sony rootkit from the system and disable the rootkit's ability to run once more after reboot. This standalone tool is a reliable, trustworthy, and safe way of removing the rootkit--unlike Sony's own rootkit remover that has been known to cause blue screens.
The Lavasoft ARIES Rootkit Remover removes only the ARIES rootkit; it does not touch the DRM software from Sony. Once the ARIES Rootkit is removed, you can put the CD from which the rootkit was originally installed on your PC into the CD drive, and the ARIES rootkit will not be installed again.

winchester73

Quote
EDIT: I see I was led to misinterpret the purpose of that tool. In the present period we're in, with all the stir over potential rootkits and many forums making it a practice to suggest to users affected by malware/hijacks to run Rootkit Detection tools, I took it to be another one in a group of RootKit Detectors per se in general, which of course it clearly states it's not.

LOL ... the name ARIES Rootkit Remover might have been a giveaway ... Aries.sys being the actual Sony rootkit driver ...

:tease:

According to Mark's blog at Sysinternals, the way the tools are removing the rootkit has a small chance of crashing your computer ... likely the reason for the Lavasoft warning.

Assarbad

Hi JOSEPH,

although I am writing in private here - so nothing of this is an official statement from Lavasoft - I am one of the authors of this tool. Most of it, except the GUI, has been written by me. It was also on me to analyze the Sony Rootkit in-depth. Although some vendors claim it is quite complicated, it is not at all. The biggest problem is how it works and to get it deactivated. Since Lavasoft's tool (the ARIES Rootkit Remover) employs a driver to perform checks and parts of the cleaning, it is only legitimate to prompt the user to agree, since the loading of any kernel modules is a risk by itself. You will surely agree that it is hard to test the tool on all myriads of (possible) configurations (read: combinations of different software).

@winchester73: Indeed, crashing may be a problem, but the tool does not attempt to unload the rootkit for obvious reasons.

I will write a blog entry on this soon. If I do not forget about it, I will also reply here to notify you of this blog-entry.

Cheers,

Oliver
Oliver (working at FRISK but posting here as a private person!)

Clogged disks on Windows? Check out: WinDirStat

LS SteveJ

Just a quick note. I can confirm the identity of Oliver. (In case anyone doubts this)

Die Hard

Hello, Oliver. Welcome and thank you for straightening this out.  :thumbsup:
It's very valuable to have an explanation directly from the vendors/authors  :P

regards

Die Hard :)

winchester73

OYF1P ... thanks for the explanation.  I think Mark was probably talking about Sony's own tool, but I'm not sure ...  :P

I believe I know you from other forums, but if LS SteveJ vouches for you, that's good enough for me ...  :D

JOSEPH

Quote from: OYF1P on January 30, 2006, 08:01:47 PM
I will write a blog entry on this soon. If I do not forget about it, I will also reply here to notify you of this blog-entry.

Cheers, Oliver

Likewise, I welcome & appreciate the direct response, and at that, most timely. Thanks

Hello Oliver and greetings:

In some haste to make do with catching up to a schedule that seems to never end, the Lavasoft RootKit Remover name attracted my attention while rapidly browsing over some results for RootKit Applications, since they continue to be a focus of some study right now.

It was at the point actually in the reply post where Winchester73 made specific reference to SONY that I re-reviewed and then recognized the oversight. I think if anyone followed my above post this will prove out to have been the case.
Still the interest is a very valid one and I'd like to pose a question for you: is there any consideration perhaps in the making from your group for a general RootKit Detection/Removal application? Any reply or reference to this is gladly received.

I was taken aback initially at the warning box message, and I think you'll understand the hesitation with some serious concern whenever a presentation is so outlined with much caution as made in that fashion, but I also now think I can understand the precaution that it was expected to imply.

Upon another review for any additional helpful descriptions nothing detailed was found nor was expected to, given now that it's understood the tool is only meant to address a single entity (Sonyfiles), however as to the removal procedure whether or not an already existing security program which rests hooks to rootkit levels might be affected and just what might result from any interaction of the two, was my chief concern. 

Thanks again for sharing your own views.

Corrine

Hi, Oliver, Those of us who frequent MR do indeed know you.  Welcome and thank you.  We appreciate your stopping by.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

JOSEPH

Quote
LOL ... the name ARIES Rootkit Remover might have been a giveaway ... Aries.sys being the actual Sony rootkit driver ...

Believe it or not, I had assumed that the Sony issue had long since concluded and, given the long Lavasoft history of Ad-Aware, simply concluded the RootKit Detector or any similar other tool offered would also be for general use.

For that matter the ARIES identifier to me could just as well been named VIRGO, AQUARIUS or any other Zodiac. VIRGO just happens to be mine LoL

Assarbad

Quote from: winchester73 on January 30, 2006, 09:22:42 PM
OYF1P ... thanks for the explanation.  I think Mark was probably talking about Sony's own tool, but I'm not sure ...  :P
Yes he was. And that is quite justified by the facts. I will detail it today in a long blog entry.

Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Likewise, i welcome & appreciate the direct response, and at that, most timely. Thanks
Sorry for the delay. I was moving to Sweden on Tuesday and Wednesday so I had no time until today. Will write the blog entry today and link to it from here.

Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Still the interest is a very valid one and i like to pose a question for you if there is any consideration perhaps in the making from your group for a general RootKit Detection/Removal application. Any reply or reference to this is gladly received.
We are looking into it. However, I personally think that there is no safe way to detect a rootkit, since it is the rootkit's sole purpose to hide and provide someone access to the owned box.

Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
I was taken aback initially at the warning box message and i think you'll understand the hesitation with some serious concern whenever a presentation is so outlined with much caution as made in that fashion, but i also now think i can also understand the precaution that it was expected to imply also.
Well, just the fact that others do not warn you of it does not mean there is less of a risk. The problem simply is that any kernel module (i.e. any kernel mode driver) can cause trouble, because there is a large diversity of software out there and it is impossible to test all combinations.

Quote from: JOSEPH on January 30, 2006, 09:34:44 PM
Upon another review for any additional helpful descriptions nothing detailed was found nor was expected to, given now that it's understood the tool is only meant to address a single entity (Sonyfiles), however as to the removal procedure whether or not an already existing security program which rests hooks to rootkit levels might be affected and just what might result from any interaction of the two, was my chief concern.
You are right. A description, why this warning is being shown, should have been added to sweep away the doubts of sceptical people ;)
Since I am only a developer I can only give a hint to our webmaster to link to my blog entry once it is written.

Sorry for the late response again.
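The thread twice touches on how rootkit detectors actually work: Die Hard names Blacklight and RootKit Revealer, and Oliver argues there is no safe way to detect a rootkit because hiding is its whole purpose. The "cross-view" technique those tools use, and the exact limitation Oliver describes, can be shown on constructed data. The block below is an added illustration, not code from the thread, from Lavasoft, or from either tool; the directory listings, the file names and the `$sys$` marker used to tag the hidden entries are all assumptions made up for the example.

```python
"""Cross-view rootkit detection, illustrated on constructed data.

A cross-view detector compares two answers to the same question: what the
documented API reports (the high-level view, which a kernel-mode hook can
filter) and what a lower-level read of the same data reports (the raw view).
Entries present only in the raw view are candidates for something hiding
itself.  If the rootkit also filters the raw view, the comparison goes blind,
which is the limitation raised in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


# Constructed raw view: what a direct read of the volume would return.
# Names and the "$sys$" marker are assumptions for this example only.
RAW_LISTING = [
    Entry(r"C:\Windows\system32\ntoskrnl.exe", 2_000_000),
    Entry(r"C:\Windows\system32\drivers\example.sys", 40_000),
    Entry(r"C:\Windows\system32\$sys$filesystem\hidden.sys", 12_000),
    Entry(r"C:\Windows\system32\$sys$filesystem\hidden.dll", 8_000),
]


def rootkit_filter(entries, hidden_marker="$sys$"):
    """Simulate a hook that drops matching names from directory enumeration.

    This stands in for the kernel-mode filtering a rootkit performs; the
    marker is an assumed convention, not a property of any real driver.
    """
    return [e for e in entries if hidden_marker not in e.path]


def cross_view_diff(api_view, raw_view):
    """Return entries present in the raw view but absent from the API view."""
    seen = {e.path for e in api_view}
    return [e for e in raw_view if e.path not in seen]


def scan(raw=RAW_LISTING, hook=rootkit_filter):
    """Run one cross-view scan: obtain the API view via the hook, diff it."""
    api_view = hook(raw)
    return cross_view_diff(api_view, raw)


def summarize(discrepancies):
    """Turn a list of discrepancies into a short human-readable verdict."""
    if not discrepancies:
        return "no discrepancies: either the system is clean or both views are filtered"
    lines = [f"{len(discrepancies)} entry(ies) hidden from the API view:"]
    lines += [f"  {e.path} ({e.size} bytes)" for e in discrepancies]
    return "\n".join(lines)


if __name__ == "__main__":
    # Case 1: only the API view is hooked; the raw view exposes the hidden files.
    print(summarize(scan()))
    # Case 2: the raw view is filtered too; the detector sees nothing.
    print(summarize(scan(raw=rootkit_filter(RAW_LISTING))))
```

The second case is the point Oliver makes: a detector that runs on the same box as the rootkit cannot guarantee that its "raw" view is unfiltered, which is why the thread's advice for sensitive systems is to rebuild rather than trust a scan.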