"Not even a format will do it"
I really hate to disagree with you, but I know when I do a format I also format the boot record; plus, not if you're doing the format from a clean bootable drive.
Yes, booting from a second, known to be clean volume will get rid of the rootkit.
"under ring 3 privileges"
Really, was that from securom, out of curiosity?
No. It's based on my own knowledge about how operating systems work, and what's known about the copy protection mechanism of SecuROM.
"Starforce wasn't a rootkit either."
Really, maybe I remember wrong, but I could swear it was revealed as a rootkit and I remember ring 0.
It is either a ring-0 or ring-1 driver, but to my knowledge it is not a rootkit.
To get some definitions straight:
(1) A rootkit is a piece of software that runs under ring-0 (kernel) privileges, and hides itself from the operating system kernel.
(2) A ring-0 driver is a piece of software that interfaces with hardware and runs under ring-0 (kernel) privileges. If it does not hide itself from the OS, it is not a rootkit.
(3) A ring-1 driver is a piece of software that runs directly under the kernel with elevated "system" privileges. It's not a rootkit.
(4) A piece of software that does not come with an uninstaller, flags files as hidden, or behaves badly in any of a huge number of other ways is not a rootkit. If it runs under ring-3 privileges, the damage it can do is fairly limited.
"One lesson we could learn is that unfounded hysteria"
Well, if you find someone being hysterical, you let us know, ok?
I've been slapping you for a while now, trying to get you to snap out of it.
Yes, SecuROM *MAY* be a rootkit. However, until it has been *SHOWN TO BE* a rootkit, it is way, way premature to label it one. What's more, I have come across no information yet that would even give strong cause to suspect that it is a rootkit. In particular, the copy protection mechanism it uses -- code activation using a hardware hash -- does not *REQUIRE* kernel-level privileges.
"'Having problems' != 'rootkit' or even 'very dangerous.'"
Well, I remember it being proven a rootkit, though I could be wrong, but as I mentioned, if it is a rootkit as I and many recall, then you making nice code trying to prove it wasn't doesn't affect reality, does it?
The Wikipedia article on StarForce (look it up if you like) describes it quite well. It doesn't explicitly state what ring the driver runs under. However, it looks to me that it's ring-1 (system) rather than ring-0 (kernel):
"The access control list of the drivers are set such that any person with control over the computer, including those without administrative rights, is allowed to change the code that is run by the driver. Exploitation is simple: The user changes it to point at any arbitrarily chosen executable, which is executed with full system privileges on next reboot."
(edit) Going back over how StarForce actually works, I think it probably is ring-0. It requires very low-level hardware access, which may not be possible to do at ring-1. I don't know for certain, though. That's still different from a rootkit, though.
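The quoted Wikipedia passage describes a driver whose ACL lets a non-administrative user redirect what runs with system privileges. The following is an added audit script, not code from the thread, from StarForce, or from Wikipedia: it lists kernel-mode driver services on the local machine whose service registry key or driver image file grants write rights to low-privilege principals. It assumes an elevated PowerShell session on Windows, and the list of "low-privilege" principals is an assumption you may want to widen for your environment.

```powershell
# Added example: audit driver services for ACLs writable by non-administrators.
# Assumed set of low-privilege principals; adjust for your environment.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRegRights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'
$WriteFileRights = [System.Security.AccessControl.FileSystemRights]'Write, WriteData, AppendData, ChangePermissions, TakeOwnership, Delete, FullControl'

# Returns "principal => rights" for the first Allow ACE that gives a low-privilege
# principal any of the listed write rights, or $null if none is found.
function Test-WeakAce {
    param($Acl, $Rights, [string]$Kind)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $granted = if ($Kind -eq 'Registry') { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (($granted -band $Rights) -ne 0) { return "$($ace.IdentityReference.Value) => $granted" }
    }
    return $null
}

function Get-WeakDriverAcl {
    $results = @()
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $key.PSPath
        # Service Type 1 = kernel driver, 2 = file-system driver; skip user-mode services.
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        # Can a low-privilege user rewrite ImagePath (what the kernel loads) in the service key?
        $regWeak = Test-WeakAce -Acl (Get-Acl -Path $key.PSPath) -Rights $WriteRegRights -Kind 'Registry'
        # Can a low-privilege user overwrite the driver image itself?
        $fileWeak = $null
        $image = [string]$props.ImagePath
        if ($image) {
            # Normalise the NT-style prefixes (\??\ and \SystemRoot\) and relative paths to a Win32 path.
            $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            if (Test-Path -LiteralPath $path) {
                $fileWeak = Test-WeakAce -Acl (Get-Acl -LiteralPath $path) -Rights $WriteFileRights -Kind 'File'
            }
        }
        if ($regWeak -or $fileWeak) {
            $results += [pscustomobject]@{
                Service = $key.PSChildName; ImagePath = $image
                RegistryKeyWritableBy = $regWeak; ImageFileWritableBy = $fileWeak
            }
        }
    }
    return $results
}

Get-WeakDriverAcl | Format-Table -AutoSize
```

A clean system should print nothing; any row is a driver that a standard user could redirect or replace and is worth fixing (tighten the ACL or remove the driver) rather than debating.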
"You keep *saying* this, yet you can't point to anything the program is KNOWN to do that actually IS dangerous"
Well, the behavior certainly could be a rootkit and/or malware, as I mentioned, and I never said it was definitively, as I mentioned. I am asking out of concern; if you don't care, that's fine.
Hmm, did I say dangerous? Maybe. Certainly I said cause for concern.
*Anything* could be a rootkit or malware, but most things aren't.
Btw, what was your position here and on RPGDot about Starforce, besides the fact that you're currently saying it's not a rootkit, nor ever was, if I understand you correctly?
Did you blow off the idea of problems or potential problems when Starforce was going on, sort of like you are now?
When I found out what Starforce was doing, I immediately uninstalled all games I had that used it and used the utilities provided by Sysinternals to get rid of the drivers. I also put an immediate personal boycott on Starforce-protected games. Starforce is a pretty evil piece of software that opens up a genuine security hole in the system.
But that doesn't make it a rootkit.