root kits

jcane1
Posts: 6
Joined: Tue Sep 13, 2011 4:07 pm

root kits

Post by jcane1 »

Can UVK be used to remove root kits and repair the PC? I can also be reached at joshcane@yahoo.com. I will be checking this forum and my email FREQUENTLY for this one!! Thanks.
Fred
Site Admin
Posts: 2357
Joined: Sat Jul 30, 2011 12:05 pm
Location: Red coast, France
Contact:

Re: root kits

Post by Fred »

Hi Josh.

Of course UVK can be used to detect and delete rootkits. :)

The most effective way to detect rootkits is to create a UVK log in the Scan and create log section.

E.g., imagine that malware has infected the system file volsnap.sys. You'll easily notice the line:

Code:

<Drivers> | volsnap | C:\Windows\system32\drivers\volsnap.sys | No description | Unsigned :  No publisher
A genuine driver file is always digitally signed, either by its manufacturer or Microsoft. In this case it should be:

Code:

<Drivers> | volsnap | C:\Windows\system32\drivers\volsnap.sys | Volume shadow copy driver | Stopped | Signed :  Microsoft Corporation
Pasting the first line above into the Run UVK scripts section and executing it should take care of the rootkit, but the Volume shadow copy service would still be damaged, as the genuine volsnap.sys would still be missing from the drivers folder.

You should then use the System protected resources scan, in the UVK system repair section, to fix the issue, or use the command <SReplaceFile> to replace the infected file with a genuine one. On a Windows 7 64-bit system it could be done by executing the following code:

Code:

<SReplaceFile>
%SystemDir%\drivers\volsnap.sys | %SystemDir%\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys
And if the service has also been damaged add this one:

Code:

<RunWait>
%SystemDir%\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 %SystemDir%\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volume.inf
UVK's ability to block NTFS permissions on the files marked for deletion on reboot helps in these cases. The blocked files cannot be loaded until rebootexec is launched and deletes them.

For executable files it should be much easier, as you just have to detect them, and then delete them.
One thing we humans have in common is that we are all different. So, if you think you're weird because you're different from everyone else, then we are all weird.

Fred
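An added example, not part of Fred's post and not UVK's own code: a small Python parser for the pipe-separated <Drivers> log lines in the format quoted above, which flags the entries that fail the "genuine drivers are always signed" test Fred describes. The field layout and the "Signed :" / "Unsigned :" convention are taken from the two lines in the post; all other sample lines (a third-party driver, a <Services> line) are constructed here to show what the check does and does not flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the pipe-separated <Drivers> format shown in the post.
# Lines 1-2 mirror the post's before/after volsnap example; the rest are made up
# to show that a signed third-party driver and a non-driver line are not flagged.
SAMPLE_LOG_LINES = [
    r"<Drivers> | volsnap | C:\Windows\system32\drivers\volsnap.sys | No description | Unsigned :  No publisher",
    r"<Drivers> | volsnap | C:\Windows\system32\drivers\volsnap.sys | Volume shadow copy driver | Stopped | Signed :  Microsoft Corporation",
    r"<Drivers> | disk | C:\Windows\system32\drivers\disk.sys | Disk Driver | Running | Signed :  Microsoft Corporation",
    r"<Drivers> | exvendor | C:\Windows\system32\drivers\exvendor.sys | Example Vendor Driver | Running | Signed :  Example Vendor Inc.",
    r"<Services> | Spooler | C:\Windows\System32\spoolsv.exe | Print Spooler | Running | Signed :  Microsoft Corporation",
]

# Last field of a driver line: "Signed :  <publisher>" or "Unsigned :  No publisher".
SIGNATURE_RE = re.compile(r"^(Signed|Unsigned)\s*:\s*(.*)$")


@dataclass
class DriverEntry:
    name: str
    path: str
    description: str
    state: Optional[str]  # absent on some lines, as in the unsigned example
    signed: bool
    publisher: str
    raw: str  # the original line; per the post, pasting it into Run UVK scripts deletes the driver


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Parse one <Drivers> line; return None for other sections or malformed lines."""
    fields = [f.strip() for f in line.strip().split("|")]
    if len(fields) < 5 or fields[0] != "<Drivers>":
        return None
    match = SIGNATURE_RE.match(fields[-1])
    if not match:
        return None
    # With 6 fields a state column (Running/Stopped) sits before the signature field.
    state = fields[4] if len(fields) >= 6 else None
    return DriverEntry(
        name=fields[1],
        path=fields[2],
        description=fields[3],
        state=state,
        signed=(match.group(1) == "Signed"),
        publisher=match.group(2).strip(),
        raw=line.strip(),
    )


def parse_uvk_log(lines: List[str]) -> List[DriverEntry]:
    """Return every <Drivers> entry found in the given log lines."""
    return [e for e in (parse_driver_line(l) for l in lines) if e is not None]


def suspicious_drivers(entries: List[DriverEntry]) -> List[Tuple[DriverEntry, List[str]]]:
    """Flag drivers that fail the genuine-driver test from the post.

    A genuine driver is signed by Microsoft or its manufacturer, so an unsigned
    entry is the primary indicator. A missing description is reported only as a
    supporting indicator; a signed third-party publisher is normal and not flagged.
    """
    flagged = []
    for entry in entries:
        if entry.signed:
            continue
        reasons = ["unsigned (" + entry.publisher + ")"]
        if entry.description.lower() == "no description":
            reasons.append("no description")
        flagged.append((entry, reasons))
    return flagged


def deletion_script(flagged: List[Tuple[DriverEntry, List[str]]]) -> str:
    """Return the flagged log lines as-is, which is the script the post says to run."""
    return "\n".join(entry.raw for entry, _ in flagged)


if __name__ == "__main__":
    found = suspicious_drivers(parse_uvk_log(SAMPLE_LOG_LINES))
    for entry, reasons in found:
        print(f"{entry.name}: {entry.path} -> {', '.join(reasons)}")
    print("UVK script:\n" + deletion_script(found))
```

On the constructed input only the unsigned volsnap line is flagged; the signed Microsoft and third-party drivers and the <Services> line pass through untouched, which matches the post's point that the signature, not the vendor, is what separates a genuine driver from a tampered one.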
jcane1
Posts: 6
Joined: Tue Sep 13, 2011 4:07 pm

Re: root kits

Post by jcane1 »

thank you so much for this !! ;-)
Fred
Site Admin
Posts: 2357
Joined: Sat Jul 30, 2011 12:05 pm
Location: Red coast, France
Contact:

Re: root kits

Post by Fred »

You're welcome. :D

Whenever you need help, just post.
user24
Posts: 8
Joined: Sun Sep 11, 2011 3:36 am

Re: root kits

Post by user24 »

Hi dear, can you post step-by-step guidance on how to remove a rootkit virus using UVK? It will be very helpful for beginners.
Fred
Site Admin
Posts: 2357
Joined: Sat Jul 30, 2011 12:05 pm
Location: Red coast, France
Contact:

Re: root kits

Post by Fred »

OK, User24, I started making the tutorial.

viewtopic.php?f=6&t=56

If you have a rootkit to remove, would you mind trying the step one I posted and say if it worked?

Cheers. :D