I've been asked to post a tutorial on rootkit removal using UVK. So here it is.
If some of you think there is something else to add to this tutorial, please post.
Step 1: Try to remove the rootkit with Kaspersky TDSSKiller:
- Let's not start the hard way. First we'll try to use TDSSKiller to remove the rootkit. Note that this procedure requires an internet connection.
Download UVK and install it with the default settings. This is important because the default installation creates a system restore point just before installing, so you have something to roll back to if the cleanup goes wrong. For more information and the download, visit the following URLs:
Run UVK, and click Run UVK scripts. Paste the following script into the UVK commands text box, then click Run / Fix listed and confirm:

<Download>
http://support.kaspersky.com/downloads/utils/tdsskiller.exe | %DeskTop%\KillTdss.exe
<RunWait>
%DeskTop%\KillTdss.exe
<ResetHostsAndDns>
<ResetGroupPolicy>
<CreateRestorePoint>
<Reboot>
So, first UVK will download TDSSKiller to your desktop and save it under a different name from the original. This matters because many rootkits recognize TDSSKiller by its file name and prevent it from running; a renamed copy gets past that check.
Then UVK will run it. Follow the instructions at http://support.kaspersky.com/faq/?qid=208283363 to perform the rootkit scan and removal with TDSSKiller.
If the tool found and removed your rootkit, then man, you're lucky. Click No if it asks whether you want to reboot immediately, because the UVK script still has work to do and will reboot the machine itself at the end.
Close TDSSKiller, and UVK will then reset the hosts file and flush the DNS cache, reset the group policies, create a new system restore point, and reboot your machine. Hopefully after the reboot your rootkit will be gone. If so, you can ignore the next steps.
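For anyone who wants to see what each line of that UVK script actually does on the box (or who would rather run the steps by hand), here is the same procedure written as a PowerShell script. This is an added example, not code from UVK or from Kaspersky: the download URL is the one above, but the local file name KillTdss.exe, the restore point description and the "Kaspersky" signer match are my own assumptions. It also adds one check UVK does not do, refusing to run the downloaded binary unless its Authenticode signature is valid, since the download comes over plain HTTP. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: reproduces the UVK script step by step in PowerShell.
# Not UVK's or Kaspersky's code. The local file name, restore point
# description and publisher name match are assumptions for illustration.

$ErrorActionPreference = 'Stop'

# <Download>: fetch TDSSKiller to the desktop under a different file name,
# so a rootkit that blocks "tdsskiller.exe" by name does not see it.
$url = 'http://support.kaspersky.com/downloads/utils/tdsskiller.exe'
$exe = Join-Path ([Environment]::GetFolderPath('Desktop')) 'KillTdss.exe'
Invoke-WebRequest -Uri $url -OutFile $exe -UseBasicParsing

# Extra check (not part of the UVK script): the file arrived over plain HTTP,
# so refuse to run it unless it carries a valid Authenticode signature from
# the expected publisher (the '*Kaspersky*' pattern is an assumption).
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Kaspersky*') {
    throw "Refusing to run $exe : signature status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
}

# <RunWait>: start the scanner and block until the user closes it.
# Answer "No" to its own reboot prompt; this script reboots at the end.
Start-Process -FilePath $exe -Wait

# <ResetHostsAndDns>: keep a copy of the current hosts file for later
# inspection, then replace it with a clean default and flush the DNS cache.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Copy-Item -Path $hosts -Destination "$hosts.bak" -Force
attrib -r -s -h $hosts                       # some malware sets it read-only/hidden
Set-Content -Path $hosts -Value "# hosts file reset`r`n127.0.0.1 localhost" -Encoding ASCII
ipconfig /flushdns | Out-Null

# <ResetGroupPolicy>: delete the local policy stores (machine and per-user)
# and force a policy refresh so tampered policies are discarded.
foreach ($dir in 'GroupPolicy', 'GroupPolicyUsers') {
    $path = Join-Path $env:SystemRoot "System32\$dir"
    if (Test-Path $path) { Remove-Item -Path $path -Recurse -Force }
}
gpupdate /force | Out-Null

# <CreateRestorePoint>: snapshot the cleaned state (System Protection must be on).
Checkpoint-Computer -Description 'After TDSSKiller cleanup' -RestorePointType MODIFY_SETTINGS

# <Reboot>
Restart-Computer -Force
```

The hosts file backup is worth keeping: if the rootkit had redirected security vendors' domains, the entries in hosts.bak tell you what it was trying to hide, which helps decide whether the later steps are needed.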