Rootkit removal with UVK

Fred
Site Admin
Posts: 2357
Joined: Sat Jul 30, 2011 12:05 pm
Location: Red coast, France

Rootkit removal with UVK

Post by Fred »

Hi.

I've been asked to post a tutorial on rootkit removal using UVK. So here it is.

If some of you think there is something else to add to this tutorial, please post.

Step 1: Try to remove the rootkit with Kaspersky TDSS killer:
  • Let's not start the hard way. First we'll try to use TDSS killer to remove the rootkit. Note that this procedure requires an internet connection.

    Download UVK and install it with the default settings. This is very important, as it will create a system restore point just before the installation. For more information and download, visit the following URLs:
    http://www.carifred.com/uvk/help/
    http://www.carifred.com/uvk

    Run UVK, and click Run UVK scripts. Paste the following code into the UVK commands text box:

    Code:

    <Download>
    http://support.kaspersky.com/downloads/utils/tdsskiller.exe | %DeskTop%\KillTdss.exe

    <RunWait>
    %DeskTop%\KillTdss.exe

    <ResetHostsAndDns>

    <ResetGroupPolicy>

    <CreateRestorePoint>

    <Reboot>
    Click Run / Fix listed and confirm.

    So, first UVK will download TDSSKiller to your desktop and save it with a different name from the original. This is very important, as most of the modern rootkits detect TDSSKiller by its name and prevent it from running.

    Then UVK will run it. Follow the instructions at http://support.kaspersky.com/faq/?qid=208283363 to perform the rootkit scan and removal with TDSS Killer.

    If the tool found and removed your rootkit, then man, you're lucky. Click No if it asks you whether you want to reboot immediately.

    Close TDSS killer, and UVK will then clear the hosts file and flush the DNS, reset the group policies, create a new system restore point, and reboot your machine. Hopefully after the reboot, your rootkit will be gone. If so, you can ignore the next steps.
I'll continue this tut later. Please post if the step above didn't remove the rootkit.
One thing we humans have in common is that we are all different. So, if you think you're weird because you're different from everyone else, then we are all weird.

Fred
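The same sequence as the UVK script above, written as a PowerShell script. This is an added example, not UVK's code and not part of Fred's post; it assumes an elevated Windows PowerShell 5.1 session, and the random file name and the Authenticode check before running the download are additions not in the original script.

```powershell
# Added example: PowerShell counterpart of the UVK script in the post.
# Assumptions: run as Administrator in Windows PowerShell 5.1 (Checkpoint-Computer
# is not available in PowerShell 7). URL is the one given in the post.
$ErrorActionPreference = 'Stop'

# <Download>: save TDSSKiller under a random name, so a rootkit that blocks the
# tool by its file name (tdsskiller.exe) does not recognise it.
$url  = 'http://support.kaspersky.com/downloads/utils/tdsskiller.exe'
$dest = Join-Path ([Environment]::GetFolderPath('Desktop')) ("{0}.exe" -f [guid]::NewGuid())
Invoke-WebRequest -Uri $url -OutFile $dest

# Check (added): refuse to run a binary fetched over plain HTTP unless it carries
# a valid Authenticode signature; a tampered or truncated download fails here.
$sig = Get-AuthenticodeSignature -FilePath $dest
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $dest : signature status is $($sig.Status)"
}
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# <RunWait>: run the tool and block until it exits; follow its scan/cure prompts
# and answer No to its own reboot prompt, as the post says.
Start-Process -FilePath $dest -Wait

# <ResetHostsAndDns>: keep a copy of the hosts file for later inspection, then
# replace it with a clean default (Windows resolves localhost itself) and flush DNS.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Copy-Item -Path $hosts -Destination "$hosts.bak" -Force
"# hosts file reset after rootkit removal" | Set-Content -Path $hosts -Encoding ASCII
ipconfig /flushdns | Out-Null

# <ResetGroupPolicy>: UVK's exact reset steps are not shown in the post; here we
# only re-apply policy. Inspect %SystemRoot%\System32\GroupPolicy if restrictions remain.
gpupdate /force | Out-Null

# <CreateRestorePoint>: new restore point after the cleanup (UVK's installer
# already created one before it).
Checkpoint-Computer -Description 'After TDSSKiller' -RestorePointType MODIFY_SETTINGS

# <Reboot>
Restart-Computer -Force
```

Windows 8 and later create at most one restore point per 24 hours by default, so Checkpoint-Computer may silently skip the new point if UVK's installer created one shortly before.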
FredJClaus
Posts: 323
Joined: Sat Dec 06, 2014 6:21 am

Re: Rootkit removal with UVK

Post by FredJClaus »

Fred,

I'm going through old posts and came across this tutorial. Since it's from 2012 is it safe to say it's before TDSS killer was added to the malware section or is this in addition to that part?
wmmiller
Posts: 1098
Joined: Fri Dec 07, 2012 6:02 am
Location: Minnesota, USA

Re: Rootkit removal with UVK

Post by wmmiller »

This was before it was added. Kaspersky TDSSKiller was added in v5.7.1.0 (release date: 10/08/2013).

Here's the change log: http://www.carifred.com/uvk/changelog.php

Bill
Play stupid games... win stupid prizes
Fred
Site Admin
Posts: 2357
Joined: Sat Jul 30, 2011 12:05 pm
Location: Red coast, France

Re: Rootkit removal with UVK

Post by Fred »

Hi guys,

Yeah, I made this topic a long time ago. I was supposed to add more info, explaining how to detect and delete rootkit drivers manually using the Service manager and more stuff, but I never got the time to finish it.

Merry Christmas!
One thing we humans have in common is that we are all different. So, if you think you're weird because you're different from everyone else, then we are all weird.

Fred