Pihar.b rootkit removed, now can't boot
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 19.11.2011 04:26, Post #1

I am working on a laptop for a friend. I booted the laptop (Windows 7) and saw all the icons were gone and nothing in the start menu.

I shut down the machine. I inserted the Kaspersky Rescue Disk 10 and updated it to current virus defs for 11.18.11.
Ran a scan on sda1, the only hard drive, with the rootkit and hidden startup options checked.
The only thing that was found was the pihar.b rootkit.
I removed the rootkit, rebooted, and now get a flash of the BSOD with error code 0x0000007b and then a reboot.

Where do I go from here?

Thanks in advance,
KillerKilgore
richbuff (Oldtimer, Group: Moderators, Posts: 48812, Joined: 14.06.2007)
post 19.11.2011 04:54, Post #2

Welcome. Please repair Windows 7: http://www.sevenforums.com/tutorials/3413-...ir-install.html


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 19.11.2011 08:51, Post #3

Thanks richbuff for the quick reply.

There has to be another option than doing a repair install. Besides, I do not have a disk, and I don't remember if it has a reinstall partition or not.

edited -
If I can't do something else, can I put the rootkit back in?
The Kaspersky disk said it did a backup before it was deleted. I did notice that there is a Kaspersky folder on the HD and it did/does store the virus defs there.

If I can restore the rootkit and get the system back up, I can use other options to remove the rootkit.
Found something elsewhere that recommends a regedit to remove the virus?

http://www.zimbio.com/Spyware/articles/2MH...ar+b+Completely

end edit

Thanks in advance,

KillerKilgore

This post has been edited by KillerKilgore: 19.11.2011 09:10
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 19.11.2011 10:16, Post #4

Well, if I had not deleted it I might have been able to restore it, but restore is not an option on the right menu of quarantined items.

The laptop does have a recovery partition, but when I ran it, it said it would set back to a new OS and lose all data - can't do that.

Started and it gives options to do a startup repair. Did that and it recommended a restore to a previous date, but it chose the date, not me. Restarted and still nothing. Running startup repair again. Will let you know the result.

killerkilgore
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 19.11.2011 12:06, Post #5

Well, the startup repair ran twice - no luck.

Went into advanced mode, went into command prompt.
Did the dir command; it only showed a few files named cybdefwebinstaller.log and 2 other cybdef*.log. Deleted them.
Did not see the windows dir.
Ran attrib -h *.* /s /d; got a lot of errors saying it could not set the -h attribute on system files - that's OK.

Can now see the windows dir and others.
Deleted all files in c:\windows\temp.

Rebooted, still the same reboot cycle.

Will make a Win7PE disk and try to see what is in the reg dealing with that cybdef stuff.

Will keep you posted.

The only reason I'm doing this is it might help someone else on down the road.

kilgore - out
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 20.11.2011 21:31, Post #6

Quote from http://www.sevenforums.com/tutorials/3413-...ir-install.html:

You can only do a repair install from within Windows 7.
You cannot do a repair install at boot or in Safe Mode.
You must be logged into Windows 7 in an administrator account to be able to do a repair install.

End quote.

Quote from my 1st post:

I removed the rootkit, rebooted, and now get a flash of the BSOD with error code 0x0000007b and then a reboot.

End quote.

Another brick in the wall. That WILL fall and land all over me and my mission.

KillerKilgore
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 21.11.2011 23:55, Post #7

OK, I now know that Pihar is a NASTY sob that infects the MBR of the infected machine and is aka TDL4. It installs a hidden boot partition that gets loaded before your OS and communicates that way.
http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot.

Kinda looks like there will have to be a complete reinstall of the OS after nuking the HD (low-level reformat).

I am going to try and see if there is a backup of the MBR and try to restore it.

My advice to anyone infected with a rootkit: BEFORE removing any rootkit with a bootable scan,
research what kind of rootkit it is (listed in the scan results) and try to find another way of removing it.

Hindsight is 20/20 and I'm still blinded by the light.

KillerKilgore

This is me pounding my head against the wall till it starts to feel good. Then pounding it some more.
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 22.11.2011 00:20, Post #8

I ROCK!!!!!!!!!!!!!!!!!!!!!!!!

There were 4 partitions on the HD, none hidden.
The 1st was a small 300 MB one that was set to active.

I saved the MBR and partition info (just in case) and then started.

I set the 130GB partition active and then rebooted.

IT'S ALIVE AND BREATHING.

Windows came right up and I was able to log into the OS.
I will now do a couple of scans to see what else could be wrong, after I image the HD; that way I have a way to get back to this starting point!!!!!!

KillerKilgore

This is proof that there is more than 1 way to skin a cat.
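The layout behind post #7 (a boot partition loaded before the OS) and the fix in post #8 (moving the active flag to the real Windows partition), as an added example that is not from this thread or from any tool named in it: a small Python parser for a raw 512-byte MBR that lists which partition carries the boot flag, reports the small-active / large-inactive shape seen here, and produces a copy of the sector with the flag moved. The sample MBR is constructed to mirror the thread (300 MB active, 130 GB inactive); the 512 MB threshold is an assumption, and because a small active partition is also the normal Windows 7 "System Reserved" layout, the report is a prompt to inspect that partition, not a verdict.

```python
import struct

SECTOR = 512

def build_mbr(entries):
    """Constructed sample MBR. entries: (active, type_byte, start_lba, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i                         # partition table starts at 446
        mbr[off] = 0x80 if active else 0x00        # status byte: 0x80 = bootable
        mbr[off + 4] = ptype                       # partition type id
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"                     # boot signature
    return bytes(mbr)

def parse_partitions(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue                               # unused slot
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "start_lba": start, "size_mb": count * SECTOR // 2**20})
    return parts

def odd_active_partition(parts, small_mb=512):
    """Index of the active partition if it is small while a larger one exists
    (the shape in this thread); None otherwise. Assumed threshold: 512 MB."""
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        return None
    largest = max(parts, key=lambda p: p["size_mb"])
    a = active[0]
    return a["index"] if a["size_mb"] <= small_mb and largest is not a else None

def set_active(mbr, index):
    """Copy of the MBR with only partition `index` (1-4) flagged bootable."""
    out = bytearray(mbr)
    for i in range(4):
        out[446 + 16 * i] = 0x80 if i + 1 == index else 0x00
    return bytes(out)

# constructed layout modelled on the thread: 300 MB active first, 130 GB NTFS second
SAMPLE = build_mbr([(True, 0x07, 2048, 300 * 2048),
                    (False, 0x07, 2048 + 300 * 2048, 130 * 1024 * 2048)])
```

Read the real sector with a 512-byte read of the raw disk device from a rescue environment, and write a modified copy back only after saving the original, as the poster did.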
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 24.11.2011 22:15, Post #9

Just an update for people following this.
I haven't had a lot of time to work on this infected machine, but just to let everyone know, Malwarebytes found 21 infected items.
Will keep everyone posted on the progress.

KillerKilgore
richbuff (Oldtimer, Group: Moderators, Posts: 48812, Joined: 14.06.2007)
post 24.11.2011 23:33, Post #10

Maybe some logs can be of additional help. Please see the Virus section of this forum, first Important topic for instructions.

KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 25.11.2011 05:00, Post #11

I will do that.
Also, should I start another thread in the "Virus section" or just continue with this one?

KillerKilgore
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 25.11.2011 22:26, Post #12

QUOTE(KillerKilgore @ 18.11.2011 19:26) *
I am working on a laptop for a friend. I booted the laptop (Windows 7) and saw all the icons were gone and nothing in the start menu.

I shut down the machine. I inserted the Kaspersky Rescue Disk 10 and updated it to current virus defs for 11.18.11.
Ran a scan on sda1, the only hard drive, with the rootkit and hidden startup options checked.
...


Just to add this to my post again, to help anyone following this or having the same issue.

When the screen came up to select the items, it showed sda1 and a C: drive (as stated above, I did not scan the C: drive).

After I finally got the machine to boot back into Windows (after setting the 130GB drive to active),
I then shut it down again after running a Malwarebytes scan.
Booted with the Kaspersky disk again.
NOW, on the screen to select what to scan, there are 4 drives and the sda1, which is a very good thing.

@richbuff,
I have read the post in the "Virus-related issues" section and do plan on posting that info here.

Thanks,

KillerKilgore
cottington (Newbie, Group: Members, Posts: 1, Joined: 13.01.2013)
post 13.01.2013 01:00, Post #13

QUOTE(KillerKilgore @ 21.11.2011 15:20) *
I ROCK!!!!!!!!!!!!!!!!!!!!!!!!

There were 4 partitions on the HD, none hidden.
The 1st was a small 300 MB one that was set to active.

I saved the MBR and partition info (just in case) and then started.

I set the 130GB partition active and then rebooted.

IT'S ALIVE AND BREATHING.

Windows came right up and I was able to log into the OS.
I will now do a couple of scans to see what else could be wrong, after I image the HD; that way I have a way to get back to this starting point!!!!!!

KillerKilgore

This is proof that there is more than 1 way to skin a cat.


I registered just to say thanks for this! I was in the same situation as you, fixing a PC for a friend. I discovered and removed the rootkit with Kaspersky Rescue CD, and afterward Windows wouldn't boot. After much troubleshooting and searching, I finally landed at this page from the keywords "rootkit boot pihar c 0x0000007b". Not sure why I didn't think of this before, but I used GParted and found a small partition (about 200MB) that was set to boot. I changed the boot flag to the 250GB Windows partition and sure enough it booted up just fine.

I am now going back through and doing more scans to make sure everything is cleaned up. I had already removed stuff with Microsoft Security Essentials, Norton Rescue Disc, and Malwarebytes. Since the rootkit should still be cleaned/deleted thanks to Kaspersky, I don't expect to find anything else.

Thanks again. I was very close to throwing in the towel and doing a factory image restore, which I only like to do as a last resort.
techsag (Newbie, Group: Members, Posts: 1, Joined: 1.02.2013)
post 1.02.2013 03:17, Post #14

QUOTE(cottington @ 12.01.2013 15:00) *
I registered just to say thanks for this! I was in the same situation as you, fixing a PC for a friend. I discovered and removed the rootkit with Kaspersky Rescue CD, and afterward Windows wouldn't boot. After much troubleshooting and searching, I finally landed at this page from the keywords "rootkit boot pihar c 0x0000007b". Not sure why I didn't think of this before, but I used GParted and found a small partition (about 200MB) that was set to boot. I changed the boot flag to the 250GB Windows partition and sure enough it booted up just fine.

I am now going back through and doing more scans to make sure everything is cleaned up. I had already removed stuff with Microsoft Security Essentials, Norton Rescue Disc, and Malwarebytes. Since the rootkit should still be cleaned/deleted thanks to Kaspersky, I don't expect to find anything else.

Thanks again. I was very close to throwing in the towel and doing a factory image restore, which I only like to do as a last resort.


Thank you both. You have solved a very annoying problem. Bravo.
KillerKilgore (Member, Group: Members, Posts: 13, Joined: 19.11.2011)
post 15.02.2013 08:13, Post #15

You both are welcome.

Never give up. Anyone can reformat a machine and start over from scratch.
It takes a problem solver, a troubleshooter you could say, to find the issue and FIX it.

That is why no one is willing to pay for computer repair. It is hard and takes some persistence and research.
It is much easier to

QUOTE(cottington @ 12.01.2013 16:00) *
... throwing in the towel and doing a factory image restore, which I only like to do as a last resort.


I am glad to see there are others out there like me that refuse to give up and let a dumb machine beat them,
let that machine require them to reacquire all the data that was on the computer before the no-good SOB wrote a virus and set it loose on the net.

The computer may contain your only picture or other cherished memory of a loved one that has long since passed from this earth.

It may be part of the SETI@home project and be the last machine needed to confirm life on another planet exists, or that a cure for cancer is found.

Never give up and reformat a computer after a virus removal. Try all things. Just remember, the computer was working somewhat before removing the virus. It can and will work again. If nothing else, use this time as a learning experience. The computer isn't working? Try some new (to you) software (GParted or GRUB, maybe?).

The main thing is NOT TO GIVE UP! And for that I SALUTE you.


KillerKilgore
zygd (Newbie, Group: Members, Posts: 3, Joined: 19.02.2013)
post 20.02.2013 12:44, Post #16

QUOTE(KillerKilgore @ 15.02.2013 07:13) *
That is why no one is willing to pay for computer repair. It is hard and takes some persistence and research.
It is much easier to ...

... The main thing is NOT TO GIVE UP! And for that I SALUTE you.


KillerKilgore


Sometimes it is not possible to revert all changes made by malicious software. For example, Sality (one of its kind) changes
exe files, and even after a successful clean, the exe files never come back to what they were before: bad CRC sum, so applications can't download updates, and some installs are unworkable.
In these moments the best option is to revert with an HDD image (Norton Ghost, Snapshot, other apps). In my example I had cured Sality with KRD, and then reverted my HDD image.
