KillerKilgore

Pihar.b rootkit removed now cant boot

16 posts in this topic

I am working on a laptop for a friend. I booted the laptop (Windows 7) and saw all the icons were gone and nothing in the start menu.

 

I shut down the machine. I inserted the Kaspersky Rescue Disk 10 and updated it to current virus defs for 11.18.11.

Ran a scan of sda1, the only hard drive, with the rootkit and hidden startup options checked.

The only thing that was found was the pihar.b rootkit.

I removed the rootkit, rebooted, and now get a flash of the BSOD with error code 0x0000007b and then a reboot.

 

Where do I go from here?

 

Thanks in advance,

KillerKilgore


Thanks richbuff for the quick reply.

 

There has to be another option than doing a repair install. Besides, I do not have a disk, and I don't remember if it has a reinstall partition or not.

 

Edit:

If I can't do something else, can I put the rootkit back in?

The Kaspersky disk said it did a backup before it was deleted. I did notice that there is a Kaspersky folder on the HD, and it did/does store the virus defs there.

 

If I can restore the rootkit and get the system back up, I can use other options to remove the rootkit.

Found something elsewhere that recommends a regedit to remove the virus?

 

http://www.zimbio.com/Spyware/articles/2MH...ar+b+Completely

 

End edit

 

Thanks in advance,

 

KillerKilgore


Well, if I had not deleted it I might have been able to restore it, but restore is not an option on the right menu of quarantined items.

 

The laptop does have a recovery partition, but when I ran it, it said it would set back to a new OS and lose all data. Can't do that.

 

Started it and it gives options to do a startup repair. Did that and it recommended a restore to a previous date, but it chose the date, not me. Restarted and still nothing. Running startup repair again; will let you know the result.

 

KillerKilgore

 


Well, the startup repair ran twice. No luck.

 

Went into advanced mode and into the command prompt.

Did the dir command; it only showed a few files named cybdefwebinstaller.log and 2 other cybdef*.log. Deleted them.

Did not see the Windows dir.

Ran attrib -h *.* /s /d. Got a lot of errors saying it could not set the -h attribute on system files; that's OK.

 

Can now see the Windows dir and others.

Deleted all files in c:\windows\temp.

 

Rebooted; still the same reboot cycle.

 

Will make a Win7PE disk and try to see what is in the registry dealing with that cybdef stuff.

 

Will keep you posted.

 

The only reason I'm doing this is that it might help someone else on down the road.

 

Kilgore, out


Quote from http://www.sevenforums.com/tutorials/3413-...ir-install.html

 

You can only do a repair install from within Windows 7.

You cannot do a repair install at boot or in Safe Mode.

You must be logged into Windows 7 in an administrator account to be able to do a repair install.

 

end Quote

 

Quote from my 1st post

 

I removed the rootkit. rebooted and now get a flash of the BSOD with error code 0x0000007b and then a reboot.

 

end Quote

 

Another brick in the wall. That WILL fall and land all over me and my mission.

 

KillerKilgore


OK, I now know that Pihar is a NASTY SOB that infects the MBR of the infected machine and is aka TDL4. It installs a hidden boot partition that gets loaded before your OS and communicates that way.

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot.

 

Kinda looks like there will have to be a complete reinstall of the OS after nuking the HD (low-level reformat).

 

I am going to try and see if there is a backup of the MBR and try to restore it.

 

My advice to anyone infected with a rootkit: BEFORE removing any rootkit with a bootable scan,

research what kind of rootkit it is (listed in the scan results) and try to find another way of removing it.

 

Hindsight is 20/20 and I'm still blinded by the light.

 

KillerKilgore

 

:dash1:

This is me pounding my head against the wall till it starts to feel good. Then pounding it some more.


 

 

 

I ROCK!!!!!!!!!!!!!!!!!!!!!!!!

 

There were 4 partitions on the HD, none hidden.

The 1st was a small 300 MB one that was set to active.

 

I saved the MBR and partition info (just in case) and then started.

 

I set the 130 GB partition active and then rebooted.

 

IT'S ALIVE AND BREATHING.

 

Windows came right up and I was able to log into the OS.

I will now do a couple of scans to see what else could be wrong, after I image the HD so that I have a way to get back to this starting point!!!!!!

 

KillerKilgore

 

This is proof that there is more than 1 way to skin a cat.

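The fix in the post above (and the GParted "boot flag" fix a later reply describes) comes down to one byte per partition entry: the status byte at the start of each 16-byte MBR partition entry, 0x80 for active, 0x00 otherwise. The example below is added here and is not the poster's, Kaspersky's or GParted's own code; it parses a 512-byte MBR dump, reports which partition is active, runs a few sanity checks, and writes a copy with the flag moved. It assumes a classic MBR disk (boot code in bytes 0..445, four entries at offset 446, 0x55AA signature at offset 510) and a dump taken from a rescue disk with `dd if=/dev/sda of=mbr.bin bs=512 count=1`; keep that dump as the backup the poster made before changing anything. The sample partition table in `build_sample_mbr` is constructed to resemble the laptop in the thread, not a real dump. Two caveats a practitioner wants: a small active partition in front of the Windows partition is also the normal layout of a fresh Windows 7 install (the "System Reserved" partition that holds bootmgr and \Boot\BCD), so confirm from the recovery command prompt that the partition you are about to mark active actually contains bootmgr before moving the flag; and this code does not touch the boot code itself, which is the part of the MBR the thread says TDL4 infects, so compare those 446 bytes against a known-good backup separately.

```python
"""Inspect an MBR dump and move the boot (active) flag between partitions.

Added example; not code from the thread, Kaspersky Rescue Disk or GParted.
Assumes a classic MBR: 446 bytes of boot code, four 16-byte partition
entries at offset 446, and the 0x55AA signature at offset 510.
"""
import struct
import sys

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
BOOT_FLAG = 0x80
SIGNATURE = b"\x55\xaa"
TYPE_NAMES = {0x00: "empty", 0x07: "NTFS/HPFS", 0x0C: "FAT32 (LBA)", 0x27: "hidden NTFS (WinRE)"}


def parse_mbr(mbr):
    """Return the four partition entries as dicts; raise if this is not an MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        parts.append({"index": i, "active": status == BOOT_FLAG, "type": ptype,
                      "start": start, "sectors": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return parts


def check_table(parts):
    """Sanity checks to run before touching the flag; returns a list of problems (empty = consistent)."""
    problems = []
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {active}")
    used = sorted((p for p in parts if p["type"] != 0x00), key=lambda p: p["start"])
    for p in used:
        if p["sectors"] == 0:
            problems.append(f"partition {p['index']} has a type but zero length")
    for a, b in zip(used, used[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    return problems


def set_active(mbr, index):
    """Return a new MBR with the boot flag on `index` only; boot code and signature are untouched."""
    parts = parse_mbr(mbr)
    if parts[index]["type"] == 0x00:
        raise ValueError(f"partition {index} is empty; refusing to mark it active")
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = BOOT_FLAG if i == index else 0x00
    return bytes(out)


def describe(parts):
    """One line per entry, '*' marking the active partition."""
    lines = []
    for p in parts:
        flag = "*" if p["active"] else " "
        name = TYPE_NAMES.get(p["type"], f"type 0x{p['type']:02x}")
        lines.append(f"{flag} #{p['index']}  start={p['start']:>11}  size={p['size_mb']:>8} MB  {name}")
    return "\n".join(lines)


def build_sample_mbr():
    """Constructed sample resembling the laptop in the thread (not a real dump):
    a 300 MB first partition carrying the boot flag, a 130 GB NTFS partition,
    a recovery partition and one empty slot."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xc0\x8e\xd0"  # token boot-code bytes so the region is non-zero
    mib = 2048                       # sectors per MiB
    entries = [
        (BOOT_FLAG, 0x07, 2048, 300 * mib),
        (0x00, 0x07, 2048 + 300 * mib, 130 * 1024 * mib),
        (0x00, 0x27, 2048 + 300 * mib + 130 * 1024 * mib, 10 * 1024 * mib),
        (0x00, 0x00, 0, 0),
    ]
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE, *entry)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_flag.py [mbr.bin [index]]; with no file the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    parts = parse_mbr(data)
    print(describe(parts))
    for problem in check_table(parts):
        print("WARNING:", problem)
    if len(sys.argv) > 2:
        fixed = set_active(data, int(sys.argv[2]))
        with open("mbr.fixed.bin", "wb") as fh:   # review, then write back with dd
            fh.write(fixed)
        print(describe(parse_mbr(fixed)))
```

Run it against the dump first with no index to see the table and any warnings; only after the target partition is confirmed to hold bootmgr, run it again with the index and write `mbr.fixed.bin` back with `dd if=mbr.fixed.bin of=/dev/sda bs=512 count=1`. Because `set_active` copies everything except the four status bytes, the original boot code and signature go back exactly as they were read.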

Just an update for people following this.

I haven't had a lot of time to work on this infected machine, but just to let everyone know, Malwarebytes found 21 infected items.

Will keep everyone posted on the progress.

 

KillerKilgore


Maybe some logs can be of additional help. Please see the Virus section of this forum, first Important topic for instructions.


I will do that.

Also, should I start another thread in the "Virus section" or just continue with this one?

 

KillerKilgore

Quote from my 1st post

I am working on a laptop for a friend. I booted the laptop (Windows 7) and saw all the icons were gone and nothing in the start menu.

I shut down the machine. I inserted the Kaspersky Rescue Disk 10 and updated it to current virus defs for 11.18.11.

Ran a scan of sda1, the only hard drive, with the rootkit and hidden startup options checked.

...

end Quote

 

Just adding this to my post again to help anyone following this or having the same issue.

 

When the screen came up to select the items, it showed sda1 and a C: drive. (As stated above, I did not scan the C: drive.)

 

After I finally got the machine to boot back into Windows (after setting the 130 GB drive to active), I shut it down again after running a Malwarebytes scan.

Booted with the Kaspersky disk again.

NOW, on the screen to select what to scan, there are 4 drives and sda1. Which is a very good thing.

 

@richbuff,

I have read the post in the "Virus-related issues" section and do plan on posting that info here.

 

Thanks,

 

KillerKilgore


I registered just to say thanks for this! I was in the same situation as you, fixing a PC for a friend. I discovered and removed the rootkit with Kaspersky Rescue CD, and afterward Windows wouldn't boot. After much troubleshooting and searching, I finally landed at this page from the keywords "rootkit boot pihar c 0x0000007b". Not sure why I didn't think of this before, but I used GParted and found a small partition (about 200MB) that was set to boot. I changed the boot flag to the 250GB Windows partition and sure enough it booted up just fine.

 

I am now going back through and doing more scans to make sure everything is cleaned up. I had already removed stuff with Microsoft Security Essentials, Norton Rescue Disc, and Malwarebytes. Since the rootkit should still be cleaned/deleted thanks to Kaspersky, I don't expect to find anything else.

 

Thanks again. I was very close to throwing in the towel and doing a factory image restore, which I only like to do as a last resort.


 

Thank you both. You have solved a very annoying problem. :bravo: :bravo: :bravo: :bravo: :bravo:


You both are welcome.

 

Never give up. Anyone can reformat a machine and start over from scratch.

It takes a problem solver, troubleshooter, you could say, to find the issue and FIX it.

 

That is why no one is willing to pay for computer repair. It is hard and takes some persistence and research.

It is much easier to

 

... throwing in the towel and doing a factory image restore, which I only like to do as a last resort.

 

I am glad to see there are others out there like me that refuse to give up and let a dumb machine beat them.

Let that machine require them to reacquire all the data that was on the computer before the no-good SOB wrote a virus and set it loose on the net.

 

The computer may contain your only picture or other cherished memory of a loved one that has long since passed from this earth.

 

It may be part of the SETI@home project and be the last machine needed to confirm that life on another planet exists, or that a cure for cancer is found.

 

Never give up and reformat a computer after a virus removal. Try all things. Just remember the computer was working, somewhat, before removing the virus. It can and will work again. If nothing else, use this time as a learning experience. The computer isn't working? Try some new (to you) software (GParted or GRUB maybe?).

 

The main thing is NOT TO GIVE UP! And for that I SALUTE you.

 

KillerKilgore

 

Quote from KillerKilgore

That is why no one is willing to pay for computer repair. It is hard and takes some persistence and research.

It is much easier to ...

... The main thing is NOT TO GIVE UP! And for that I SALUTE you.

end Quote

 

Sometimes it is not possible to revert all changes made by malicious software. For example, Sality (one of its kind) changes

exe files, and even after a successful clean, the exe files never come back to what they were before (bad CRC sum), so applications can't download updates and some installs are unworkable.

In those moments the best option is to revert with an HDD image (Norton Ghost, Snapshot, other apps). In my case I had cured Sality with KRD, and then reverted my HDD image.

 

 

