Jump to content
  • Announcements

    • Rodion Nagornov

      Долгое сохранение сообщений || Delays while posting (click here to read the full text RU/EN)   09/20/2017

      Due to some technical reasons visual delays are possible while message sending. Actually your message is published immediately - just interface works long. In such case, please, do not re-send your message immediately! Press F5 to reload the page and check if your message/topic is published. || По техническим причинам возможно визуально долгое отправление сообщений на форуме. Фактически ваше сообщение публикуется мгновенно - долго отрабатывает графика. В случае подобной ситуации, пожалуйста, сначала обновите страницу (F5) и проверьте, появилось ли ваше сообщение. Не пытайтесь сразу отправить его заново.

Rootkit.Boot.Pihar.b Keeps Coming Back

Recommended Posts

Safe mode Kapersky TDSS rootkit removing tool



19:00:03.0725 7768 Detected object count: 1

19:00:03.0725 7768 Actual detected object count: 1

19:00:23.0634 7768 \Device\Harddisk0\DR0\# - copied to quarantine

19:00:23.0636 7768 \Device\Harddisk0\DR0 - copied to quarantine

19:00:23.0701 7768 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine

19:00:23.0719 7768 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine

19:00:23.0723 7768 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine

19:00:23.0730 7768 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine

19:00:23.0737 7768 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine

19:00:23.0752 7768 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine

19:00:23.0766 7768 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine

19:00:23.0770 7768 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine

19:00:23.0773 7768 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine

19:00:23.0778 7768 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine

19:00:23.0783 7768 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine

19:00:23.0788 7768 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine

19:00:23.0923 7768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot

19:00:23.0924 7768 \Device\Harddisk0\DR0 - ok

19:00:24.0388 7768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure



24 hours later it returns, I clean in safe mode, it comes back again. Done this 4 times. How do I keep it from coming back???






Registry Keys Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 1

C:\Users\Hammerdown\Local Settings\TempDIR\BetterInstaller.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.



AVG popped up and caught this:

"3/7/2012, 2:47:18 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was quarantined."

"3/7/2012, 2:46:57 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was quarantined."

"3/7/2012, 2:46:54 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QMKOEUCUOL.EXE was detected."

"3/7/2012, 2:46:54 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QROCWMOEUIGIELKITHIYVWVEV.EXE was quarantined."

"3/7/2012, 2:46:51 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process QROCWMOEUIGIELKITHIYVWVEV.EXE was detected."

"3/7/2012, 2:46:49 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process CSRDISP.EXE was detected."

"3/7/2012, 2:46:48 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process PHKVGLMBLQJKJCGF.EXE was quarantined."

"3/7/2012, 2:46:46 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process PHKVGLMBLQJKJCGF.EXE was detected."

"3/7/2012, 2:46:46 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process WFBEHXAEONXJZBGXOR.EXE was quarantined."

"3/7/2012, 2:46:27 PM";"NT AUTHORITY\SYSTEM";"IDP";"Process WFBEHXAEONXJZBGXOR.EXE was detected."


Share this post

Link to post

Welcome. Please see the first Important topic. There, you will find instructions for the two preliminary logs.



Please see the small print that is located at the bottom of this message.

Share this post

Link to post

You're welcome. Vista Business SP1? Where is Service Pack 2?


Also, I noticed that you don't have Kaspersky installed. After you fix your Vista....


...If you don't have Kaspersky installed, please feel free to use the AVP Tool. It is linked in the first Important topic.

Attach its sysinfo.zip. Located at Desktop\Virus Removal Tool\LOG\avptool_sysinfo.zip

Share this post

Link to post

Please try this link: http://devbuilds.kaspersky-labs.com/devbui...03_09_09_09.exe


The current Service Pack contains reliability updates and functionality updates and critical security updates. Let me guess: you do not have Windows updates that come out on Patch Tuesday?


The surface of this planet is crammed to the rafters with security experts who lie awake sleepless all night, trying to figure out how to get people to install the current Service Pack and all Windows updates. But I am not going to spend more than two minutes on this effort at this juncture. If your next log does not show up-to-date Windows, then you can see if another moderator would like to continue with this topic. :)

Share this post

Link to post

I run Windows update every few days manually and take all security updates. I purposely have not installed SP2 because of incompatibilities with my laptop (VAIO) hardware. Going on three years after SP2 was released and not had a single problem running SP1. I won't be installing SP2 until I solve this rootkit and I do a Ghost of my clean system.

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now