Solved

Rootkit.Boot.Pihar.c

Posted on 2012-08-15
Medium Priority
2,961 Views
Last Modified: 2013-11-22
Okay,

I CANNOT for the life of me remove this infection from the hard drive!  The customer brought it in.  It runs Windows XP, or it is supposed to anyway.  You boot up the computer and when it goes to boot to the hard drive, all you get is a blinking cursor.  I've seen this before, so I removed the hard drive and threw it into a slave computer.  I have run Avast! on the hard drive and found 2 generic infections.  I have externally scanned it with Malwarebytes, which found nothing (kind of surprised about that!).  I ran TDSSKiller, and it does find a rootkit, Rootkit.Boot.Pihar.c, on the slaved hard drive.  I tell it to Cure, it says it has to write a standard boot code, I say Yes, then it reboots the computer.

Problem is, I scan it again after the computer has rebooted, and it is STILL there!  I've tried to 'Cure' it 5 times now!  Any suggestions?
0
Question by:Scott Thompson
31 Comments
 
LVL 12

Expert Comment

by:Seaton007
ID: 38296420
Try SUPERAntiSpyware as well: http://www.superantispyware.com
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38296458
Doing that now, but I don't think that will solve any issues since it is a rootkit issue and SUPERAntiSpyware does not scan for rootkits (I think)
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38296654
Did you try booting the computer from a WinXP CD and fixing the MBR?

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Restart and remove the CD from the CD-ROM drive.
0
LVL 8

Author Comment

by:Scott Thompson
ID: 38296805
Yes, gerwjansen, I tried running the fixmbr command from the recovery console.  No luck.  I also ran fixboot and bootcfg /rebuild.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38296906
Update, SUPERAntiSpyware finished, no infections found on the slaved drive.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 38296958
Try placing it back in the original computer, download Windows Defender offline to a USB stick and then boot from that stick to perform a scan.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline/
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38297503
Quick scan with Windows Defender found nothing... running a full scan with it now.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 38297561
You might want to request that a moderator adds http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/ as a forum to your question so more experts get to look at it.  I doubt a full scan with WDO will make any difference in removing the boot sector virus.  I did look this virus up and I don't see anything special in terms of removing it, so I'm not sure why TDSS/WDO is having difficulty doing so.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38298027
Just a thought: how exactly do you know it's still there?

Can you try running another rootkit detector like http://www.gmer.net
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38298215
How do I request a moderator add, aleinss?
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38298242
Use the 'request attention' button on top.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38298410
I'm stupid gerwin, I don't see the button.  The full scan with Windows Defender offline is still running.  It says that it has 'Preliminary Scan Results show malicious or potentially unwanted software might exist on my computer'  which will probably end up being something small like MyWebSearch.  Yay :P
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38298429
Is it possible to run Gmer on a slaved drive?
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38299397
You can scan slaved drives but this won't be effective because that way gmer is not able to detect hidden processes for example that would have been loaded when booting from the drive. So you'd have to build it into the machine again :)

I'll 'Request Attention' for you, the button is here:
[screenshot of the Request Attention button]
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 38300228
Read my article on rootkits and reviews of free antirootkit sw

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Basically you need to run at least 3 anti-rootkit apps before trying to run another scan.  Also check out RogueKiller.
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38300357
The odds are SVCHOST.EXE, NETBT.SYS, TCPIP.SYS, USBSTOR.SYS, and CLASSPNP.SYS are all hooked with Rootkits.  If you have good copies, rename them to BAD-xxx, copy on good versions, fix the MBR, pray a little, and try booting into Safe Mode.
The PIHAR.C Bootkit is being recreated each time you try to boot the drive.
I, too, BTW, am somewhat chagrined that these things are not detected by scans with the drive connected as non-booting.
If it will boot (SAFE MODE PLEASE!) run the latest versions of TDSSKiller, ESET's SIREFEF remover, and Microsoft's MRT.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 38300441
It has been my experience that any rootkit worth its name will not be detected when the drive is connected as a non-booting drive (slaved).  Rootkits detect whether the OS is running and work on those files.  A well designed rootkit will hide parts of itself in other files so it can recreate itself when needed.

In order to detect most rootkits you need to run the anti-rootkit software on the drive that is infected while the drive is mounted as the boot drive.  Many will do a partial mount so they run 'before' Windows; this is a trick that anti-rootkit software uses to make the rootkit think that Windows has booted and thus be able to find and eradicate it.
0
 
LVL 38

Expert Comment

by:younghv
ID: 38300493
Just a quick follow up on the latest comment from 'tzucker'.

"Slave Scans" haven't been effective for probably about two years (or more). I know we all used to do it in the old days, but many (most) current malware variants will not be visible to the scanners. Worse, Windows File Protection service is NOT running and if your scanner deletes/quarantines critical system files without replacing them, you are going to BSOD someone's system.

Some Boot CD scanners can get the job done if they're created properly, but the Experts here need to quit recommending these old/non-functional suggestions.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38301257
The bad news is that the machine is compromised. The best solution is to back up the data, format and re-install the operating system and restore the data. That is really the only way you can 'trust' that machine any more.  You can play with anti-malware tools, i.e. SUPERAntiSpyware / Malwarebytes / TDSSKiller / ComboFix, but if they don't fix the problem then you're left with the reinstallation of the OS. Sometimes biting the bullet is the only thing you can do.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 38301866
I understand that is an option I might have to do.  Luckily the customer is not on me too hard yet.  I am trying to run aswMBR, but my computer loves to reboot... :(  Windows Defender Offline found nothing important.
0
 
LVL 38

Expert Comment

by:younghv
ID: 38302033
pc_solutions50501 -

You might want to give something a try that is a new (to me) tool on the market. It has been getting rave reviews by some of the best anti-malware experts.

I've used it a couple of times now and it is VERY good:

"Emsisoft Emergency Kit 2.0"
http://www.emsisoft.com/en/software/eek/
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 38302468
The AVG Rescue CD is very good, too; but, will not by default delete SVCHOST.EXE and you would have to have a good copy anyway.
Did you read my first post? http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_27829629.html#a38300357
0
 
LVL 38

Expert Comment

by:younghv
ID: 38302579
@DavisMcCarn -
A little EE trick for you to use to reference a comment - but only within the same thread.

Use:
http:#a + the comment number.

Example: http:#a38300357 (will link the reader right back to that comment).
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38303816
@younghv - Thanks for the http:#a38302579 tip :D
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38304303
Try going to http://safety.live.com and doing a scan.

If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38304333
Untested solution:
files to delete
%appdata%\random
%appdata%\local\low\sun\java\rootkit.boot.pihar.b
c:\windows\system64   (entire directory!!!)

registry entries
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run\win64 (delete the entire key)
HKCU\Software\microsoft\internet explorer\toolbar,linksfoldername = c:\windows\Network Diagnostic\xpnetdiag.exe
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38310870
Hi  pc_solutions50501, how are you doing, any progress?
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 38311842
@Vee_Mod - thanks for the tip, I'm only after solving this problem for the asker, nothing more, nothing less. Let's hope there is some progress for the asker :)
0
 
LVL 8

Accepted Solution

by:Scott Thompson (earned 0 total points)
ID: 38313913
Hey guys, that's alright :)  I figured it out FINALLY.  I put the hard drive back in the system and tried running Emsisoft offline, and AVG offline.  Neither of those removed it.  I even ran TDSSKiller from Windows Vista Recovery Console.  The infection was still there.  I could not get it to boot off the hard drive.  It had a blinking cursor STILL.

So, I thought, I am having boot issues, let's try the Ultimate Boot CD.  I went to the Smart BootManager, chose the appropriate partition, and it BOOTED!  I have removed the infections and everything is working since then!
0
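The question in http:#a38298027 (how exactly do you know it's still there?), the fixmbr step in http:#a38296654, and the accepted solution's trick of letting Smart BootManager load the partition directly all come down to the same on-disk facts: what code sits in the MBR, where the active partition's own boot sector is, and what is in the sectors that no partition owns. The script below is an added example written for this page; it is not code from the thread, from TDSSKiller or from Ultimate Boot CD. Given a raw MBR-partitioned disk image it reports whether the MBR boot code still carries the three error strings a stock Windows XP MBR contains (code that has been replaced by a bootkit normally does not), whether the active partition's VBR looks like a valid NTFS boot sector (that is the sector a boot manager chain-loads, which is why the partition can still boot while the MBR is hostile), and which unallocated sectors past the last partition are non-zero (the TDL4 family, to which Pihar is assumed here to belong, keeps its hidden file system in that region, and fixmbr never touches it). The 512-byte sector size, the stock-MBR strings, the three constructed sample disks (CLEAN_IMAGE, INFECTED_IMAGE, FIXMBR_IMAGE) and the byte patterns in their boot code are the example's own assumptions, not real Pihar or Microsoft bytes.

```python
"""MBR / partition-table triage for a raw, MBR-partitioned disk image.

Added example, not from the thread, TDSSKiller or Ultimate Boot CD.
Assumed (not stated on the page): 512-byte sectors, classic MBR
partitioning, and that a stock Windows XP MBR carries the three
error strings in STOCK_MBR_STRINGS inside its boot code.
"""
import hashlib
import struct

SECTOR = 512
STOCK_MBR_STRINGS = (b"Invalid partition table",
                     b"Error loading operating system",
                     b"Missing operating system")


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"index": i, "active": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts}


def looks_like_stock_windows_mbr(sector: bytes) -> bool:
    """True if the boot-code area still contains all three stock error strings."""
    return all(s in sector[:440] for s in STOCK_MBR_STRINGS)


def active_partition(mbr: dict):
    active = [p for p in mbr["partitions"] if p["active"]]
    return active[0] if len(active) == 1 else None   # exactly one bootable entry expected


def vbr_is_ntfs(vbr: bytes) -> bool:
    """The VBR a boot manager chain-loads: jump, 'NTFS    ' OEM id, 0x55AA trailer."""
    return len(vbr) == SECTOR and vbr[3:11] == b"NTFS    " and vbr[510:512] == b"\x55\xAA"


def unallocated_tail(image: bytes, mbr: dict):
    """(first_lba, last_lba) of sectors after the last partition, or None."""
    total = len(image) // SECTOR
    end = max((p["lba"] + p["sectors"] for p in mbr["partitions"]), default=1)
    return (end, total - 1) if end < total else None


def nonzero_tail_sectors(image: bytes, mbr: dict) -> list:
    """LBAs in the unallocated tail that hold any non-zero byte."""
    tail = unallocated_tail(image, mbr)
    if tail is None:
        return []
    return [lba for lba in range(tail[0], tail[1] + 1)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def triage(image: bytes) -> dict:
    mbr = parse_mbr(image[:SECTOR])
    act = active_partition(mbr)
    vbr = image[act["lba"] * SECTOR:(act["lba"] + 1) * SECTOR] if act else b""
    return {"stock_mbr_code": looks_like_stock_windows_mbr(image[:SECTOR]),
            "code_sha256": mbr["code_sha256"],
            "active_partition_lba": act["lba"] if act else None,
            "active_vbr_ntfs": vbr_is_ntfs(vbr),
            "nonzero_unallocated_tail": nonzero_tail_sectors(image, mbr)}


# ---- constructed sample disks (64 sectors; not real Pihar or Windows bytes) ----
def build_image(mbr_code: bytes, tail_payload: bytes = b"") -> bytes:
    """One active NTFS partition at LBA 1..40, unallocated sectors 41..63,
    optionally with tail_payload planted in the very last sector."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 1, 40).ljust(64, b"\x00")
    mbr = (mbr_code.ljust(440, b"\x90") + struct.pack("<I", 0x12345678)
           + b"\x00\x00" + table + b"\x55\xAA")
    vbr = b"\xEB\x52\x90NTFS    ".ljust(510, b"\x00") + b"\x55\xAA"
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = mbr
    image[SECTOR:2 * SECTOR] = vbr
    if tail_payload:
        image[-SECTOR:] = tail_payload.ljust(SECTOR, b"\x00")[:SECTOR]
    return bytes(image)


STOCK_LIKE_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00".join(STOCK_MBR_STRINGS) + b"\x00"
BOOTKIT_LIKE_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xB8\x3F\x00\xCD\x13"   # no error strings
HIDDEN_FS = b"constructed stand-in for a TDL4-style hidden file system"

CLEAN_IMAGE = build_image(STOCK_LIKE_CODE)
INFECTED_IMAGE = build_image(BOOTKIT_LIKE_CODE, HIDDEN_FS)
# what 'fixmbr' leaves behind: stock code written back, tail sectors untouched
FIXMBR_IMAGE = build_image(STOCK_LIKE_CODE, HIDDEN_FS)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE),
                      ("after fixmbr", FIXMBR_IMAGE)):
        print(name, triage(img))
```

On a real slaved drive you would read only the first sector and the tail of \\.\PhysicalDriveN (Administrator required) rather than the whole disk. A non-zero tail is a lead to inspect, not proof: leftover data from an earlier partition layout lives there too. The stock-string check only says the code is not the standard Microsoft MBR, which is equally true of GRUB or an OEM recovery MBR, so treat it the same way. The code_sha256 value is meant to be compared against the MBR of a known-clean installation of the same Windows build, which is the one comparison that does not depend on either heuristic.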
 
LVL 8

Author Closing Comment

by:Scott Thompson
ID: 38332152
TDSSKiller removed the infection from the computer once booted into Windows.  Ran scans and everything going.
0
 

Expert Comment

by:Tip32a
ID: 38374423
PC_solutions50501,
Can you post better detail of what steps you took with Ultimate Boot CD? I have found many links to download it and many versions.
Thanks in advance
0

Question has a verified solution.
