Rootkit.Boot.Pihar.c

Okay,

I CANNOT for the life of me remove this infection from the hard drive! The customer brought it in. It runs Windows XP, or it is supposed to anyway. You boot up the computer and when it goes to boot to the hard drive, all you get is a blinking cursor. I've seen this before, so I removed the hard drive and threw it into a slave computer. I have run Avast! on the hard drive and found 2 generic infections. I have externally scanned it with Malwarebytes, which found nothing (kind of surprised about that!). I ran TDSSKiller, and it does find a rootkit, Rootkit.Boot.Pihar.c, on the slaved hard drive. I tell it to Cure, it says it has to write a standard boot code, I say Yes, then it reboots the computer.

Problem is, I scan it again after the computer has rebooted, and it is STILL there!  I've tried to 'Cure' it 5 times now!  Any suggestions?
Asked by Scott Thompson (Computer Technician / Owner)

Scott Thompson (Computer Technician / Owner, author) commented:
Hey guys, that's alright :)  I figured it out FINALLY.  I put the hard drive back in the system and tried running Emsisoft offline, and AVG offline.  Neither of those removed it.  I even ran TDSSKiller from Windows Vista Recovery Console.  The infection was still there.  I could not get it to boot off the hard drive.  It had a blinking cursor STILL.

So, I thought, I am having boot issues, let's try the Ultimate Boot CD.  I went to the Smart BootManager, chose the appropriate partition, and it BOOTED!  I have removed the infections and everything is working since then!

Seaton007 commented:
Try SUPERAntiSpyware as well: http://www.superantispyware.com

Scott Thompson (author) commented:
Doing that now, but I don't think that will solve any issues since it is a rootkit issue and SUPERAntiSpyware does not scan for rootkits (I think)

Gerwin Jansen (EE MVE, Topic Advisor) commented:
Did you try booting the computer from a WinXP CD and fixing the MBR?

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue the 'fixmbr' command to restore the Master Boot Record.
Follow the onscreen instructions.
Reset and remove the CD from the CD-ROM drive.

Scott Thompson (author) commented:
Yes, gerwjansen, I tried running the fixmbr command from the recovery console.  No luck.  I also ran fixboot and bootcfg /rebuild.

Scott Thompson (author) commented:
Update, SUPERAntiSpyware finished, no infections found on the slaved drive.

Adam Leinss (Server Specialist) commented:
Try placing it back in the original computer, download Windows Defender offline to a USB stick and then boot from that stick to perform a scan.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline/

Scott Thompson (author) commented:
Quick scan with Windows Defender found nothing... running a full scan with it now.

Adam Leinss (Server Specialist) commented:
You might want to request that a moderator adds http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/ as a forum to your question so more experts get to look at it.  I doubt a full scan with WDO will make any difference in removing the boot sector virus.  I did look this virus up and I don't see anything special in terms of removing it, so I'm not sure why TDSS/WDO is having difficulty doing so.

Gerwin Jansen (EE MVE, Topic Advisor) commented:
Just a thought: how exactly do you know it's still there?

Can you try running another root kit detector like http://www.gmer.net
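Gerwin's question above ("how exactly do you know it's still there?") is best answered with data from the disk rather than a scanner verdict. The following is an added example, not code from the thread or from any of the tools named in it. It takes a copy of sector 0 read from the slaved drive, hashes the boot-code region against a reference taken from a known-clean disk (for instance the standard boot code that fixmbr writes), and sanity-checks the partition table. The reference hash, the disk size and both sample sectors are constructed for the example; the 440-byte boot-code region, disk signature at offset 440, partition table at 446 and 55AA signature at 510 are the standard MBR layout.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440       # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # the sector must end in 55 AA

def boot_code_hash(sector):
    """SHA-256 of the boot-code region only; the partition table is excluded
    so a legitimate repartition does not change the hash."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def parse_partitions(sector):
    """Decode the four primary partition entries (status, type, LBA start, length)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts

def inspect_mbr(sector, reference_hash, disk_sectors=None):
    """Compare one MBR sector against a known-clean boot-code hash and sanity-check
    its partition table. disk_sectors (total sectors on the disk, if known) lets
    the check catch entries that point past the end of the disk."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 55AA signature; sector 0 is not a valid MBR")
    matches = boot_code_hash(sector) == reference_hash
    if not matches:
        findings.append("boot code differs from the known-clean reference")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition is flagged active")
    for p in parts:
        i = p["index"]
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {i}: type 0 (unused) but non-empty geometry")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {i}: zero-length partition")
        if disk_sectors and p["type"] and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"entry {i}: extends past the end of the disk")
    return {"boot_code_matches": matches, "partitions": parts, "findings": findings}

def build_mbr(boot_code, entries, disk_sig=b"\x11\x22\x33\x44"):
    """Assemble a 512-byte MBR; used here only to construct sample input."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = disk_sig
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples. CLEAN_BOOT_CODE is arbitrary filler standing in for the
# real standard boot code, which you would hash from a known-clean disk.
CLEAN_BOOT_CODE = b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
REFERENCE_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
DISK_SECTORS = 156_301_488                          # 80 GB disk, constructed
NTFS_ENTRY = (0x80, 0x07, 63, 156_296_322)          # active NTFS partition from LBA 63

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [NTFS_ENTRY])
# Tampered copy: first bytes of the boot code patched, plus a second entry that
# points beyond the end of the disk.
TAMPERED_MBR = build_mbr(b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:],
                         [NTFS_ENTRY, (0x00, 0x17, 156_300_000, 20_000)])

if __name__ == "__main__":
    # To examine a real slaved disk, read sector 0 into `sector` first, e.g.
    # with open("/dev/sdb", "rb") as f: sector = f.read(512)
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        report = inspect_mbr(mbr, REFERENCE_HASH, DISK_SECTORS)
        print(name, "boot code matches:", report["boot_code_matches"],
              report["findings"])
```

Dump sector 0 of the slaved disk with `dd if=/dev/sdX of=mbr.bin bs=512 count=1` from a Linux boot CD, or read the raw device as the main block shows. A matching boot-code hash only says that sector 0 holds the reference code at the moment you read it; dump the sector again after each boot attempt of the drive in its own machine and compare. If the boot code comes back different, something on the disk is rewriting it, which is exactly what a scan of the slaved drive does not see.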

Scott Thompson (author) commented:
How do I request a moderator add, aleinss?

Gerwin Jansen (EE MVE, Topic Advisor) commented:
Use the 'request attention' button on top.

Scott Thompson (author) commented:
I'm stupid gerwin, I don't see the button.  The full scan with Windows Defender offline is still running.  It says that it has 'Preliminary Scan Results show malicious or potentially unwanted software might exist on my computer'  which will probably end up being something small like MyWebSearch.  Yay :P

Scott Thompson (author) commented:
Is it possible to run Gmer on a slaved drive?

Gerwin Jansen (EE MVE, Topic Advisor) commented:
You can scan slaved drives but this won't be effective because that way gmer is not able to detect hidden processes for example that would have been loaded when booting from the drive. So you'd have to build it into the machine again :)

I'll 'Request Attention' for you, button is here:
[image: attention please]

Thomas Zucker-Scharff (Solution Guide) commented:
Read my article on rootkits and reviews of free antirootkit sw

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Basically you need to run at least 3 antirootkit apps before trying to run another scan.  Also check out roguekiller.

Davis McCarn (Owner) commented:
The odds are SVCHOST.EXE, NETBT.SYS, TCPIP.SYS, USBSTOR.SYS, and CLASSPNP.SYS are all hooked with Rootkits.  If you have good copies, rename them to BAD-xxx, copy on good versions, fix the MBR, pray a little, and try booting into Safe Mode.
The PIHAR.C Bootkit is being recreated each time you try to boot the drive.
I, too, BTW, am somewhat chagrined that these things are not detected by scans with the drive connected as non-booting.
If it will boot (SAFE MODE PLEASE!) run the latest versions of TDSSKiller, ESET's SIREFEF remover, and Microsoft's MRT.
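Davis McCarn's suggestion to swap in good copies of svchost.exe and the listed drivers is safer with a hash comparison first, so that only files that actually differ from a clean install are touched. The following is an added example, not code from the thread: it assumes the slaved volume's Windows directory is reachable at a path you pass in (for instance E:\WINDOWS) and that a directory of known-good copies of those five files, taken from a clean install of the same Windows version and service pack, is available. The temporary directory tree it builds is constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Files named in the thread as likely hooked, with their location under the
# Windows directory of the slaved volume.
SUSPECT_FILES = {
    "svchost.exe": "system32",
    "netbt.sys": "system32/drivers",
    "tcpip.sys": "system32/drivers",
    "usbstor.sys": "system32/drivers",
    "classpnp.sys": "system32/drivers",
}

def sha256_of(path):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def compare(windows_dir, good_dir):
    """Return {name: 'ok' | 'modified' | 'missing' | 'no_reference'} per suspect file.
    good_dir holds copies from a clean install of the same Windows version and
    service pack; a file legitimately updated by a hotfix will otherwise show as
    'modified', so treat that verdict as a lead, not a conviction."""
    verdicts = {}
    for name, sub in SUSPECT_FILES.items():
        target = Path(windows_dir) / sub / name
        reference = Path(good_dir) / name
        if not reference.is_file():
            verdicts[name] = "no_reference"
        elif not target.is_file():
            verdicts[name] = "missing"
        elif sha256_of(target) == sha256_of(reference):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    return verdicts

def replace_modified(windows_dir, good_dir, dry_run=True):
    """Rename each modified file to BAD-<name> and copy the good copy into its place.
    Replacing rather than deleting keeps the volume bootable: Windows File
    Protection is not running while the drive is slaved and will not restore a
    file that a scanner removes. Returns the (original, quarantined) paths acted on."""
    actions = []
    for name, verdict in compare(windows_dir, good_dir).items():
        if verdict != "modified":
            continue
        target = Path(windows_dir) / SUSPECT_FILES[name] / name
        quarantined = target.with_name("BAD-" + name)
        actions.append((str(target), str(quarantined)))
        if not dry_run:
            target.rename(quarantined)
            shutil.copy2(Path(good_dir) / name, target)
    return actions

def make_demo_tree():
    """Constructed stand-in for a slaved volume plus a known-good directory, so the
    example runs without a real disk. tcpip.sys is patched and usbstor.sys is missing."""
    root = Path(tempfile.mkdtemp())
    windows_dir, good_dir = root / "WINDOWS", root / "good"
    good_dir.mkdir()
    for name, sub in SUSPECT_FILES.items():
        (windows_dir / sub).mkdir(parents=True, exist_ok=True)
        body = b"MZ" + name.encode() * 16          # fake file contents
        (good_dir / name).write_bytes(body)
        (windows_dir / sub / name).write_bytes(body)
    (windows_dir / "system32/drivers/tcpip.sys").write_bytes(b"MZ" + b"\x90" * 64)
    (windows_dir / "system32/drivers/usbstor.sys").unlink()
    return str(windows_dir), str(good_dir)

if __name__ == "__main__":
    win, good = make_demo_tree()
    print(compare(win, good))
    print("planned:", replace_modified(win, good, dry_run=True))
    replace_modified(win, good, dry_run=False)
    print(compare(win, good))
```

Run with dry_run=True first and read the planned renames; only then run it for real. A missing file is reported but not fabricated, since the good copy to put in its place must come from the same build as the rest of the installation.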

Thomas Zucker-Scharff (Solution Guide) commented:
It has been my experience that any rootkit worth its name will not be detected when the drive is connected as a non-booting drive (slaved). Rootkits detect whether the OS is running and work on those files. A well-designed rootkit will hide parts of itself in other files so it can recreate itself when needed.

In order to detect most rootkits you need to run the antirootkit software on the drive that is infected while the drive is mounted as the boot drive. Many will do a partial mount so they run 'before' Windows; this is a trick that antirootkit software uses to make the rootkit think that Windows has booted and thus be able to find and eradicate it.

younghv commented:
Just a quick follow up on the latest comment from 'tzucker'.

"Slave Scans" haven't been effective for probably about two years (or more). I know we all used to do it in the old days, but many (most) current malware variants will not be visible to the scanners. Worse, Windows File Protection service is NOT running and if your scanner deletes/quarantines critical system files without replacing them, you are going to BSOD someone's system.

Some Boot CD scanners can get the job done if they're created properly, but the Experts here need to quit recommending these old/non-functional suggestions.

David Johnson, CD, MVP (Owner) commented:
The bad news is that the machine is compromised. The best solution is to back up the data, format and re-install the operating system and restore the data. That is really the only way you can 'trust' that machine any more. You can play with anti-malware tools, i.e. SUPERAntiSpyware / Malwarebytes / TDSSKiller / ComboFix, but if they don't fix the problem then you're left with the reinstallation of the OS. Sometimes biting the bullet is the only thing you can do.

Scott Thompson (author) commented:
I understand that is an option I might have to do.  Luckily the customer is not on me too hard yet.  I am trying to run ASWMbr, but my computer loves to reboot... :(  Windows Defender Offline found nothing important.

younghv commented:
pc_solutions50501 -

You might want to give something a try that is a new (to me) tool on the market. It has been getting rave reviews by some of the best anti-malware experts.

I've used it a couple of times now and it is VERY good:

"Emsisoft Emergency Kit 2.0"
http://www.emsisoft.com/en/software/eek/

Davis McCarn (Owner) commented:
The AVG Rescue CD is very good, too; but, will not by default delete SVCHOST.EXE and you would have to have a good copy anyway.
Did you read my first post? http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_27829629.html#a38300357

younghv commented:
@DavisMcCarn -
A little EE trick for you to use to reference a comment - but only within the same thread.

Use:
http:#a + the comment number.

Example: http:#a38300357 (will link the reader right back to that comment).

Gerwin Jansen (EE MVE, Topic Advisor) commented:
@younghv - Thanks for the http:#a38302579 tip :D

David Johnson, CD, MVP (Owner) commented:
Try going to http://safety.live.com and doing a scan.

If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.

David Johnson, CD, MVP (Owner) commented:
Untested solution:
files to delete
%appdata%\random
%appdata%\local\low\sun\java\rootkit.boot.pihar.b
c:\windows\system64   (entire directory!!!)

registry entries
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run\win64 (delete the entire key)
HKCU\Software\microsoft\internet explorer\toolbar,linksfoldername = c:\windows\Network Diagnositic\xpnetdiag.exe

Gerwin Jansen (EE MVE, Topic Advisor) commented:
Hi  pc_solutions50501, how are you doing, any progress?

Gerwin Jansen (EE MVE, Topic Advisor) commented:
@Vee_Mod - thanks for the tip, I'm only after solving this problem for the asker, nothing more, nothing less. Let's hope there is some progress for the asker :)

Scott Thompson (author) commented:
TDSSKiller removed the infection from the computer once booted into Windows. Ran scans and everything is going.

Tip32a commented:
PC_solutions50501,
Can you post better detail of what steps you took with Ultimate Boot CD? I have found many links to download it and many versions.
Thanks in advance
Question has a verified solution.