
Rootkit.Boot.Pihar.c

Okay,

I CANNOT for the life of me remove this infection from the hard drive!  The customer brought it in.  It runs Windows XP, or it is supposed to anyway.  You boot up the computer and when it goes to boot to the hard drive, all you get is a blinking cursor.  I've seen this before, so I removed the hard drive and threw it into a slave computer.  I have run Avast! on the hard drive and found 2 generic infections.  I have externally scanned it with Malwarebytes, which found nothing (kind of surprised about that!).  I ran TDSSKiller, and it does find a rootkit, Rootkit.Boot.Pihar.c, on the slaved hard drive.  I tell it to Cure, it says it has to write a standard boot code, I say Yes, then it reboots the computer.

Problem is, I scan it again after the computer has rebooted, and it is STILL there!  I've tried to 'Cure' it 5 times now!  Any suggestions?

CERTIFIED EXPERT

Commented:
Try SUPERAntiSpyware as well: http://www.superantispyware.com
Scott Thompson, Computer Technician / Owner

Author

Commented:
Doing that now, but I don't think that will solve any issues since it is a rootkit issue and SUPERAntiSpyware does not scan for rootkits (I think)
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Did you try booting the computer from a WinXP CD and fixing the MBR?

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.
Scott Thompson, Computer Technician / Owner

Author

Commented:
Yes, gerwjansen, I tried running the fixmbr command from the recovery console.  No luck.  I also ran fixboot and bootcfg /rebuild.
Scott Thompson, Computer Technician / Owner

Author

Commented:
Update, SUPERAntiSpyware finished, no infections found on the slaved drive.
Adam Leinss, Systems Administrator
CERTIFIED EXPERT

Commented:
Try placing it back in the original computer, download Windows Defender offline to a USB stick and then boot from that stick to perform a scan.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline/
Scott Thompson, Computer Technician / Owner

Author

Commented:
Quick scan with Windows Defender found nothing... running a full scan with it now.
Adam Leinss, Systems Administrator
CERTIFIED EXPERT

Commented:
You might want to request that a moderator adds http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/ as a forum to your question so more experts get to look at it.  I doubt a full scan with WDO will make any difference in removing the boot sector virus.  I did look this virus up and I don't see anything special in terms of removing it, so I'm not sure why TDSS/WDO is having difficulty doing so.
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Just a thought: how exactly do you know it's still there?

Can you try running another root kit detector like http://www.gmer.net
Scott Thompson, Computer Technician / Owner

Author

Commented:
How do I request a moderator add, aleinss?
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Use the 'request attention' button on top.
Scott Thompson, Computer Technician / Owner

Author

Commented:
I'm stupid gerwin, I don't see the button.  The full scan with Windows Defender offline is still running.  It says that it has 'Preliminary Scan Results show malicious or potentially unwanted software might exist on my computer'  which will probably end up being something small like MyWebSearch.  Yay :P
Scott Thompson, Computer Technician / Owner

Author

Commented:
Is it possible to run Gmer on a slaved drive?
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
You can scan slaved drives but this won't be effective because that way gmer is not able to detect hidden processes for example that would have been loaded when booting from the drive. So you'd have to build it into the machine again :)

I'll 'Request Attention' for you, button is here:
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
Read my article on rootkits and reviews of free antirootkit sw

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

Basically you need to run at least 3 antirootkit apps before trying to run another scan.  Also check out roguekiller.
CERTIFIED EXPERT

Commented:
The odds are SVCHOST.EXE, NETBT.SYS, TCPIP.SYS, USBSTOR.SYS, and CLASSPNP.SYS are all hooked with Rootkits.  If you have good copies, rename them to BAD-xxx, copy on good versions, fix the MBR, pray a little, and try booting into Safe Mode.
The PIHAR.C Bootkit is being recreated each time you try to boot the drive.
I, too, BTW, am somewhat chagrined that these things are not detected by scans with the drive connected as non-booting.
If it will boot (SAFE MODE PLEASE!) run the latest versions of TDSSKiller, ESET's SIREFEF remover, and Microsoft's MRT.
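The fixmbr procedure above and DavisMcCarn's point that the bootkit is recreated on every boot raise a question the thread never answers directly: how do you tell, on the slaved drive, whether the standard boot code was actually written, and whether anything is parked outside the partition table? The following is an added example, not code from the thread or from TDSSKiller: it parses sector 0 as an MBR, hashes the boot-code area against a reference hash, and lists any non-zero sectors after the last partition, which is where TDL4-family bootkits (the family Pihar belongs to) keep their payload. Everything in it is constructed: the disk images are built in memory, and `CLEAN_BOOT` is a stand-in byte string, not the real Windows XP boot code. A real reference hash would be taken from a known-clean disk of the same Windows version.

```python
"""Added example: parse an MBR and audit a raw disk image for signs that a
bootkit survived an MBR rewrite.  Sample images are constructed in memory."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
# status, CHS start, type, CHS end, LBA start, sector count (16 bytes per entry)
ENTRY_FMT = "<B3sB3sII"


def build_mbr(boot_code, partitions, signature=b"\x55\xAA"):
    """Assemble a 512-byte MBR from boot code and up to four partition dicts."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, p["boot"], b"\x00" * 3, p["type"], b"\x00" * 3,
                    p["start_lba"], p["sectors"])
        for p in partitions
    ).ljust(64, b"\x00")
    return body + table + signature


def parse_mbr(sector):
    """Return signature check, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        boot, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        if ptype:
            entries.append({"boot": boot, "type": ptype,
                            "start_lba": start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def tail_nonzero_sectors(image, first_free_lba):
    """LBAs at or after first_free_lba that contain any non-zero byte."""
    total = len(image) // SECTOR
    return [lba for lba in range(first_free_lba, total)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def audit_image(image, reference_boot_sha256):
    """Findings a technician wants before trusting that an MBR fix 'took'."""
    info = parse_mbr(image[:SECTOR])
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["boot_code_sha256"] != reference_boot_sha256:
        findings.append("boot code differs from known-good reference")
    if any(p["boot"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("invalid active flag in partition table")
    total = len(image) // SECTOR
    last_end = max((p["start_lba"] + p["sectors"] for p in info["partitions"]),
                   default=1)
    if last_end > total:
        findings.append("a partition extends past the end of the disk")
    hidden = tail_nonzero_sectors(image, min(last_end, total))
    if hidden:
        findings.append(f"non-zero data after last partition at LBA {hidden}")
    return findings


# Constructed stand-in for clean boot code (NOT the real XP boot sector).
CLEAN_BOOT = bytes.fromhex("33c08ed0bc007c8ec08ed8")
REFERENCE_SHA256 = hashlib.sha256(CLEAN_BOOT.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest()
XP_PARTITION = [{"boot": 0x80, "type": 0x07, "start_lba": 63, "sectors": 40}]
DISK_SECTORS = 128


def make_image(boot_code, partitions, tail_payload=b""):
    """Build a small raw disk image: MBR, zero sectors, optional payload at the end."""
    image = bytearray(build_mbr(boot_code, partitions)) + bytearray(SECTOR * (DISK_SECTORS - 1))
    if tail_payload:
        image[-len(tail_payload):] = tail_payload
    return bytes(image)


CLEAN_IMAGE = make_image(CLEAN_BOOT, XP_PARTITION)
# "Infected": hooked boot code plus a blob parked past the last partition (two sectors).
INFECTED_IMAGE = make_image(b"\xEB\xFE" + b"\x90" * 20, XP_PARTITION,
                            tail_payload=b"TDLF" * 256)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(name, audit_image(img, REFERENCE_SHA256) or ["no findings"])
```

On the slave machine the same functions can be fed real data: Python on Windows can read the slaved disk raw with `open(r"\\.\PhysicalDrive1", "rb")` from an elevated prompt (the drive number is an assumption; reads must be whole sectors). Run it once before and once after fixmbr or TDSSKiller's "write standard boot code": if the boot-code hash does not change, the write never reached the disk, and if sectors past the last partition stay populated, the bootkit body that recreates the MBR hook is still there.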
Thomas Zucker-Scharff, Solution Guide
CERTIFIED EXPERT

Commented:
It has been my experience that any rootkit worth its name will not be detected when the drive is connected as a non-booting drive (slaved).  Rootkits detect whether the OS is running and work on those files.  A well designed rootkit will hide parts of itself in other files so it can recreate itself when needed.

In order to detect most rootkits you need to run the antirootkit software on the drive that is infected while the drive is mounted as the boot drive.  Many will do a partial mount so they run 'before' Windows; this is a trick that antirootkit software uses to make the rootkit think that Windows has booted and thus be able to find and eradicate it.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
Just a quick follow up on the latest comment from 'tzucker'.

"Slave Scans" haven't been effective for probably about two years (or more). I know we all used to do it in the old days, but many (most) current malware variants will not be visible to the scanners. Worse, Windows File Protection service is NOT running and if your scanner deletes/quarantines critical system files without replacing them, you are going to BSOD someone's system.

Some Boot CD scanners can get the job done if they're created properly, but the Experts here need to quit recommending these old/non-functional suggestions.
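DavisMcCarn's suggestion (rename the hooked system files to BAD-xxx and copy good versions over) and younghv's warning (with Windows File Protection not running on a slaved drive, a scanner that deletes without replacing leaves a system that blue-screens) fit together as one procedure: compare against known-good copies, never delete, and always put the good file in place. The following is an added example, not code from the thread or from any of the tools named in it. It runs against two constructed temporary directory trees; on a real slaved drive you would point `infected_root` at the Windows directory of the slaved install and `clean_root` at the Windows directory of a clean machine with the same version and service pack level, since files from a different hotfix level will legitimately differ.

```python
"""Added example (not from the thread): compare commonly hooked system files on
a slaved drive against known-good copies; mismatches are renamed to BAD-<name>
and the clean copy written in.  Demo trees are constructed in a temp dir."""
import hashlib
import os
import shutil
import tempfile

# Files DavisMcCarn lists as commonly hooked; paths relative to the Windows root.
SUSPECT_FILES = [
    "system32/svchost.exe",
    "system32/drivers/netbt.sys",
    "system32/drivers/tcpip.sys",
    "system32/drivers/usbstor.sys",
    "system32/drivers/classpnp.sys",
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_and_replace(infected_root, clean_root, names=SUSPECT_FILES, apply=False):
    """Return {relpath: status}.  apply=False is a dry run that changes nothing.
    Never deletes: a mismatch is renamed to BAD-<name> and the good copy written
    beside it, so the slaved install is never left without the file."""
    report = {}
    for rel in names:
        good = os.path.join(clean_root, rel)
        bad = os.path.join(infected_root, rel)
        if not os.path.isfile(good):
            report[rel] = "no clean copy; left alone"
            continue
        if not os.path.isfile(bad):
            status = "missing"
        elif sha256_file(bad) == sha256_file(good):
            report[rel] = "match"
            continue
        else:
            status = "differs"
        if apply:
            if status == "differs":
                d, n = os.path.split(bad)
                os.rename(bad, os.path.join(d, "BAD-" + n))
            os.makedirs(os.path.dirname(bad), exist_ok=True)
            shutil.copy2(good, bad)
            status += ", replaced"
        report[rel] = status
    return report


def build_demo_trees():
    """Constructed sample: two fake Windows roots, one with a patched svchost.exe
    and one driver that a scanner 'quarantined' without replacing it."""
    clean = tempfile.mkdtemp(prefix="clean_")
    infected = tempfile.mkdtemp(prefix="infected_")
    for rel in SUSPECT_FILES:
        for root in (clean, infected):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(b"MZ" + rel.encode())
    with open(os.path.join(infected, "system32/svchost.exe"), "ab") as fh:
        fh.write(b"\x90" * 16)                         # simulated hook/patch
    os.remove(os.path.join(infected, "system32/drivers/classpnp.sys"))  # simulated deletion
    return infected, clean


if __name__ == "__main__":
    infected, clean = build_demo_trees()
    print("dry run: ", compare_and_replace(infected, clean))
    print("applied: ", compare_and_replace(infected, clean, apply=True))
    print("re-check:", compare_and_replace(infected, clean))
```

Run the dry run first and read the report; only then run with `apply=True`. A "differs" on every file usually means the clean source is a different service pack or hotfix level, not that every file is hooked.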
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The bad news is that the machine is compromised. The best solution is to back up the data, format and re-install the operating system and restore the data. That is really the only way you can 'trust' that machine any more.  You can play with anti-malware tools, e.g. superantispyware / malware bytes / tdskiller / combofix, but if they don't fix the problem then you're left with the reinstallation of the O/S. Sometimes biting the bullet is the only thing you can do.
Scott Thompson, Computer Technician / Owner

Author

Commented:
I understand that is an option I might have to do.  Luckily the customer is not on me too hard yet.  I am trying to run ASWMbr, but my computer loves to reboot... :(  Windows Defender Offline found nothing important.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
pc_solutions50501 -

You might want to give something a try that is a new (to me) tool on the market. It has been getting rave reviews by some of the best anti-malware experts.

I've used it a couple of times now and it is VERY good:

"Emsisoft Emergency Kit 2.0"
http://www.emsisoft.com/en/software/eek/
CERTIFIED EXPERT

Commented:
The AVG Rescue CD is very good, too; but, will not by default delete SVCHOST.EXE and you would have to have a good copy anyway.
Did you read my first post? http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_27829629.html#a38300357
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
@DavisMcCarn -
A little EE trick for you to use to reference a comment - but only within the same thread.

Use:
http:#a + the comment number.

Example: http:#a38300357 (will link the reader right back to that comment).
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
@younghv - Thanks for the http:#a38302579 tip :D
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Try going to http://safety.live.com and doing a scan.

If you can't go to http://safety.live.com, contact support at 1-866-PCSafety or 1-866-727-2338. This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For support in other countries, visit the Worldwide computer security information page.
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Untested solution:
files to delete
%appdata%\random
%appdata%\local\low\sun\java\rootkit.boot.pihar.b
c:\windows\system64   (entire directory!!!)

registry entries
Hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\run\win64 (delete the entire key)
HKCU\Software\microsoft\internet explorer\toolbar,linksfoldername = c:\windows\Network Diagnositic\xpnetdiag.exe
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
Hi  pc_solutions50501, how are you doing, any progress?
Gerwin Jansen, EE MVE, Topic Advisor
CERTIFIED EXPERT
Most Valuable Expert 2016

Commented:
@Vee_Mod - thanks for the tip, I'm only after solving this problem for the asker, nothing more, nothing less. Let's hope there is some progress for the asker :)
Scott Thompson, Computer Technician / Owner
Commented:
Hey guys, that's alright :)  I figured it out FINALLY.  I put the hard drive back in the system and tried running Emsisoft offline, and AVG offline.  Neither of those removed it.  I even ran TDSSKiller from Windows Vista Recovery Console.  The infection was still there.  I could not get it to boot off the hard drive.  It had a blinking cursor STILL.

So, I thought, I am having boot issues, let's try the Ultimate Boot CD.  I went to the Smart BootManager, chose the appropriate partition, and it BOOTED!  I have removed the infections and everything is working since then!
Scott Thompson, Computer Technician / Owner

Author

Commented:
TDSSKiller removed the infection from the computer once booted into the Windows.  Ran scans and everything going.

Commented:
PC_solutions50501,
Can you post better detail of what steps you took with Ultimate Boot CD? I have found many links to download it and many versions.
Thanks in advance