Removing Rootkit.Boot.SST.a leaves you with unbootable Windows 7

Last night I had to deal with one very nasty rootkit, Rootkit.Boot.SST.a. Removing it is pretty easy (I used the Kaspersky Rescue Disk), but once it is gone Windows 7 no longer boots and you are left with STOP 0x0000007B (INACCESSIBLE_BOOT_DEVICE).

If you boot a Windows 7 disc and try to repair the boot files with bootrec.exe, /fixmbr and /fixboot complete without helping, and /scanos (like /rebuildbcd, which is what would normally recreate the boot configuration) reports Total identified Windows installations: 0, meaning bootrec does not see the partition containing Windows 7 and so cannot rebuild the BCD for you.

I found a solution here, and boy was it a pain, but it worked and I am very grateful to them 🙂

Here's an excerpt:

  1. Boot to the Windows Recovery Environment either by selecting Repair Your Computer when Windows fails to boot, by inserting the Windows installation disc, or by using a Windows ERD/MS DART disc (if you happen to have access to one, that is).
  2. Cancel the recovery attempt if it tries to start on its own (it will fail anyway) and then choose the advanced options link at the bottom of the window.
  3. Choose to open the Command Prompt.
  4. Here’s the fun part.  Once at the prompt, enter the following commands one by one.  Take care not to mistype anything, and be sure to replace C: with whatever your system drive happens to be:

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force
bcdedit /export C:\BCD_Backup
attrib -h -s C:\boot\BCD
ren C:\boot\BCD BCD.old
bcdedit /createstore c:\boot\bcd.temp
bcdedit.exe /store c:\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit.exe /import c:\boot\bcd.temp
bcdedit.exe /set {bootmgr} device partition=C:
bcdedit.exe /timeout 10
attrib -h -s C:\boot\bcd.temp
del c:\boot\bcd.temp
bcdedit.exe /create /d "Windows 7" /application osloader

At this point, note the value within the curly braces {……..}, as you will need it during the next steps. Replace the dots within the curly braces below with that entire string on each line. NOTE: To make this easier, once you have typed it once, you can press the Up arrow to restore the last command and simply edit that line for the next one.

bcdedit.exe /set {…..} device partition=C:
bcdedit.exe /set {…..} osdevice partition=C:
bcdedit.exe /set {…..} path \Windows\system32\winload.exe
bcdedit.exe /set {…..} systemroot \Windows
bcdedit.exe /displayorder {…..}
bcdedit.exe /default {…..} 
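The same rebuild as one script, so the GUID step cannot be mistyped. This is an added example written for this post; it is not the script from the linked source and not something the author ran. It assumes the Windows volume is C: as seen from the recovery prompt (WinRE sometimes assigns a different letter than the installed system uses, so the script refuses to run unless winload.exe is actually there, and you can pass another letter as the first argument). It also restricts bootsect to that one volume instead of the excerpt's `all`, because `/nt60 all /force` rewrites the boot sector of every volume it finds, which silently destroys GRUB or any other non-Windows boot sector on a dual-boot machine. The GUID of the new entry is parsed out of the braces in bcdedit's "The entry {…} was successfully created." line; that parsing is an assumption about the output format that held on Windows 7.

```batch
@echo off
REM rebuild-bcd.cmd - recreate the Windows 7 BCD store from scratch inside WinRE.
REM Added example for this post (not the quoted source's script). Assumes the
REM Windows volume is C: at the recovery prompt; override with: rebuild-bcd.cmd D:
setlocal

set "SYS=%~1"
if "%SYS%"=="" set "SYS=C:"

REM Sanity check: only proceed if the loader exists where the BCD will point.
if not exist "%SYS%\Windows\system32\winload.exe" (
    echo %SYS%\Windows\system32\winload.exe not found - wrong drive letter?
    exit /b 1
)

REM 1. Rewrite the MBR bootstrap code and the boot sector of the system volume only.
REM    (bootsect /nt60 all /force would also overwrite GRUB or any other boot sector.)
bootrec.exe /fixmbr
bootsect.exe /nt60 %SYS% /force

REM 2. Keep a copy of whatever store exists before touching it.
if exist "%SYS%\boot\BCD" (
    bcdedit /export "%SYS%\BCD_Backup"
    attrib -h -s "%SYS%\boot\BCD"
    ren "%SYS%\boot\BCD" BCD.old
)

REM 3. Build a temporary store holding a boot manager entry, then import it as
REM    the system store and point the boot manager at the system volume.
bcdedit /createstore "%SYS%\boot\bcd.temp"
bcdedit /store "%SYS%\boot\bcd.temp" /create {bootmgr} /d "Windows Boot Manager"
bcdedit /import "%SYS%\boot\bcd.temp"
bcdedit /set {bootmgr} device partition=%SYS%
bcdedit /timeout 10
attrib -h -s "%SYS%\boot\bcd.temp"
del "%SYS%\boot\bcd.temp"

REM 4. Create the OS loader entry and capture its GUID from bcdedit's output
REM    ("The entry {xxxxxxxx-...} was successfully created.") instead of retyping it.
set "GUID="
for /f "tokens=2 delims={}" %%G in ('bcdedit /create /d "Windows 7" /application osloader') do set "GUID={%%G}"
if not defined GUID (
    echo Could not parse the GUID of the new osloader entry.
    exit /b 1
)
echo New osloader entry: %GUID%

bcdedit /set %GUID% device partition=%SYS%
bcdedit /set %GUID% osdevice partition=%SYS%
bcdedit /set %GUID% path \Windows\system32\winload.exe
bcdedit /set %GUID% systemroot \Windows
bcdedit /displayorder %GUID%
bcdedit /default %GUID%

REM 5. Show the result so device, osdevice and path can be checked before rebooting.
bcdedit /enum all
endlocal
```

Save it as rebuild-bcd.cmd on a USB stick, run it from the WinRE command prompt, and read the final `bcdedit /enum all` output: the Windows Boot Loader entry should show device and osdevice as the same partition and path as \Windows\system32\winload.exe. If the GUID parse fails (localized output, or bcdedit printing something other than the new entry's braces), fall back to the manual steps above.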

When I rebooted after I ran these commands Windows still crashed. I then proceeded to rerun the built-in Windows 7 startup repair. After about 1 minute of the Startup repair everything was fixed and Windows 7 booted normally.


5 Responses to Removing Rootkit.Boot.SST.a leaves you with unbootable Windows 7

  1. Exit2600x May 14, 2012 at 10:05 pm #

    Holy crap, thank you for sharing.

  2. MHazell May 16, 2012 at 1:28 am #

    Well that was a lot of work.

    As far as the CMD goes, I prefer using Linux Terminals, but I can deal with Windows CMDs. You clearly know your CMD!

    Hey Matt, if you like to dual boot your machine with something linux, then I recommend you use GRUB. It is a good bootloader. Go read about it online. I dual boot Windows XP and Ubuntu 12.04 Long Term Support (LTS).

    And did you get the Google thing settled out? How much traffic do you get from Bing?

  3. Dave May 16, 2012 at 10:44 pm #

    Matt, where did you get all those command entries from?

    • Dave May 16, 2012 at 10:47 pm #

      Sorry, I didn’t follow the link until after the fact.

  4. Bubba May 21, 2012 at 9:20 pm #

    Any news on a new video Matt?
