Removing Rootkit.Boot.SST.a leaves you with unbootable Windows 7

Last night I had to deal with one very nasty rootkit called Rootkit.Boot.SST.a. Removing the rootkit is pretty easy (I used the Kaspersky Rescue Disk), but once it's removed Windows 7 becomes unbootable and you're left with a 0x0000007b stop error.

If you try to use a Windows 7 disc to repair the MBR with bootrec.exe /fixboot, /fixmbr or /scanos, it reports "Windows Installations: 0" (meaning bootrec doesn't see the partition containing Windows 7).

I found a solution here, and boy was it a pain, but it worked and I was very grateful to them 🙂

Here's an excerpt:

  1. Boot to the Windows Recovery Environment either by selecting Repair Your Computer when Windows fails to boot, by inserting the Windows installation disc, or by using a Windows ERD/MS DART disc (if you happen to have access to one, that is).
  2. Cancel the recovery attempt if it tries to start on its own (it will fail anyway) and then choose the advanced options link at the bottom of the window.
  3. Choose to open the Command Prompt.
  4. Here's the fun part. Once at the prompt, enter the following commands one by one. Take care not to mistype anything, and be sure to replace C: with whatever your system drive happens to be:

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force
bcdedit /export C:\BCD_Backup
attrib -h -s C:\boot\BCD
ren C:\boot\BCD BCD.old
bcdedit /createstore c:\boot\bcd.temp
bcdedit.exe /store c:\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit.exe /import c:\boot\bcd.temp
bcdedit.exe /set {bootmgr} device partition=C:
bcdedit.exe /timeout 10
attrib -h -s C:\boot\bcd.temp
del c:\boot\bcd.temp
bcdedit.exe /create /d "Windows 7" /application osloader

At this point, note the value within the curly braces {……..}, as you will need it during the next steps. Replace the dots within the curly braces below with that entire string on each line. NOTE: To make this easier, once you have typed it once you can press the Up arrow to recall the last command and simply edit that line for the next one.

bcdedit.exe /set {…..} device partition=C:
bcdedit.exe /set {…..} osdevice partition=C:
bcdedit.exe /set {…..} path \Windows\system32\winload.exe
bcdedit.exe /set {…..} systemroot \Windows
bcdedit.exe /displayorder {…..}
bcdedit.exe /default {…..}
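The same command sequence as a batch script for the WinRE command prompt, added here as an example (it is not part of the original post or the linked fix). It captures the new entry's GUID from bcdedit's output so it does not have to be retyped, and assumes the system drive letter is passed as the first argument (default C:) and that bcdedit prints the new entry's identifier in curly braces.

```batch
@echo off
rem Added example, not from the original post: automates the BCD rebuild
rem described above from a WinRE / installation-disc command prompt.
rem Assumption: %1 is the system drive letter (defaults to C:).
set "SYS=%~1"
if "%SYS%"=="" set "SYS=C:"

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force
bcdedit /export %SYS%\BCD_Backup
attrib -h -s %SYS%\boot\BCD
ren %SYS%\boot\BCD BCD.old
bcdedit /createstore %SYS%\boot\bcd.temp
bcdedit.exe /store %SYS%\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit.exe /import %SYS%\boot\bcd.temp
bcdedit.exe /set {bootmgr} device partition=%SYS%
bcdedit.exe /timeout 10
attrib -h -s %SYS%\boot\bcd.temp
del %SYS%\boot\bcd.temp

rem bcdedit /create reports the new entry as "... {guid} ...".
rem Assumption: the identifier is the only text in curly braces on that line,
rem so splitting on { and } and taking the second token yields the GUID
rem regardless of the surrounding (localized) wording.
set "GUID="
for /f "tokens=2 delims={}" %%G in ('bcdedit.exe /create /d "Windows 7" /application osloader') do set "GUID={%%G}"
if not defined GUID (
    echo Could not read the new entry identifier from bcdedit output.
    exit /b 1
)
echo New osloader entry: %GUID%

bcdedit.exe /set %GUID% device partition=%SYS%
bcdedit.exe /set %GUID% osdevice partition=%SYS%
bcdedit.exe /set %GUID% path \Windows\system32\winload.exe
bcdedit.exe /set %GUID% systemroot \Windows
bcdedit.exe /displayorder %GUID%
bcdedit.exe /default %GUID%
```

Run it as `rebuild-bcd.cmd C:` (any file name works); the original BCD is kept as BCD.old and BCD_Backup, so the store can be restored if the rebuild does not help.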

When I rebooted after running these commands, Windows still crashed. I then re-ran the built-in Windows 7 Startup Repair. After about a minute of Startup Repair everything was fixed and Windows 7 booted normally.

Rootkit Causes Windows Not To Boot – Freezes at Windows Load Screen

Hi Guys, just an FYI here. I've had 3 rootkits this week that prevent Windows 7 from loading. Basically, when you start the PC Windows starts to load and then freezes on the Windows screen (black background, before the colored spinning balls).

This is easy to resolve. Just download the latest Kaspersky Rescue Disk and burn the ISO or create the bootable USB stick. Boot the PC from the Kaspersky Rescue Disk, update it (via a wired or wireless connection) and then scan the entire C drive as well as the Disk Boot Sectors.

After the scan is complete, Kaspersky will let you disinfect, delete or quarantine any malware found. Here is the order I always try to choose:

  1. Disinfect
  2. Quarantine
  3. Delete

Reboot the PC after the malware has been removed. Follow up with a Malwarebytes scan.

Getting Rid of MBR Rootkits (bootkits)

Yo everyone, for the past 2 months I've been seeing a major increase in MBR (sector 0) rootkits, a.k.a. bootkits. While these may sound scary (something on sector zero of your hard drive… oh no's) they're really pretty easy to get rid of.

Method 1 – Boot your computer from a Dr. Web Live CD and scan C: (or all your partitions). The instant the scanner starts it will find the MBR rootkit. Choose Yes to write a new signature. That effectively destroys the MBR rootkit.

Method 2 (Windows XP) – Boot your computer from the Windows XP disc and choose to enter the Recovery Console. Once you're inside the Recovery Console, issue the following command and press Enter:


…then Reboot.

Method 2 (Windows 7 or Vista) – Boot your computer from the Windows 7 or Vista disc. Choose to repair your computer, then choose the Command Prompt option (near the bottom). Enter the following command and press Enter:

Bootrec /FIXMBR

…then Reboot.

At this point your MBR rootkit should be toast.

Reboot your computer and run a scan with an updated Malwarebytes and whatever antivirus you use (I suggest Kaspersky Internet Security); quarantine and then remove whatever they find.

Lastly, here are 2 good articles from Microsoft concerning the Recovery Console and bootrec:

http://support.microsoft.com/kb/927392 – Windows 7 and Vista Bootrec.exe Documentation

http://support.microsoft.com/kb/314058 – Windows XP Recovery Console Documentation