Removing Rootkit.Boot.SST.a leaves you with unbootable Windows 7

Last night I had to deal with one very nasty rootkit. It’s called Rootkit.Boot.SST.a. Removing the rootkit is pretty easy (I used the Kaspersky Rescue Disk); however, after it’s removed, Windows 7 becomes unbootable and you’re left with a 0x0000007B stop error.

If you try to use a Windows 7 disc to repair the MBR using bootrec.exe /fixboot, /fixmbr or /scanos, it reports Windows Installations: 0 (meaning bootrec doesn’t see the partition containing Windows 7).

I found a solution here and boy was it a pain, but it worked and I was very grateful to them 🙂

Here’s an excerpt:

  1. Boot to the Windows Recovery Environment either by selecting Repair Your Computer when Windows fails to boot, by inserting the Windows installation disc, or by using a Windows ERD/MS DART disc (if you happen to have access to one, that is).
  2. Cancel the recovery attempt if it tries to start on its own (it will fail anyway) and then choose the advanced options link at the bottom of the window.
  3. Choose to open the Command Prompt.
  4. Here’s the fun part.  Once at the prompt, enter the following commands one by one.  Take care not to mistype anything, and be sure to replace C: with whatever your system drive happens to be:

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force
bcdedit /export C:\BCD_Backup
attrib -h -s C:\boot\BCD
ren C:\boot\BCD BCD.old
bcdedit /createstore c:\boot\bcd.temp
bcdedit.exe /store c:\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit.exe /import c:\boot\bcd.temp
bcdedit.exe /set {bootmgr} device partition=C:
bcdedit.exe /timeout 10
attrib -h -s C:\boot\bcd.temp
del c:\boot\bcd.temp
bcdedit.exe /create /d "Windows 7" /application osloader

At this point, note the value within the curly braces {……..} as you will need it during the next steps.  Replace the dots within the curly braces below with that entire string on each line.  NOTE:  To make this easier, once you type it once, you can press the Up arrow to restore the last command and simply edit that line for the next one.

bcdedit.exe /set {…..} device partition=C:
bcdedit.exe /set {…..} osdevice partition=C:
bcdedit.exe /set {…..} path \Windows\system32\winload.exe
bcdedit.exe /set {…..} systemroot \Windows
bcdedit.exe /displayorder {…..}
bcdedit.exe /default {…..} 
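The same rebuild, written as a batch file that captures the new osloader entry's GUID from bcdedit's output instead of having you copy it by hand. This is an added example for this page, not from the original post or the guide it quotes. It assumes the Windows volume is C: as seen from the WinRE prompt (change SYSDRV if it is not) and that bcdedit reports a new entry with a line of the form "The entry {GUID} was successfully created."

```batch
@echo off
REM rebuild-bcd.cmd  (added example; hypothetical file name)
REM Rebuilds the Windows 7 boot manager and loader entries after the BCD store
REM has been wrecked, following the same steps as the guide above.
REM Run from the Windows Recovery Environment command prompt.
setlocal

REM Assumption: the Windows volume is C: from inside WinRE. Adjust if needed.
set "SYSDRV=C:"

bootrec.exe /fixmbr
bootsect.exe /nt60 all /force

REM Keep a copy of the damaged store, then move it out of the way.
bcdedit /export %SYSDRV%\BCD_Backup
attrib -h -s %SYSDRV%\boot\BCD
ren %SYSDRV%\boot\BCD BCD.old

REM Create a fresh store holding only the boot manager entry and import it.
bcdedit /createstore %SYSDRV%\boot\bcd.temp
bcdedit /store %SYSDRV%\boot\bcd.temp /create {bootmgr} /d "Windows Boot Manager"
bcdedit /import %SYSDRV%\boot\bcd.temp
bcdedit /set {bootmgr} device partition=%SYSDRV%
bcdedit /timeout 10
attrib -h -s %SYSDRV%\boot\bcd.temp
del %SYSDRV%\boot\bcd.temp

REM bcdedit prints "The entry {xxxxxxxx-xxxx-...} was successfully created."
REM The GUID (braces included) is the third space-separated token of that line.
set "OSID=?"
for /f "tokens=3" %%G in ('bcdedit /create /d "Windows 7" /application osloader') do (
    set "OSID=%%G"
)

REM If bcdedit failed, the third token of its error text is not a GUID; stop here
REM rather than feeding garbage into the /set commands below.
if not "%OSID:~0,1%"=="{" (
    echo Could not create the osloader entry. Check the bcdedit output above.
    exit /b 1
)
echo New loader entry: %OSID%

REM Point the new entry at the Windows installation and make it the default.
bcdedit /set %OSID% device partition=%SYSDRV%
bcdedit /set %OSID% osdevice partition=%SYSDRV%
bcdedit /set %OSID% path \Windows\system32\winload.exe
bcdedit /set %OSID% systemroot \Windows
bcdedit /displayorder %OSID%
bcdedit /default %OSID%

REM Sanity check before rebooting: both {bootmgr} and the new entry should list.
bcdedit /enum
endlocal
```

Put the file on a USB stick, open the WinRE command prompt, and run it from the stick's drive letter. Check the final `bcdedit /enum` output: the Windows Boot Manager entry should show `default` set to the new GUID, and the loader entry should show `device`, `osdevice`, `path` and `systemroot` as set above. Note that WinRE often assigns the Windows volume a letter other than C:, so confirm it with `dir` before running.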

When I rebooted after I ran these commands, Windows still crashed. I then proceeded to rerun the built-in Windows 7 Startup Repair. After about a minute of Startup Repair, everything was fixed and Windows 7 booted normally.
