CS.RIN.RU - Steam Underground Community http://cs.rin.ru/forum/

[Problem] Help in removing a root/bootkit http://cs.rin.ru/forum/viewtopic.php?f=14&t=60859
Author: hegyak [ Monday, 12 Mar 2012, 23:52 ]
Post subject: Help in removing a root/bootkit
I have a PC infected with Pihar.b. I can't boot the PC as it won't boot correctly, but I can scan/fix the drive using a USB connection to a "clean" PC. Any suggestions? It's from an HP laptop so there are derp partitions. I have tried Kaspersky, TDSSKiller, D7.

Author: .Rar [ Tuesday, 13 Mar 2012, 00:19 ]
Post subject: Re: Help in removing a root/bootkit
Rootkit Unhooker can scan for hidden files. Autoruns can work with the registry of an offline system. Those tools might help if you know what to remove, although I've never dealt with a rootkit, so it could be a bit harder than that. This link may also be useful.

Author: ChrisTX [ Tuesday, 13 Mar 2012, 02:07 ]
Post subject: Re: Help in removing a root/bootkit
What anti-virus scanner detects it as such? I wasn't able to find any encyclopedia entry on it. However, do the standard things first: an SFC check and an offline sweeper (I recommend http://connect.microsoft.com/systemsweeper as it spits out names you can find in an encyclopedia). Be that as it may, it seems that Pihar is a name for certain Alureon-family viruses. As such, it is likely that it destroyed driver files (see the bottom of the technical analysis http://www.microsoft.com/security/porta ... %2fAlureon ). Whilst it is likely you could clean the infection, it is just as likely that Alureon caused permanent damage to the interiors of the system. I'd recommend a clean installation for such a severe infection, as registry damage specifically could be cleaned up by a repair install, but doesn't have to be - especially if some of the keys belong to 3rd party software.

Author: hegyak [ Tuesday, 13 Mar 2012, 02:11 ]
Post subject: Re: Help in removing a root/bootkit
ChrisTX: Kaspersky picked it up and panicked over it. I was thinking about doing an MBR rebuild using the Windows 7 DVD since it is in the boot sector. Or would that not work? Can I put the drive onto a non-Windows OS (Ubuntu since I have it handy) and retrieve the data without infection from the rootkit on the second USB drive?

Author: ChrisTX [ Tuesday, 13 Mar 2012, 04:03 ]
Post subject: Re: Help in removing a root/bootkit
hegyak wrote: Kaspersky picked it up and panicked over it. I was thinking about doing an MBR rebuild using the Windows 7 DVD since it is in the boot sector. Or would that not work? Can I put the drive onto a non-Windows OS (Ubuntu since I have it handy) and retrieve the data without infection from the rootkit on the second USB drive?

I wouldn't recommend per se using Linux for NTFS handling; rather use WinPE/RE or DaRT. An MBR repair can work, but then, I don't know what exactly this virus damaged. Obviously, if it's part of Alureon, which is known to damage drivers and kernel components, the chances that just removing the MBR infection will not resolve the issues are pretty high. You can retrieve data without an infection if you do not copy infected files (doh!). As long as the virus does not run on the machine - i.e. you tried to boot - it cannot auto-infect anything.
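Since the discussion above turns on whether an MBR rebuild is worth attempting while the drive is attached to a clean PC, here is a small triage script added as an example. It is not from this thread, from hegyak or ChrisTX, or from any of the tools named here. It reads sector 0 of the offline drive (or a raw image of it), hashes the boot code so it can be compared before and after a rebuild, lists the four primary partition entries, and points out layout oddities such as overlapping entries, more than one bootable flag, or a large unallocated stretch after the last partition. The image path, the disk size in sectors and the sample MBR are constructed assumptions, and the unallocated-space check is only a prompt to look, since OEM recovery partitions and unused space at the end of a laptop drive are both legitimate.

```python
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445 of the MBR
ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR


@dataclass
class PartitionEntry:
    index: int        # slot 0..3 in the table
    bootable: bool    # status byte 0x80 = active/bootable
    type_id: int      # e.g. 0x07 NTFS, 0x0C FAT32 (LBA)
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors  # exclusive end sector


def parse_mbr(mbr: bytes) -> Dict:
    """Split a 512-byte MBR into boot code hash, signature check and partition entries."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least 512 bytes")
    entries: List[PartitionEntry] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0 and sectors == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, sectors))
    return {
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        # hash of the boot code only: compare it with the same disk after a rebuild,
        # or with a known-good MBR taken from an identical machine
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "entries": entries,
    }


def check_partition_table(parsed: Dict, disk_sectors: int) -> List[str]:
    """Return human-readable oddities worth a second look; none of them is a verdict."""
    findings: List[str] = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA signature: sector 0 is not a valid MBR")
    entries = sorted(parsed["entries"], key=lambda e: e.lba_start)
    active = [e for e in entries if e.bootable]
    if len(active) > 1:
        findings.append(f"{len(active)} entries flagged bootable; expected at most one")
    for a, b in zip(entries, entries[1:]):
        if a.lba_end > b.lba_start:
            findings.append(f"entries {a.index} and {b.index} overlap")
    for e in entries:
        if e.lba_end > disk_sectors:
            findings.append(f"entry {e.index} extends past the end of the disk")
    if entries:
        tail = disk_sectors - max(e.lba_end for e in entries)
        if tail > 2048:  # more than 1 MiB after the last partition: worth eyeballing
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw image or a block device attached read-only to the clean PC."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from any real disk): filler boot code, two NTFS partitions."""
    mbr = bytearray(SECTOR)
    mbr[:PARTITION_TABLE_OFFSET] = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)

    def entry(status: int, type_id: int, start: int, count: int) -> bytes:
        return struct.pack("<B3sB3sII", status, b"\0\0\0", type_id, b"\0\0\0", start, count)

    table = entry(0x80, 0x07, 2048, 204800) + entry(0x00, 0x07, 206848, 204800) + bytes(32)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64] = table
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # usage: python mbr_triage.py /path/to/drive.img <disk size in sectors>
    if len(sys.argv) == 3:
        data, size = read_mbr(sys.argv[1]), int(sys.argv[2])
    else:
        data, size = build_sample_mbr(), 500000  # assumed size of the constructed sample disk
    parsed = parse_mbr(data)
    print("signature ok:", parsed["signature_ok"])
    print("boot code sha256:", parsed["boot_code_sha256"])
    for e in parsed["entries"]:
        flag = " (bootable)" if e.bootable else ""
        print(f"  slot {e.index}: type 0x{e.type_id:02x} start {e.lba_start} sectors {e.sectors}{flag}")
    for line in check_partition_table(parsed, size):
        print("  ! " + line)
```

Run it once against the drive as it is now and once after the rebuild; a changed boot-code hash with an unchanged partition table is what a successful MBR rewrite should look like, while the listed partitions and the recovery slot should match what the OEM layout is expected to contain.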

Author: Tom [ Friday, 16 Mar 2012, 21:33 ]
Post subject: Re: Help in removing a root/bootkit
Boot the Avira rescue CD: http://www.avira.com/en/downloads#tools

Author: hegyak [ Saturday, 17 Mar 2012, 03:42 ]
Post subject: Re: Help in removing a root/bootkit
I resolved this by using a disk imaging tool to write a clean Windows 7 install over the infected drive. The user's data was kept safe on an external drive. God, I hate Kaspersky. Can't handle multiple-partition infection rootkits. Guess the best isn't good enough anymore...

Author: ChrisTX [ Saturday, 17 Mar 2012, 03:55 ]
Post subject: Re: Help in removing a root/bootkit
Nod32 is better than Kaspersky according to AV-Comparatives. However, the best protection boils down to enabling Windows Update, using a decent anti-phishing and anti-malware scanner like SmartScreen and keeping your Adobe software up to date.

Author: hegyak [ Saturday, 17 Mar 2012, 04:34 ]
Post subject: Re: Help in removing a root/bootkit
ChrisTX, what is the best scanner? I have to scan 100K+ files.

Author: Tom [ Saturday, 17 Mar 2012, 12:22 ]
Post subject: Re: Help in removing a root/bootkit
http://www.av-comparatives.org/en/compa ... ction-test |