othersteve
AlaDes,
The Pihar family of rootkits (TDSS variants) creates an encrypted hidden partition at the end of a drive and marks it Active to have the machine boot to that partition first. It contains all of the rootkit files (encrypted), then continues to boot the system partition. In doing so, this, of course, grants it access to all information flowing through the PC. This is actually what my blog post (linked above) is about.
The side effect, naturally, is that if you remove the rootkit but do not properly adjust the partition flags, you end up with an unbootable system as the main OS partition is Inactive. Sometimes it's as easy as correcting that setting, but other times the entire BCD seemingly needs to be rebuilt. After that, I find that all of these machines spring back to life.
I hope my post above helps the OP solve the issue.
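The partition-flag symptom described in the post above can be checked and corrected mechanically. The following is an added example, not code from the poster or from any cleanup tool: it decodes the four primary entries of an MBR sector, applies a heuristic (the largest partition is assumed to be the OS volume) to spot an Active flag that has been moved onto a small trailing partition, and returns a copy of the sector with the flag moved back to the OS partition. The sample MBR, partition sizes and type ids are constructed for the demo and do not come from any real disk; the example only operates on an in-memory 512-byte image and does not apply to GPT disks, where the boot flag lives elsewhere.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446        # partition table starts here in the MBR sector
ENTRY_SIZE = 16
ACTIVE_FLAG = 0x80        # status byte value marking the bootable entry
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary partition entries of an MBR sector."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i, "active": bool(status & ACTIVE_FLAG),
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def assess_boot_flags(parts: list) -> dict:
    """Heuristic check that the Active entry is the OS partition.

    Assumption (not a rule from the post): the largest partition is the OS
    volume. A much smaller Active partition placed after it, at the end of
    the disk, matches the hidden-partition layout described above.
    """
    finding = {"active_index": None, "os_index": None, "verdict": "no partitions"}
    if not parts:
        return finding
    os_part = max(parts, key=lambda p: p["sectors"])
    finding["os_index"] = os_part["index"]
    active = [p for p in parts if p["active"]]
    if not active:
        finding["verdict"] = "no active partition: MBR boot will fail"
    elif len(active) > 1:
        finding["active_index"] = [p["index"] for p in active]
        finding["verdict"] = "multiple active partitions: table is corrupt"
    else:
        a = active[0]
        finding["active_index"] = a["index"]
        trailing = a["lba_start"] > os_part["lba_start"]
        small = a["sectors"] * 16 < os_part["sectors"]
        if a is os_part:
            finding["verdict"] = "ok: OS partition is active"
        elif trailing and small:
            finding["verdict"] = ("suspicious: small trailing partition is active, "
                                  "OS partition inactive")
        else:
            finding["verdict"] = "active flag is not on the largest partition; review manually"
    return finding


def set_active(mbr: bytes, index: int) -> bytes:
    """Return a copy of the MBR with the Active flag on entry `index` only."""
    buf = bytearray(mbr)
    for i in range(4):
        buf[TABLE_OFFSET + i * ENTRY_SIZE] &= ~ACTIVE_FLAG & 0xFF   # clear all flags
    buf[TABLE_OFFSET + index * ENTRY_SIZE] |= ACTIVE_FLAG             # set the chosen one
    return bytes(buf)


def build_mbr(entries: list) -> bytes:
    """Construct a sample MBR sector for the demo (not taken from a real disk)."""
    buf = bytearray(MBR_SIZE)
    for i, (active, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        buf[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", ACTIVE_FLAG if active else 0, b"\xff\xff\xff",
            ptype, b"\xff\xff\xff", lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed layout modelled on the post: NTFS OS volume first with its flag
# cleared, and a small partition appended at the end of the disk marked Active.
INFECTED_MBR = build_mbr([
    (False, 0x07, 2048, 209_715_200),    # ~100 GiB Windows volume, inactive
    (True, 0x27, 209_717_248, 32_768),   # ~16 MiB trailing partition, active (type id arbitrary)
])

if __name__ == "__main__":
    before = assess_boot_flags(parse_mbr(INFECTED_MBR))
    print("before:", before["verdict"])
    repaired = set_active(INFECTED_MBR, before["os_index"])
    print("after: ", assess_boot_flags(parse_mbr(repaired))["verdict"])
```

Moving the flag back restores the first of the two fixes the post mentions; when the BCD itself has been damaged, the flag repair alone will not bring the machine up and the boot store still has to be rebuilt separately.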