A Windows Vista laptop is currently not booting. System Restore did not work. The customer said the blue screen of death appeared, but I never saw it. The system file checker in the recovery console did not work either: it said it found corrupt files but was unable to fix them. I tried chkdsk, bootrec /fixboot and bootrec /fixmbr from the recovery console already on the computer. When I attempted to boot in safe mode, the boot process stopped after loading hal.dll.

Because bootrec did not work and because safe mode stopped after hal.dll, I thought it was a virus infecting one of the Windows files. That is why I ran the system file checker. So I decided to scan the hard drive for viruses.

I pulled the hard drive and scanned it with Eset on my computer. Eset discovered a boot sector rootkit and several other rootkit files on the drive, but didn’t clean any of them. (When I copied some of the files to my hard drive, Eset removed them from my hard drive. Eset tends to be better at keeping things off than at getting things off.) I found this interesting because I had already run bootrec, which should have cleared and recreated the Master Boot Record and boot sector. Since Eset didn’t clean the boot sector, I ran Kaspersky’s TDSSKiller, and that cleaned the boot sector.

I didn’t try to run the bootrec or bootsect commands from the Windows 7 disc. I wonder if these new rootkits alter the built-in recovery console so that the bootrec command does not clear the boot sector rootkit. From now on, if I suspect there is a rootkit, I will boot from the Windows DVD and then try to fix the boot sector.
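The practical question raised above is whether bootrec actually rewrote the boot code or whether the sector still holds foreign code. The following script is an added example, not part of the original post and not a tool the author used: it parses a 512-byte MBR image, checks the 0x55AA boot signature and partition table, and compares a SHA-256 of the bootstrap-code region against a baseline hash. The baseline is assumed to come from a known-good sector (for instance one captured from a clean reference machine or after rewriting from install media); the sample MBR bytes, disk signature and device path are constructed for the demonstration and do not describe any real Windows boot sector.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code occupies bytes 0..439
DISK_SIG_OFFSET = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510       # 0x55 0xAA boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image.

    The path is the caller's choice, e.g. a dd image file, /dev/sdX on Linux,
    or r"\\\\.\\PhysicalDrive1" on Windows (requires elevation). Reading the
    drive from a separate, clean system avoids any I/O hooks an infected OS
    might use to present a clean-looking sector.
    """
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap-code region only (partition table excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Parse the boot signature, disk signature and the four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "valid_signature": mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": boot_code_hash(mbr),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare the boot code against a known-good hash and flag anomalies."""
    info = parse_mbr(mbr)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_sha256
    info["bootable_partitions"] = sum(1 for p in info["partitions"] if p["bootable"])
    return info


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR for the demonstration (not a real Windows boot sector)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"     # constructed disk signature
    # one active NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * PART_ENTRY_LEN
    return code + disk_sig + entry + empty * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed "known-good" code
    baseline = boot_code_hash(clean)
    tampered = build_sample_mbr(b"\xeb\x58\x90\x00\x00\x00\x00\x00")  # constructed different code
    for name, image in (("clean", clean), ("tampered", tampered)):
        r = check_mbr(image, baseline)
        print(name, "signature ok:", r["valid_signature"],
              "boot code modified:", r["boot_code_modified"],
              "partitions:", r["partitions"])
```

The hash covers only the first 440 bytes on purpose: the disk signature and partition table legitimately differ between machines, while the bootstrap code for a given Windows generation is identical across installs, so a baseline taken once can be reused. A `boot_code_modified` result after running bootrec is a strong hint that the repair did not take, which matches the situation the post describes.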

These are the malware types Eset identified (Eset tends to use its own names rather than industry-standard names):

  • Kryptik.AGVE trojan
  • Kryptik.AHVU trojan
  • Olmarik.AXY trojan – This is Eset’s name for the TDSS rootkit