
Friday, May 20, 2011

"Unknown Hard Error" BSOD and CI.DLL

My Windows 7 64-bit laptop suffered a BSOD with "Unknown hard error". A reboot resulted in Windows immediately going into Startup Repair mode, and the log showed that the file ci.dll had been corrupted.

I tried booting into Safe Mode and tried a Last Known Good boot; neither option worked, and each time the system jumped back into Startup Repair. Finally, I chose the option Disable Driver Signature Enforcement and was able to successfully boot into normal mode. This option bypasses the functionality in Windows which checks for system or driver file corruption, and thus far it seemed like perhaps some software or driver I'd recently installed or updated might've led to this boot issue.
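A defender's check for the condition Startup Repair reported here, added as an example and not part of the original post: it verifies the Authenticode signatures of ci.dll and a few other boot-critical files with Get-AuthenticodeSignature, so a tampered or replaced copy shows up as HashMismatch, NotSigned, or a non-Microsoft signer. The file list, the -SystemRoot default and the PowerShell 3.0+ syntax are assumptions.

```powershell
# Added example (not from the original post): verify Authenticode signatures of
# boot-critical Windows binaries such as ci.dll, which Startup Repair reported as
# corrupted. Run from an elevated prompt on a healthy boot, or point -SystemRoot at
# an offline Windows installation mounted from recovery media. Requires PowerShell 3.0+.
param(
    # Assumption: the live system's System32 directory by default.
    [string]$SystemRoot = "$env:SystemRoot\System32",
    # Assumption: a representative set of files that must be intact for Windows to boot.
    [string[]]$Files = @('ci.dll', 'kdcom.dll', 'ntoskrnl.exe', 'hal.dll', 'winload.exe')
)

$results = foreach ($name in $Files) {
    $path = Join-Path $SystemRoot $name
    if (-not (Test-Path $path)) {
        # A missing boot-critical file is as suspicious as a tampered one.
        [pscustomobject]@{ File = $name; Status = 'Missing'; Signer = ''; Suspicious = $true }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # A patched file reports HashMismatch; a swapped-in file reports NotSigned or a
    # non-Microsoft signer. Either way, do not trust the install until explained.
    $bad = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    [pscustomobject]@{ File = $name; Status = $sig.Status; Signer = $signer; Suspicious = $bad }
}

$results | Format-Table File, Status, Suspicious, Signer -AutoSize
if ($results | Where-Object { $_.Suspicious }) {
    Write-Warning 'One or more boot-critical files failed signature verification.'
}
```

Because the check runs against the on-disk files, it is most meaningful from recovery media or another clean system, where an active rootkit cannot filter what the scan sees.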

Days prior, I'd been noticing some strange behavior in Windows. I had been unable to access my GMail and Live accounts. GMail would forever remain at the initial progress bar, eventually timing out and asking if I wanted to use basic HTML mode; Live would load the initial screen showing my email but just sit there, and any clicks on my Inbox, Sent Items, or other folders did nothing. Once I booted in this Disable Driver Signature Enforcement mode, though, there was a new twist: it appeared my Google search results were now occasionally being redirected to advertising sites.

It turned out to be malware, a rootkit to be specific.

I ran a full scan with the latest SpyBot as well as Symantec Endpoint Protection, installed on all our workplace PCs, but these found nothing.

However, in tracking down other reports of apparent ci.dll file corruption, I discovered Kaspersky's TDSSKiller tool. I downloaded and ran the tool, which performed a concise scan that took roughly a minute to complete. Lo and behold, a rootkit, a member of the notorious TDSS family.

Rootkit.Win32.TDSS.tdl4

I ensured the Cure option was selected, then clicked Continue, and allowed the tool to initiate a reboot and hopefully clean out the rootkit.

Following the removal, I could once again boot into Windows normally, and the anomalous behaviors described above no longer occurred.