Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Disappearing disk space? Caused by Rootkit.Boot.Pihar.c?

  • Please log in to reply
2 replies to this topic

#1 elansweetseater


  • Members
  • 2 posts
  • Local time:03:00 PM

Posted 19 July 2014 - 01:57 PM

There is a Windows 7x32 SP1 system I am supporting. It started slowing down and show BSOD over the last few weeks and I was called in to look at it. I noticed disk space was almost 10MB. I immediately cleared some space to give the about 3/4 GB of space. Then I watched Task Manager and noticed DLLHOST.exe was taking lots of RAM and saw it making connections to akamai and many other non-mainstream IPs and downloading significant amounts of data. I would kill the process tree and it would return. Symantec Endpoint found nothing, but eventually I ran TDDSKiller and it discovered rootkit.boot.pihar.c and restated the machine and removed it. This stopped the dllhost.exe behavior.


I have run SFC /scannow and MalwareBytes RootKit program and nothing has been found since. Also a CHKDSK on boot has been run and it did make many repairs.


The strangeness is that the drive shows 232GB total size with 3.32 GB free. When I run WinDirStat or TreeSize Free they both show only ~58 GB of data.


I suspect the rootkit has been downloading and storing stuff on the disk (for some reason, P2P?) and it is hidden and I can't find it. Are there any tools to help in this situation? That is over 150 GB of unavailable space.

Edited by hamluis, 19 July 2014 - 02:56 PM.
Moved from Win 7 to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 elansweetseater

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:00 PM

Posted 20 July 2014 - 12:26 PM

Any ideas? What about an offline MBR checker or something?

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:00 PM

Posted 20 July 2014 - 08:53 PM

Hello elansweetseater this one is a bit tricky.
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users