topic Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help in Tech Outpost

Rootkit.Boot.SST.b is NOT coming off! PLEASE help

chepo23 — Fri, 18 Nov 2011 01:38:26 GMT

My laptop won't boot to windows and sits at a cursor just as soon as I turn it on. I took off the hard disk and scanned it on another machine as a secondary drive and the ( Rootkit.Boot.SST.b ) came up and no antivirus program can't delete it, cure it or quaranteen it! Please help on how to get it taken off. I have read many forums and still no luck. Seems no one knows how so that is why I cam to Norton as Symantec has been the best one I've ever found and has worked for me. Thanks, Chepo

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Fri, 18 Nov 2011 05:13:00 GMT

SST.B (and SST.A) is the MaxSS modifcation of TDL4, but with a few differences, FixMBR and FixBoot commands used via a bootable CD /DVD like the Windows Recovery Console on disc does not cure the problem.

It has it's own partition and appears to not actually alter the sector 0 (boot sector) MBR but has it's own MBR and own files within the likes of it's own partition.

It can stop programs running that may be able to cure these modifications. In saying that fixing the Boot Sector (MBR) on your hard drive so at least you can load Windows, although still infected to then be able to remove SST (MaxSS) from your Hard Drive.

I am unsure how to get the removal (cure) tool to not scan the master drive but instead the infected slave drive. (you may still have to repair the screwed MBR after that). I am looking at the scanners options.

I would suggest backing up your personal files before going any further..

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Fri, 18 Nov 2011 23:35:17 GMT

Theory of one way

For MaxSS / SST.*

People who can't load the Boot Sector (MBR) for the Windows Partition due to MaxSS infection causing Black Screen with blinking white cursor on boot.

Run a Bootable CD partition manager, I think Paragon as a free version,Boot from CD (Quads has different tools) may be others.

Run Partition Manager You will see the MaxSS / SST. (a or b) created partition set to active and the OS /Windows partition not being set to "active"

Reset your OS /Windows partition to "Active" so later when booting from the Hard Drive, it will now boot the Windows partition.

Delete or Deactivate the MaxSS partition by removing the "Active" flag. The MaxSS partition can be deleted later through the Windows Computer Management once the user is sure.

Confirm the changes and restart the PC to boot from the Hard Drive, it should now be loading the Windows Partition and thus loading windows.

I suggest using a bootable CD to be able to recover you personal files off first, there is always a risk of things going wrong with Rookit / Bootkit removal proceedures!!!

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Fri, 02 Dec 2011 01:03:13 GMT

What Partition software was used of interest, just so others know of another Partition software that can do the same cure.

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Topopurim47 — Fri, 02 Dec 2011 15:51:49 GMT

found this at wilders http://secure-computer-solutions.com/blog/

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

bleeper24 — Fri, 02 Dec 2011 17:25:36 GMT

Just a postsript in case anyone else has to attempt the excellent recovery advice offered by Quads! ...

The link kindly offered by Topopurim leads to the method of Partition management using GParted !

I use this software onmy Linux machines and it is a very useful tool !

Just a polite word of advice though to anyone not too familiar with the "Volume terminology " used by GParted ........the various partitions on the disk are identified by the "sda " method of terminology ......Just be certain that the correct partition is selected for any operation that is to be carried out , as the different terminology can be a little confusing for new users of GParted :smileywink:

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

DaveH — Sat, 03 Dec 2011 01:52:19 GMT

Thats a nice article but it's wrong. It's showing a Windows 7 system and it's the "System Reserved Partition" that needs to be set active. If you set the OS partition active, the system is not going to boot and you would need to do a startup repair.

I tried posting a comment for the article but I'm not sure if it worked.

Dave

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Mon, 19 Dec 2011 05:02:14 GMT

NOTE: the example for the MaxSS partition below is 1 MB, but depending on your own personal infection the partition involved may be anywhere from 1 MB to 15 MB.

The number of partitions could or will be different including the volume names, sizes, number of Hard Drives and which partition should be Flagged as the Boot partition

This walkthough below uses only the OS partition and the MaxSS partition so it is easier to determine which should be the boot partition. (there is unallocated also).

Most people with Partitioning experience will see what is shown below with ease to any PC with the MaxSS partition and fix the problem.

Others may have to ask on another thread or Forum (for others reading out in the WWW) which partition is Bad and which partition should be flagged as Boot.

Backup / Save all personal files (photos, docs, music etc) first incase, something goes wrong.

Firstly download Gparted, maybe from another clean computer instead, From http://sourceforge.net/projects/gparted/files/gparted-live-stable/ chose the stable .iso download.

Now you have to burn the .iso image as an image to CD You can use ImgBurn do this. http://www.imgburn.com/index.php?act=download or any other CD burning program that can handle .iso images.

Now boot off of the newly created Gparted CD. You may have to change the computers boot options, so that you can boot from the CD /DVD from first instead of the Hard Drive.

You should be here (above)... Just press ENTER

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English should be default [33]

NOTE: If you choose to select another language the reast of this Post (message) may look different as English is used here.

Once again, at this prompt, press ENTER as 0 should be selected as default

You will now be taken to the main GUI screen below

Remember in this post the partition that is bad is 1 MB in size, your bad Partition which has been confirmed by someone could be 1 MB to 15 MB, also a different setup can have more partitions to list, so the bad partition needs to be known before just going about deleting partitions

Select the MaxSS (SST.a, SST.b) partition then click the trash can icon to delete that bad partition and then click Apply.

You should now be here confirming your actions: Click Apply Delete Operation Pending

Now you should be here: Just Click Close and now in this example you will see there is only the Good OS partition and unallocated space, which has gone up in size from 10 MB to 11 MB. No more MaxSS partition.

Now is the boot next to your OS drive? (in the Flags column)

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in the boot column like the picture below and close : This is where a standard home user may also get confirmation from another thread or forum which partition is to have boot for their PC in question

Now double-click on the Exit Button

You should receive a small pop up asking you what you want to do

Choose reboot and then press OK.

Take out the CD before it loads, or on the Startup you can change the BIOS load order back to booting from the Hard Drive first.

Now with Windows loaded and no MaxSS partition Norton should no longer detect Boot.Tidserv or you may have to clear the Unresolved threats listings.

There Could also be cases where the MBR of the OS partition still has to be fixed.

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

bleeper24 — Mon, 19 Dec 2011 07:01:19 GMT

Hi all

I posted earlier in this topic ...and wrote

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

A big "Thankyou " to Quads :smileywink:.....for taking the time to add the "step by step " image tutorial outlining the process in detail .This is a big help to anyone not familiar with Gnome terminology which can" baffle " new GParted users ...Excellent post Quads ....all credit due :smileywink:

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Mon, 19 Dec 2011 21:06:49 GMT

There is another free bootable CD partition manager here http://www.partitionwizard.com/partition-wizard-bootable-cd.html

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Fri, 20 Jan 2012 22:37:52 GMT

NOTE: For MaxSS (SST.*) Norton is detecting this infection as "Boot.Tidserv" and giving the link to FixTDSS. The progam can't fix this.

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro — Tue, 28 Feb 2012 03:23:17 GMT

I definitely know that Norton can't detect or even clean these hard to find&remove rootkits and bootbots, so I used the following to get rid of most of them successfully: TDSSKiller by Kaspersky, Malwarebytes, and Emsisoft Antimalware. I had to use a laptop to download those free malware scanners b/c the fake antivirus known as XP Home Security 2012 had infected my pc. TDSSKiller cleaned those that were not detectable by Norton's antirootkit that had given me those annoying popups that showed up everytime I started my computer and when I tried going to a website on Internet Explorer 8. Then I had to look for instructions on how to reinstall Netbt service on Windows, since the netbt.sys file in the system32 folder had a rootkit on it and it was removed by TDSSKiller.

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro — Tue, 28 Feb 2012 04:51:38 GMT

Oh, I almost forgot to tell you that TDSSKiller has to be used more than once to actually find all those Tidserv rootkits and if you do lose internet connection like I have, then use another computer to connect and then google this, "How to reinstall NetBT Service on Windows XP."

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Tue, 28 Feb 2012 20:36:12 GMT

NOTE: This thread is for instructions to remove the MaxSS partition detected as Boot.Tidserv, Please ignore the above posts by Momoboro. None of his tools he used are successful. Let alone the fact:-

a) Sounds like he is not talking about MaxSS.

b) No details of what was actually detected.

c) Now no Internet Connection for what ever reason, let alone the next users problem file might not be say "netbt.sys" or it's a problem with the I.P. Stack.

d) Sounds more like Max++

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro — Wed, 29 Feb 2012 04:14:49 GMT

um, anyone found this website? http://en.kioskea.net/faq/18862-rootkit-boot-sst

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro — Wed, 29 Feb 2012 08:40:24 GMT

also try GMER’s mbr.exe: http://w ww2.gmer.net/mbr/mbr.exe

[Edit: Removed the direct link to the executable to conform with Participation Guidelines and Terms of Service ]

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Wed, 29 Feb 2012 12:12:15 GMT

I don't need to know about other websites or tools, I can infect my system with MaxSS when I want I have the dropper / installers. Also it did or does not infect a driver at all, But instead the partition has to be removed and the flag made sure is set correctly.

A least 2 or 3 people have use my instructions with success with their own threads and a) TDSSkiller does not fix the problem of the partition.

Loads of others unknown (by the amount of views) may have also used my instructions.

Problems occuring with TDSSkiller and what is or looks like MaxSS, after running TDSSkiller

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

And

", I have a laptop that was infected. I had removed pretty much everything that was found but was still getting a kdcom.dll BSOD every hour or so while windows 7 x64 was running. I found that the machine had the rootkit.boot.sst.b infection and attempted to remove it with TDSSKILLER. Afterwards it would not fully boot no matter of Normal modem or Safe Mode. It stops on the 0x7B error every time.

Had a 0.03GB boot patition.

Quads

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro — Wed, 29 Feb 2012 23:05:13 GMT

Will Norton have an antirootkit/recovery option for mbr rootkits even when the computer can't boot up? I already know that Live CDs and Partition managers are good methods to remove the MaxSS/Pihar/TDL4, but is there another way? Also, when Windows 8 comes out, it's going to have a UEFI secure boot feature to get rid of these kinds of rootkits.

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

bleeper24 — Thu, 01 Mar 2012 07:48:25 GMT

With all due respect momoboro ..........

momoboro wrote:
Will Norton have an antirootkit/recovery option for mbr rootkits even when the computer can't boot up? I already know that Live CDs and Partition managers are good methods to remove the MaxSS/Pihar/TDL4, but is there another way? Also, when Windows 8 comes out, it's going to have a UEFI secure boot feature to get rid of these kinds of rootkits.

As you must be aware ....we have had the Developer preview...the Windows 8 newest preview was only released moments ago .....and Microsoft plainly tell us that major changes may be implemented before final RTM of Windows 8 ...

So lets' keep an open mind on just what may make it to the Final release candidate ...No one really knows yet :smileywink:

..............Ed

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Quads — Fri, 02 Mar 2012 23:52:05 GMT

There is already a Windows 8 Root/Boot kit created

Quads