Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

momoboro · ‎01-24-2012

Then what was I supposed to do? Kaspersky proved very useful, however TDSSKiller knocked out my internet. I'm still not sure how to fix that black screen error everytime I had to boot my pc except having to go into the recovery console to restore the os back to factory default.

Quads · ‎07-21-2008

Well if you want to play with this stuff and at the end this is what happens, When you do your factory reset, which wipes the HD and install Windows a fresh, don't play with the stuff again or attempt to deal with these groups.

Interesting on page 2, http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/58... You gave instruction somewhat if people read it on how to remove what as I said sounds more like Max++, with a website link also,

But yet you struggled and did a factory reinstall, hmmmm which means your methods don't work, people should ignore what you did (don't do the same).

As I said on page 2 Internet = I.P Stack or could be corrupt driver, black screen = it's not fully removed. As I have done for people even when Windows won't startup I have had to remove the infection on the system and reset things for Windows to startup again.

Quads

momoboro · ‎01-24-2012

Actually, the first infection was when I experienced the black screen at bootup, so I went into the recovery console. The second one after that was the network redirect rootkit called Sirefef. I couldn't access System Restore b/c there was an error trying to open it using the Recovery Console and after I had restored the pc to default, it had a ZeroAccess trojan in several of its system snapshots.

Wizards4Action · ‎04-15-2012

I removed this with Kaspersky Rescue CD.

Downloaded the iso

Booted to it in text mode

configured the networking

downloaded the updates

scaned all my drives, deleteing or disinfecting files

scan the boot sector,and disenfected it

I tried a dozen or so different things this was what finally removed it

I also finished by using Rouge Killer to scan and restore my desktop and start menu, and other settings

Wizard4Action

support.kaspersky.com/viruses/rescuedisk

[edit: Please do not direct link to .exe files per the Participation Guidelines and Terms of Service.]

Ol_Jethro · ‎09-21-2012

Thank you Quads. you were extremely helpful in helping me remove Boot.tidserv off an old Dell Optiplex 755 running Windows 7 x64. I found a hidden partition using your GParted theory. It had 1.93MB partition. After I rebooted it 3 times I got no warning from Norton stating my machine was infected. So im doing another fresh install to make sure the registry and MBR is good. Thanks again.

Quads · ‎07-21-2008

With boot.Pihar and MaxSS (SST.*) it is not really the MBR like with TDL4, but I am aware Symantec / Norton does or can detect these as Tidserv for quite some time.

Quads

Ol_Jethro · ‎09-21-2012

Yeah the way it was embedded makes me think it was the Maxes strain. Nasty little bugger though. Neither NPE, TSSkiller, or fresh installs helped. But your theory was right on spot. Good work. IM in school right now to become a security specialist. Is there anything else I should do to be sure its completely gone? MalwareBytes or anything similar didn't pick up its signature before anything you might know of to be sure?