
Kudos0

Rootkit.Boot.SST.b is NOT coming off! PLEASE help

My laptop won't boot to Windows and sits at a cursor as soon as I turn it on. I took off the hard disk and scanned it on another machine as a secondary drive and the (Rootkit.Boot.SST.b) came up, and no antivirus program can delete it, cure it or quarantine it! Please help on how to get it taken off. I have read many forums and still no luck. It seems no one knows how, so that is why I came to Norton, as Symantec has been the best one I've ever found and has worked for me. Thanks, Chepo

Replies

Kudos3 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

SST.B (and SST.A) is the MaxSS modification of TDL4, but with a few differences. FixMBR and FixBoot commands used via a bootable CD/DVD, like the Windows Recovery Console on disc, do not cure the problem.

It has its own partition and appears not to actually alter the sector 0 (boot sector) MBR, but has its own MBR and its own files within its own partition.

It can stop programs running that may be able to cure these modifications. That said, fixing the Boot Sector (MBR) on your hard drive at least lets you load Windows, although still infected, so that you can then remove SST (MaxSS) from your hard drive.

I am unsure how to get the removal (cure) tool to not scan the master drive but instead the infected slave drive (you may still have to repair the screwed MBR after that). I am looking at the scanner's options.

I would suggest backing up your personal files before going any further.

Quads 

Accepted Solution
Kudos3 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Theory of one way

For MaxSS / SST.*

People who can't load the Boot Sector (MBR) for the Windows Partition due to MaxSS infection causing Black Screen with blinking white cursor on boot.

Run a bootable CD partition manager; I think Paragon has a free version, Boot from CD (Quads has different tools), and there may be others.

Run Partition Manager. You will see the MaxSS / SST.(a or b) created partition set to active and the OS/Windows partition not set to "active".

Reset your OS/Windows partition to "Active" so that later, when booting from the hard drive, it will boot the Windows partition.

Delete or Deactivate the MaxSS partition by removing the "Active" flag. The MaxSS partition can be deleted later through the Windows Computer Management once the user is sure.

Confirm the changes and restart the PC to boot from the Hard Drive, it should now be loading the Windows Partition and thus loading windows.

I suggest using a bootable CD to be able to recover your personal files off first; there is always a risk of things going wrong with Rootkit / Bootkit removal procedures!!!

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Out of interest, what partition software was used, just so others know of another partition software that can do the same cure?

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Found this at Wilders: http://secure-computer-solutions.com/blog/

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Just a postscript in case anyone else has to attempt the excellent recovery advice offered by Quads! ...

The link kindly offered by Topopurim leads to the method of Partition management using GParted !

I use this software on my Linux machines and it is a very useful tool!

Just a polite word of advice though to anyone not too familiar with the "volume terminology" used by GParted: the various partitions on the disk are identified by the "sda" method of terminology. Just be certain that the correct partition is selected for any operation that is to be carried out, as the different terminology can be a little confusing for new users of GParted.

Windows7 SP1 ... Norton NIS 2012 ... 4Gb RAM ... Momentus XT SolidState Hybrid HDD
Docendo discimus (Teach in order to learn)
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

That's a nice article but it's wrong. It's showing a Windows 7 system and it's the "System Reserved Partition" that needs to be set active. If you set the OS partition active, the system is not going to boot and you would need to do a startup repair.

I tried posting a comment for the article but I'm not sure if it worked.

Dave

Kudos5 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

NOTE: the example for the MaxSS partition below is 1 MB, but depending on your own infection the partition involved may be anywhere from 1 MB to 15 MB.

The number of partitions could or will be different, including the volume names, sizes, number of hard drives and which partition should be flagged as the boot partition.

This walkthrough below uses only the OS partition and the MaxSS partition, so it is easier to determine which should be the boot partition (there is unallocated space also).

Most people with partitioning experience will see what is shown below with ease, apply it to any PC with the MaxSS partition and fix the problem.

Others may have to ask on another thread or forum (for others reading out on the WWW) which partition is bad and which partition should be flagged as boot.

Backup / save all personal files (photos, docs, music etc.) first, in case something goes wrong.

Firstly download GParted, maybe from another clean computer instead, from http://sourceforge.net/projects/gparted/files/gparted-live-stable/ and choose the stable .iso download.

Now you have to burn the .iso image as an image to CD. You can use ImgBurn to do this: http://www.imgburn.com/index.php?act=download or any other CD burning program that can handle .iso images.

Now boot off of the newly created GParted CD. You may have to change the computer's boot options so that you can boot from the CD/DVD first instead of the hard drive.

You should be here (above)... Just press ENTER

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Choose your language and press ENTER. English should be default [33]

NOTE: If you choose to select another language, the rest of this post (message) may look different, as English is used here.

Once again, at this prompt, press ENTER, as 0 should be selected as default.

You will now be taken to the main GUI screen below.

Remember, in this post the partition that is bad is 1 MB in size; your bad partition, which has been confirmed by someone, could be 1 MB to 15 MB. Also a different setup can have more partitions to list, so the bad partition needs to be known before just going about deleting partitions.

Select the MaxSS (SST.a, SST.b) partition, then click the trash can icon to delete that bad partition and then click Apply.

You should now be here confirming your actions: Click Apply (Delete Operation Pending).

Now you should be here: Just click Close, and now in this example you will see there is only the good OS partition and unallocated space, which has gone up in size from 10 MB to 11 MB. No more MaxSS partition.

Now, is "boot" next to your OS drive (in the Flags column)?

If "boot" is not next to your OS drive under "Flags", right-click the OS drive while in GParted and select Manage Flags.

In the menu that pops up, place a checkmark in the boot column like the picture below and close. This is where a standard home user may also get confirmation from another thread or forum which partition is to have boot for their PC in question.

Now double-click on the Exit button.

You should receive a small pop-up asking you what you want to do.

Choose reboot and then press OK.

Take out the CD before it loads, or on startup you can change the BIOS load order back to booting from the hard drive first.

Now with Windows loaded and no MaxSS partition, Norton should no longer detect Boot.Tidserv, or you may have to clear the Unresolved Threats listings.

There could also be cases where the MBR of the OS partition still has to be fixed.

Quads
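The walkthrough above (and the earlier "Theory of one way" post) boils down to two checks on the partition table: is there a tiny extra partition carrying the boot/active flag, and does the partition that should be active still have the flag? Dave's correction adds the nuance that on a Windows 7 layout the ~100 MB "System Reserved" partition, not the OS partition, is the legitimate holder of that flag. The script below is an added example written for this thread, not code from GParted, Symantec or any poster. It parses the machine-readable output of GNU parted (`parted -m /dev/sdX unit MiB print`, which you can run from the same GParted Live CD) and reports the two findings; the sample outputs, the `SUSPECT_MAX_MIB` cutoff and the `SYSTEM_RESERVED_MIB` range are constructed assumptions, chosen from the sizes reported in this thread.

```python
"""Partition-table triage for a MaxSS / SST-style bootkit partition.

Added example, not code from the thread, GParted or Symantec. It applies two
observations from the thread: the bootkit occupies a small partition of its
own that has been given the boot (active) flag, and the partition that should
legitimately carry that flag is the OS partition on a single-partition
(XP-style) layout but the ~100 MiB "System Reserved" partition on Windows 7.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: anything at or below this is "tiny". The thread reports bootkit
# partitions of 1 MB to 15 MB, one poster 1.93 MB and one 0.03 GB (~30 MB).
SUSPECT_MAX_MIB = 32.0
# Assumption: typical size range of a Windows 7/8 "System Reserved" partition.
SYSTEM_RESERVED_MIB = (90.0, 600.0)


@dataclass
class Partition:
    number: int
    start_mib: float
    end_mib: float
    size_mib: float
    fs: str
    flags: List[str] = field(default_factory=list)


def _mib(token: str) -> float:
    """'100MiB' -> 100.0 (parted prints the unit on every size field)."""
    return float(token[:-3]) if token.endswith("MiB") else float(token)


def parse_parted_machine(text: str) -> List[Partition]:
    """Parse `parted -m ... unit MiB print` output.

    Partition lines look like 'num:start:end:size:fs:name:flags;'. The 'BYT;'
    header and the '/dev/...' disk line are skipped.
    """
    parts: List[Partition] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "BYT;" or line.startswith("/dev/"):
            continue
        fields = line.rstrip(";").split(":")
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        flags = [f.strip() for f in fields[6].split(",") if f.strip()]
        parts.append(Partition(int(fields[0]), _mib(fields[1]), _mib(fields[2]),
                               _mib(fields[3]), fields[4], flags))
    return parts


def triage(parts: List[Partition]) -> Dict[str, object]:
    """Flag tiny boot-flagged partitions and check where the boot flag belongs.

    'expected_boot' is a System Reserved sized NTFS partition if one exists,
    otherwise the largest NTFS partition (the OS partition on XP layouts).
    """
    suspect = [p.number for p in parts
               if "boot" in p.flags and p.size_mib <= SUSPECT_MAX_MIB]
    candidates = [p for p in parts if p.fs == "ntfs" and p.size_mib > SUSPECT_MAX_MIB]
    lo, hi = SYSTEM_RESERVED_MIB
    expected = next((p for p in candidates if lo <= p.size_mib <= hi), None)
    if expected is None and candidates:
        expected = max(candidates, key=lambda p: p.size_mib)
    return {
        "suspect": suspect,
        "expected_boot": expected.number if expected else None,
        "boot_flag_ok": bool(expected and "boot" in expected.flags),
    }


def report(text: str) -> List[str]:
    """Human-readable findings for one parted listing."""
    parts = parse_parted_machine(text)
    t = triage(parts)
    lines = []
    for n in t["suspect"]:
        p = next(p for p in parts if p.number == n)
        lines.append(f"partition {n}: {p.size_mib:g} MiB, fs='{p.fs}', boot flag set: SUSPECT")
    if t["expected_boot"] is not None and not t["boot_flag_ok"]:
        lines.append(f"partition {t['expected_boot']} should carry the boot flag but does not")
    return lines or ["no tiny boot-flagged partition; boot flag is on the expected partition"]


# Constructed samples (not from the thread's screenshots).
SAMPLE_WIN7_INFECTED = """BYT;
/dev/sda:238475MiB:scsi:512:512:msdos:CONSTRUCTED DISK:;
1:1.00MiB:101MiB:100MiB:ntfs::;
2:101MiB:238464MiB:238363MiB:ntfs::;
3:238464MiB:238466MiB:2.00MiB:::boot;
"""
SAMPLE_WIN7_CLEAN = """BYT;
/dev/sda:238475MiB:scsi:512:512:msdos:CONSTRUCTED DISK:;
1:1.00MiB:101MiB:100MiB:ntfs::boot;
2:101MiB:238475MiB:238374MiB:ntfs::;
"""
SAMPLE_XP_INFECTED = """BYT;
/dev/sda:76001MiB:scsi:512:512:msdos:CONSTRUCTED DISK:;
1:1.00MiB:76000MiB:75999MiB:ntfs::;
2:76000MiB:76001MiB:1.00MiB:::boot;
"""

if __name__ == "__main__":
    for name, sample in [("win7 infected", SAMPLE_WIN7_INFECTED),
                         ("win7 clean", SAMPLE_WIN7_CLEAN),
                         ("xp infected", SAMPLE_XP_INFECTED)]:
        print(name, "->", "; ".join(report(sample)))
```

The script only reports; deleting the suspect partition and re-setting the flag is still done by hand in GParted as the walkthrough describes, after the findings have been confirmed against the machine's actual layout (which, as the post says, may have more partitions than these samples).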

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Hi all

I posted earlier in this topic ... and wrote:

----------

Just a polite word of advice though to anyone not too familiar with the "volume terminology" used by GParted: the various partitions on the disk are identified by the "sda" method of terminology. Just be certain that the correct partition is selected for any operation that is to be carried out, as the different terminology can be a little confusing for new users of GParted.

----------

A big "Thank you" to Quads for taking the time to add the "step by step" image tutorial outlining the process in detail. This is a big help to anyone not familiar with Gnome terminology, which can "baffle" new GParted users. Excellent post Quads, all credit due.

Windows7 SP1 ... Norton NIS 2012 ... 4Gb RAM ... Momentus XT SolidState Hybrid HDD
Docendo discimus (Teach in order to learn)
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

There is another free bootable CD partition manager here http://www.partitionwizard.com/partition-wizard-bootable-cd.html

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

NOTE: For MaxSS (SST.*) Norton is detecting this infection as "Boot.Tidserv" and giving the link to FixTDSS. The program can't fix this.

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

I definitely know that Norton can't detect or even clean these hard to find & remove rootkits and bootbots, so I used the following to get rid of most of them successfully: TDSSKiller by Kaspersky, Malwarebytes, and Emsisoft Antimalware. I had to use a laptop to download those free malware scanners b/c the fake antivirus known as XP Home Security 2012 had infected my PC. TDSSKiller cleaned those that were not detectable by Norton's antirootkit that had given me those annoying popups that showed up every time I started my computer and when I tried going to a website on Internet Explorer 8. Then I had to look for instructions on how to reinstall the Netbt service on Windows, since the netbt.sys file in the system32 folder had a rootkit on it and it was removed by TDSSKiller.

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Oh, I almost forgot to tell you that TDSSKiller has to be used more than once to actually find all those Tidserv rootkits and if you do lose internet connection like I have, then use another computer to connect and then google this, "How to reinstall NetBT Service on Windows XP."

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

NOTE: This thread is for instructions to remove the MaxSS partition detected as Boot.Tidserv. Please ignore the above posts by Momoboro. None of the tools he used are successful. Let alone the fact:-

a) Sounds like he is not talking about MaxSS.

b) No details of what was actually detected.

c) Now no Internet connection for whatever reason; let alone the next user's problem file might not be, say, "netbt.sys", or it's a problem with the I.P. Stack.

d) Sounds more like Max++

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

um, anyone found this website?    http://en.kioskea.net/faq/18862-rootkit-boot-sst

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

also try GMER’s mbr.exe: http://w ww2.gmer.net/mbr/mbr.exe

[Edit: Removed the direct link to the executable to conform with Participation Guidelines  and Terms of Service ]

Kudos2 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

I don't need to know about other websites or tools. I can infect my system with MaxSS when I want; I have the dropper / installers. Also it did or does not infect a driver at all, but instead the partition has to be removed and the flag made sure is set correctly.

At least 2 or 3 people have used my instructions with success in their own threads, and a) TDSSKiller does not fix the problem of the partition.

Loads of others unknown (by the amount of views) may have also used my instructions.

Problems occurring with TDSSKiller and what is or looks like MaxSS, after running TDSSKiller:


 File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

And 

"I have a laptop that was infected. I had removed pretty much everything that was found but was still getting a kdcom.dll BSOD every hour or so while Windows 7 x64 was running. I found that the machine had the rootkit.boot.sst.b infection and attempted to remove it with TDSSKILLER. Afterwards it would not fully boot no matter of Normal mode or Safe Mode. It stops on the 0x7B error every time.

Had a 0.03GB boot partition."


Quads
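The "File Check" listing quoted above is the kind of output a responder has to read after a cleanup tool has acted on a system that was not actually MaxSS: three drivers are gone, and the later "Internet = I.P. Stack" comment in this thread is exactly what that implies. The parser below is an added example written for this thread, not a tool from Kaspersky or any poster. It takes the listing in the post as its sample input, separates verified from missing files (and notices the duplicated WMIsvc.dll entry), and names the missing drivers that are part of the Windows networking stack. The `NETWORK_STACK` table is a small constant of well-known Windows components; the line patterns are those of the quoted listing and nothing more.

```python
"""Parse a post-cleanup "File Check" listing and name missing network drivers.

Added example, not code from the thread or from Kaspersky. Line formats are
taken from the listing quoted in the post above:
    '<path> => MD5 is legit'
    'Attention! <path> is missing.'
"""
import re
from typing import Dict, List

# Well-known Windows networking-stack drivers, keyed by lower-case basename.
NETWORK_STACK = {
    "afd.sys": "Ancillary Function Driver for Winsock",
    "netbt.sys": "NetBIOS over TCP/IP",
    "ipsec.sys": "IPsec driver",
    "tcpip.sys": "TCP/IP protocol driver",
}

_MISSING = re.compile(r"^Attention! (.+?) is missing\.$")
_LEGIT = re.compile(r"^(.+?) => MD5 is legit$")


def parse_file_check(text: str) -> Dict[str, List[str]]:
    """Split the listing into verified, missing, duplicate and unparsed entries."""
    verified: List[str] = []
    missing: List[str] = []
    duplicates: List[str] = []
    unparsed: List[str] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the "File Check:" title and its "=====" underline.
        if not line or line.endswith(":") or set(line) == {"="}:
            continue
        m = _MISSING.match(line)
        if m:
            missing.append(m.group(1))
            continue
        m = _LEGIT.match(line)
        if m:
            path = m.group(1)
            key = path.lower()
            if key in seen:
                duplicates.append(path)  # same file listed twice
            else:
                seen.add(key)
                verified.append(path)
            continue
        unparsed.append(line)  # anything in a format we do not recognise
    return {"verified": verified, "missing": missing,
            "duplicates": duplicates, "unparsed": unparsed}


def network_impact(missing: List[str]) -> Dict[str, str]:
    """Map each missing path whose basename is a known network driver to its role."""
    impact: Dict[str, str] = {}
    for path in missing:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in NETWORK_STACK:
            impact[base] = NETWORK_STACK[base]
    return impact


# Sample input: the listing quoted in the post above.
SAMPLE_FILE_CHECK = r"""File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
"""

if __name__ == "__main__":
    result = parse_file_check(SAMPLE_FILE_CHECK)
    print(f"verified: {len(result['verified'])}, missing: {len(result['missing'])}, "
          f"duplicates: {len(result['duplicates'])}")
    for base, role in network_impact(result["missing"]).items():
        print(f"missing network component: {base} ({role})")
```

On the quoted listing all three missing files are networking drivers, which is why the machine in that report loses its Internet connection even though the remaining files verify; that is a repair job for the network stack, separate from the partition cleanup this thread is about.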

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Will Norton have an antirootkit/recovery option for mbr rootkits even when the computer can't boot up?  I already know that Live CDs and Partition managers are good methods to remove the MaxSS/Pihar/TDL4, but is there another way?  Also, when Windows 8 comes out, it's going to have a UEFI secure boot feature to get rid of these kinds of rootkits.

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

With all due respect momoboro ...


momoboro wrote:

Will Norton have an antirootkit/recovery option for mbr rootkits even when the computer can't boot up?  I already know that Live CDs and Partition managers are good methods to remove the MaxSS/Pihar/TDL4, but is there another way?  Also, when Windows 8 comes out, it's going to have a UEFI secure boot feature to get rid of these kinds of rootkits.




As you must be aware ....we have had the Developer preview...the Windows 8 newest preview was only released moments ago .....and Microsoft plainly tell us that major changes may be implemented before final RTM of Windows 8 ...

So let's keep an open mind on just what may make it to the final release candidate. No one really knows yet.

Ed

Windows7 SP1 ... Norton NIS 2012 ... 4Gb RAM ... Momentus XT SolidState Hybrid HDD
Docendo discimus (Teach in order to learn)
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

There is already a Windows 8 Root/Boot kit created 

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Given that Windows 7 is ver 6.1 and Windows 8 is 6.2 ..... who's surprised?

Hugh
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Vista is Windows 6, Windows 7 is Windows 6, (not 7) haha

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help


Quads wrote:

Vista is Windows 6, Windows 7 is Windows 6, (not 7) haha

Quads



And so is Windows 8 ...

Hugh
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help


Dick Win 10x64 10586 current NSBU
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help


dickevans wrote:



Me too ... Is it a bird? ... is it a plane? ... is it a six? or is it a seven?

Ed

Windows7 SP1 ... Norton NIS 2012 ... 4Gb RAM ... Momentus XT SolidState Hybrid HDD
Docendo discimus (Teach in order to learn)
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help


bleeper24 wrote:

dickevans wrote:



Me too ... Is it a bird? ... is it a plane? ... is it a six? or is it a seven?

Ed



it's all of the above or maybe just some of the above or even none of the above

Dick Win 10x64 10586 current NSBU
Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

FixTDSS never even worked once on my Windows XP Media Center pc.  Will it have any improvements on detecting rootkits and fixing system files, plus have antimbr functionality?

Kudos2 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

FixTDSS is designed for a specific group, and that does not include the clones or mods of that group. It is not an auto-protect, always-running tool but an on-demand scanner. So anti-MBR = No

Old TDL2, 2+, 3, 3+, 4 = yes

Pihar, Max++, MaxSS, Rovix (Cidox) = No

If you don't understand the Tools around or the Malware like these, Best not play with them.

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

So does Power Eraser match the detection rates of TDSSKiller? And can it find mbr rootkits like avast's or gmer's mbr?

Kudos1 Stats

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Don't play with what you don't understand.

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Then what was I supposed to do? Kaspersky proved very useful, however TDSSKiller knocked out my Internet. I'm still not sure how to fix that black screen error every time I had to boot my PC, except having to go into the recovery console to restore the OS back to factory default.

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Well, if you want to play with this stuff and at the end this is what happens, when you do your factory reset, which wipes the HD and installs Windows afresh, don't play with the stuff again or attempt to deal with these groups.

Interesting on page 2, http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/588858/highlight/false/page/2 You gave instructions, somewhat, if people read it, on how to remove what, as I said, sounds more like Max++, with a website link also.

But yet you struggled and did a factory reinstall, hmmmm, which means your methods don't work; people should ignore what you did (don't do the same).

As I said on page 2, Internet = I.P. Stack or could be a corrupt driver; black screen = it's not fully removed. As I have done for people, even when Windows won't start up, I have had to remove the infection on the system and reset things for Windows to start up again.

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Actually, the first infection was when I experienced the black screen at bootup, so I went into the recovery console.  The second one after that was the network redirect rootkit called Sirefef.  I couldn't access System Restore b/c there was an error trying to open it using the Recovery Console and after I had restored the pc to default, it had a ZeroAccess trojan in several of its system snapshots.

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

I removed this with Kaspersky Rescue CD.

Downloaded the iso 

Booted to it in text mode

configured the networking

downloaded the updates

scanned all my drives, deleting or disinfecting files

scanned the boot sector, and disinfected it

I tried a dozen or so different things; this was what finally removed it

I also finished by using RogueKiller to scan and restore my desktop and start menu, and other settings

Wizard4Action

support.kaspersky.com/viruses/rescuedisk

[edit: Please do not direct link to .exe files per the Participation Guidelines and Terms of Service.]

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Thank you Quads, you were extremely helpful in helping me remove Boot.Tidserv off an old Dell Optiplex 755 running Windows 7 x64. I found a hidden partition using your GParted theory. It had a 1.93 MB partition. After I rebooted it 3 times I got no warning from Norton stating my machine was infected. So I'm doing another fresh install to make sure the registry and MBR are good. Thanks again.

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

With Boot.Pihar and MaxSS (SST.*) it is not really the MBR like with TDL4, but I am aware Symantec / Norton has been able to detect these as Tidserv for quite some time.

Quads

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Yeah, the way it was embedded makes me think it was the MaxSS strain. Nasty little bugger though. Neither NPE, TDSSKiller, nor fresh installs helped. But your theory was right on the spot. Good work. I'm in school right now to become a security specialist. Is there anything else I should do to be sure it's completely gone? MalwareBytes or anything similar didn't pick up its signature before; anything you might know of to be sure?

Kudos0

Re: Rootkit.Boot.SST.b is NOT coming off! PLEASE help

Reformat and fresh install of Windows does not work, for a reason. I do keep telling people about infections surviving reformatting.

You did your own thing, so I don't give any info or advice for your system.

Good Luck

Quads