
System infected with rootkit.boot.sst.b


  • This topic is locked
11 replies to this topic

#1 MDSpeed


Posted 01 July 2012 - 10:22 AM

OS: Windows 7 x64

System would BSOD when booted. Used Kaspersky rescue disc which shows a lot of infections but primarily the rootkit.boot.sst.b virus. Cleaned up everything with Kaspersky but I am still unable to boot the system to Windows. System will not boot to safe mode or regular.


#2 narenxp


Posted 01 July 2012 - 11:09 AM

Press F10 as the system powers up; you should see the BOOT options screen. Can you see a line similar to this?

[ /NOEXECUTE=OPTIN /MININT

Please post the contents here



#3 MDSpeed


Posted 01 July 2012 - 11:37 AM

Path = \windows\system32\winload.exe
Partition: 3
Hard disk: 28000000
[ /NOEXECUTE=OPTIN /MININT ]



#4 narenxp


Posted 01 July 2012 - 12:03 PM

Use backspace to remove the /MININT.

The option should look like this after editing it:

/NOEXECUTE=OPTIN

Now try to boot normally.



#5 MDSpeed


Posted 01 July 2012 - 01:25 PM

Thank you for the reply. I made the change you suggested and tried to boot. Got a BSOD.

#6 narenxp


Posted 01 July 2012 - 01:27 PM

Let me ask a malware response team member to assist you.

Good luck.

#7 CatByte


Posted 01 July 2012 - 01:32 PM

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst64.exe and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Uncheck the Whitelist boxes next to Registry, Services, Drivers, and known DLLs.
  • Place a check next to List Drivers MD5.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 MDSpeed


Posted 01 July 2012 - 06:16 PM

Thanks for the instruction, CatByte. I ran some diagnostics while waiting for a reply and found a ton of bad sectors on the disk. It may be that the virus and BSOD were just two separate issues. I'm scanning with SeaTools right now to zero out the drive and try to repair the bad sectors. That should (according to Seagate) remove any infected MBRs.

#9 CatByte


Posted 02 July 2012 - 09:07 AM

Do you still need help with your machine? If so, please run FRST.



#10 MDSpeed


Posted 02 July 2012 - 03:48 PM

This issue can be closed. Given the errors on the disk, a full format was the best shot of getting it working again. It's working fine now but may need to be replaced if it gets more bad sectors.

#11 CatByte


Posted 02 July 2012 - 03:57 PM

OK,

thanks for letting me know.



#12 CatByte


Posted 02 July 2012 - 03:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
