Removal of Rootkit.MBR.Sst.B (Boot Image) Virus
Posted 03 November 2011 - 05:54 PM
Bit Defender has blocked a virus!
Name: Rootkit.MBR.Sst.B (Boot Image)
BD could not disinfect, delete or quarantine this item. Access to this object has been denied.
I couldn't find this particular virus mentioned anywhere on the forums. Can anyone help?
Posted 03 November 2011 - 06:19 PM
This infection should already be disinfected.
Also let me know what is your operating system and how many gigs/megs of RAM you have on the system.
Posted 03 November 2011 - 10:56 PM
Posted 04 November 2011 - 04:53 PM
1. Upgrade for free to Bitdefender 2012 and run a complete scan when done.
2. Restore the MBR (Master Boot Record) of your hard disk using the Windows CD.
The command that you need to run is: fixmbr
Full info is available here:
Posted 08 November 2011 - 05:36 PM
I restored the Master Boot Record as directed, restarted computer and got the same message about virus.
I followed instructions for upgrading to BD 2012, and at the end of the scan received an alert under Events that said:
Infected file detected
Action taken: Deny
Date: Tuesday, November 8, 2011 9:25:35 am
Virus name: Rootkit.MBR.Sst.B (Boot Image)
My assumption is this means my computer is not actually infected, but a threat was detected and denied. Is this correct, or does "deny" mean the virus was not allowed to be deleted from computer?
I may be overthinking this....
And btw, I can't tell you how much I appreciate your help with this. I NEVER would have been able to get to the "root" of the problem.
Posted 08 November 2011 - 06:29 PM
- A BDSYS log;
[How to GENERATE A BDSYS LOG]
- Save and extract the BDSYS tool to a location of your choice:
- Make sure you close all active applications and then run "BDInfoTool.exe"; if you receive a firewall alert, select to Allow the application to connect;
- Click the "Create log" button to start generating the log; a progress bar indicates that the tool is creating the report;
- When the small window appears with the message "Log saved", the report is complete and a new file named "bdsyslog.zip" has appeared on your Desktop;
- Send me the generated log file via PM.
- If the file is too big to send over PM, upload the results to one of the online file hosting servers mentioned below, or use one of your own, and send the download link via PM.
- During this process the Real Time Protection in Bitdefender must be temporarily disabled;
- If you receive a Bitdefender Firewall alert informing you that BDInfoTool.exe is trying to connect to the internet, then you need to select Allow;
[How to DISABLE THE ANTIVIRUS PROTECTION in Bitdefender 2012]
In order to disable the antivirus protection, please open Bitdefender and click the "Settings" button in the upper part of the interface. In the new window go to the "Antivirus" > "Shield" tab and click on "Turn off" under On-access scanning. Select the time interval that suits your troubleshooting needs and click "OK". The On-access scanning should be enabled again after finishing the troubleshooting procedure.
We will get back to you as soon as the analysis is complete. Have a nice day.
Posted 10 November 2011 - 06:45 PM
File path: Master boot record....Rootkit.MBR.sst.c (boot image) (ignored limited rights)
Also: Trojan.generic 6793636 (ignored limited rights)
I don't have a Windows boot disc as I bought my computer as is...
Can anyone provide any tips?
Posted 12 November 2011 - 08:18 PM
Sorry for the delayed reply.
The guys from our lab are working on a solution for these types of infections (MBR infection).
I will post more details on Monday.
Posted 20 November 2011 - 11:30 PM
Posted 23 November 2011 - 01:51 AM
Can you run a scan in Rescue Mode?
You have all the information right here:
Let me clarify: the PC was not running BitDefender when it was infected; it was Trend. With that said:
I built a new hard drive up from scratch and loaded BitDefender IS 2012, attached the original drive as a slave and scanned it. I can see it scanning data files, and it found the infection but was denied cleaning it. I did try running this in Rescue Mode, but it fails to reboot the PC once I make that choice??
When I boot the original infected drive in the system I can't get the software to install, and everything appears to be GONE!! LOL
Posted 23 November 2011 - 03:03 AM
Further investigation of the drive showed a new partition on the drive where one should not have been. On a clean system I used Disk Manager to delete the additional partition and then marked the "good" partition as the active partition. Apparently this MBR creates a new partition and then sets it as the active partition, and when you reboot it boots to the new partition, which then infects the PC, and then boots to the old partition. After I deleted the partition, I ran another scan and it showed up clean.
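The check described in the post above (an extra partition that has been set active) can be made by reading the partition table out of a saved copy of the disk's first sector. This is an added example, not code from any poster or from Bitdefender; the "tiny active partition" threshold is an assumption of the example, and both sample sectors are constructed.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            parts.append({"slot": i, "status": status, "active": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts

def review(parts):
    """Heuristic findings (assumptions of this example, not vendor rules)."""
    findings = []
    active = [p for p in parts if p["active"]]
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid status byte")
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions")
    largest = max(parts, key=lambda p: p["sectors"], default=None)
    for p in active:
        if largest and p is not largest and p["sectors"] * 100 < largest["sectors"]:
            findings.append(f"slot {p['slot']}: tiny active partition "
                            f"({p['sectors']} sectors)")
    return findings

def build_sample(entries):
    """Constructed test sector: entries are (status, type, lba, sectors)."""
    sector = bytearray(SECTOR)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * i,
                         status, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed samples: main volume inactive plus a small active partition; clean disk
SUSPECT = build_sample([(0x00, 0x07, 2048, 976_000_000),
                        (0x80, 0x07, 976_002_048, 4096)])
CLEAN = build_sample([(0x80, 0x07, 2048, 976_000_000)])
print(review(parse_mbr(SUSPECT)))
```

A finding here is only a prompt to inspect the disk from a clean system, as the poster did; small active partitions also occur legitimately (for example, vendor or boot partitions).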
Posted 22 December 2011 - 07:02 AM
New removal tools have been posted here:
I downloaded and ran the removal tool. It said the computer needed to restart. Once it was restarting it didn't go through the boot process and is now stuck with a black screen that says "loading operating system... ". Please help, as I do not have a boot disk to load from.
Posted 28 December 2011 - 11:46 AM
Our lab just released a new removal tool.
This tool can remove the following infections: