Rootkit.boot.SST.B/SST.A AKA MAXSS removal.
The Get-answers-fast.com Google search redirect is caused by a newer TDL4 variant known as MaxSS (detected as Rootkit.Boot.SST.A/B). This rootkit blocks TDSSKiller from executing, and a GMER scan fails with an error message instead of running.
The rootkit boots from its own hidden partition on the hard disk, which it marks as the active partition, so running fixmbr will not help: fixmbr only rewrites the MBR boot code, not the partition table the rootkit has changed. One way to deactivate the rootkit is to boot from Paragon Partition Manager or Hiren's BootCD, set the rootkit's partition to inactive and mark the original Windows partition active again. Do this from the boot media, outside the infected Windows; a disk with no active partition will not boot at all, so do not stop after clearing the rootkit's flag.
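For readers who want to see what the partition-table step above actually changes, here is an added example (not from the original post, and not a tool from Paragon or Hiren's) that parses a 512-byte MBR, flags an active partition that is not the Windows system partition, and produces a repaired MBR in which only the Windows partition carries the 0x80 boot flag. The sample MBR is constructed inline; the partition sizes, offsets and type IDs in it are assumptions chosen to illustrate the check, not values observed from MaxSS, and treating the largest NTFS (type 0x07) entry as the Windows partition is a heuristic.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ACTIVE = 0x80                    # status byte value for the bootable entry
NTFS_TYPES = {0x07}              # partition type ID used by NTFS/exFAT/HPFS


def parse_partition_table(mbr):
    """Decode the four primary partition entries of a 512-byte MBR."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA boot signature missing")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (ignored), type, CHS end (ignored), LBA start, sector count
        status, _, ptype, _, start_lba, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        entries.append({"index": i, "active": status == ACTIVE, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def windows_partition(entries):
    """Heuristic (assumption): the largest NTFS entry is the real Windows partition."""
    ntfs = [e for e in entries if e["type"] in NTFS_TYPES and e["sectors"] > 0]
    return max(ntfs, key=lambda e: e["sectors"])["index"] if ntfs else None


def find_suspect_active(entries):
    """Indices of entries flagged active that are not the Windows partition.

    A bootable flag on some other, usually small, partition is exactly the
    condition the post describes: the BIOS hands control to that partition
    instead of to the Windows boot sector.
    """
    win = windows_partition(entries)
    return [e["index"] for e in entries if e["active"] and e["index"] != win]


def repair_boot_flags(mbr, keep_active):
    """Return a copy of the MBR with only entry `keep_active` marked active.

    Only the four status bytes change; boot code, LBA ranges and the
    0x55AA signature are left exactly as they were.
    """
    fixed = bytearray(mbr)
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        fixed[off] = ACTIVE if i == keep_active else 0x00
    return bytes(fixed)


def build_sample_mbr():
    """Constructed sample, not a real capture: a ~95 GiB NTFS partition in slot 0
    with its boot flag cleared, and a small 32 MiB partition in slot 1 that
    carries the active flag instead (the pattern this script is meant to catch)."""
    def entry(status, ptype, start_lba, sectors):
        return struct.pack("<B3sB3sII", status, b"\x00\x00\x00",
                           ptype, b"\x00\x00\x00", start_lba, sectors)
    table = (entry(0x00, 0x07, 2048, 200_000_000) +
             entry(ACTIVE, 0x07, 200_002_048, 65_536) +
             bytes(16) + bytes(16))
    return bytes(446) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    entries = parse_partition_table(mbr)
    for e in entries:
        print(e)
    suspects = find_suspect_active(entries)
    print("suspicious active entries:", suspects)
    if suspects:
        fixed = repair_boot_flags(mbr, windows_partition(entries))
        print("after repair:", parse_partition_table(fixed))
```

To run this against a real disk, read the first sector from a clean boot medium (for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin` from a Linux live CD) and pass the bytes to `parse_partition_table`; back up the original sector before writing a repaired one back, since a wrong guess about which entry is Windows leaves the machine unbootable.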
A screenshot of the partition used by the rootkit is given below.
The only tools that can clean this up from user mode are TDSSKiller and the AVP tool from Kaspersky, but neither will run unless it is patched. A patched version of TDSSKiller is linked here; as with any modified security tool served through a URL shortener, check where the link actually resolves before running it, and prefer Kaspersky's current official build if it now handles this variant.
http://tinyurl.com/maxssfix
A screenshot is given below for reference.
If the infection recurs, the rootkit's kernel callbacks, which point into its hidden partition, have to be removed first. RootRepeal can do this as follows.
Then run TDSSKiller or AVP and remove the infection.
Thanks
Tausif