A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9634  by HackJack
 Thu Nov 10, 2011 6:44 am
It's true, it creates a new partition for sure, please refer to the screenshot below.
Attachments: rootkit-sst.jpg, Disk Management.jpg
 #9635  by EP_X0FF
 Thu Nov 10, 2011 6:51 am
And? I know that this is Alureon.FE aka MaxSS, aka SST. I don't understand what you are trying to do. If you want to remove it from the infected machine, then how did it turn out that you have multiple droppers and multiple screenshots before and after infection? Fixmbr completely kills any bootkit for a standard MBR as in your case; your attached MBR indeed shows an additional partition set as active, as happens in case of Alureon.FE infection, so the rootkit is working. If you are just playing with malware, then don't waste our time and start reading what others posted - all solutions have already been given.
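A small defensive check for the symptom described above (the MBR partition table carrying an extra partition flagged active while the real OS partition is no longer active). This is an added example, not code from the thread or from any tool mentioned in it; the sample partition layouts and the 64 MiB "tiny partition" threshold are constructed assumptions.

```python
import struct

MBR_SIZE, TABLE_OFFSET = 512, 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four primary partition entries of a 512-byte MBR (empty slots skipped)."""
    if len(mbr) != MBR_SIZE or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for slot in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * slot)
        if ptype == 0 and count == 0:
            continue
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "lba": lba, "sectors": count})
    return parts


def active_partition_findings(parts: list[dict], small_sectors: int = 131072) -> list[str]:
    """Heuristic checks for the pattern in the thread: a small extra partition has been
    made the active (boot) partition while the real OS partition was de-flagged."""
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for p in active:
        if p["sectors"] <= small_sectors:  # 131072 sectors = 64 MiB, an assumed threshold
            findings.append(f"active slot {p['slot']} is tiny: {p['sectors']} sectors")
        if any(o["lba"] < p["lba"] and o["type"] == 0x07 and not o["active"] for o in parts):
            findings.append(f"active slot {p['slot']} sits after an inactive NTFS partition")
    return findings


def _entry(status, ptype, lba, sectors):  # CHS fields zeroed; only LBA values matter here
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)


def _mbr(*entries):
    table = b"".join(entries).ljust(64, b"\0")
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


# Constructed sample disks, not captures from a real infection.
CLEAN_MBR = _mbr(_entry(0x80, 0x07, 2048, 200_000_000))
INFECTED_MBR = _mbr(_entry(0x00, 0x07, 2048, 200_000_000),
                    _entry(0x80, 0x07, 200_002_048, 16384))

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, active_partition_findings(parse_partitions(mbr)) or ["no findings"])
```

On a real machine you would feed the first 512 bytes of the physical disk to `parse_partitions` and compare the result with what Disk Management shows.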
 #9636  by PX5
 Thu Nov 10, 2011 8:05 am
They are saying that RC and fixmbr do not resolve this issue for them; no fixtools work either.

This makes 3 times I hear this story about a bootkit, lol, partition; fixboot would sort that?
 #9637  by EP_X0FF
 Thu Nov 10, 2011 8:15 am
The only reasonable explanation here (if the topic starter is not trolling and is doing all things right: tried available rootkit removers, RC commands, 3rd party partition managers, fixed the boot record, removed the new partition, set the boot partition active) is reinfection.
 #9647  by Ormu
 Thu Nov 10, 2011 9:16 pm
Just saw one of these, Kaspersky's TDSSKiller was able to remove it. The TDSS filesystem was also present.

Edit: Hm, it was actually a different variant, detected as Rootkit.Boot.SST.a
 #9659  by HackJack
 Fri Nov 11, 2011 7:52 pm
We are dealing with Rootkit.Boot.SST.b

Gmer loads with an error message as below:

“ LoadDriver(“c:\docume~1\re\locals~1\temp\kwkcrpog.sys”) error 0xC000010E: cannot create a stable subkey under a volatile parent key”
In Gmer, except for Services, Registry and Files, the other options are disabled.
Attachments: gmer error message in sst.JPG (gmer error message)
 #9660  by erikloman
 Fri Nov 11, 2011 8:10 pm
I think the rootkit is filtering specific driver symbolic links. GMER's driver loads but the user mode application is not able to communicate, so it tries to deploy the driver again, but it's running already? aswMBR and HitmanPro have the same issue as GMER. Maybe someone has more info on how the rootkit blocks specific anti-rootkit drivers?