Laptop infected with an MBR Rootkit



#1 2cantech

2cantech

  • Members
  • 13 posts
  • Gender:Female
  • Location:Florida

Posted 31 August 2014 - 08:09 AM

Original Topic - Am I infected? What to do?

 

I am a PC tech working on a Gateway laptop infected with an MBR rootkit.  Bleeping Computer is a place where one tech helps another, and I could use some help now.

 

It started out as a computer caught in a loop.  I pulled the drive, and scanned it externally with ESET Online Scanner.  ESET found 20 threats, one of which was a trojan, Win32/Kryptik.CBJZ.

I reinstalled the drive, and the machine booted right up.  I installed CCleaner and removed 7GB of junk.  I installed Malwarebytes Pro and Avast.  I backed up all of the client's data.

 

Malwarebytes detects the rootkit as 2 forged physical sectors, and Avast detects it as MBR:Cidox-E[Rtk].  Malwarebytes cannot remove it.  Avast is unable to remove it.  After the first attempt, I got BSOD Quota_Underflow, and after the 2nd attempt, BSOD Reference_By_Pointer.

 

I downloaded aswMBR from Avast, and it reported the default Windows 7 MBR was fine.  So I am starting to wonder if it has something to do with the Gateway Recovery Partition.  I have FRST64 logs if that would be helpful.

So "am I infected?  What do I do next?"

 

I am thinking, "throw away the hard drive, and put in a new one."

I look at removing bugs as a challenge.  I am a warrior, and I hate to give up the fight.

 

Note: The local Ohio tech force recommended the client buy a new computer.  They sent it to me in Florida as I am a trusted family member.

It would be the easiest solution to just replace the drive.  However I would like to learn what is necessary to remove this threat.
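The post above describes two kinds of evidence an MBR rootkit leaves behind: sector-level scanners reporting "forged physical sectors", and an MBR checker (aswMBR) comparing sector 0 against what a default Windows 7 boot sector should look like. The script below is an added illustration of that second kind of check and is not code from the post or from any of the tools named in it. It reads a 512-byte MBR image, verifies the 0x55AA boot signature, decodes the four partition entries, compares the bootstrap code against a known-good SHA-256 baseline, and flags overlapping or multiply-bootable partitions. The function names, the sample disk images and the baseline hash are all constructed for the example; a real check would read sector 0 of the physical disk and use a baseline recorded from a trusted install.

```python
"""MBR integrity check: parse a 512-byte MBR image, validate the boot signature,
decode the partition table, and compare the bootstrap code against a known-good
hash (the kind of baseline an MBR checker records from a clean install)."""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16                # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
ENTRY_FORMAT = "<B3xB3xII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba, sectors) tuples.
    Used here only to construct sample images; a real check reads sector 0 of the disk."""
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    table = b"".join(struct.pack(ENTRY_FORMAT, *p) for p in partitions)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_partition_table(mbr: bytes):
    """Decode the four partition entries, skipping empty ones (type 0)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte MBR, got {len(mbr)}")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, mbr, offset)
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(mbr: bytes, baseline_code_sha256: str):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    code_sha256 = hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()
    if code_sha256 != baseline_code_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    entries = parse_partition_table(mbr)
    if sum(e["bootable"] for e in entries) > 1:
        findings.append("more than one partition flagged bootable")
    # Partitions should not overlap; an entry that does may point at sectors hidden on the disk.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in entries)
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partition starting at LBA {start2} overlaps the one ending at LBA {end1}")
    return findings


# Constructed sample images (not real disk contents). A realistic layout: an active
# Windows NTFS partition (type 0x07) followed by a hidden OEM recovery partition (type 0x27).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + bytes(range(64))
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x27, 206848, 409600)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)

# The baseline would be recorded from a trusted install; here it is taken from the clean sample.
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:PARTITION_TABLE_OFFSET]).hexdigest()

# Same partition table, but the first bytes of the bootstrap code have been replaced,
# which is the pattern a bootkit-style MBR modification produces.
TAMPERED_MBR = build_mbr(b"\xeb\x20\x90" + CLEAN_BOOT_CODE[3:], LAYOUT)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, "->", check_mbr(image, BASELINE_SHA256) or "OK")
```

The important design point is that the code-hash comparison only catches what differs from the baseline you recorded: if the baseline itself was taken after infection, or the malicious code lives in unallocated sectors past the MBR rather than in the MBR (which is what "forged physical sectors" suggests), a clean result for sector 0 says nothing about the rest of the disk, which is consistent with aswMBR reporting the MBR as fine while other scanners still flagged the drive.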





#2 2cantech

2cantech
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:Florida

Posted 31 August 2014 - 09:08 AM

Status Update:
Intel Rapid Storage Technology is installed on this laptop which can be a false positive.
The machine is running Microsoft Services only.  All other services (except Avast) are turned off in a clean boot environment.
 
Sophos identifies Cidox-E as a trojan.
Avast identifies Cidox-E as an MBR rootkit.
 
Just got the following BSOD: an attempt was made to write to read only memory
 
Drive was 7% fragmented.  Running Defraggler this morning.

Edited by Queen-Evie, 31 August 2014 - 10:20 AM.
split from http://www.bleepingcomputer.com/forums/t/546198/computer-running-incredibly-slow-programs-not-opening-and-pages-not-loading/


#3 2cantech

2cantech
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:Florida

Posted 31 August 2014 - 12:11 PM

Thank you to humble member "replicates" for recommending that I use TDSSKiller by Kaspersky.

It found the culprit to be Cidox-B, and removed it quickly.

 

Kudos to "replicates" for the time saving suggestion.





