Infected with Boot:Cidox-A [Rtk] Rootkit


This topic is locked
5 replies to this topic

#1 jakey101

jakey101

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:44 PM

Posted 11 November 2014 - 08:00 AM

Hi there,

 

My XP machine is infected with the Cidox-A rootkit. I have run Avast and attempted to quarantine or delete it but to no avail.

 

My FRST logs are attached.

 

Your help is greatly appreciated. Thanks 

Attached Files





#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:44 AM

Posted 14 November 2014 - 03:19 PM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully: :exclame:

  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Windows XP notes

I've noticed that you're a Windows XP user. I need to tell you that my canned speeches (texts I use to present instructions) are designed for newer systems in the first place. Therefore, whenever you see a request to Run as Administrator, please ignore it and instead run the tool just by double-clicking the aforementioned icon.

Windows XP end of support warning!

As 8th of April 2014 has passed, this Operating System is no longer supported by Microsoft.
Any patches, updates or security releases have ceased for this system.

This is just an information for you if not aware.
My recommendation would be to start thinking about replacing it with some newer edition, like Windows Vista, Windows 7 or Windows 8.

 
Step 1

Please download MBR Master. (Link) (Make sure to save it on your Desktop).

  • Open the MBR Master file that you saved on your desktop (the default file name is mbrmastr).
  • Click on the Backup MBR button in the lower-right corner.
  • Save the backup of your MBR on your desktop (you can name it "checkthis").
  • Close the program. A log will be saved also on your desktop.
  • Please right-click on the MBR backup that you saved on your desktop, go to "Send to", and select Compressed (zipped) folder in order to zip the file so that it can be attached to a reply.
  • Please attach both the log and the zipped MBR backup to your next reply.

 

 

Step 2

Please download TDSSKiller and save it to your Desktop.

  • Start tdsskiller.exe with administrator privileges.
  • Accept the EULA and the KSN Statement.
  • Click on Change parameters.
  • Make sure that all available options (except "Loaded modules") are checked and click OK.
  • Click on Start scan.
  • If any threats are found don't delete them but choose the Skip option for all of them.
  • Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
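The MBR backup requested in Step 1 is a raw 512-byte sector, and an analyst receiving such a file checks it offline before deciding anything. The script below is an added example written for this page; it is not part of the thread, of MBR Master or of TDSSKiller. It parses a 512-byte MBR image, verifies the 0x55AA boot signature, lists the non-empty partition entries, hashes the 446-byte boot-code area, and reports the byte runs where a fresh backup differs from a known-good baseline sector, which is the usual way to spot bootkit-style modification of the boot code. The sample sector it builds when run without arguments is constructed for illustration; the offsets and struct layout are the standard MBR format.

```python
"""Inspect a raw MBR backup and compare its boot code against a baseline.

Added example for this thread (not MBR Master's or TDSSKiller's code).
Usage:  python mbr_check.py [mbr_backup.bin] [baseline.bin]
With no arguments it analyses a constructed sample sector.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # x86 boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
ENTRY_LEN = 16
SIGNATURE_OFF = 510        # bytes 510..511 must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte sector as a classic (non-GPT) MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature_ok = sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFF + index * ENTRY_LEN
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": signature_ok,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_boot_code(current: bytes, baseline: bytes) -> list:
    """Return (offset, length) runs where the boot-code areas differ.

    An empty list means the boot code is byte-identical to the baseline."""
    runs = []
    start = None
    for i in range(BOOT_CODE_LEN):
        same = current[i] == baseline[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, BOOT_CODE_LEN - start))
    return runs


def build_sample_mbr() -> bytes:
    """Constructed sample: a few boot-code bytes, one bootable NTFS (0x07)
    partition starting at LBA 63 with 1000 sectors, valid signature."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]).ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000)
    table = entry + b"\x00" * (ENTRY_LEN * 3)
    return boot_code + table + b"\x55\xaa"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(data)
    print("boot signature ok:", info["signature_ok"])
    print("boot code sha256: ", info["boot_code_sha256"])
    for p in info["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02x} bootable={p['bootable']} "
              f"lba_start={p['lba_start']} sectors={p['sectors']}")
    if len(sys.argv) > 2:
        baseline = open(sys.argv[2], "rb").read()
        runs = diff_boot_code(data, baseline)
        print("boot code differs from baseline at:", runs if runs else "nowhere")
```

A backup whose boot-code hash matches a known-good sector from the same Windows version and whose partition table is unchanged is the expected result; any differing run inside the first 446 bytes is what you would hand to the helper for a closer look, without drawing conclusions from the partition entries alone.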

#3 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:44 AM

Posted 17 November 2014 - 03:56 PM

Hi,

3 Day Inactivity

This is the third day since my last post. Are you still there?

If you need more time, just let me know.

If you do not post within 48 hours, this thread will be closed due to inactivity.
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#4 jakey101

jakey101
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:44 PM

Posted 18 November 2014 - 06:39 PM

Hi Jurgen,

 

Thank you for your response. In the end I thought I had removed the rootkit using the Windows Recovery Console and fixboot/fixmbr, as it no longer showed up on an antivirus scan; however, I read that some rootkits can embed themselves in the BIOS and hide from AV, so to prevent any further issue I re-flashed the BIOS, formatted the drive from another machine and re-installed Windows. Not what I wanted initially, but after spending many hours on the machine it seemed the best course of action, as I needed to get the machine up and running promptly. Thank you very much for responding to my post; you guys do an excellent job, and it is very kind of you to help people.

 

Best Regards

 

Jake



#5 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:44 AM

Posted 19 November 2014 - 06:46 AM

Hi Jake!
Thanks for letting me know.
Reformat is the cleaner solution for sure. You are welcome! :)
All the best!


regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#6 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:44 AM

Posted 19 November 2014 - 06:46 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 



