I have an infection problem and I cannot figure out how to remove it. I had a serious mess on my step-father's XP machine. I was able to remove and/or quarantine everything except a rootkit called “Cidox-A”. I even had OfficeMax try to fix it but to no avail, and I went back and forth with them for over a week… finally got them to offer me a refund. However I still have this rootkit that Avast finds with Quick Scan right off the bat. Cidox-A appears to be attached/infected in the MBR. Has anybody else come across this… and does anybody know how to remove it? My step-dad is completely computer illiterate so I can’t just get him a new machine because he would never understand or be able to figure out Windows 8. If anybody could help or point me in the right direction I sure would appreciate it!!!
Attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
Monitoring…
I am posting from my machine as I am afraid Cidox is a “key logger”. Avast is the program that finds the Cidox-A infection on my step-dad’s system. Can I print or save the log from Avast? And am I supposed to post that to this thread?
Basic instructions are in Reply #1.
In case TwinHeadedEagle needs other/further logs, he’ll let you know.
Well… here are the log files for Malwarebytes, OTL and aswMBR… Malwarebytes didn’t find anything… I don’t know if OTL found anything… but aswMBR found exactly what I am talking about… thanks for the help!
Hi,
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
***** NEXT *****
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
I ran TDSS Killer… It did not find anything (even though Avast popped up a Cidox alert just before I ran TDSS Killer) and there are 12 TDSS Killer logs in my root directory (the OfficeMax techs I had try to fix it last week must have tried this also). What log should I post and what should I do now?
I just ran FRST as well… here are the FRST logs and I believe the TDSS Killer log that was generated from the scan I ran
Download attached fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
***** NEXT *****
- Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.
Instructions how to disable avast:
- Right click on the avast! system tray icon (image: http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
- Run ComboFix. Click on I Agree!
- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
- When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach log reports (ComboFix.txt) back to topic.
I can not download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or view the ComboFix guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)… the browser says something about Intranet Settings… I am waiting to run the FRST Fix till I know what to do here about this
Try different browser, it works for me…
Ok I DLed ComboFix… Unfortunately I ran it before disabling my Avast… it sent up a message but I did not see it before I clicked ok… but it ran… I did not see a ComboFix.txt in my C: directory… then I disabled my avast and tried running it again but then an ERROR came up… how bad have I messed up and what do I do from here?
Try running ComboFix again. Did you run FRST fix?
yes I ran FRST Fix… ComboFix created 2 or 3 folders in the C: directory… do I need to delete them before running ComboFix again? Maybe that is what made the error when I tried running it again after I disabled Avast?
Can you download ComboFix again. If it is not working, try this:
Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions how MBAR works, read this article
> Doubleclick on the MBAR file (image: http://www.mcshield.net/personal/magna86/Images/mbar.png) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.
• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.
Notice: with some infections, you may see two messages boxes:
- ‘Could not load protection driver’. Click ‘OK’.
- ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.
>> If any infections are found ensure Create Restore Point is ticked. Then select the “Cleanup!” button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.
>> Notice: only if a rootkit is detected, ensure to run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait a few seconds for execution…
- When you see “press any key to exit” the fix is completed, press any key to close the window. Reboot the system.
> The following reports will be created in mbar folder:
- mbar-log-year-month-day (hour-minute-second).txt
- system-log.txt
Please post both logs in your next reply.
Ok… ran ComboFix and it seemed to do its thing… here is the FRST fixlog and the ComboFix log
Open notepad and copy/paste the text present inside the code box below:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
ClearJavaCache::
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Tell me how is computer after this?
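The CFScript above sets the two Security Center override values back to 0 and removes a firewall open-port exception for TCP 3389. As an added example (not from the thread or from ComboFix), here is a small Python parser that turns the Registry:: section into a plain list of operations so a script like this can be reviewed before it is dragged onto ComboFix; it assumes the REG-file forms used above ([key], "name"=dword:XXXXXXXX, "name"=-) and treats ComboFix's HKLM\~ abbreviation as opaque text.

```python
# Added example (not from the thread or from ComboFix): parse the Registry::
# section of a CFScript into a reviewable list of operations. Assumes [key],
# "name"=dword:XXXXXXXX (set REG_DWORD) and "name"=- (delete value) only.
import re

CFSCRIPT = """Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"=-
ClearJavaCache::
"""  # the script posted in the thread, embedded here as sample input

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_cfscript(text):
    """Return (ops, directives): ops are (action, key, name, data) tuples."""
    ops, directives, key, section = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # directive header, e.g. Registry::
            section, key = line[:-2], None
            if section != "Registry":
                directives.append(section)  # listed, not interpreted
        elif section != "Registry":
            continue                        # body of a non-registry directive
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                # following values belong to this key
        else:
            m = VALUE_RE.match(line)
            if not m or key is None:
                raise ValueError("unrecognised Registry:: line: %r" % raw)
            name, data = m.group("name"), m.group("data")
            if data == "-":                 # REG-file syntax for "delete value"
                ops.append(("delete", key, name, None))
            elif data.startswith("dword:"):
                ops.append(("set_dword", key, name, int(data[6:], 16)))
            else:
                ops.append(("set_raw", key, name, data))
    return ops, directives

def describe(op):
    action, key, name, data = op
    if action == "delete":
        return "delete value %r under %s" % (name, key)
    return "set %r under %s to %r" % (name, key, data)
```

Running `parse_cfscript(CFSCRIPT)` and printing `describe(op)` for each operation lists exactly what the script will change, which is the check a helper would want a user to make before running any registry fix.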
Just a little clarification before I do this… you say to tell you “how the computer is after doing this”… the only way for me to tell is to run Avast Quick Scan to see if it finds the Cidox-A Rtk… is this what I should do after running the ComboFix script? And should I leave Avast disabled when I run the script?
Don’t need to disable avast during this script.