How to get rid of CIDOX rootkit

I am running Windows XP and received a notice from Avast that I was infected by the CIDOX rootkit. Following instructions from https://forum.avast.com/index.php?topic=53253.0, I ran Malwarebytes, Farbar Recovery Scan Tool, and aswMBR.

Malwarebytes showed no threats. I am attaching Farbar’s frst.txt and addition.txt and the aswMBR log. I am also attaching the Avast notice.

What can I do to remove the CIDOX rootkit?

THANKS IN ADVANCE
Ami Raz

Whilst I am looking at the FRST logs:

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Sorry for the delay in responding. Circumstances beyond my control…
I ran the TDSS rootkit as requested and it found no threats. I am including the log below. I ran Avast full scan again, and found 2 Cidox rootkit threats that were marked with “Fix Automatically.” I clicked on “Apply” and received the message “Action Postponed.” I thought that this may mean that the removal was postponed until I rebooted the computer. I rebooted and ran AVast again and again received the same threats and the same messages.

Please let me know what to do next.

Thanks,
Ami Raz

Hmm, this is weird, as TDSSKiller is a specialised tool just for this bootkit, yet it never saw it.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

I am attaching the combofix log from yesterday.

Thanks in advance,
Ami Raz

Could you re-run aswMBR please, and if it still reports Cidox then press Fix.

I ran aswMBR as requested and received a notice that the CIDOX rootkit was found. But when it finished I wasn’t able to click on “Fix” – only on “FixMBR.” When I clicked on “FixMBR,” I received a notice that this may make my partition inaccessible. Please confirm that I should press “FixMBR” – or give me further instructions.

For what it’s worth, I am attaching a screen capture of the aswMBR results.

THANKS IN ADVANCE,
Ami Raz

Essexboy, please note the:

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

Press FixMBR and that should cure it.

Eddy, the ADS is one generated by Windows and is OK.

Hi,
I ran aswMBR twice. Each time I clicked on “FixMBR”, rebooted the computer, and ran aswMBR again. Each time, I received a notice that the computer was still infected with the CIDOX rootkit. Any other ideas?

Thanks
Ami Raz

I have a feeling this is a false positive, as the other tools would have shown an indicator, which they do not.

Is the computer exhibiting any unusual behaviour?

No complaints. I’ve been working with the computer for about three weeks since I first found the CIDOX rootkit warning in Avast.

THANKS
Ami Raz

Let's clear my rubbish now then and see what happens.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Click Start, then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter).
Wait for the uninstall process to complete.

Download and run DelFix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes: update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Hi,

Thanks for your help. I realize that you are on holiday until Oct 14th. I don’t think that I have an urgent problem.

I’ve done everything that you requested – is there anything else that needs to be done? I’ve been running the computer for days without problem.

Ami Raz

Everything seems to be fine.
Keep using your system in a safe/responsible way.
I don’t foresee any problems at this point.