MBR:Cidox-E [rtk] - Avast can not remove

Hi - I am helping a friend recover their laptop. I think it’s mostly clear except for the Cidox-E rootkit.

This is also discussed in

https://forum.avast.com/index.php?topic=161457.0

and I have already run TDSSKiller, which did not find anything.

I have attached the FRST logs. Do you need any others? Many thanks in advance for any help! :slight_smile:

Could you attach the TDSSKiller log please

Download the attached fixlist to the same location as FRST
Start FRST and press Fix
After the reboot a log will open; please attach that

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

TDSSKiller logs on next reply. Thank you!

TDSSKiller logs

Could you resave the TDSSKiller log as ANSI please

Could you download and then run Listparts from here :
http://www.bleepingcomputer.com/download/listparts/

When the programme has finished, a results.txt will be created; please attach that

Here they are (in ANSI)

Hmm, yet TDSSKiller does not see it, nor does Listparts

One more check

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

I ran ComboFix earlier. Here is the log, let me know if I should re-run it

Is Avast still reporting cidox ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

C:\awhEE06.tmp
C:\awh614C.tmp
C:\awh7CDC.tmp
C:\awh8B9B.tmp
C:\awh621C.tmp
C:\awh77FC.tmp
C:\awh7280.tmp
C:\awh7A7C.tmp
C:\awhD01A.tmp
C:\awh70CB.tmp
C:\awhB6B1.tmp
C:\awhD864.tmp
C:\awh697B.tmp
C:\awh5D3C.tmp
C:\awhFE00.tmp
C:\awh42AA.tmp
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that

Yes, aswMBR shows it once the scan is started… it still crashes at atapi.sys though. It usually takes a while after the reboot for Avast 2015 to show the pop-up window… and it just did :wink:

Still not seeing it, yet another look at it

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

[QUOTE]Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

MBRCheck log. Found something…

Essexboy has logged out for today, check back tomorrow

Run MBRCheck.exe once again.

You will be presented with the following dialog:

[QUOTE]Found non-standard or infected MBR.
Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
[/quote]
Enter Y and press Enter.

The following dialog will be presented:

[QUOTE]Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
[/quote]
Enter 2 and press Enter

The following dialog will be presented:

[QUOTE]Enter the physical disk number to fix (0-99, -1 to cancel):
[/quote]
Enter >>0<< and press Enter

The following dialog will be presented:

Enter >>3<< and press Enter

The following dialog will be presented:

[QUOTE]Do you want to fix the MBR code? Type ‘YES’ and hit ENTER to continue:
[/quote]
Type YES and press Enter (you must type the full word, YES). You will be informed if it successfully wrote new MBR code!

And last the following dialog will be presented:

[QUOTE]Done! Press ENTER to exit…
[/quote]
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
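MBRCheck's option [1] above writes the raw first sector of a physical disk to a file. The following is an added example of my own (not MBRCheck's code and not something the thread's helper posted) that parses such a 512-byte dump, validates the 0x55AA signature and partition table, and optionally compares the 446 bytes of boot code against a known-good dump so that a rewritten boot sector, the kind of change MBRCheck reports as "non-standard or infected", shows up as a byte-level difference. The two sample MBRs at the bottom are constructed test data, not real disk images.

```python
import struct

# Classic 512-byte MBR: 446 bytes of boot code, four 16-byte partition entries, 0x55AA signature.
MBR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 446, 446
SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_partitions(mbr):
    """Return the non-empty partition table entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts

def check_mbr(mbr, reference_boot_code=None):
    """Return (findings, partitions); reference_boot_code is an optional known-good 512-byte dump."""
    if len(mbr) != MBR_SIZE:
        return ["dump is not exactly 512 bytes"], []
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if reference_boot_code is not None and mbr[:BOOT_CODE_LEN] != reference_boot_code[:BOOT_CODE_LEN]:
        findings.append("boot code differs from the known-good reference")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partition %d overlaps partition %d" % (nxt["index"], prev["index"]))
    return findings, parts

def build_sample_mbr(boot_code, partitions):
    """Constructed test data: assemble an MBR from boot code and (status, type, lba, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i, *entry)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

# Constructed samples, not real disk images: a stand-in for clean boot code and a patched copy.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT, [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C" + CLEAN_BOOT[2:], [(0x80, 0x07, 2048, 204800)])
```

To use it on a real dump, read the first 512 bytes of the file MBRCheck produced and pass them to check_mbr, with a dump from a known-clean machine of the same Windows build as the reference.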

And, the results!

Is Avast still alerting ?

Unfortunately, yes

Could you run AswMBR once again please and we will see if that can fix it

It is still crashing at atapi.sys during the services scan.

That is Avast anti rootkit and has not been updated for at least a year

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the “Scan” button to start scan

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan click Save log, save it to your desktop and post it in your next reply