Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on November 26, 2014, 06:53:15 PM

Title: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 06:53:15 PM
Hi - I am helping a friend recover their laptop. I think it's mostly clear except for the Cidox-E rootkit.

This is also discussed in https://forum.avast.com/index.php?topic=161457.0 and I have already run TDSSKiller, which did not find anything.

I have attached the FRST logs. Do you need any others? Many thanks in advance for any help! :)
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 26, 2014, 07:31:33 PM
Could you attach the TDSSKiller log please

Download the attached fixlist to the same location as FRST
Start FRST and press Fix
After the reboot a log will open please attach that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 08:14:00 PM
TDSSKiller logs on next reply. Thank you!
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 08:15:44 PM
TDSSKiller logs
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 26, 2014, 08:23:56 PM
Could you resave the TDSSKiller log as ANSI please

Could you download and then run Listparts from here :
http://www.bleepingcomputer.com/download/listparts/

When the programme has finished a results.txt will be created please attach that
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 08:34:55 PM
Here they are (in ANSI)
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 26, 2014, 09:35:34 PM
Hmm yet TDSSKiller does not see it nor listparts

One more check

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 09:38:09 PM
I ran ComboFix earlier. Here is the log, let me know if I should re-run it
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 26, 2014, 09:41:18 PM
Is Avast still reporting cidox ?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
C:\awhEE06.tmp
C:\awh614C.tmp
C:\awh7CDC.tmp
C:\awh8B9B.tmp
C:\awh621C.tmp
C:\awh77FC.tmp
C:\awh7280.tmp
C:\awh7A7C.tmp
C:\awhD01A.tmp
C:\awh70CB.tmp
C:\awhB6B1.tmp
C:\awhD864.tmp
C:\awh697B.tmp
C:\awh5D3C.tmp
C:\awhFE00.tmp
C:\awh42AA.tmp 
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 09:55:13 PM
Yes, aswMBR shows it once the scan is started... it still crashes at atapi.sys though. It usually takes a while after the reboot for Avast 2015 to show the pop-up window... and it just did ;)

Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 26, 2014, 10:40:52 PM
Still not seeing it, yet another look at it

Please download MBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 26, 2014, 10:59:43 PM
MBRCheck log. Found something...
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: Pondus on November 27, 2014, 12:20:47 AM
Essexboy has logged out for today, check back tomorrow

Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 27, 2014, 04:07:43 PM
Run MBRCheck.exe once again.

You will be presented with the following dialog:

Quote
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Enter Y and press Enter.

The following dialog will be presented:
Quote
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Enter 2 and press Enter

The following dialog will be presented:

Quote
Enter the physical disk number to fix (0-99, -1 to cancel):

Enter >>0<< and press Enter

The following dialog will be presented:
Quote
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:

Enter >>3<<  and press Enter

The following dialog will be presented:
Quote
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

Type YES and press Enter (you must type the full word, YES). You will be informed if the new MBR code was written successfully.

And last the following dialog will be presented:

Quote
Done! Press ENTER to exit...

Press Enter. A report will be produced on the desktop. Post that report in your next reply.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 27, 2014, 04:33:26 PM
And, the results!
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 27, 2014, 04:38:32 PM
Is Avast still alerting ?
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 27, 2014, 04:57:41 PM
Unfortunately, yes
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 27, 2014, 06:24:59 PM
Could you run AswMBR once again please and we will see if that can fix it
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 28, 2014, 07:01:47 PM
It is still crashing at atapi.sys during the services scan.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 28, 2014, 10:15:41 PM
That is Avast anti rootkit and has not been updated for at least a year

Download aswMBR.exe (http://files.avast.com/files/rootkit-scanner/aswmbr.exe) ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan

(https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG)


On completion of the scan click save log, save it to your desktop and post in your next reply
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on November 29, 2014, 03:14:30 PM
The log I attached may not be the most recent; in fact it may have been created during a scan in safe mode. But that is the same version I have been running. It crashes at atapi.sys every time.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on November 29, 2014, 03:49:41 PM
Hmm this is weird as none of the other tools are even hinting at cidox

So lets run a scan with windows and the MBR inactive

Create an emergency repair USB drive:
Download Dr Web Live USB (http://www.freedrweb.com/liveusb/?lng=en) to your desktop
(https://dl.dropbox.com/u/73555776/liveusb_ru.jpg)
(https://dl.dropboxusercontent.com/u/73555776/Live%20boot%20screen.png)

(https://dl.dropboxusercontent.com/u/73555776/drwebselect.JPG)

(https://dl.dropboxusercontent.com/u/73555776/drwebfolders.JPG)

(https://dl.dropboxusercontent.com/u/73555776/drwebscan.JPG)

(https://dl.dropboxusercontent.com/u/73555776/drwebscancomplete.JPG)
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 01:52:51 PM
I ran the scanner a few times and it found around 50 or so items to fix and fixed them. I never did see the option to "open report" but I found the name of the log file in the help section and did a search for it. It's too big so I split it up into 3 parts. There are 2 - 4 items that it repeatedly finds in between scans and booting into windows. Something about UserInit if I remember correctly.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 01:53:25 PM
Part 2 of 3
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 01:53:56 PM
Part 3 of 3
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on December 01, 2014, 07:06:29 PM
Is Avast still alerting ?
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 07:07:36 PM
Yes, Avast is still alerting
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on December 01, 2014, 07:34:47 PM
Could you do the following :

Go to > Control Panel > Administrative Tools > Computer Management > Storage > Disk Management
Then take a screen shot and post it here

 
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 07:42:39 PM
Screenshot
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on December 01, 2014, 07:45:58 PM
Have you tried the Delete now option ? 

It looks as though it may be alerting on the 10Gb EISA partition which is a restore partition
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 01, 2014, 07:50:09 PM
Yes, I have. It requests to schedule a boot scan and restart the computer, but it is not found during the boot scan and removed.
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on December 01, 2014, 08:35:27 PM
As it stands none of my tools have found it so I believe it is a false alarm on your recovery partition

If there was even a trace then TDSSKiller or DrWeb would have seen it.

Tick the do not alert again box
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: REDACTED on December 02, 2014, 04:22:11 PM
OK, will do. Thanks so much for the help! Happy holidays!!! :D
Title: Re: MBR:Cidox-E [rtk] - Avast can not remove
Post by: essexboy on December 02, 2014, 04:23:21 PM
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click  Start  then Run.
On Windows7 or Vista  you may use  Start Search  field if  Run  is not available.
In the box copy/paste the following command:

ComboFix  /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click  OK  (or press  Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean

Unchecky (http://unchecky.com/)

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme  ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave: