Author Topic: How do I remove Cidox-A rootkit  (Read 16703 times)


Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #15 on: June 30, 2014, 05:45:11 PM »
Can you download ComboFix again? If it is not working, try this:

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions on how MBAR works, read this article.

•  Double-click on the MBAR file () and allow it to run.
•  Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
•  mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
•  After reading the Introduction, click Next if you agree.
•  On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated', click on Next.
•  Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two message boxes:
'Could not load protection driver'. Click 'OK'.
'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>>  If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>>  If an infection is found, ensure Create Restore Point is ticked. Then select the "Cleanup!" button to remove threats.
•  The clean up procedure will be scheduled for processing and a pop-up will be shown.
   Select the Yes button and the system should re-boot to complete the cleaning process.

>>  Notice: only if a rootkit is detected, ensure you run the fixdamage.exe tool located in the mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe; at the black window, type Y (alias for Yes) to continue. Wait a few seconds for execution ...
- When you see "press any key to exit" the fix is completed; press any key to close the window. Reboot the system.

> The following reports will be created in the mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #16 on: June 30, 2014, 07:23:05 PM »
Ok... ran ComboFix and it seemed to do its thing... here is the FRST fixlog and the ComboFix log

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #17 on: June 30, 2014, 07:39:10 PM »
Open notepad and copy/paste the text present inside the code box below:


Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

ClearJavaCache::

Save this as CFScript.txt



Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)



Tell me how is computer after this?

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #18 on: June 30, 2014, 07:45:24 PM »
Just a little clarification before I do this... you say to tell you "how the computer is after doing this"... the only way for me to tell is to run Avast Quick Scan to see if it finds the Cidox-A Rtk... is this what I should do after running the ComboFix script? And should I leave Avast disabled when I run the script?
« Last Edit: June 30, 2014, 07:47:02 PM by jojo136913 »

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #19 on: June 30, 2014, 08:08:05 PM »
Don't need to disable avast during this script.

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #20 on: June 30, 2014, 08:48:51 PM »
When I dragged CFScript.txt into ComboFix.exe, avast popped up and said it "detected a threat and blocked it". It moved or deleted ComboFix.exe from my desktop. I searched for ComboFix.exe in my Files and Folders but it did not find it. What should I do now? Re-download ComboFix or what? Also... I looked at my C: drive and it appears that Avast also deleted the \3278822FWJFW folder that ComboFix created during its original scan???
« Last Edit: June 30, 2014, 08:56:25 PM by jojo136913 »

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #21 on: June 30, 2014, 10:00:03 PM »
OK, disable Avast, download fresh ComboFix and then run script.

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #22 on: June 30, 2014, 11:40:14 PM »
Ok... I re-downloaded ComboFix.. avast blocked the DL because it said it was malware.. so I disabled Avast.. downloaded it again.. ran the script.. quick-scanned with Avast and it still picked up the Cidox-A [Rkt] at C:\$Boot.. I am attaching the newly generated ComboFix.txt log...   :-\

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #23 on: July 01, 2014, 07:08:44 AM »
Run Malwarebytes Anti-Rootkit, as I instructed above.

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #24 on: July 01, 2014, 07:27:34 PM »
Mbar did not find anything.. here are the log files...

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #25 on: July 01, 2014, 08:13:41 PM »
PC seems clean. Can you make one more boot scan?

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #26 on: July 01, 2014, 08:39:45 PM »
A lot of these programs don't seem to find anything.. but Avast Quick Scan finds the Cidox-A Rkt every time...Avast also pops up a threat alert when it boots up... by boot scan do you mean to have Avast run a boot time scan before Windows opens? If so what do I do when avast finds something?

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: How do I remove Cidox-A rootkit
« Reply #27 on: July 01, 2014, 09:09:15 PM »
It seems this is false detection, because none of the tools we used revealed anything.

REDACTED

  • Guest
Re: How do I remove Cidox-A rootkit
« Reply #28 on: July 01, 2014, 09:52:43 PM »
The aswmbr scan saw it too. If this is a real threat, what does Cidox-A rootkit do? Is it a key logger, redirect Trojan, etc.? So I should just have my step dad ignore this warning? My concern is more or less that this can/will be used to gather his personal info for use in identity theft/fraud.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: How do I remove Cidox-A rootkit
« Reply #29 on: July 01, 2014, 10:08:33 PM »
What avast calls Boot:Cidox-A[rtk] is called Virus:DOS/Rovnix.F by Microsoft.

info here
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:DOS/Rovnix.F#tab=2

Symantec
Quote:
Trojan.Cidox is a Trojan horse that modifies the NTFS boot sector's Initial Program Loader (IPL) in order to perform malicious actions.
http://www.symantec.com/security_response/writeup.jsp?docid=2011-070712-0320-99&tabid=2


« Last Edit: July 01, 2014, 10:24:21 PM by Pondus »
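Pondus's links describe Cidox/Rovnix as modifying the IPL inside the NTFS boot area, which is the C:\$Boot location Avast kept flagging earlier in the thread. A practical defender-side check for that kind of finding is to parse the NTFS boot record and keep a hash of the IPL region, so a later snapshot can be compared against a baseline taken when the machine was known clean. The script below is an added example for this thread, not code from Avast, Malwarebytes, ComboFix or any of the posters; it runs on a $Boot image constructed inside the script, and it assumes the usual layout of the volume boot record in sector 0 followed by 15 sectors of bootstrap (IPL) code.

```python
"""Parse an NTFS $Boot image and baseline the IPL region for integrity checks.

Added example for this thread; it is not code from any tool named in it.
Assumption: $Boot holds the volume boot record (VBR) in sector 0 and the
bootstrap code known as the Initial Program Loader (IPL) in the 15 sectors
that follow, so the whole file is 16 sectors (8 KiB) on a 512-byte-sector volume.
"""
import hashlib
import hmac
import struct

SECTOR_SIZE = 512
BOOT_SECTORS = 16          # assumed size of $Boot in sectors
IPL_FIRST_SECTOR = 1       # assumed: the IPL starts right after the VBR


def parse_vbr(boot):
    """Validate and decode the NTFS VBR (first sector of $Boot).

    Raises ValueError when the data does not look like an NTFS boot sector.
    """
    if len(boot) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    vbr = boot[:SECTOR_SIZE]
    oem_id = vbr[3:11]
    if oem_id != b"NTFS    ":
        raise ValueError("not an NTFS boot sector, OEM id %r" % oem_id)
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_cluster, mft_mirror_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    return {
        "jump": vbr[0:3].hex(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "media_descriptor": vbr[0x15],
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mft_mirror_cluster": mft_mirror_cluster,
        # SHA-256 of the VBR's own bootstrap code (bytes 0x54..0x1FD)
        "vbr_code_sha256": hashlib.sha256(vbr[0x54:0x1FE]).hexdigest(),
    }


def ipl_digest(boot):
    """SHA-256 of the IPL region (sectors 1..15 of $Boot)."""
    start = IPL_FIRST_SECTOR * SECTOR_SIZE
    end = BOOT_SECTORS * SECTOR_SIZE
    if len(boot) < end:
        raise ValueError("$Boot image is shorter than %d bytes" % end)
    return hashlib.sha256(boot[start:end]).hexdigest()


def ipl_matches_baseline(boot, baseline_digest):
    """True when the IPL region still hashes to the recorded baseline."""
    return hmac.compare_digest(ipl_digest(boot), baseline_digest)


def build_sample_boot(ipl_fill=0x90):
    """Construct a minimal, made-up NTFS $Boot image for demonstration.

    The field values are plausible but invented; the IPL region is filled
    with a single byte so that a change to it is easy to simulate.
    """
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                  # jump over the BPB, as real VBRs do
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)  # 512 B/sector, 8 sectors/cluster
    vbr[0x15] = 0xF8                            # media descriptor for a fixed disk
    struct.pack_into("<QQQ", vbr, 0x28, 0x1FFFFF, 786432, 2)
    vbr[0x1FE:0x200] = b"\x55\xAA"
    ipl = bytes([ipl_fill]) * ((BOOT_SECTORS - IPL_FIRST_SECTOR) * SECTOR_SIZE)
    return bytes(vbr) + ipl


if __name__ == "__main__":
    clean = build_sample_boot()
    baseline = ipl_digest(clean)
    print("VBR fields:", parse_vbr(clean))
    print("IPL baseline:", baseline)
    # Simulate a later snapshot whose IPL bytes were rewritten.
    later = build_sample_boot(ipl_fill=0xCC)
    print("IPL unchanged:", ipl_matches_baseline(later, baseline))
```

To use this against a real volume, read the first 8 KiB of the raw volume (on Windows that is `\\.\C:`, which needs administrator rights) and pass those bytes to parse_vbr and ipl_digest. A digest that differs from the one recorded when the machine was known clean is a reason to look closer, not a verdict on its own: legitimate boot-code updates also change it, which is why comparing against a baseline from the same machine matters more than any single hash value.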