MBR:Cidox-E [rtk] - Avast can not remove

[REDACTED]

Hi - I am helping a friend recover their laptop. I think it's mostly clear except for the Cidox-E rootkit.

This is also discussed in

Code: [Select]

https://forum.avast.com/index.php?topic=161457.0 and I have already ran TDSSKiller which did not find anything.

I have attached the FRST logs. Do you need any others? Many thanks in advance for any help!

[essexboy]

Could you attach the TDSSKiller log please

Download the attached fixlist to the same location as FRST
Start FRST and press Fix
After the reboot a log will open please attach that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[REDACTED]

TDSSKiller logs on next reply. Thank you!

[REDACTED]

TDSSKiller logs

[essexboy]

Could you resave the TDSSKiller log as ANSI please

Could you download and then run Listparts from here :
http://www.bleepingcomputer.com/download/listparts/

When the programme has finished a results.txt will be created please attach that

[REDACTED]

Here they are (in ANSI)

[essexboy]

Hmm yet TDSSKiller does not see it nor listparts

One more check

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[REDACTED]

I ran ComboFix earlier. Here is the log, let me know if I should re-run it

[essexboy]

Is Avast still reporting cidox ?

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

C:\awhEE06.tmp
C:\awh614C.tmp
C:\awh7CDC.tmp
C:\awh8B9B.tmp
C:\awh621C.tmp
C:\awh77FC.tmp
C:\awh7280.tmp
C:\awh7A7C.tmp
C:\awhD01A.tmp
C:\awh70CB.tmp
C:\awhB6B1.tmp
C:\awhD864.tmp
C:\awh697B.tmp
C:\awh5D3C.tmp
C:\awhFE00.tmp
C:\awh42AA.tmp 
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

Yes, aswMBR shows it once the scan is started... it still crashes at atapi.sys though. It usually takes a while after the reboot for Avast 2015 to show the pop-up window... and it just did

[essexboy]

Still not seeing it, yet another look at it

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

[REDACTED]

MBRCheck log. Found something...

[Pondus]

Essexboy has logged out for today, check back tomorrow

[essexboy]

Run MBRCheck.exe once again.

You will be presented with the following dialog:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Enter Y and press Enter.

The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Enter 2 and press Enter

The following dialog will be presented:

Enter the physical disk number to fix (0-99, -1 to cancel):

Enter >>0<< and press Enter

The following dialog will be presented:

Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:

Enter >>3<<  and press Enter

The following dialog will be presented:

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:

Type YES and press Enter (Must type the full word, YES). You will be inform if successfully wrote a new MBR code!

And last the following dialog will be presented:

Done! Press ENTER to exit...

Press Enter. A report will be produced on the desktop. Post that report in your next reply.

[REDACTED]

And, the results!