
Geek Culture / Nasty rootkit!

Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 18th Feb 2014 01:15
Went over to my mom's to fix a computer today, it was running very slow. I thought this would be a simple fix, until I noticed several weird processes running, including multiple explorer processes just killing the CPU. After many scans and fixes, TDSSKiller alerted me of Rootkit.Boot.Cidox.b installed in part of the boot partition of the drive.

I looked it up and it described precisely the problems we're having, but unfortunately no tools are capable of getting rid of it. So it's down to a manual cleaning. Cleaned out all registry entries I could find, then deleted every possible copy of the trojan, except for two. Every time I killed the process it came right back, so I was unable to delete them. I was going to reboot into safe mode, but I can't get Windows to load now. This morning her husband informed me of a clicking sound. At first I figured it was a bad fan (it's an old P4 system), but then I started actually listening to it. Yup, hard drive click of death!

So I said I'll take it home and try to do what I can, but then the freezing rain started! So that's been my day, how's yours?

nonZero
12
Years of Service
User Offline
Joined: 10th Jul 2011
Location: Dark Empire HQ, Otherworld, Silent Hill
Posted: 18th Feb 2014 09:01
Well, I woke up too early, hard to concentrate, feeling undead. I guess that's not as bad as your day, but if I get a call-out it may be, as it's summer in the southern hemisphere and it's 34 degrees Celsius here.

On the subject of that PC, assuming the HDD was not broken, I'd boot into my custom-Debian-for-easily-killing-viruses disc (or UNetbootin the ISO onto a flash drive if USB boot is available on the target machine). Then just kill all copies of the virus's binaries and overwrite the boot sector with GRUB, or boot into the OEM partition / CD if available and restore the Windows bootloader. But since the HDD is dead, I'd retrieve what I could and replace it.

ver7.5
Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Posted: 18th Feb 2014 14:05
Quote: "I'd boot in my custom-Debian-for-easily-killing-viruses disc (or unetbootin the iso onto flashdrive if USB boot is available on the target machine)."

This is what I would also suggest. I keep a bootable Xubuntu stored on a USB key just in case I have any problems that prevent me booting Windows.

Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 19th Feb 2014 21:57
The rootkit changes the MBR. Every attempt I've made has been useless. The second I boot up normally it's back. And I went through manually cleaning the registry, services, and other files, some of which I could only delete from the recovery console. So at this point I'm losing too much time and reformatted. Up and running fine now.
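
nonZero's procedure (boot a live Linux disc, then overwrite the boot sector or restore the Windows bootloader) and Phaelax's finding that the rootkit keeps coming back because it rewrites the MBR come down to the same defender's check: compare the first sector on disk against a known-good copy, and if it differs, put the good boot code back without touching the partition table. The Python below is an added example, not code from this thread, from TDSSKiller or from any rescue disc; the stub boot code, the sample partition table and the "tampered" copy are all constructed inside the script, and `read_mbr` simply reads the first 512 bytes of whatever path it is given (a saved image, or a block device such as `/dev/sda` when run from a live disc).

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(path: str) -> bytes:
    """Read sector 0 from an image file or block device (e.g. /dev/sda on a live disc)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and the signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            entries.append({"status": status, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare an MBR with a saved baseline; an empty list means nothing changed."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if parsed["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def restore_boot_code(current: bytes, known_good: bytes) -> bytes:
    """Put the known-good boot code back while keeping the disk's current partition table."""
    return known_good[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed helper: assemble a 512-byte MBR from a boot-code stub and partition tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample data (not a real bootloader): a short stub padded with NOPs,
# plus one bootable NTFS-type partition starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 8)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)  # what you would save before the machine is ever infected

# Constructed "tampered" copy: the first three bytes of boot code were replaced,
# the partition table and signature were left alone, which is exactly why a
# quick look at the partition layout alone would not reveal the change.
TAMPERED_MBR = bytes.fromhex("eb3c90") + CLEAN_MBR[3:]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
    restored = restore_boot_code(TAMPERED_MBR, CLEAN_MBR)
    print("restored:", check_mbr(restored, BASELINE) or "no findings")
```

The baseline has to come from a time the machine was known clean (a `read_mbr` of the disk right after installation, saved off-box), otherwise the comparison only proves the sector has not changed since you first looked. Phaelax's report also says the infection lived in the boot partition, so the same hash comparison is worth running on the first sector of each partition (offset `lba_start * 512`), since a bootkit that survives an MBR rewrite may be sitting there instead.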
