  1. #16
    Joined
    Mar 2002
    Location
    Sarasota, FL
    Age
    54
    Posts
    2,496

    Re: Mom's computer got the Cidox.b rootkit ?

    So, I basically did what Sick Willie said, but I added some stuff in between and stuff. Briefly, here's what I did with or without results (remember, I'm trying to be as "brief" as possible):

    First, all below was done OFFLINE for now:
    1. ran TweakNow RegCleaner, cleaned the registry up a bit
    2. deleted some of the strange things in 9. above in post #5
    3. ran Process Explorer (friend advised me on this), didn't see anything strange
    4. ran RKill, then TDSSKiller, rebooted, ran RKill again, then TDSSKiller again (when you check all the items except verify sigs, you'll know what I'm talking about), nothing detected
    5. ran TFC, but not much left to get rid of
    6. ran MBAM, MBAR and SASW (MBAM still run with different subd name and different exe file name)
    7. ran ComboFix (it thinks Avira Desktop is still running, so stopped it)
    8. can't uninstall, so I deleted all of Avira AntiVir stuff in directories, subdirectories and registry
    9. ran ComboFix again (still thinks Avira Desktop is running), even though a warning, I ran anyway (what choice did I have?), it got rid of some stuff that didn't look good
    10. ran Adwcleaner and it didn't detect anything (I would hope at this point all spyware/adware is gone)
    11. ran MBAM, MBAR and SASW one more time to make sure and detected nothing
    12. Since MBAM and Avira AntiVir are now renamed to get them to run, I tried naming them back and the software policy restriction still remains. They do not show up in Add/Remove Programs either. I decided to delete all references to MBAM in subdirectories and the registry also.

    Second, this was a scan of HD from another computer:
    13. At this point, at the advice of Sick Willie, I removed the HD from the WinXP computer, installed it as a data drive in a Win7 computer and ran an updated MS Security Essentials on it. It detected 8 items (7 severe alerts, but 3 were false positives; I decided to delete 7 of them anyway; the last one was TDSSKiller's quarantined "Virus: DOS/Rovnix.W", which I'll delete later if I can). The legitimate 5 were (exact names left out):
    VirTool: Win32
    Backdoor: Win32
    Trojan Downloader: Win32
    Backdoor: Win32
    Trojan: Win32

    Third, all below was done ONLINE:
    14. ran TFC and Process Explorer and nothing strange
    15. ran ComboFix (still thinks Avira is running for some odd reason), continued after warning; deleted a lot less than last time.
    16. ran Adwcleaner and nothing detected, but after it ran got an almost infinite loop of Windows Installer window switching with Logitech QuickCam detection over and over again (I stopped it by killing processes until it went away).
    17. ran RKill, TDSSKiller, RKill, TDSSKiller again and detected nothing
    18. ran MBAM and it detected the same Trojan Downloader as MS Security Essentials, so deleted it again.
    19. ran MBAR and SASW again with no detections
    20. made a DriveImage backup of the C: drive
    21. tried to reinstall the new version of Avira AntiVir, but got problems with Chrome and IE and which one was default; didn't like the way this new version was installing, so I decided not to use Avira this time around.
    22. installed the newest version of Avast without the software updating crap and am running that now.
    23. decided not to bother with HitManPro, Eset Online Scanner, Emsisoft Emergency Kit, or some of the others in links I haven't mentioned yet for now.

    Also, I may try applying the WinXP security update fix at a later date (probably next weekend). Thank you everyone that helped (esp. Sick Willie)!
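    Item 12 above (scanners still hit by a "software policy restriction" after being renamed, and missing from Add/Remove Programs) is something a responder checks in the registry rather than by trial and error. The script below is an added example, not code from this thread or from any of the tools named in it. The registry paths are the standard Windows locations for Software Restriction Policies, Image File Execution Options and the Add/Remove Programs list; the tool-name list in $Watch is an assumption chosen to cover the tools mentioned in the thread. It is read-only: it reports, it does not delete.

```powershell
# Added example, not code from the thread. Read-only triage of the places a
# "software restriction" on a scanner usually lives. Run in an elevated
# PowerShell (2.0-compatible syntax so it also works on Windows XP / 7).
# Registry paths are the standard Windows locations; the name fragments in
# $Watch are an assumed list covering the tools mentioned in the thread.

$Watch = @('mbam', 'mbar', 'avira', 'avcenter', 'combofix', 'tdsskiller', 'rkill', 'sasw')

function New-Finding($Source, $Level, $Target, $Key) {
    New-Object PSObject -Property @{ Source = $Source; Level = $Level; Target = $Target; Key = $Key } |
        Select-Object Source, Level, Target, Key
}

function Get-SaferPolicy {
    # Software Restriction Policies live under CodeIdentifiers. DefaultLevel 0
    # means "everything is Disallowed unless a rule allows it"; each
    # <level>\Paths\<guid> key holds an ItemData value with the path or
    # filename the rule matches.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return }
    $root = Get-ItemProperty $base -ErrorAction SilentlyContinue
    if ($root -and $root.DefaultLevel -ne $null) {
        New-Finding 'SRP' 'DefaultLevel' $root.DefaultLevel $base
    }
    foreach ($lvl in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $levelName = switch ($lvl.PSChildName) {
            '0'      { 'Disallowed' }
            '131072' { 'BasicUser' }
            '262144' { 'Unrestricted' }
            default  { $lvl.PSChildName }
        }
        $paths = "$($lvl.PSPath)\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths -ErrorAction SilentlyContinue) {
            $data = (Get-ItemProperty $rule.PSPath -ErrorAction SilentlyContinue).ItemData
            New-Finding 'SRP' $levelName $data ($rule.PSPath -replace '^.*::')
        }
    }
}

function Get-IfeoDebugger {
    # A Debugger value under Image File Execution Options\<exe> makes Windows
    # start that "debugger" instead of the program itself. Legitimate uses
    # exist, but an entry naming a security tool explains a scanner that
    # silently never starts.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { New-Finding 'IFEO' 'Debugger' $k.PSChildName $dbg }
    }
}

function Get-UninstallEntry {
    # What Add/Remove Programs lists. Confirms whether a product is merely
    # hidden from the list or its uninstall entry is actually gone.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($k in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName) { New-Finding 'Uninstall' '-' $p.DisplayName $k.PSChildName }
    }
}

function Test-Watched($Text) {
    # -match is case-insensitive by default; escape so names are literal.
    foreach ($w in $Watch) { if ("$Text" -match [regex]::Escape($w)) { return $true } }
    return $false
}

$all = @(Get-SaferPolicy) + @(Get-IfeoDebugger) + @(Get-UninstallEntry)

"== Entries that name a watched tool =="
$all | Where-Object { (Test-Watched $_.Target) -or (Test-Watched $_.Key) } | Format-Table -AutoSize

"== All SRP rules and IFEO debuggers (review the whole list) =="
$all | Where-Object { $_.Source -ne 'Uninstall' } | Format-Table -AutoSize
```

    Two things to keep in mind when reading the output: a Disallowed SRP rule whose ItemData is a bare filename (rather than a full path) is exactly what makes renaming the exe work and renaming it back fail again, and on a machine that is not domain-joined there is no Group Policy re-creating those keys, so whatever put them there did so locally. If the machine is domain-joined, the Policies keys are rewritten on every policy refresh and the source is the GPO, not the registry.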

  2. #17
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    60
    Posts
    7,289

    Re: Mom's computer got the Cidox.b rootkit ?

    I would've done #13 first.

    Did I mention that I've made roughly half a million dollars (declared income) removing viruses?
    Last edited by Sick Willie; 11-18-2014 at 04:18 PM.

  3. #18
    Joined
    Mar 2002
    Location
    Sarasota, FL
    Age
    54
    Posts
    2,496

    Re: Mom's computer got the Cidox.b rootkit ?

    Awesome, then the right person responded. So, next time, if a few scans with stuff I already have installed don't work (and/or they are locked and I have to change their names to work), whether WinXP, 7 or 8, you would suggest starting with a virus scan from another computer?

    Also, any idea why ComboFix still thinks Avira is running and I can't find it and nothing else detects it as running?
    Skaarj-laptop:Asus G750JW-NH71,Win8.1,Corei7-4700HQ,12GB DDR3 RAM,Nvidia GTX 765M 2GB,Realtek HD,TSST CDDVDW SN-208DN,WDC 750GB HD...
    SkaarjMasterDuo:WinXPSP3, Core2Duo E8600(Gigabyte GA-EP45-UD3P),Noctua NH-C12P,4GB Corsair XMS2 TWIN2X4096-8500C5 RAM,Nvidia EVGA GTX-750Ti 1GB,SB Audigy2 6.1,Klipsch 5.1 sats,Dayton sub,Pioneer VSX-819H-K rec,,Enermax 850W PSU,Lian-Li PC-71B full tower,Pioneer DVR-216D,BenQ DW1655,Asus E818A3T,2-1TB WD HDs.....
    Dragonslayer (at Mom's house now): WinXPSP3, P4 3.2GHz(Asus P4P800-Deluxe),Thermalright SLK-947U,3GB Corsair XMS PC3200 RAM,ATI Radeon 9800Pro 256MB,VGA Silencer,SB Audigy2 5.1,Seasonic 500W PSU,Silverstone FT01-B mid tower,LG DVD burner,Asus E616P3..
    Dragon1: (off for now, will not boot) Win98SE, AthlonXP 1900+(Soyo SY-K7V Dragon+),Thermalright AX-7, 512MB Crucial 2.5 DDR PC2100 SDRAM MSI GeF4Ti4400,SB AudigyGamer,Enermax 431W PSU...

  4. #19
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    60
    Posts
    7,289

    Re: Mom's computer got the Cidox.b rootkit ?

    I always start with the drive connected to another machine regardless of the version of Windows. Combofix uses a variety of different ways to detect AV software. Sometimes it misfires. I never uninstall the software and have never had an issue.
