Post by raymondo70 on Nov 25, 2014 18:03:05 GMT -8
Rootkit.Boot.Cidox.b Logical Drive: \Device\Harddisk0\DR0\Partition1
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Nov 25, 2014 18:09:26 GMT -8
Not a TDLFS (File System) detection??
The log was cut; I wonder if TDSSkiller was stopped by Norton. Hmmmm
Quads
Post by raymondo70 on Nov 25, 2014 18:11:00 GMT -8
There were 2 attachments. One was long the other short. Even the long one seemed cut short? Shows Cidox infection in the long text doc.
Post by Quads on Nov 25, 2014 18:18:28 GMT -8
Oh I see the logging is now different with the Newer TDSSkiller
18:36:59.0238 0x016c ================ Scan VBR ==================================
18:36:59.0240 0x016c [ 554C26A8BD3F31BE9A6BD448C87C5F89 ] \Device\Harddisk0\DR0\Partition1
18:36:59.0242 0x016c \Device\Harddisk0\DR0\Partition1 - detected Rootkit.Boot.Cidox.b ( 0 )
18:36:59.0242 0x016c \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - infected
18:37:02.0072 0x016c [ 1370B054FFC2355E0F6F87EE5036F862 ] \Device\Harddisk0\DR0\Partition2
18:37:02.0073 0x016c \Device\Harddisk0\DR0\Partition2 - ok
You can have TDSSkiller deal to it.
Quads
Post by raymondo70 on Nov 25, 2014 18:22:03 GMT -8
So you're saying have TDSSkiller cure the virus then?
Post by Quads on Nov 25, 2014 18:29:24 GMT -8
Yes, you can have TDSSkiller cure the bootkit.
Remember, if you have to start again and run a scan, to use the same settings in the parameters to look for the TDLFS.
I was expecting TDSSkiller to come back with the likes of the below also:
[ 7D7275F85A559CAC9FF9E94041B8EBE4 ] \Device\Harddisk0\DR0
17:55:26.0596 0x137c \Device\Harddisk0\DR0 - detected TDSS File System ( 1 )
But it didn't.
Quads
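A small parser for the three TDSSkiller line shapes Quads quoted in this post and the earlier one (the per-device hash line, "- detected NAME ( n )" and "- ok"), added here as an example; it is not part of the thread and not Kaspersky's code. The regular expressions are an assumption drawn only from the quoted lines, not a specification of the tool's log format. Besides listing infected and clean devices, it flags any device whose hash was printed but whose verdict line never arrived, which is what a cut-off log (as suspected earlier in the thread) looks like.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shapes quoted in the thread. The "18:36:59.0240 0x016c" timestamp /
# thread-id prefix is optional because one quoted hash line lacks it.
# Assumption: these patterns are inferred from the quoted lines only.
_PREFIX = r"^(?:\d{2}:\d{2}:\d{2}\.\d{4}\s+0x[0-9a-fA-F]+\s+)?"
HASH_RE = re.compile(_PREFIX + r"\[\s*([0-9A-Fa-f]{32})\s*\]\s+(\S+)\s*$")
DETECTED_RE = re.compile(_PREFIX + r"(\S+)\s+-\s+detected\s+(.+?)\s+\(\s*(\d+)\s*\)\s*$")
OK_RE = re.compile(_PREFIX + r"(\S+)\s+-\s+ok\s*$")


@dataclass
class DeviceResult:
    device: str
    md5: Optional[str] = None        # hash TDSSkiller printed for the device/partition
    verdict: Optional[str] = None    # "detected", "ok", or None when no verdict line was seen
    detection: Optional[str] = None  # e.g. "Rootkit.Boot.Cidox.b"
    code: Optional[int] = None       # the number in parentheses after the detection name


def parse_tdsskiller(text: str) -> Dict[str, DeviceResult]:
    """Fold a TDSSkiller scan log into one record per device/partition."""
    results: Dict[str, DeviceResult] = {}

    def rec(device: str) -> DeviceResult:
        return results.setdefault(device, DeviceResult(device=device))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            rec(m.group(2)).md5 = m.group(1).upper()
            continue
        m = DETECTED_RE.match(line)
        if m:
            r = rec(m.group(1))
            r.verdict, r.detection, r.code = "detected", m.group(2), int(m.group(3))
            continue
        m = OK_RE.match(line)
        if m:
            rec(m.group(1)).verdict = "ok"
        # Banner lines and the redundant "( name ) - infected" confirmation are ignored.
    return results


def summarize(results: Dict[str, DeviceResult]) -> Dict[str, List[str]]:
    """Split devices into infected, clean, and 'hashed but never given a verdict'.

    The last bucket is the sign of a cut-off log: the scan printed the hash of
    a device but the line saying whether it was ok or detected never arrived.
    """
    return {
        "infected": sorted(d for d, r in results.items() if r.verdict == "detected"),
        "clean": sorted(d for d, r in results.items() if r.verdict == "ok"),
        "incomplete": sorted(d for d, r in results.items() if r.verdict is None),
    }


# Sample input assembled from the lines quoted in the thread.
SAMPLE_LOG = r"""
18:36:59.0238 0x016c ================ Scan VBR ==================================
18:36:59.0240 0x016c [ 554C26A8BD3F31BE9A6BD448C87C5F89 ] \Device\Harddisk0\DR0\Partition1
18:36:59.0242 0x016c \Device\Harddisk0\DR0\Partition1 - detected Rootkit.Boot.Cidox.b ( 0 )
18:36:59.0242 0x016c \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - infected
18:37:02.0072 0x016c [ 1370B054FFC2355E0F6F87EE5036F862 ] \Device\Harddisk0\DR0\Partition2
18:37:02.0073 0x016c \Device\Harddisk0\DR0\Partition2 - ok
[ 7D7275F85A559CAC9FF9E94041B8EBE4 ] \Device\Harddisk0\DR0
17:55:26.0596 0x137c \Device\Harddisk0\DR0 - detected TDSS File System ( 1 )
""".strip()

# Constructed: the same output cut off after the Partition2 hash line, the way a
# truncated paste looks (the thread's first log "was cut").
CUT_LOG = "\n".join(SAMPLE_LOG.splitlines()[:5])


if __name__ == "__main__":
    for label, log in (("full", SAMPLE_LOG), ("cut", CUT_LOG)):
        print(label, summarize(parse_tdsskiller(log)))
```

Run on the full sample it reports DR0 and Partition1 as infected and Partition2 as clean; on the truncated copy Partition2 lands in "incomplete", which is the cue to re-run the scan with the same parameters rather than treat the device as clean.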
Post by raymondo70 on Nov 25, 2014 18:55:25 GMT -8
So I ran the cure, rebooted and got the "missing the operating system" message once again. Thoughts?
Post by Quads on Nov 25, 2014 19:07:28 GMT -8
OK, TDSSkiller is in the middle of cleaning out Cidox (into Quarantine), but the restart has meant that the Boot Sector is back to the way it was. After the below (again) it should go through again, but with TDSSkiller also carrying on with its processes.
Make sure the downloaded fixlist is in .txt formatting.
Download the script attached; it needs to be the same file name as well (fixlist.txt). Copy it across to the flash drive, so that fixlist.txt is next to FRST64.exe on the flash drive. DO NOT DRAG AND DROP to download the script; it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.)
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Do like previously to start FRST without Windows loading, as we did when we first used FRST on the flash drive. (There is a difference stated further down.)
In the command window type notepad and press Enter. Notepad opens. Under the File menu select Open. Select "Computer", find your flash drive letter, and close Notepad. In the command window type e:\frst.exe or e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer (if it still gives the disclaimer). Press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt). Please attach the log in your reply back, or with this forum you can paste the log into a message, as some logs are already formatted for bb code.
Quads
Post by raymondo70 on Nov 25, 2014 19:30:33 GMT -8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-11-2014 01
Ran by SYSTEM at 2014-11-25 20:29:41 Run:4
Running from g:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
start
cmd: bootrec /FixMbr
end
*****************

========= bootrec /FixMbr =========

The operation completed successfully.

========= End of CMD: =========

==== End of Fixlog ====
Post by Quads on Nov 25, 2014 19:32:31 GMT -8
Now the system should go through and TDSSkiller carries on to deal with the VBR.
Quads