
Boot sector virus cidox.b

ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Boot sector virus cidox.b

I have sometimes wondered to myself if resetting a computer to its factory state would cure any virus and I now know the answer is that it does not. A boot sector virus can survive unscathed and still carry on its business. I was presented with a badly corrupted computer where basic functions like plug-and-play were not working. So I reset it to factory settings. But it still seemed sluggish and if I looked in Task Manager there were two instances of iexplore.exe running and consuming a lot of resources even though I had not started Internet Explorer and it was not visibly running. There were also two instances of explorer.exe running. I scanned it with various antivirus tools, Malwarebytes, Kaspersky Rescue Disk, but it came up clean, yet continued to misbehave.
Eventually I tried TDSSKiller (http://usa.kaspersky.com/downloads/TDSSKiller), a free Kaspersky utility. This found and removed rootkit.cidox.b from the boot sector, which cured the sluggish behaviour and Task Manager anomalies. Oddly, these anomalies, although easy to spot, do not seem to be widely associated with a computer virus infection. For example, this post describes many of the symptoms I observed but they were never identified as due to a virus: http://www.sevenforums.com/general-discussion/314805-multiple-explorer-exe-task-manager-hogging-most...
8 REPLIES
rongtw
Seasoned Hero
Posts: 6,973
Thanks: 1,541
Fixes: 12
Registered: ‎01-12-2010

Re: Boot sector virus cidox.b

I find this a handy place for info:
http://www.bleepingcomputer.com/virus-removal/
demonix01
Grafter
Posts: 79
Thanks: 1
Registered: ‎18-07-2014

Re: Boot sector virus cidox.b

A quicker way to fix those infections, if you have the OS disc, is to boot up into a specific mode and use a command that repairs the master boot record and removes the infection. (There is a tool that also does this, but it was for the first boot sector virus (dubbed the "black internet virus") and most likely wouldn't pick anything else up, although that nuisance can be picked up by using your ears, as you would hear the click you normally hear when clicking on a link in Internet Explorer.)
ReedRichards
Seasoned Pro

Re: Boot sector virus cidox.b

I did not know the computer had a boot sector virus until TDSSKiller detected it. Since this tool offered to fix the virus and did so on rebooting, the solution was very quick indeed. It was understanding the problem that took a great deal of time and that motivated me to post here just in case somebody else encounters similar symptoms.
Using the OS disk method I have never been completely sure if I should use Fixboot or Fixmbr; the former I would think.
Quote
/FixBoot
This option writes a new boot sector to the system partition by using a boot sector that's compatible with Windows Vista or Windows 7. Use this option if one of the following conditions is true:
The boot sector was replaced with a nonstandard Windows Vista or Windows 7 boot sector.
...etc
demonix01
Grafter

Re: Boot sector virus cidox.b

I would suggest that you do both, since it's better to be safe than sorry if you do fixboot only and the problem still persists.
nanotm
Pro
Posts: 5,756
Thanks: 156
Fixes: 2
Registered: ‎11-02-2013

Re: Boot sector virus cidox.b

Use all of the commands if it gets corrupted:
Bootrec.exe /FixMbr
Bootrec.exe /FixBoot
Bootrec.exe /ScanOs
Bootrec.exe /RebuildBcd
The last one can take ages to run, though, so plan for when you're watching TV or something and are only semi-AFK.

Last time I got a boot virus I put the drive into a caddy and then auto-scanned it so an AV could find and kill it (most checkers can't actually see the MBR partition, so won't find the problem if you're booted from that drive).
I frequently get asked to "help" with stupid people and their dodgy web habits borking their PC or laptop (I hate laptops because they're so fiddly) and I spent some time getting hold of UBCD for various versions of Windows in the past (useful for when some well-meaning but naïve muppet has put a password on the drive volume and a backdoor account and then forgotten what it is/they are).
ReedRichards
Seasoned Pro

Re: Boot sector virus cidox.b

I scanned the computer with an antivirus boot disc ('Kaspersky Rescue Disc') but that failed to detect the boot sector virus even though it claimed to scan the boot sector. The computer was an all-in-one, which made it particularly awkward to remove the hard drive and connect that to another computer; otherwise I would have done so instead.
Using all four commands recommended by nanotm is a belt-and-braces approach when you do not know what is necessary and what is not necessary. As far as I can see, only Bootrec.exe /FixBoot is necessary. But if somebody can offer an explanation why this is wrong I would be very interested.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Boot sector virus cidox.b

I suppose it depends on where the "boot sector" virus actually is. If it's in the boot sector (i.e. the first sector) of the Windows partition, I guess that would be wiped by /FixBoot. If it's in the MBR (i.e. starting in the first sector of the hard disk), then /FixMbr would wipe that.
ReedRichards
Seasoned Pro

Re: Boot sector virus cidox.b

Good point, ejs. My understanding is that the MBR is located on the first sector of the hard drive, whereas any partition on the hard drive that contains an operating system will have a boot sector. So I guess in principle a virus located in the MBR could affect all operating systems on a multi-boot computer, whereas a virus on the boot sector would only affect the OS to which that boot sector belongs.
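The distinction ejs and ReedRichards are drawing (MBR in sector 0 of the disk, a separate boot sector at the first sector of each partition) is exactly what determines which of nanotm's Bootrec commands rewrites the sector that was tampered with. The script below is an added example, not code from anyone in this thread: it parses the MBR partition table of a raw disk image, reads each partition's boot sector (VBR) from the partition's starting LBA, and compares both against hashes taken from a known-clean disk, which is the offline check you would run on a drive pulled into a caddy as nanotm describes. The disk image, the stand-in boot code bytes and the baseline hashes are all constructed inline for the demonstration; the mapping of findings to Bootrec commands is the thread's own (`/FixMbr` rewrites MBR code, `/FixBoot` rewrites the partition boot sector).

```python
# Added example (not from the thread): audit a raw disk image's MBR and the
# boot sector (VBR) of each partition against known-good hashes.
# All disk contents below are constructed test data, not a real infection.
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"      # last two bytes of a valid MBR or VBR
PART_TABLE_OFF = 446        # MBR layout: 446 bytes code, 4 x 16-byte entries, 55AA


def parse_mbr(sector0: bytes):
    """Return (boot_code, partitions) parsed from sector 0 of the disk."""
    if len(sector0) != SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("sector 0 lacks the 55AA signature; not a usable MBR")
    boot_code = sector0[:PART_TABLE_OFF]
    partitions = []
    for i in range(4):
        entry = sector0[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0:      # empty table slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sector_count})
    return boot_code, partitions


def vbr_of(image: bytes, part: dict) -> bytes:
    """A partition's boot sector is its own first sector, not sector 0 of the disk."""
    off = part["lba_start"] * SECTOR
    return image[off:off + SECTOR]


def sha256(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def audit_boot_sectors(image: bytes, good_mbr_code: bytes, good_vbrs: dict) -> dict:
    """Compare MBR code and every partition's VBR with baseline hashes.

    good_vbrs maps lba_start -> sha256 of that partition's clean VBR.
    Reports which sector changed and which Bootrec command rewrites it.
    """
    boot_code, parts = parse_mbr(image[:SECTOR])
    findings = {"mbr_modified": sha256(boot_code) != sha256(good_mbr_code),
                "vbr_modified": {}}
    for p in parts:
        vbr = vbr_of(image, p)
        bad_sig = vbr[510:512] != BOOT_SIG
        changed = sha256(vbr) != good_vbrs.get(p["lba_start"])
        findings["vbr_modified"][p["lba_start"]] = bad_sig or changed
    suggested = []
    if findings["mbr_modified"]:
        suggested.append("Bootrec.exe /FixMbr")
    if any(findings["vbr_modified"].values()):
        suggested.append("Bootrec.exe /FixBoot")
    findings["suggested"] = suggested
    return findings


# ---- constructed sample disk: 64 sectors, one NTFS partition starting at LBA 8 ----
def _pad(b: bytes, n: int) -> bytes:
    return b + bytes(n - len(b))

# Stand-in bytes only; real MBR/VBR code is much longer.
CLEAN_MBR_CODE = _pad(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", PART_TABLE_OFF)
PART_ENTRY = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 32)
CLEAN_VBR = _pad(b"\xeb\x52\x90NTFS    ", 510) + BOOT_SIG


def build_image(mbr_code: bytes = CLEAN_MBR_CODE, vbr: bytes = CLEAN_VBR) -> bytes:
    sector0 = mbr_code + PART_ENTRY + bytes(16 * 3) + BOOT_SIG
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = sector0
    image[8 * SECTOR:9 * SECTOR] = vbr
    return bytes(image)


BASELINE_VBRS = {8: sha256(CLEAN_VBR)}

# Variant 1: MBR code replaced (the sector /FixMbr rewrites); VBR untouched.
INFECTED_MBR = build_image(mbr_code=_pad(b"\xea\x00\x7c\x00\x00" + b"\x90" * 8, PART_TABLE_OFF))
# Variant 2: partition boot sector code altered (the sector /FixBoot rewrites).
INFECTED_VBR = build_image(vbr=_pad(b"\xeb\x52\x90NTFS    " + b"\xcc" * 16, 510) + BOOT_SIG)

if __name__ == "__main__":
    for name, img in [("clean", build_image()), ("mbr-patched", INFECTED_MBR), ("vbr-patched", INFECTED_VBR)]:
        print(name, audit_boot_sectors(img, CLEAN_MBR_CODE, BASELINE_VBRS))
```

To use this on a real drive mounted in a caddy, read the first few megabytes of the raw device (for example `\\.\PhysicalDrive1` on Windows or `/dev/sdb` on Linux, both needing administrator or root rights) into `image`, and take the baseline hashes from an identical, known-clean installation. A hash mismatch tells you only that the sector differs from the baseline; bootkits commonly keep their main payload in unallocated sectors outside any partition, so rewriting the MBR or VBR removes the hook but is not by itself proof that the disk is clean.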