Boot.Cidox Removal Problems

Created: 08 Apr 2014 • Updated: 22 Apr 2014 | 8 comments
This issue has been solved. See solution.

I am having a difficult time removing this rootkit from a user's workstation.  It appears to only affect his e-mails.  I tried to use the Norton Boot product but it wants a PIN.  Norton Power Eraser is of no use either.

Does anyone know how to get rid of this?  I checked the usual suspects like cleaning out the user's temp, prefetch and Registry "run" entries.

Thanks in advance!

Marc

Calspas14

Brɨan's picture

Try running a threat analysis scan

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

Article: TECH215519 | Created: 2014-03-03 | Updated: 2014-03-07

Article URL http://www.symantec.com/docs/TECH215519

Is this the Norton tool you tried?

https://security.symantec.com/nbrt/nbrt.aspx?lcid=...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Rafeeq's picture

For a PIN number put all 9s (9999999...9) until full and click "I Agree"

SOLUTION
Mick2009's picture

Hi Calspas14,

To remove a MBR threat like this, the best tool is Norton™ Bootable Recovery Tool (NBRT).  (This is not the same tool as SERT.)

Download and run that (even if the computer has SEP and not Norton) and the infection should be cleared.

https://security.symantec.com/nbrt/nbrt.aspx?lcid=1033

Please update this thread with news of your progress!  &: )

Mick

With thanks and best regards,

Mick

SOLUTION
Calspas14's picture

OK, thanks to all for the info.

Rafeeq:  The code worked so it is scanning now.

I will post the results when available.

My sincerest thanks to all!

Marc

Calspas14's picture

Thanks guys!  This worked out well.

Cheers!

Marc

ttwodoo's picture

After fighting this thing since last Friday (I thought I had removed it twice, but it came back both times), I found this website yesterday. It took a while but I went through the process of creating a Norton Bootable Recovery Tool and--this morning--booted from it and started the scan. Within three minutes it came up with not one, but two instances of Boot.Cidox.  The scan is still going. I will keep you posted...

bruce6230's picture

I tried the PIN provided above by Rafeeq and it is not working. The message is "This is not a valid key or PIN...."

Any ideas?

Brɨan's picture

Call support, they can provide a valid PIN
