Solved

How do I remove the virus "Trojan.Cidox Activity 3"

Posted on 2014-10-16
379 Views
Last Modified: 2014-10-24
Have a Windows 7 machine that was running slow.  It would have multiple copies of explorer.exe in Task Manager.  It had an old copy of Symantec Anti-virus which had last updated its virus definitions in 2013.

Removed old Symantec.  Installed new Symantec.  Performing much better now.  I still get two or three explorer.exe running, before it was more like 7 copies.

Did a full scan of the computer & Symantec found nothing.

Just leaving the computer on & connected to the Internet.  After a few minutes when I return to look at the screen, there is a warning from Symantec that it detected suspicious activity from "Trojan.Cidox Activity 3"

It does not have any way to remove this virus.  In the logs you can see IP addresses that it was attempting to communicate with that Symantec has stopped.

Been on Symantec's web site and they identify this as a virus, but there are no removal steps provided.

How do you get rid of this thing?
Question by:rdo911

17 Comments

Expert Comment

by:Rizzle
ID: 40384596
Hi,

Download and install Malwarebytes and ensure you disconnect the machine from the network after install and download.
Expert Comment

by:Rizzle
ID: 40384599
Also worth doing a Windows repair once the infection is removed, to hopefully clear any bits the infection has left behind.
Author Comment

by:rdo911
ID: 40384882
Downloaded Malwarebytes onto USB drive & copied it to the infected machine.  Infected machine has no Internet access.

Malwarebytes did not find any infections.
Expert Comment

by:Rizzle
ID: 40384902
Not recommended, I know, but try running Malwarebytes in Safe Mode.

Here is more info on the infection:

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27475
Expert Comment

by:jcimarron
ID: 40385217
rdo911--
I do not use Symantec so I do not know how to interpret that "warning".  Normally if you really are infected there will be somewhere on that "warning" to direct you to Quarantine or something similar so you can get rid of the infection.  Have you looked into the Symantec app?  Have you tried contacting Symantec?

I found a reference on the internet that says the way to remove this Trojan is to delete

%AllUsersProfile%\random.exe

%AppData%\Roaming\Microsoft\Windows\Templates\random.exe

%AllUsersProfile%\Application Data\.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Random “.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Random’

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” =Random

Source:  http://blog.vilmatech.com/remove-trojan-cidox-c-helpful-manual-approach/   I am not sure I trust clicking the button to "Chat".

If you create a Restore point before deleting anything you can always restore if things go wrong.

All this assumes you really are infected.
Author Comment

by:rdo911
ID: 40385268
Ran Malwarebytes in Safe Mode, still found nothing.  Don't these types of programs usually find hundreds of minor threats like tracking cookies?  In both regular and Safe Mode, it found zero threats.  I find that a little odd.
Expert Comment

by:Rizzle
ID: 40385276
I'm afraid your best bet is either a System Restore point or Re-install Windows.

Maybe try AVG Internet Security 2015 on a trial and see if that helps, but if it doesn't then my best advice would be a re-install of Windows.

In my experience it's very rare that an infection isn't removable, but the cases where it's difficult to remove or is undetected can mean they have done unprecedented damage to the OS.
Author Comment

by:rdo911
ID: 40385294
jcimarron, to your comment about the Symantec warning, let me explain.  Symantec is detecting suspicious activity to a particular IP address.  In a yellow balloon in the bottom right corner, the Symantec warning mentions "Trojan.Cidox Activity 3", the IP address that it's now blocking, and that the blocking will last for 600 seconds.

If I leave it connected to the Internet, the warning keeps popping up from time to time, but the IP address is different every time.
Expert Comment

by:jcimarron
ID: 40385662
rdo911--
See the rest of my post http:#a40385217 about deleting various files.
Author Comment

by:rdo911
ID: 40389200
jcimarron, I don't find any of those files or registry entries on the infected computer.  What I have found is that there is one explorer.exe running when the computer has no Internet access.  Within about 2 seconds after plugging in the Internet, Symantec comes up with the warning about suspicious activity "Trojan.Cidox Activity 3" and it blocks access for 5 minutes to the IP address.

And, when I check Task Manager, now I have 3 or 4 explorer.exe programs running.  Usually they take up much more RAM than the legitimate one.  When I click on "Open File Location", all of them go to C:\Windows\explorer.exe, which is last modified 2011/02/26, byte size 2,803KB.

I've done searches for explorer.exe across the hard drive, there is only the 1 explorer.exe file on the drive.
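The situation described in the post above (several explorer.exe instances, all apparently C:\Windows\explorer.exe, and outbound connections to changing IP addresses seconds after the link comes up) is exactly what a quick per-process triage answers: which explorer.exe instance is the extra one, who started it, and which of them owns the connections Symantec is blocking. The script below is an added example written for this thread, not something posted in it or part of any product mentioned here; the function names Get-ExplorerInstances and Get-ExplorerConnections are my own. It targets Windows 7 / PowerShell 2.0 syntax and expects an elevated prompt so that module lists and netstat owner PIDs are readable.

```powershell
# Added triage example (not from the original thread). Lists every explorer.exe
# instance with its parent, session, start time, image path, working set and any
# file-backed modules loaded from outside the Windows / Program Files trees, then
# lists every TCP/UDP endpoint that 'netstat -ano' attributes to an explorer.exe.
# Run from an elevated PowerShell prompt. Written to run on Windows 7 / PowerShell 2.0.

function Get-ExplorerInstances {
    # One explorer.exe per interactive logon session is normal. Extra instances,
    # or one whose parent is not userinit.exe / explorer.exe, deserve a closer look.
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $p   = $_
        $wmi = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($p.Id)"
        $parentName = ''
        $started    = $null
        if ($wmi) {
            $started = $wmi.ConvertToDateTime($wmi.CreationDate)
            $parent  = Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue
            if ($parent) { $parentName = $parent.Name } else { $parentName = '<exited>' }
        }
        # File-backed modules outside the usual trees. A payload injected into
        # explorer.exe by a rootkit is NOT file-backed, so an empty list here does
        # not clear the process; it only catches the lazy cases (dropped DLLs).
        $oddModules = @()
        try {
            $oddModules = @($p.Modules | Where-Object {
                $_.FileName -notlike "$env:SystemRoot\*" -and
                $_.FileName -notlike "$env:ProgramFiles\*" -and
                $_.FileName -notlike "${env:ProgramFiles(x86)}\*"
            } | ForEach-Object { $_.FileName })
        } catch {
            $oddModules = @('<module list unavailable: ' + $_.Exception.Message + '>')
        }
        New-Object -TypeName PSObject -Property @{
            PID          = $p.Id
            ParentPID    = $wmi.ParentProcessId
            Parent       = $parentName
            SessionId    = $p.SessionId
            Started      = $started
            Path         = $wmi.ExecutablePath
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            OddModules   = ($oddModules -join '; ')
        }
    }
}

function Get-ExplorerConnections {
    # Parse 'netstat -ano' rows (Proto, Local, Foreign, [State], PID) and keep the
    # ones owned by an explorer.exe. A legitimate explorer.exe has little reason
    # to talk to a string of different public IP addresses; the rows that show up
    # within seconds of the link coming up identify the instance to investigate.
    $explorerPids = @(Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            $row = @{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3]; OwnerPID = [int]$f[4] }
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $row = @{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '';    OwnerPID = [int]$f[3] }
        } else {
            return   # header lines, blank lines, 'Active Connections'
        }
        if ($explorerPids -contains $row.OwnerPID) { New-Object -TypeName PSObject -Property $row }
    }
}

# Usage: run both with the network cable unplugged, plug it in, run them again
# and diff the connection list against the instance list.
Get-ExplorerInstances   | Format-Table PID, ParentPID, Parent, SessionId, Started, WorkingSetMB, Path, OddModules -AutoSize
Get-ExplorerConnections | Format-Table OwnerPID, Proto, Local, Remote, State -AutoSize
```

Two caveats a practitioner should keep in mind. First, all instances pointing at the same, unmodified C:\Windows\explorer.exe is consistent with code injection rather than a replaced binary, so a clean file hash proves nothing about the process. Second, nothing here looks below the file system: the poster's eventual finding that the rootkit lived neither on the C: volume nor in the registry is precisely the case where a process-level script can only tell you which instance to hand to a rootkit scanner or a memory dump, not remove anything.
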
Expert Comment

by:jcimarron
ID: 40389222
rdo911--
"there is one explorer.exe running when the computer has no Internet access"
explorer.exe is Windows Explorer not Internet Explorer.  So that seems OK.  

Everything except the ""Trojan.Cidox Activity 3" message suggests that you are really not infected.  I suggest you contact Symantec to see if the message could be a false positive.  Have you used the Norton Power Eraser?
http://www.symantec.com/security_response/writeup.jsp?docid=2011-070712-0320-99&tabid=3
Or run these steps
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27587  ?
Also, as mentioned, I do not run Symantec so do not know if they have a Quarantine folder.  Perhaps that Trojan is parked there waiting for you to delete, but until you do, Symantec will detect it in the Quarantine folder!!
Expert Comment

by:Rizzle
ID: 40389232
Have you tried any of my suggestions?
Expert Comment

by:jcimarron
ID: 40389240
rdo911----
There is an explorer.exe file created by the Trojan in %UserProfile%/My Documents/AppData/explorer.exe .
But I understand you do not have this explorer.exe.
Author Comment

by:rdo911
ID: 40389259
Roshan, yes I did try your suggestion to run Malwarebytes in regular and Safe Mode.  I posted my results earlier.

Also tried SUPERAntiSpyware in regular and Safe Mode.
Accepted Solution

by:rdo911 (earned 0 total points)
ID: 40389406
Solved!  On a tip from a friend, I tried running TDSSKiller from Kaspersky.  It was able to find the virus!  It was a rootkit virus.  That's what made it so hard to find. It did not reside on the C: drive nor did it require any registry entry to do its devilish crap.
Expert Comment

by:jcimarron
ID: 40389461
rdo911--Thanks for telling us the fix.  It just reinforces the concept that no single Antivirus/Antimalware app can do it all.
Author Closing Comment

by:rdo911
ID: 40401606
No one suggested using a product that was able to detect rootkit viruses.  It was the only one that could remove it.