Solved

How do I remove the virus "Trojan.Cidox Activity 3"

Posted on 2014-10-16
17
388 Views
Last Modified: 2014-10-24
Have a Windows 7 machine that was running slow.  It would have multiple copies of explorer.exe in the taskmgr.  It had an old copy of Symantec Anti-virus which last updated the virus definitions in 2013.

Removed old Symantec.  Installed new Symantec.  Performing much better now.  I still get two or three explorer.exe running, before it was more like 7 copies.

Did a full scan of the computer & Symantec found nothing.

Just leaving the computer on & connected to the Internet.  After a few minutes when I return to look at the screen, there is a warning from Symantec that it detected suspicious activity from "Trojan.Cidox Activity 3"

It does not have any way to remove this virus.  In the logs you can see IP addresses that it was attempting to communicate with that Symantec has stopped.

Been on Symantec's web site and they identify this as a virus, but there are no removal steps provided.

How do you get rid of this thing?
0
Question by:rdo911
17 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384596
Hi,

Download and install Malwarebytes and ensure you disconnect the machine from the network after install and download.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384599
Also worth doing a Windows repair once the infection is removed to hopefully clear any bits the infection has left unturned.
0
 

Author Comment

by:rdo911
ID: 40384882
Downloaded Malwarebytes onto USB drive & copied it to the infected machine.  Infected machine has no Internet access.

Malwarebytes did not find any infections.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384902
Not recommended I know, but try running Malwarebytes in safe mode.

Here is more info on the infection:

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27475
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40385217
rdo911--
I do not use Symantec so I do not know how to interpret that "warning".  Normally if you really are infected there will be somewhere on that "warning" to direct you to Quarantine or something similar so you can get rid of the infection.  Have you looked into the Symantec app?  Have you tried contacting Symantec?

I found a reference on the internet that says the way to remove this Trojan is to delete

%AllUsersProfile%\random.exe

%AppData%\Roaming\Microsoft\Windows\Templates\random.exe

%AllUsersProfile%\Application Data\.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Random “.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Random’

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” =Random

Source:  http://blog.vilmatech.com/remove-trojan-cidox-c-helpful-manual-approach/   I am not sure I trust clicking the button to "Chat".

If you create a Restore point before deleting anything you can always restore if things go wrong.

All this assumes you really are infected.
0
 

Author Comment

by:rdo911
ID: 40385268
Ran Malwarebytes in safe mode, still found nothing.  Don't these type of programs usually find hundreds of minor threats like tracking cookies?  In both regular & safe mode, it found zero threats.  I find that a little odd.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40385276
I'm afraid your best bet is either a System Restore point or Re-install Windows.

Maybe try AVG Internet Security 2015 on a trial and see if that helps, but if it doesn't then my best advice would be a re-install of Windows.

In my experience it's very rare that an infection isn't removable, but in the cases where it's difficult to remove or is undetected it can mean they have done unprecedented damage to the OS.
0
 

Author Comment

by:rdo911
ID: 40385294
jcimarron, to your comment about the Symantec warning, let me explain.  Symantec is detecting suspicious activity to a particular IP address.  In a yellow balloon in the bottom right corner, the Symantec warning mentions "Trojan.Cidox Activity 3", the IP address that it's now blocking, and that the blocking will last for 600 seconds.

If I leave it connected to the Internet, the warning keeps popping up from time to time, but the IP address is different every time.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40385662
rdo911--
See the rest of my post http:#a40385217  deleting various files.
0
 

Author Comment

by:rdo911
ID: 40389200
jcimarron, I don't find any of those files or registry entries on the infected computer.  What I have found is that there is one explorer.exe running when the computer has no Internet access.  Within about 2 seconds after plugging in the Internet, Symantec comes up with the warning about suspicious activity "Trojan.Cidox Activity 3" and it blocks access for 5 minutes to the IP address.

And, when I check TaskMgr, now I have 3 or 4 explorer.exe programs running.  Usually they take up much more RAM than the legitimate one.  When I click on "Open File Location", all of them go to C:\Windows\explorer.exe which is last modified 2011/02/26 byte size of 2,803KB.

I've done searches for explorer.exe across the hard drive, there is only the 1 explorer.exe file on the drive.
0
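An added triage script for the two threads of advice above (jcimarron's list of file and Run-key locations, and rdo911's check of the running explorer.exe copies). It is my own example, not code from any poster on this thread, Symantec or Malwarebytes. It lists every running explorer.exe with its path, owner, parent process and memory use, prints the size, timestamp, SHA256 and Authenticode status of C:\Windows\explorer.exe so they can be compared with a known-clean Windows 7 machine, and enumerates the HKCU/HKLM Run and RunOnce values with the signature status of each target. It assumes Windows 7 with PowerShell 3.0 or later, run from an elevated prompt; the key paths and the `Get-ImagePath` helper are my assumptions.

```powershell
# Added example (not from the thread): triage the explorer.exe symptom and the
# Run-key autostart locations discussed above. Assumes Windows 7, PowerShell 3.0+,
# elevated prompt. Everything here relies on what the OS reports, so a kernel-mode
# rootkit that hides its process or files will not show up in this output.

$expected = Join-Path $env:SystemRoot 'explorer.exe'

function Get-FileSha256 {
    param([string]$Path)
    # Get-FileHash exists from PowerShell 4.0; fall back to certutil on 3.0.
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        return (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
    $out = & certutil.exe -hashfile $Path SHA256   # line 1 holds the hex digest
    return ($out[1] -replace '\s', '').ToUpper()
}

# Pull the executable path out of a Run-key command line,
# e.g. "C:\dir\app.exe" /arg  or  C:\dir\app.exe /arg  (assumed helper).
function Get-ImagePath {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

# 1. The on-disk binary: compare these values with a known-clean Windows 7 box.
#    Note: Windows 7 system files are catalog-signed, so Get-AuthenticodeSignature
#    can report NotSigned for a genuine file; the hash comparison is the reliable check.
$file = Get-Item -LiteralPath $expected
$sig  = Get-AuthenticodeSignature -FilePath $expected
Write-Host "Image     : $expected"
Write-Host "Size/Date : $($file.Length) bytes, modified $($file.LastWriteTime)"
Write-Host "SHA256    : $(Get-FileSha256 $expected)"
Write-Host "Signature : $($sig.Status)"
Write-Host ""

# 2. Running instances. One explorer.exe per interactive session is normal; extra
#    copies, a non-standard path, an odd parent or an unusually large working set
#    are exactly the symptoms described in the thread and deserve a closer look.
Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $proc   = $_
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $parentName = "(exited: $($proc.ParentProcessId))"
    if ($parent) { $parentName = "$($parent.Name) ($($parent.ProcessId))" }
    $notes = @()
    if (-not $proc.ExecutablePath)              { $notes += 'no path reported' }
    elseif ($proc.ExecutablePath -ne $expected) { $notes += 'unexpected path' }
    [pscustomobject]@{
        PID          = $proc.ProcessId
        Owner        = $proc.GetOwner().User
        Path         = $proc.ExecutablePath
        Parent       = $parentName
        WorkingSetMB = [math]::Round($proc.WorkingSetSize / 1MB)
        Note         = ($notes -join '; ')
    }
} | Format-Table -AutoSize

# 3. Autostart entries in the Run/RunOnce keys (the locations the manual-removal
#    advice above refers to), with the signature status of each target binary.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip the registry provider's own properties
        $image  = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
        $status = 'file missing'
        if (Test-Path -LiteralPath $image) { $status = (Get-AuthenticodeSignature -FilePath $image).Status }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Image = $image; Signature = $status }
    }
}
$autoruns | Format-Table -AutoSize
```

Run it on the suspect machine and once on a clean Windows 7 machine at the same patch level, then compare the hash and the process table. A clean result here is consistent with what rdo911 reported (every copy points at the real C:\Windows\explorer.exe, nothing unusual in the Run keys) and is also what you would expect from a rootkit that keeps its code off the file system and out of the registry, which is why the thread ended up needing a dedicated rootkit scanner rather than another user-mode antivirus pass.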
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389222
rdo911--
"there is one explorer.exe running when the computer has no Internet access"
explorer.exe is Windows Explorer not Internet Explorer.  So that seems OK.  

Everything except the "Trojan.Cidox Activity 3" message suggests that you are really not infected.  I suggest you contact Symantec to see if the message could be a false positive.  Have you used the Norton Power Eraser?
http://www.symantec.com/security_response/writeup.jsp?docid=2011-070712-0320-99&tabid=3
Or run these steps
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27587  ?
Also, as mentioned, I do not run Symantec so do not know if they have a Quarantine folder.  Perhaps that Trojan is parked there waiting for you to delete, but until you do, Symantec will detect it in the Quarantine folder!!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40389232
Have you tried any of my suggestions?
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389240
rdo911----
There is an explorer.exe file created by the Trojan in %UserProfile%/My Documents/AppData/explorer.exe .
But I understand you do not have this explorer.exe.
0
 

Author Comment

by:rdo911
ID: 40389259
Roshan, yes I did try your suggestion to run Malwarebytes in regular & safe mode.  I posted my results earlier.

Also tried SuperAntiSpyware in regular & safe mode.
0
 

Accepted Solution

by:
rdo911 earned 0 total points
ID: 40389406
Solved!  On a tip from a friend, I tried running TDSSKiller from Kaspersky.  It was able to find the virus!  It was a rootkit virus.  That's what made it so hard to find. It did not reside on the C: drive nor did it require any registry entry to do its devilish crap.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389461
rdo911--Thanks for telling us the fix.  It just reinforces the concept that not any one Antivirus/Antimalware app can do it all.
0
 

Author Closing Comment

by:rdo911
ID: 40401606
No one suggested using a product that was able to detect rootkit viruses.  It was the only one that could remove it.
0
