Solved

How do I remove the virus "Trojan.Cidox Activity 3"

Posted on 2014-10-16
Last Modified: 2014-10-24
Have a Windows 7 machine that was running slow.  It would have multiple copies of explorer.exe in the taskmgr.  It had an old copy of Symantec Anti-virus which last updated the virus definitions in 2013.

Removed old Symantec.  Installed new Symantec.  Performing much better now.  I still get two or three explorer.exe running, before it was more like 7 copies.

Did a full scan of the computer & Symantec found nothing.

Just leaving the computer on & connected to the Internet.  After a few minutes when I return to look at the screen, there is a warning from Symantec that it detected suspicious activity from "Trojan.Cidox Activity 3"

It does not have any way to remove this virus.  In the logs you can see IP addresses that it was attempting to communicate with that Symantec has stopped.

Been on Symantec's web site and they identify this as a virus, but there are no removal steps provided.

How do you get rid of this thing?
Question by:rdo911
17 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384596
Hi,

Download and install Malwarebytes and ensure you disconnect the machine from the network after install and download.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384599
Also worth doing a Windows repair once the infection is removed to hopefully clear any bits the infection has left unturned.
0
 

Author Comment

by:rdo911
ID: 40384882
Downloaded Malwarebytes onto USB drive & copied it to the infected machine.  Infected machine has no Internet access.

Malwarebytes did not find any infections.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40384902
Not recommended, I know, but try running Malwarebytes in safe mode.

Here is more info on the infection:

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27475
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40385217
rdo911--
I do not use Symantec so I do not know how to interpret that "warning".  Normally if you really are infected there will be somewhere on that "warning" to direct you to Quarantine or something similar so you can get rid of the infection.  Have you looked into the Symantec app?  Have you tried contacting Symantec?

I found a reference on the internet that says the way to remove this Trojan is to delete

%AllUsersProfile%\random.exe

%AppData%\Roaming\Microsoft\Windows\Templates\random.exe

%AllUsersProfile%\Application Data\.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Random “.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Random’

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” =Random

Source:  http://blog.vilmatech.com/remove-trojan-cidox-c-helpful-manual-approach/   I am not sure I trust clicking the button to "Chat".

If you create a Restore point before deleting anything you can always restore if things go wrong.

All this assumes you really are infected.
0
 

Author Comment

by:rdo911
ID: 40385268
Ran Malwarebytes in safe mode, still found nothing.  Don't these types of programs usually find hundreds of minor threats like tracking cookies?  In both regular & safe mode, it found zero threats.  I find that a little odd.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40385276
I'm afraid your best bet is either a System Restore point or a re-install of Windows.

Maybe try AVG Internet Security 2015 on a trial and see if that helps, but if it doesn't then my best advice would be a re-install of Windows.

In my experience it's very rare that an infection isn't removable, but in the cases where it's difficult to remove or is undetected, it can mean they have done unprecedented damage to the OS.
0
 

Author Comment

by:rdo911
ID: 40385294
jcimarron, to your comment about the Symantec warning, let me explain.  Symantec is detecting suspicious activity to a particular IP address.  In a yellow balloon in the bottom right corner, the Symantec warning mentions "Trojan.Cidox Activity 3", the IP address that it's now blocking, and that the blocking will last for 600 seconds.

If I leave it connected to the Internet, the warning keeps popping up from time to time, but the IP address is different every time.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40385662
rdo911--
See the rest of my post http:#a40385217 about deleting various files.
0
 

Author Comment

by:rdo911
ID: 40389200
jcimarron, I don't find any of those files or registry entries on the infected computer.  What I have found is that there is one explorer.exe running when the computer has no Internet access.  Within about 2 seconds after plugging in the Internet, Symantec comes up with the warning about suspicious activity "Trojan.Cidox Activity 3" and it blocks access for 5 minutes to the IP address.

And, when I check TaskMgr, now I have 3 or 4 explorer.exe programs running.  Usually they take up much more RAM than the legitimate one.  When I click on "Open File Location", all of them go to C:\Windows\explorer.exe which is last modified 2011/02/26, byte size of 2,803KB.

I've done searches for explorer.exe across the hard drive, there is only the 1 explorer.exe file on the drive.
0
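The explorer.exe triage described in the post above (how many instances, where each is loaded from, how big it is) done in one pass, as an added example that is not part of the thread. It assumes it is run from an elevated PowerShell prompt on the affected Windows 7 machine and deliberately sticks to PowerShell 2.0 syntax:

```powershell
# Added triage example (not from the thread). Lists every running explorer.exe,
# checks that it is loaded from the expected path, hashes the image on disk,
# reads its Authenticode status, and shows parent process and memory use so a
# stray copy stands out. Assumes Windows 7 or later and an elevated prompt.

$expectedPath = Join-Path $env:SystemRoot 'explorer.exe'   # normally C:\Windows\explorer.exe

function Get-Sha256Hex([string]$file) {
    # Get-FileHash needs PowerShell 4, so use .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($file)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$procs = Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'"
foreach ($p in $procs) {
    # userinit.exe exits after launching the shell, so '<exited>' is normal
    # for the first instance; another explorer.exe as parent is also normal
    # when folder windows are set to open in a separate process.
    $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    $path   = $p.ExecutablePath
    $onDisk = ($path -ne $null) -and (Test-Path -LiteralPath $path)

    # Windows system binaries are catalog-signed; older PowerShell reports them
    # as NotSigned, so also compare the hash with the file on a known-clean PC.
    $sigStatus = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoFile' }
    $hash      = if ($onDisk) { Get-Sha256Hex $path } else { $null }

    New-Object PSObject -Property @{
        PID          = $p.ProcessId
        Parent       = "$parentName ($($p.ParentProcessId))"
        Path         = $path
        PathExpected = ($path -ne $null) -and ($path -ieq $expectedPath)
        Signature    = $sigStatus
        Sha256       = $hash
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        Started      = $p.ConvertToDateTime($p.CreationDate)
    } | Select-Object PID, Parent, Path, PathExpected, Signature, Sha256, WorkingSetMB, Started
}
```

Everything this script reads comes through user-mode APIs, so a kernel rootkit of the kind TDSSKiller eventually found in this thread can hide from it; a clean-looking listing here is not proof the box is clean.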
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389222
rdo911--
"there is one explorer.exe running when the computer has no Internet access"
explorer.exe is Windows Explorer not Internet Explorer.  So that seems OK.  

Everything except the "Trojan.Cidox Activity 3" message suggests that you are really not infected.  I suggest you contact Symantec to see if the message could be a false positive.  Have you used the Norton Power Eraser?
http://www.symantec.com/security_response/writeup.jsp?docid=2011-070712-0320-99&tabid=3
Or run these steps
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27587  ?
Also, as mentioned, I do not run Symantec so do not know if they have a Quarantine folder.  Perhaps that Trojan is parked there waiting for you to delete, but until you do, Symantec will detect it in the Quarantine folder!!
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40389232
Have you tried any of my suggestions?
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389240
rdo911----
There is an explorer.exe file created by the Trojan in %UserProfile%/My Documents/AppData/explorer.exe .
But I understand you do not have this explorer.exe.
0
 

Author Comment

by:rdo911
ID: 40389259
Roshan, yes I did try your suggestion to run Malwarebytes in regular & safe mode.  I posted my results earlier.

Also tried SuperAntiSpyware in regular & safe mode.
0
 

Accepted Solution

by: rdo911 (earned 0 total points)
ID: 40389406
Solved!  On a tip from a friend, I tried running TDSSKiller from Kaspersky.  It was able to find the virus!  It was a rootkit virus.  That's what made it so hard to find. It did not reside on the C: drive nor did it require any registry entry to do its devilish crap.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40389461
rdo911--Thanks for telling us the fix.  It just reinforces the concept that not any one Antivirus/Antimalware app can do it all.
0
 

Author Closing Comment

by:rdo911
ID: 40401606
No one suggested using a product that was able to detect rootkit viruses.  It was the only one that could remove it.
0
