How do I remove the virus "Trojan.Cidox Activity 3"

Have a Windows 7 machine that was running slow.  It would have multiple copies of explorer.exe in the taskmgr.  It had an old copy of Symantec Anti-virus which last updated the virus definitions in 2013.

Removed old Symantec.  Installed new Symantec.  Performing much better now.  I still get two or three explorer.exe running, before it was more like 7 copies.

Did a full scan of the computer & Symantec found nothing.

Just leaving the computer on & connected to the Internet.  After a few minutes when I return to look at the screen, there is a warning from Symantec that it detected suspicious activity from "Trojan.Cidox Activity 3"

It does not have any way to remove this virus.  In the logs you can see IP addresses that it was attempting to communicate with that Symantec has stopped.

Been on Symantec's web site and they identify this as a virus, but there are no removal steps provided.

How do you get rid of this thing?


Download and install Malwarebytes and ensure you disconnect the machine from the network after install and download.
Also worth doing a Windows repair once the infection is removed to hopefully clear any bits the infection has left unturned.
rdo911DirectorAuthor Commented:
Downloaded Malwarebytes onto USB drive & copied it to the infected machine.  Infected machine has no Internet access.

Malwarebytes did not find any infections.
Not recommended, I know, but try running Malwarebytes in safe mode.

Here is more info on the infection:
I do not use Symantec so I do not know how to interpret that "warning".  Normally if you really are infected there will be somewhere on that "warning" to direct you to Quarantine or something similar so you can get rid of the infection.  Have you looked into the Symantec app?  Have you tried contacting Symantec?

I found a reference on the internet that says the way to remove this Trojan is to delete



%AllUsersProfile%\Application Data\.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Random “.exe”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Random’

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Random

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” =Random

Source:   I am not sure I trust clicking the button to "Chat".

If you create a Restore point before deleting anything you can always restore if things go wrong.

All this assumes you really are infected.
rdo911DirectorAuthor Commented:
Ran Malwarebytes in safe mode, still found nothing.  Don't these types of programs usually find hundreds of minor threats like tracking cookies?  In both regular & safe mode, it found zero threats.  I find that a little odd.
I'm afraid your best bet is either a System Restore point or Re-install Windows.

Maybe try AVG Internet Security 2015 on a trial and see if that helps, but if it doesn't then my best advice would be a re-install of Windows.

In my experience it's very rare that an infection isn't removable, but in the cases that it's difficult to remove or is undetected can mean they have done unprecedented damage to the OS.
rdo911DirectorAuthor Commented:
jcimarron, to your comment about the Symantec warning, let me explain.  Symantec is detecting suspicious activity to a particular IP address.  In a yellow balloon in the bottom right corner, the Symantec warning mentions "Trojan.Cidox Activity 3", the IP address that it's now blocking, and the blocking will last for 600 seconds.

If I leave it connected to the Internet, the warning keeps popping up from time to time, but the IP address is different every time.
See the rest of my post http:#a40385217  deleting various files.
rdo911DirectorAuthor Commented:
jcimarron, I don't find any of those files or registry entries on the infected computer.  What I have found is that there is one explorer.exe running when the computer has no Internet access.  Within about 2 seconds after plugging in the Internet, Symantec comes up with the warning about suspicious activity "Trojan.Cidox Activity 3" and it blocks access for 5 minutes to the IP address.

And, when I check TaskMgr, now I have 3 or 4 explorer.exe programs running.  Usually they take up much more RAM than the legitimate one.  When I click on "Open File Location", all of them go to C:\Windows\explorer.exe which is last modified 2011/02/26 byte size of 2,803KB.

I've done searches for explorer.exe across the hard drive, there is only the 1 explorer.exe file on the drive.
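
The check described in the post above (extra explorer.exe instances appearing right after the network cable is plugged in) can be scripted rather than read off Task Manager. This is an added example, not part of the original thread; it assumes PowerShell 2.0 as shipped with Windows 7 and uses only `Get-WmiObject Win32_Process` and `netstat -ano`.

```powershell
# Added triage example: list every explorer.exe with parent, command line,
# memory use and start time, then show which of those PIDs own TCP connections.

$procs = @(Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'")

# Map PID -> process name so each parent can be named (the parent may have exited).
$names = @{}
Get-WmiObject Win32_Process | ForEach-Object { $names[[int]$_.ProcessId] = $_.Name }

$procs | ForEach-Object {
    $parent = $names[[int]$_.ParentProcessId]
    if (-not $parent) { $parent = '(exited)' }
    New-Object PSObject -Property @{
        ProcessId    = $_.ProcessId
        ParentId     = $_.ParentProcessId
        Parent       = $parent
        Path         = $_.ExecutablePath
        CommandLine  = $_.CommandLine
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
        Started      = $_.ConvertToDateTime($_.CreationDate)
    }
} | Sort-Object Started |
    Format-List ProcessId, ParentId, Parent, Path, CommandLine, WorkingSetMB, Started

# netstat data rows look like: TCP  local:port  remote:port  STATE  PID
$explorerPids = $procs | ForEach-Object { [string]$_.ProcessId }
netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $explorerPids -contains $f[4]) {
        New-Object PSObject -Property @{
            ProcessId = $f[4]; Local = $f[1]; Remote = $f[2]; State = $f[3]
        }
    }
} | Format-Table ProcessId, Local, Remote, State -AutoSize
```

Run it once with the network unplugged and again a few seconds after reconnecting, then compare the start times and the remote addresses against the IPs in the Symantec log. These queries run inside the suspect OS, so a rootkit may hide data from them; a clean result here does not rule out infection.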
"there is one explorer.exe running when the computer has no Internet access"
explorer.exe is Windows Explorer not Internet Explorer.  So that seems OK.  

Everything except the "Trojan.Cidox Activity 3" message suggests that you are really not infected.  I suggest you contact Symantec to see if the message could be a false positive.  Have you used the Norton Power Eraser?
Or run these steps  ?
Also, as mentioned, I do not run Symantec so do not know if they have a Quarantine folder.  Perhaps that Trojan is parked there waiting for you to delete, but until you do, Symantec will detect it in the Quarantine folder!!
Have you tried any of my suggestions?
There is an explorer.exe file created by the Trojan in %UserProfile%/My Documents/AppData/explorer.exe .
But I understand you do not have this explorer.exe.
rdo911DirectorAuthor Commented:
Roshan, yes I did try your suggestion to run Malwarebytes in regular & safe mode.  I posted my results earlier.

Also tried SUPERAntiSpyware in regular & safe mode.
rdo911DirectorAuthor Commented:
Solved!  On a tip from a friend, I tried running TDSSKiller from Kaspersky.  It was able to find the virus!  It was a rootkit virus.  That's what made it so hard to find. It did not reside on the C: drive nor did it require any registry entry to do its devilish crap.

rdo911--Thanks for telling us the fix.  It just reinforces the concept that not any one Antivirus/Antimalware app can do it all.
rdo911DirectorAuthor Commented:
No one suggested using a product that was able to detect rootkit viruses.  It was the only one that could remove it.