Saturday, May 17, 2014

Trojan.Cidox.C, Remove the Trojan That Steals Information


OUTLINE
  • About Trojan.Cidox.C
1. Dissemination routine
2. Purpose
  • The reason why anti-virus programs will not remove Trojan.Cidox.C
  • Expert guide showing how to remove Trojan.Cidox.C
  • Trojan.Cidox.C summary


About Trojan.Cidox.C


Trojan.Cidox.C was first discovered on May 7, 2014. It is classified as a Trojan horse and mainly targets Windows platforms. According to Global PC Support Center, the sample is identified by MD5 17673e4cb266f8e6e90caf74ce093a93 and is built to evade easy rectification by installed security utilities. Once Trojan.Cidox.C gets into a system, it starts copying itself in large numbers under %SystemRoot%, usually displayed as an executable file. It then replaces the swap file (see the reference at the end of this article) and modifies the content under HKCR\exefile\shell\open\command so that launching any installed program activates the Trojan horse.

Generally speaking, Trojan.Cidox.C uses the following dissemination routines:
  1. Trojan.Cidox.C has been found to be heavily downloaded by Trojan downloaders (which means another virus was already present before Trojan.Cidox.C’s infiltration).
  2. Trojan.Cidox.C piggybacks on counterfeit web pages.
  3. The Trojan horse attacks loosely built programs and web sites and lurks there.
  4. Trojan.Cidox.C is capable of attacking machines with obvious vulnerabilities, loopholes or bugs.
What Trojan.Cidox.C wants is money. By sticking to a machine and compromising its security system, it manages to load its files and keyloggers to collect confidential information. Such information can either be resold to other cyber criminals and online operators who badly want to know where to place promotional material, or be taken advantage of by its maker to rob bank cards whenever the related details have been recorded.



Trojan.Cidox.C Cannot Be Removed by Anti-virus Program


The installed anti-virus program is the very first tool people think of to deal with the intruder. But very often Trojan.Cidox.C reappears after the reboot that the security program requests once it claims to have removed the Cidox Trojan successfully. As a matter of fact, the anti-virus program is not powerful enough to take it down. Let’s look at the root cause.

The files below are a small part of those Trojan.Cidox.C generates once it lands on a machine:
7AF43F5D.sys.vir
487B7646.sys
5E4F15AD.sys
778D42B1.sys
101.decrypted
0C312C29.sys
System32.zip
3B662CD5.sys
Rdrv.sys
As you can see, most files end with “.sys” (a suffix that suggests the file belongs to the system); the zip file packs Trojan.Cidox.C into a small size so that its infiltration is not noticed by the installed security defense in time; and Trojan.Cidox.C uses decryption routines to attack weak password systems and affect valuable items on the target machine. It is clear that Trojan.Cidox.C is highly elusive and that the manual removal method is the most efficient solution. However, one should be experienced in removing Trojans and well equipped with computer skills; otherwise complete removal cannot be achieved, because:
  1. Trojan.Cidox.C manages to open a backdoor to download additional items and new commands that resist removal.
  2. Removing Trojan.Cidox.C in the wrong order, or removing a vicious component incompletely, enables the Trojan to restore all removed items.
Below is the instruction offered by VilmaTech Online Support according to the virus sample. In the event of an unexpected situation that overwhelms you, please feel free to get exclusive help by starting a live chat window to contact senior technicians.



Help Guide to Remove Trojan.Cidox.C


Step 1. Get started by entering Safe Mode.

Windows 7/Vista/XP
  • Restart the system and keep tapping the F8 function key while it restarts.
  • Choose “Safe Mode” when the “Windows Advanced Options Menu” appears.
  • Hit the Enter key.

Windows 8
  • Restart the system, hold down the Shift key and keep tapping the F8 function key while it restarts.
  • Choose ‘See advanced repair options’ > ‘Troubleshoot’ > ‘Advanced Options’ > ‘Windows Startup Settings’ > hit the “Restart” button to enter Safe Mode.





Step 2. Access Task Manager to end the processes whose path points to Trojan.Cidox.C according to the installed anti-virus program.
(tip: if you are not able to access Task Manager with the key combination, open the Run box from the Start menu, type “CMD”, hit the Enter key and enter “taskkill.exe /im msblast.exe”, “taskkill.exe /im teekids.exe” or “taskkill.exe /im penis32.exe”)

Access Task Manager > View > Select Columns > tick "PID" and "Path Name" > open System Information > end the process whose path name points to Trojan.Cidox.C's path (according to the threat alert) or to a path that does not belong to the system.
(tip: if some vicious processes reappear, find the PPID through the PID column; then remove the parent process(es) with the command “taskkill /im system.exe /f” in a DOS window.)
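The PID/PPID/path review described in Step 2 can be done from one PowerShell window instead of clicking through Task Manager columns. This is an added example, not part of the original post: it lists every process whose executable lies outside %SystemRoot% and the Program Files folders, together with its parent process, and ends nothing by itself; the "trusted" folder list is an assumption for illustration.

```powershell
# Added example: read-only process audit for the Step 2 review.
# Folders treated as "belonging to the system" (assumption: adjust to your machine).
$trusted = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

$procs = Get-CimInstance Win32_Process

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }   # protected system processes report no path; skip them

    $inTrusted = $false
    foreach ($dir in $trusted) {
        if ($path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
            break
        }
    }
    if ($inTrusted) { continue }

    # Resolve the parent so a respawning child can be traced to what restarts it (the PPID tip above).
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1

    [PSCustomObject]@{
        PID        = $p.ProcessId
        PPID       = $p.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '(parent already exited)' }
        Name       = $p.Name
        Path       = $path
    }
}
# To end a reviewed process by PID from the same window: taskkill /PID <pid> /F
```

Legitimate user-mode software installed under AppData (some browsers, updaters) also shows up here, so compare each path against the anti-virus alert before ending anything.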




Step 3. Unveil hidden files and folders to remove the ones created by Trojan.Cidox.C.

Windows 7/XP/Vista - Control Panel > User Accounts and Family Safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > untick ‘Hide protected operating system files (Recommended)’ > OK button.

Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.

  • Access the detected path and remove all the items there.
  • Access the following folders to remove the items generated on the day when Trojan.Cidox.C was first detected:
    (tip: on Windows XP, it is suggested to execute the following steps after turning off the System Restore function: right click on “My Computer”/“Computer” > Properties > navigate to the System Restore tab > tick “Turn off System Restore”)
%SystemRoot%\system32\%Temp%\
%SystemDrive%\
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\

Variable declarations
  • %SystemDrive% - the system partition, "C:\" by default.
  • %SystemRoot% - the Windows directory, “C:\Windows” by default.
  • %Documents and Settings% - the user's document folder, commonly “C:\Documents and Settings”.
  • %Temp% - commonly “C:\Documents and Settings\[current user name]\Local Settings\Temp”.
  • %ProgramFiles% - the default installation directory for programs, “C:\Program Files” by default.
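Step 3 asks for the items created in the listed folders on the day the Trojan was first detected, with hidden and system files visible. This added example (not from the original post) does that search from PowerShell using the same folders expressed through the environment variables above; the date is a placeholder to replace with your own detection day, and nothing is deleted, the script only lists candidates.

```powershell
# Added example: list files created on the detection date in the Step 3 folders.
# Placeholder date: the post's discovery date; replace with the day your anti-virus first flagged it.
$detectionDate = (Get-Date '2014-05-07').Date

# The folders Step 3 names, resolved through the environment variables explained above.
$folders = @(
    $env:SystemDrive + '\',
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'System32'),
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Documents'),
    $env:LOCALAPPDATA,
    $env:ProgramFiles
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# -Force includes hidden and system files, which is what unticking the Folder Options boxes does.
# Top level only, as in the post; add -Recurse to walk subfolders (slower under Program Files).
$hits = foreach ($dir in $folders) {
    Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $detectionDate }
}

$hits | Select-Object FullName, CreationTime, Length, Attributes | Format-Table -AutoSize

# The post also lists three startup scripts under C:\Windows; report them if present so
# their contents can be reviewed (they are not created by a normal Windows 7/8 install).
$startupScripts = 'winstart.bat', 'wininit.ini', 'Autoexec.bat' |
    ForEach-Object { Join-Path $env:SystemRoot $_ } |
    Where-Object { Test-Path -LiteralPath $_ }
if ($startupScripts) {
    Write-Host 'Startup scripts present, review before removing:'
    $startupScripts
}
```

Files whose creation time was reset by the dropper will not match the date filter, so treat this list as a starting point rather than a complete inventory.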



Step 4. Access the Registry Editor to make rectifications.

  • Press the Win key and R key together.
  • Type “regedit” and hit the Enter key.
  • Navigate to the following entry and remove the values under “Run” (for example C:\WINDOWS\system32\system.exe) that you have not seen before:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Then search the registry for the processes detected in Step 2 and remove their entries.
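Two registry locations matter on this page: the HKCR\exefile\shell\open\command handler that the introduction says Trojan.Cidox.C modifies so every program launch runs the Trojan, and the Run keys Step 4 has you inspect. This added example (not from the original post) audits both from PowerShell: it compares the .exe handler against the clean default value "%1" %* and lists every Run entry, including the Policies\Explorer\Run key, so unknown commands stand out; it reports only and changes nothing.

```powershell
# Added example: registry persistence audit for the .exe handler and the Run keys.
$expected = '"%1" %*'   # default exefile open command on a clean Windows system

# HKCR merges HKLM\Software\Classes (machine-wide) and HKCU\Software\Classes (per-user),
# so check both places a hijacked handler could live.
$handlerKeys = @(
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command',
    'HKCU:\SOFTWARE\Classes\exefile\shell\open\command'
)
foreach ($key in $handlerKeys) {
    if (-not (Test-Path $key)) { continue }   # per-user key normally does not exist
    $actual = (Get-Item $key).GetValue('')      # '' is the (Default) value
    if ($actual -ne $expected) {
        Write-Warning "$key is '$actual' (expected '$expected'): every .exe launch runs this first"
    } else {
        Write-Host "$key OK"
    }
}

# Auto-start entries: the Policies\Explorer\Run key from Step 4 plus the standard Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [PSCustomObject]@{
            Key     = $key
            Name    = $name
            Command = $item.GetValue($name)
            # Flag commands whose executable is not under the Windows or Program Files folders.
            Suspect = ($item.GetValue($name) -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
        }
    }
}
```

The Suspect column is a coarse heuristic for review, not a verdict: legitimate per-user software often starts from AppData, and a hijacked handler can be fixed by restoring the default value shown in the warning.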



Step 5. Remove cookies from browser settings.

Internet Explorer
Tools icon > Safety > “Delete browsing history” > tick “Cookies” > “Delete” button.

Chrome
‘Customize and control’ menu > Tools > “Clear Browsing Data” > tick “Delete cookies …” > “Clear browsing data”.

Firefox
Tools menu > “Cookie Manager” > “Manage Stored Cookies” > remove all cookies.

Opera
Open Opera and make it the current browser > Alt+P key combination > Privacy and Safety > “Cookie” > click the “All cookies and website data” button.




Step 6. Remove temp files generated by Trojan.Cidox.C.
  1. Press the Win key and R key together; a Run box pops up.
  2. Type “%Temp%” in the box and hit the Enter key; you will be taken to the temp files.
  3. Remove the ones that are not loaded by the system.
  4. When done, return to the previous menu and open “Temporary Internet Files”.
  5. Locate the folder “Content.[the browser you are using]+[the version you are using]”, for example content.ie5.
  6. Remove all the files there (except index.dat).



Trojan.Cidox.C Effects

  1. Additional viruses can be expected, since:
    • by introducing more viruses, its maker gets extra income;
    • the compromised system will not be able to ward off aggressive viruses.
  2. Multiple strange processes run in the background consuming plenty of CPU, leading to frequent freezes.
  3. Some programs and applications installed on the machine disappear.
  4. Some system services are disabled.
  5. Error messages occur, resulting in malfunction.

Finally, remove all of the viruses if Trojan.Cidox.C has brought more infections onto the target machine; otherwise the Trojan horse will never leave the computer. Please go to the VilmaTech virus reservoir for the corresponding solution to the additional virus should there be other infections, or simply get a quick fix according to your concrete situation by starting a live chat window here.


Reference:

Swap file – Wikipedia



