
Virus:Win32/Rovnix.gen!B Help!


This topic is locked
17 replies to this topic

#1 Action Print (Members, 18 posts, Female)

Posted 06 February 2014 - 11:56 AM


Microsoft Security Essentials keeps saying I have this virus. Nothing seems to get rid of it. And I cannot get the Windows Defender Offline to work. Made the CD as said, but while booting from the CD the computer always freezes. I have no clue what to do.
 
Message on MSE: 
Category: Virus
 
Description: This program is dangerous and replicates by infecting other files.
 
Recommended action: Remove this software immediately.
 
Items: 
rootkit:Rovnix->Vbr::Rovnix
 
Get more information about this item online.
 
Ran this Security Check.
Results of screen317's Security Check version 0.99.79  
   x86   
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Spybot - Search & Destroy 
 CCleaner     
 Mozilla Thunderbird (24.2.0) 
 Google Chrome 32.0.1700.102  
 Google Chrome 32.0.1700.107  
````````Process Check: objlist.exe by Laurent````````  
 Spybot Teatimer.exe is disabled! 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 6% 
````````````````````End of Log`````````````````````` 




#2 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 06 February 2014 - 12:05 PM

Farbar Service Scanner Version: 02-02-2014
Ran by Administrator (administrator) on 06-02-2014 at 11:04:44
Running from "C:\Documents and Settings\Administrator\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.
 
 
Firewall Disabled Policy: 
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall" registry value does not exist.
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
 
Extra List:
=======
Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****


#3 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 06 February 2014 - 12:18 PM

Hello AP

I moved this from XP to the Am I Infected forum.

 

Let's run the Rovnix Cleaner


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 06 February 2014 - 12:26 PM

Ok, thank you!

 

The scan says Rovnix was not found on your system.

So why does MSE keep saying it's there?


Edited by Action Print, 06 February 2014 - 12:30 PM.


#5 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 06 February 2014 - 01:07 PM

Can you post where MSE shows it?

#6 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 06 February 2014 - 01:42 PM

I wasn't sure how to post images, so hopefully this will work.

 

 

http://imageshack.com/a/img849/2221/3hy0.jpg


Edited by Action Print, 06 February 2014 - 01:46 PM.


#7 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 06 February 2014 - 01:44 PM

http://imageshack.com/a/img811/4918/xaoj.jpg


Edited by Action Print, 06 February 2014 - 01:49 PM.


#8 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 06 February 2014 - 03:41 PM

It's showing it in its Quarantine folder. It removed it and put it there... Empty the quarantine.

To be sure it's gone, run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.


#9 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 06 February 2014 - 03:43 PM

If I select them and click the Remove All button, the next time I run the scan it shows up again.

I will run the ESET.



#10 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 06 February 2014 - 08:52 PM

Ok, we will get it.



#11 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 07 February 2014 - 09:17 AM

C:\Documents and Settings\Administrator\Desktop\New Folder (2)\frutiger-55-roman.exe Win32/InstalleRex.C potentially unwanted application deleted - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\Babylon10_setup.exe a variant of Win32/Toolbar.Babylon.E potentially unwanted application deleted - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\cbsidlm-cbsi134-Should_I_Remove_It-SEO-75834044.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\ccsetup407.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Documents and Settings\Administrator\My Documents\Downloads\rcpsetup1_dcomnew_util_728_dcomnew_util_728.exe Win32/Systweak.B potentially unwanted application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0WHNFSPK\distro-search-protect-fix-2[1] Win32/Distromatic potentially unwanted application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JZTOJ3WX\distro-search-protect-fix-2[1] Win32/Distromatic potentially unwanted application deleted - quarantined
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JZTOJ3WX\distro-search-protect-fix-3[1] a variant of Win32/Distromatic.B potentially unwanted application deleted - quarantined
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XPMA45S3\distro-abb-fix[1] a variant of Win32/Distromatic.B potentially unwanted application deleted - quarantined
C:\Program Files\NCH Software\ExpressBurn\burnsetup_v4.52.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files\NCH Software\ExpressBurn\expressburn.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files\NCH Software\ExpressBurn\uninst.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files\NCH Software\ExpressZip\expresszip.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\Program Files\NCH Software\ExpressZip\expresszipsetup_v2.09.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
D:\tools\Nero6.rar a variant of Win32/Keygen.CY potentially unsafe application deleted - quarantined
H:\WD SmartWare.swstor\LEWIS\Volume.91b84cf0.f17f.11dc.bcc1.806d6172696f\tools\Nero6.rar a variant of Win32/Keygen.CY potentially unsafe application deleted - quarantined


#12 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 07 February 2014 - 12:17 PM

Appears there is a keygen.
This tool generates software keys.

Malware is often installed along with this tool.
The infection may be in the tool or the apps it was run on.

#13 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 07 February 2014 - 12:40 PM

Ok. So how do I get rid of it? Or did that get rid of it?


Edited by Action Print, 07 February 2014 - 12:41 PM.


#14 boopme, "To Insanity and Beyond" (Global Moderator, 73,530 posts, Male, NJ USA)

Posted 07 February 2014 - 12:57 PM

Hi, I see we need to go in and find all its parts. We need to get a deeper look.
Please follow this Preparation Guide, do steps 6, 7 and 8, and post in a new topic.
Let me know if all went well.

#15 Action Print (Topic Starter; Members, 18 posts, Female)

Posted 07 February 2014 - 01:54 PM

Not sure if I'm doing something wrong, but I only got an Attach.txt, not the other one.
