
Virus Rovnix


8 replies to this topic

#1 Darloman
  • Members
  • 4 posts
  • Gender: Male
  • Location: Sussex UK

Posted 05 July 2014 - 05:52 AM

My desktop XP Home has been infected with virus: DOS/Rovnix.gen!A.  Security Essentials finds it but only partially removes it.  MS Emergency Repair Tool also finds it and claims to remove it but does not!  There are sites out there offering manual removal methods which are incomplete or unclear and do not work either.  Anybody know how to get rid of this pest?

 

Thanks to all.


Edited by Orange Blossom, 05 July 2014 - 09:19 AM.
Moved from XP to AII. ~ OB




#2 wpgwpg
  • Members
  • 1,149 posts
  • Gender: Male
  • Location: US of A

Posted 05 July 2014 - 10:19 AM

 You could try the free versions of AVG and Avast.  If you can't get rid of the virus in normal mode, try Safe Mode.  Bear in mind that you can't have more than one antivirus installed at the same time.

 

Good luck.


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#3 Uselesslight
  • Members
  • 146 posts
  • Gender: Male
  • Location: Armstrong, BC

Posted 05 July 2014 - 01:24 PM

I would like to recommend that you upgrade your Windows XP operating system to a more modern one, such as Windows 7 or maybe Windows 8, because Microsoft discontinued support for Windows XP on April 8 of this year.

If the upgrade isn't possible at this time, there are a few steps you can take to remove the infection.  Security Essentials will not be receiving any more updates, and it's actually not available for download on WinXP any more; that is a possible reason for it being ineffective in removing the virus.  I would recommend at this point trying a scan with Sophos Virus Removal Tool; after you download it, it will need to be updated before you scan.  If Sophos doesn't work in normal mode, as wpgwpg stated for other AV scans, try it in Safe Mode as well.

After Sophos has finished, download and scan your machine with AdwCleaner; it will need to restart the machine after it finishes scanning and removal.  The last thing I would do is perform a full system scan with Norton Antivirus; if you don't own Norton Antivirus you can download a 30-day trial from their website and conduct a full virus scan.  I encourage you to purchase the software if you like it.



#4 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,087 posts
  • Gender: Female
  • Location: The Arctic Circle

Posted 05 July 2014 - 01:40 PM

Hi Darloman,
 
I suggest trying this first, as it is effective in detecting MBR and VBR malware, which Rovnix is.

  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply

xXToffeeXx~


Edited by xXToffeeXx, 05 July 2014 - 01:41 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
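The TDSSKiller run described above works at the level of the MBR and VBR, which is where Rovnix lives. As an added example that is not part of this thread and not Kaspersky's code, here is the check a defender can script for an NTFS volume boot record: parse the sector, confirm it is structurally sane, and compare a hash of the bootstrap code region against a hash captured while the machine was known clean. A VBR bootkit keeps the BIOS parameter block intact so the volume still mounts and replaces only the code that runs before the OS loader, so the hash of that region is the signal. The field offsets are the documented NTFS boot-sector layout; the two sample sectors, the baseline value and every helper name are this example's own construction.

```python
"""Check an NTFS volume boot record (VBR) against a known-good baseline.

Added example for this thread; not TDSSKiller's code and not a tool the poster
used. Offsets follow the documented NTFS boot sector layout; the two sample
sectors below are constructed, and the baseline hash is whatever a clean
capture of your own volume produces.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
NTFS_OEM_ID = b"NTFS    "
BOOTSTRAP_START = 0x54   # bootstrap code follows the extended BPB
BOOTSTRAP_END = 0x1FE    # and runs up to the 0x55AA signature


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Pull out the VBR fields a sanity check needs, plus a hash of the code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 0x28)
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "signature": sector[0x1FE:0x200],
        "bootstrap_sha256": hashlib.sha256(
            sector[BOOTSTRAP_START:BOOTSTRAP_END]).hexdigest(),
    }


def check_vbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the VBR is structurally sane and unchanged."""
    v = parse_ntfs_vbr(sector)
    findings = []
    if v["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if v["oem_id"] != NTFS_OEM_ID:
        findings.append("OEM ID is not 'NTFS    '")
    if v["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP opcode")
    if v["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector value %d" % v["bytes_per_sector"])
    # The check that matters for a bootkit: a VBR infection keeps the BPB intact so the
    # volume still mounts, and replaces only the code that runs before the OS loader.
    if v["bootstrap_sha256"] != baseline_sha256:
        findings.append("bootstrap code hash differs from known-good baseline")
    return findings


def build_sample_vbr(bootstrap: bytes) -> bytes:
    """Constructed NTFS-shaped VBR carrying the given bootstrap bytes (test data only)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                   # JMP SHORT / NOP, as real NTFS VBRs start
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sector, 0x0B, 512, 8)   # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<QQ", sector, 0x28, 0x1000000, 0xC0000)  # total sectors, MFT LCN
    region = BOOTSTRAP_END - BOOTSTRAP_START
    sector[BOOTSTRAP_START:BOOTSTRAP_END] = bootstrap[:region].ljust(region, b"\x00")
    sector[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for the Windows loader stub, and the baseline taken from it.
CLEAN_VBR = build_sample_vbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")
BASELINE = parse_ntfs_vbr(CLEAN_VBR)["bootstrap_sha256"]
# Constructed "infected" sector: identical BPB, different first-stage code.
TAMPERED_VBR = build_sample_vbr(b"\xE8\x00\x00\x5E\x81\xEE\x00\x7C")

if __name__ == "__main__":
    for name, vbr in (("clean", CLEAN_VBR), ("tampered", TAMPERED_VBR)):
        print(name, check_vbr(vbr, BASELINE) or "no findings")
```

Two caveats when using this against a real disk. The baseline has to come from a capture you trust, and the sector should be read from a boot environment other than the suspect Windows install: a bootkit that filters disk I/O can hand a live reader the original, clean sector. On Linux, `dd if=/dev/sda1 bs=512 count=1` gives the first partition's VBR; on Windows the raw device `\\.\C:` opened with administrator rights does the same.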


#5 Darloman
  • Topic Starter
  • Members
  • 4 posts
  • Gender: Male
  • Location: Sussex UK

Posted 06 July 2014 - 04:16 AM

Thanks for all suggestions.  I shall give them each a try.  Might take some time.  The last full scan I did with MSE took 18 hours!  I did try Sophos but it would not run because "administrator has set policies which prevent this".  I think that is the result of a small utility "cryptoprevent" intended to protect against ransomware.  Will try and undo the policies and give Sophos another try.

 

Thanks All.



#6 Darloman
  • Topic Starter
  • Members
  • 4 posts
  • Gender: Male
  • Location: Sussex UK

Posted 07 July 2014 - 11:01 AM

Hats off to xXToffeeXx and Bleepingcomputer.  TDSSKiller seems to have done the trick.  It found Rootkit.boot.cidox.b which no other scan did and "cured" it.  MSE now scans clear and the computer seems to be its old self.


The Log file is too large to post but here is the last section of it:
12:04:51.0296 0x0984  LightScribe Control Panel - ok
12:04:51.0375 0x0984  AV detected via SS1: Microsoft Security Essentials, 4.4.0304.0, disabled, updated
12:04:51.0375 0x0984  AV detected via SS1: Microsoft Security Essentials, 2.1.6805.0, disabled, updated
12:04:51.0375 0x0984  Win FW state via NFM: enabled
12:04:51.0375 0x0984  ============================================================
12:04:51.0375 0x0984  Scan finished
12:04:51.0375 0x0984  ============================================================
12:04:51.0421 0x097c  Detected object count: 1
12:04:51.0421 0x097c  Actual detected object count: 1
12:06:48.0875 0x097c  \Device\Harddisk0\DR0\Partition1 - copied to quarantine
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 - ok
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure
12:06:50.0609 0x097c  KLMD registered as C:\WINDOWS\system32\drivers\02033241.sys
12:06:54.0843 0x0710  Deinitialize success

 

Time for a new computer and op system, I think.

 

Thanks for help,  Darloman.
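The log excerpt above is the record of what TDSSKiller found and what was done about it, and on a machine with several detections it is worth reading mechanically rather than by eye: the object path, the threat name, whether the chosen action was Cure or Skip, and whether the cure is pending a reboot. The following parser is an added example, not part of the thread and not a Kaspersky tool. Its line patterns are taken from the excerpt Darloman posted; the function names and the second sample log, which shows the Skip case the instructions in post #4 warn about, are this example's own construction.

```python
"""Summarise a TDSSKiller log: what was detected, and what was done about it.

Added example, not part of the thread and not a Kaspersky tool. The line shapes
are those of the excerpt posted above; the parser, its names and the second
(Skip) log are this example's own construction.
"""
import re

# "12:06:48.0937 0x097c  <message>"
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{4})\s+(?P<tid>0x[0-9a-fA-F]+)\s+(?P<msg>.*)$")
COUNT_RE = re.compile(r"^(?:Actual )?[Dd]etected object count: (?P<n>\d+)$")
AV_RE = re.compile(r"^AV detected via \w+: (?P<rest>.+)$")
# "\Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot"
THREAT_RE = re.compile(r"^(?P<obj>\\\S+) \( (?P<threat>[^)]+) \) - (?P<action>.+)$")
# "\Device\Harddisk0\DR0\Partition1 - copied to quarantine"
OBJECT_RE = re.compile(r"^(?P<obj>\\\S+) - (?P<action>.+)$")


def parse_tdsskiller_log(text: str) -> dict:
    """Collect detection counts, registered AV products and per-object action history."""
    report = {"detected_count": None, "actual_detected_count": None,
              "av_products": [], "objects": {}}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        msg = line.group("msg").strip()
        count = COUNT_RE.match(msg)
        if count:
            key = "actual_detected_count" if msg.startswith("Actual") else "detected_count"
            report[key] = int(count.group("n"))
            continue
        av = AV_RE.match(msg)
        if av:
            parts = av.group("rest").rsplit(", ", 3)   # name, version, state, updated
            if len(parts) == 4:
                report["av_products"].append(dict(zip(("name", "version", "state", "updated"), parts)))
            continue
        hit = THREAT_RE.match(msg) or OBJECT_RE.match(msg)
        if hit:
            entry = report["objects"].setdefault(hit.group("obj"), {"threat": None, "actions": []})
            if "threat" in hit.groupdict():
                entry["threat"] = hit.group("threat")
            entry["actions"].append(hit.group("action"))
    return report


def detections(report: dict) -> dict:
    """Objects TDSSKiller attached a threat name to, with what happened to them."""
    out = {}
    for obj, entry in report["objects"].items():
        if entry["threat"] is None:
            continue
        out[obj] = {
            "threat": entry["threat"],
            "cured": any("cure" in a.lower() for a in entry["actions"]),
            "reboot_pending": any("on reboot" in a for a in entry["actions"]),
        }
    return out


def untreated(report: dict) -> list:
    """Named threats with no cure action recorded: still on disk after the run."""
    return sorted(obj for obj, d in detections(report).items() if not d["cured"])


# Lines copied from the excerpt posted in this thread.
LOG_FROM_THREAD = r"""
12:04:51.0375 0x0984  AV detected via SS1: Microsoft Security Essentials, 4.4.0304.0, disabled, updated
12:04:51.0375 0x0984  Win FW state via NFM: enabled
12:04:51.0375 0x0984  Scan finished
12:04:51.0421 0x097c  Detected object count: 1
12:04:51.0421 0x097c  Actual detected object count: 1
12:06:48.0875 0x097c  \Device\Harddisk0\DR0\Partition1 - copied to quarantine
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 - ok
12:06:48.0937 0x097c  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure
"""

# Constructed: same shape, but the user chose Skip, so the VBR infection remains.
LOG_SKIPPED = r"""
12:10:00.0000 0x0100  Detected object count: 1
12:10:00.0000 0x0100  Actual detected object count: 1
12:10:05.0000 0x0100  \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Skip
"""

if __name__ == "__main__":
    for label, text in (("thread log", LOG_FROM_THREAD), ("constructed skip log", LOG_SKIPPED)):
        report = parse_tdsskiller_log(text)
        print(label, detections(report), "untreated:", untreated(report))
```

The object in the thread's log is `\Device\Harddisk0\DR0\Partition1`, the first sector of the first partition, i.e. the VBR, which matches a Cidox/Rovnix boot-sector infection; the parser also surfaces the AV state line, which here records Security Essentials as disabled at scan time.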
 



#7 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,087 posts
  • Gender: Female
  • Location: The Arctic Circle

Posted 07 July 2014 - 11:09 AM

Hi Darloman,

 

You're welcome, glad to see that did the trick :)

 

Just to let you know, Cidox is a backdoor which steals information like passwords and banking details (if you do banking on that computer). Changing passwords is necessary, and reinstalling Windows is recommended due to it possibly making changes to your computer.

 

xXToffeeXx~


#8 Darloman
  • Topic Starter
  • Members
  • 4 posts
  • Gender: Male
  • Location: Sussex UK

Posted 08 July 2014 - 09:49 AM

Thanks xXToffeeXx.  Cidox sounds nasty.  Luckily I don't think I have anything sensitive on the PC.

I am puzzled as to how these things got in.  I have suspected EITHER an upgrade to Firefox which caused Firefox to run slowly afterwards OR an I/net search via Yahoo.  The trouble started after that.  Neither seem likely as source of baddies.

 

I have lost confidence in Microsoft Security Essentials, especially as it now displays a message more or less saying it is unsafe since XP is no longer supported.   But a change of OS is due anyway.

 

regards, Darloman.



#9 xXToffeeXx
    Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,087 posts
  • Gender: Female
  • Location: The Arctic Circle

Posted 08 July 2014 - 10:23 AM

[Quoting Darloman's post #8 above, 08 July 2014 - 09:49 AM]

Yes, it is quite nasty. Cidox is spread by exploits where you may not have kept your programs up to date (especially web browser, Adobe products, Java and Windows), or via emails. This can differ though, as certain things are patched and 

 

I would recommend Avast free for anyone still running Windows XP, as it will support XP for a number of years more and provides good protection. Yes, upgrading the OS or changing to Linux is preferable to sticking with XP.

 

xXToffeeXx~




