Trojan Rovnix.r (1500) explorer.exe

[larry d]

Just put a new copy of w7 pro on sisters laptop by phone. Just one quick question. Will a format of the drive get rid of it completely? Nod32 says its in the operating memory. Nothing is loaded on the computer so a format would not be a problem. Thanks for any advice. p.s. I told her to wait to go online because I had not finished installing Nod32. She didn't listen obviously!

 

[Computer0304]

Install https://www.malwarebytes.org/mwb-download/ and tell her to run a custom scan on the hard drive.

 

[derekimo]

Just put a new copy of w7 pro on sisters laptop by phone. Just one quick question. Will a format of the drive get rid of it completely? Nod32 says its in the operating memory. Nothing is loaded on the computer so a format would not be a problem. Thanks for any advice. p.s. I told her to wait to go online because I had not finished installing Nod32. She didn't listen obviously!

Malwarebytes is a good suggestion by computer0304.

I'll defer to the security experts when they arrive but if it was me, I would format and reinstall.

You may want to keep her away from it till you finish the install and load the security programs this time.

 

[larry d]

Hello and thanks for the help. Here is what I have done so far. I downloaded superantispyware and ran it. it missed the Trojan. I then sent her a copy of spyware hunter 4 paid copy. updated and ran it. It caught it an cleaned. On reboot it was back and nod32 caught it and cleaned it. But it still remained. It is in the operating memory. So rather then do a reg hack I thought a clean install would be best at this point . just want to make sure the clean install is all I need to do to get rid of it.

 

[derekimo]

It should be all you need, I would use the diskpart clean command,

During installation, once the Languages screen opens, do this:

1. Press SHIFT+F10 - a cmd window will open
2. Type diskpart and hit enter
3. Type list disk and hit enter
4. Type select disk # and hit enter - # = the disk number you wish to clean/format
5. Type clean and hit enter

Once complete (its quick) close the Window and continue with installation.

Just out of curiosity what are you using for install media?

 

[Computer0304]

Hello and thanks for the help. Here is what I have done so far. I downloaded superantispyware and ran it. it missed the Trojan. I then sent her a copy of spyware hunter 4 paid copy. updated and ran it. It caught it an cleaned. On reboot it was back and nod32 caught it and cleaned it. But it still remained. It is in the operating memory. So rather then do a reg hack I thought a clean install would be best at this point . just want to make sure the clean install is all I need to do to get rid of it.

Did you try Malwarebytes yet?

 

[larry d]

I'm using a cd I picked up for 68.00 w7 pro. I have not tried malwarebytes yet. My sister is at the wheel and she is not so savvy with computers. But I do like the diskpart Idea. Thanks everyone for the help. This is the best forum ever!! Your all super people! I will let you know how it goes.

 

[larry d]

Malwarebytes found it but after reboot it came right back. I'm going to go with derekimo's suggestion . Thanks to all of you! Larry D

 

[derekimo]

Yeah, that's what I would do, specially since it's a recent install anyway.

I was asking about the install media in case you may have got a sketchy downloaded one but you should be good with the disc and the diskpart clean to wipe the drive.

You mention doing this over the phone, was the first install an upgrade or clean install?

 

[larry d]

The os came with the coa so it has to be liget right? Im on the phone with her now and she is having trouble getting it to boot from the rom. I walked her thru the bios to have it boot from the rom, but I do not know why it's not. Because I'm remote I cant access the bios. I just hope she didn't doo something wrong! Damn!! Im thinking about trying to remove it thru the reg? Is it possible?

 

[derekimo]

Yeah, it should be OK if you got it from a legitimate source, the COA is a good sign.

Yeah, it can be tough trying to do these things remotely.

If you want to wait for further advice from a security expert, that certainly is an option, although the remote thing may be a bit of a hindrance there too.

 

[andrew129260]

Doing this remotely will be next to impossible, especially with a unsavvy user.

As annoying as it is, it might be best to have them ship you the computer, or maybe you can find a nice legit small buisness computer shop that will not rob her blind and get them to wipe the disk and install windows. Once that is done, you could use teamviewer to reset them up and make sure all security software is applied as well as all the updates.

 

[larry d]

Andrew, I think your right about that. One hour just to set it to boot from the rom! I was pulling my hair out!! she finally got it and after reboot it still went past the cd-rom drive and booted in to windows. I will never do this again! I told her to just ship it to me or take it to a shop. It is extremely hard when you can't see what buttons the other person is pushing. I'm lucky she didn't blow up the bios!! LOL.
Lesson learned. Thanks again for the help everyone.

 

[andrew129260]

Andrew, I think your right about that. One hour just to set it to boot from the rom! I was pulling my hair out!! she finally got it and after reboot it still went past the cd-rom drive and booted in to windows. I will never do this again! I told her to just ship it to me or take it to a shop. It is extremely hard when you can't see what buttons the other person is pushing. I'm lucky she didn't blow up the bios!! LOL.
Lesson learned. Thanks again for the help everyone.

No problem, glad you got things squared away.

My suggestions so this (hopefully) does not happen again: (email this to them)

I advise you to install and use the following security programs so you do not get infected again:

-Panda antivirus -You can only have 1 antivirus installed at a time, I recommend using this one and uninstalling what you are using now.

-Malwarebytes
-Superantispyware
-Should I remove it

Run them around once every 2 weeks.

Should I remove it is not a malware scanner. What it does is it looks at all of the installed programs on your PC and gives you a percentage % of how many people uninstall the software. If the percentage % is high, I would remove it as it is most likely not a good program. It also gives a ton of information about what the program does and how it behaves.

I also suggest using a standard user account in windows, and only using an admin account when you need to install software:

http://www.sevenforums.com/tutorials/181024-user-account-create.html

When using a standard account and you make a change or install a program that affects the whole system, UAC will prompt you to continue. Make sure the setting or program you are tying to install is listed, then click yes to continue. If you are just browsing the web and the prompt appears with a program you have not heard of, or do not know what it is, it is much safer to click no then yes. No will block the action, and if you were trying to do something, you can always start it again and choose yes.

UAC makes this easy, see here:

What is user account control (UAC)?

I also suggest choosing always notify for UAC:

What are User Account Control settings?

I also recommend that you use bleeping computers suggestions which can be found here:

So how Did I get Infected?


Those are my recommendations to you, and I Highly suggest you follow them.