Solved

Potential Threat: Rovnix.W and Rovnix.gen!C

Posted on 2014-01-19
Last Modified: 2014-01-24
Microsoft Security Essentials keeps finding 2 potential threats:

1) Virus:DOS/Rovnix.W
Details: boot\\.\PHYSICALDRIVE0\PARTITION1 (NTFS)->[Obfuscator]

2) Virus:Win64/Rovnix.gen!C
Details: rootkit:Rovnix->Vbr::Rovnix

I have tried to "clean" these, later tried to "Remove" these threats with Microsoft Security Essentials.  I've scanned with Malwarebytes, I've also tried Roguekiller, MBAR, and Combofix.
Nothing has been successful.
Help!
Question by:tcexperts77
18 Comments
 
LVL 24

Expert Comment

by:aadih
ID: 39793066
If possible, restore your computer to an earlier time.
 
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 500 total points
ID: 39793085
tcexperts77--
Here is a suggestion on how to remove the Virus:DOS/Rovnix.W virus
http://computervirusmanualremval.blogspot.com/2013/12/how-to-remove-trojan-dosrovnixw.html

Virus:Win64/Rovnix.gen!C is more difficult.  See up through post #6 here though I see you have tried TDSSKiller already.
http://www.bleepingcomputer.com/forums/t/515309/mse-says-it-removed-win64rovnixgena-but/
 

Author Comment

by:tcexperts77
ID: 39793497
I always thought these things infect System Restore, so that probably wouldn't help?

I have not run TDSS Killer - should I?

I've already tried the website from jcimarron.
There is no Registry entry with Trojan DOS/Rovnix.W. or any of those words (except DOS).
There is no task in Task Manager with Trojan DOS/Rovnix.W. or any of those words (except DOS).
There are no folders with Trojan DOS/Rovnix.W. or any of those words (except DOS).

My concern is about the location of Virus:DOS/Rovnix.W  : boot\\.\PHYSICALDRIVE0\PARTITION1
Doesn't that mean it is in a location on the hard drive before (or right at) where it loads Windows? Will any virus removal programs even be able to remove it?
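The location MSE reported, boot\\.\PHYSICALDRIVE0\PARTITION1 (NTFS), is the volume boot record (VBR): the first sector of the Windows partition, which runs before Windows itself. As an added example that is not part of this thread, the Python below parses an NTFS VBR and compares its bootstrap code against a known-good hash, which is how a defender can tell whether that sector has been replaced; the sector bytes here are constructed test data, and on a real machine the sector would be read from the drive with administrative access.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_START, CODE_END = 0x54, 0x1FE   # bootstrap code lies between the BPB and the 0x55AA signature

def parse_ntfs_vbr(sector: bytes) -> dict:
    """Decode the NTFS boot-sector fields a tamper check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    return {
        "oem_id": sector[3:11],
        # EB rel8 is a short jmp relative to the next instruction (offset 2)
        "jmp_target": 2 + sector[1] if sector[0] == 0xEB else None,
        "bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
        "signature": struct.unpack_from("<H", sector, 0x1FE)[0],
        "code_sha256": hashlib.sha256(sector[CODE_START:CODE_END]).hexdigest(),
    }

def check_vbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings as strings; an empty list means the VBR matches the baseline."""
    v = parse_ntfs_vbr(sector)
    findings = []
    if v["oem_id"] != b"NTFS    ":
        findings.append("OEM ID is not 'NTFS    '")
    if v["signature"] != 0xAA55:
        findings.append("missing 0x55AA boot signature")
    if v["jmp_target"] != CODE_START:
        findings.append("entry jump does not land on the normal bootstrap offset")
    if v["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes-per-sector value")
    if v["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    return findings

def build_sample_vbr(code: bytes) -> bytes:
    """Construct a synthetic NTFS VBR around the given bootstrap code (test data, not a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"                  # jmp short 0x54 ; nop, as a stock NTFS VBR starts
    sector[3:11] = b"NTFS    "
    struct.pack_into("<HB", sector, 0x0B, 512, 8)  # 512 bytes per sector, 8 sectors per cluster
    struct.pack_into("<QQ", sector, 0x28, 0x1DFFFFF, 0xC0000)  # total sectors, $MFT cluster
    sector[CODE_START:CODE_END] = code.ljust(CODE_END - CODE_START, b"\x00")
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)

CLEAN_VBR = build_sample_vbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")  # constructed stand-in for stock code
BASELINE = parse_ntfs_vbr(CLEAN_VBR)["code_sha256"]                # hash recorded while the machine was clean
PATCHED_VBR = build_sample_vbr(b"\xFA\x33\xC0\xE9\x00\x01")          # constructed stand-in for replaced code
```

The baseline hash only has meaning if it was recorded from the same volume while it was known to be clean; a mismatch is a reason to inspect the sector, not proof of a particular family.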
 
LVL 50

Accepted Solution

by:jcimarron
jcimarron earned 500 total points
ID: 39794581
tcexperts77--
"I have not run TDSS Killer - should I?"
Nothing to lose.  It worked for LaLady in
http://www.bleepingcomputer.com/forums/t/515309/mse-says-it-removed-win64rovnixgena-but/
 

Author Comment

by:tcexperts77
ID: 39799172
I removed the hard drive, scanned it with TDSS Killer on another PC.
The rootkit was found and removed.  
Only problem now is Windows doesn't load in the normal or safe mode.
Normal mode goes to desktop, mouse moves, but there is nothing to click on.
Safe mode doesn't go beyond the list of commands ("Loading Windows files").
 
LVL 50

Expert Comment

by:jcimarron
ID: 39800308
tcexperts77--
Some rogue programs hide the desktop icons.  The unhide program should fix that
http://www.bleepingcomputer.com/download/unhide/
 

Author Comment

by:tcexperts77
ID: 39802251
OK - check this out:

I ran the Dell pre-boot diagnostics (this is an Optiplex 7010) and the hard drive failed!
Dell is going to send a replacement drive, as this PC is less than 1 year old.
Could this Rootkit - or any virus - actually cause a hard drive to fail?
 

Author Comment

by:tcexperts77
ID: 39802372
What is:
Blind links deleted.
 
LVL 91

Expert Comment

by:nobus
ID: 39802708
Here they say MS Security Essentials detects and removes it: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3ADOS%2FRovnix.W
 
LVL 50

Expert Comment

by:jcimarron
ID: 39803764
tcexperts77--
Did you try the unhide program to restore Desktop icons?  http:#a39800308
 

Author Comment

by:tcexperts77
ID: 39805907
I tried everything imaginable.  I realized something else may be wrong because the PC wasn't even responding to my mouse & keyboard actions.  I couldn't even start it in the safe mode.  That is when I decided to shut down the computer, wait, then restart it and run the Dell diagnostics program BEFORE it booted into Windows.  When the diagnostics program showed the hard drive was bad, I called Dell to get a replacement drive.  I don't plan to do anything more with the bad drive (that was infected previously and cleaned with TDSSKiller) when I get the good hard drive.

My final question was if the original rootkit infection could have caused the hard drive to go bad.  I think this is a very important question because I have never heard of a virus physically damaging a hard drive.  I think this rootkit may have stressed out (overworked?) this drive and actually wore it out.  Does anybody else have any knowledge on this -- or should I start a new topic?
 
LVL 91

Expert Comment

by:nobus
ID: 39806212
>>  My final question was if the original rootkit infection could have caused the hard drive to go bad  <<  I've not yet seen one virus that caused the drive to die.
 
LVL 24

Expert Comment

by:aadih
ID: 39806408
No, it is highly improbable that a root-kit infection will cause a hard drive to fail; but stranger things have happened.
 

Author Closing Comment

by:tcexperts77
ID: 39806721
Since the drive failed at the same time, I won't know for sure.
TDSSKiller did find and remove the rootkit when nothing else was successful.
Thanks for all the info.
 
LVL 91

Expert Comment

by:nobus
ID: 39806788
>>  Since the drive failed at the same time, I won't know for sure.  <<  Why not run a long diag on it, from its manufacturer? Seagate for Seagates, WD for WD..
I use UBCD for it all the time:
Hardware diagnostic CD    UBCD

Go to the download page, scroll down to the mirror section, and click on a mirror to start the download.
Download the UBCD and make the CD   <<==on a WORKING PC, and boot the problem PC from it.
Here are 2 links, one to the general site, and a direct link to the download.

Since the downloaded file is an ISO file, eg ubcd527.iso, you need to use an ISO burning tool.
If you don't have that software, install cdburnerXP : http://cdburnerxp.se/

If you also want the RAM tested, run memtest86+ for at least 1 full pass - you should have NO errors!

For disk diagnostics run the disk diag for your disk brand (eg Seagate diag for Seagate drive) from the HDD section - long or advanced diag! (runs for at least 30 minutes)

http://www.ultimatebootcd.com/                        ultimate boot cd
http://www.ultimatebootcd.com/download.html             download page

You may even be able to repair it with HDDRegenerator (not free), but run the trial, and see if it fixes the first sector    http://www.dposoft.net/hdd.html
 
LVL 50

Expert Comment

by:jcimarron
ID: 39806922
tcexperts77--Glad to have helped.