Solved

Potential Threat: Rovnix.W and Rovnix.gen!C

Posted on 2014-01-19
Last Modified: 2014-01-24
Microsoft Security Essentials keeps finding 2 potential threats:

1) Virus:DOS/Rovnix.W
Details:   boot\\.\PHYSICALDRIVE0\PARTITION1 (NTFS)->[Obfuscator]

2) Virus:Win64/Rovnix.gen!C
Details:  rootkit:Rovnix->Vbr::Rovnix

I have tried to "clean" these, later tried to "Remove" these threats with Microsoft Security Essentials.  I've scanned with Malwarebytes, I've also tried Roguekiller, MBAR, and Combofix.
Nothing has been successful.
Help!
Question by:tcexperts77
18 Comments
 
LVL 24

Expert Comment

by:aadih
ID: 39793066
If possible, restore your computer to an earlier time.
LVL 50

Assisted Solution

by:jcimarron
jcimarron earned 500 total points
ID: 39793085
tcexperts77--
Here is a suggestion on how to remove the Virus:DOS/Rovnix.W virus
http://computervirusmanualremval.blogspot.com/2013/12/how-to-remove-trojan-dosrovnixw.html

Virus:Win64/Rovnix.gen!C is more difficult.  See up through post #6 here though I see you have tried TDSSKiller already.
http://www.bleepingcomputer.com/forums/t/515309/mse-says-it-removed-win64rovnixgena-but/

Author Comment

by:tcexperts77
ID: 39793497
I always thought these things infect System Restore, so that probably wouldn't help?

I have not run TDSS Killer - should I?

I've already tried the website from jcimarron.
There is no Registry entry with Trojan DOS/Rovnix.W. or any of those words (except DOS).
There is no task in Task Manager with Trojan DOS/Rovnix.W. or any of those words (except DOS).
There are no folders with Trojan DOS/Rovnix.W. or any of those words (except DOS).

My concern is about the location of Virus:DOS/Rovnix.W  : boot\\.\PHYSICALDRIVE0\PARTITION1
Doesn't that mean it is in a location on the hard drive before (or right at) where it loads Windows? Will any virus removal programs even be able to remove it?
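The detection path quoted above (`boot\\.\PHYSICALDRIVE0\PARTITION1 (NTFS)`) points at the first sector of partition 1, the NTFS volume boot record, which executes before Windows itself is loaded. As an added example, not code from this thread, the script below walks the MBR partition table to that VBR, checks its NTFS fields and boot signature, and hashes the sector so it can be compared with a known-clean baseline; the disk image is constructed inline, and reading the live drive through `\\.\PhysicalDrive0` is an assumption that needs an administrator shell on Windows.

```python
import hashlib
import struct

SECTOR = 512  # both the MBR and the NTFS VBR occupy one 512-byte sector

def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:
            entries.append({"index": i + 1, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def inspect_ntfs_vbr(vbr: bytes) -> dict:
    """Check the fields of an NTFS boot sector and hash it for baselining."""
    oem = vbr[3:11]
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    return {"is_ntfs": oem == b"NTFS    ", "bytes_per_sector": bps,
            "sectors_per_cluster": spc, "signature_ok": vbr[510:512] == b"\x55\xaa",
            "sha256": hashlib.sha256(vbr[:SECTOR]).hexdigest()}

def vbr_of_partition(disk: bytes, index: int = 1) -> dict:
    """Follow the MBR to partition `index` and inspect its VBR (its first sector)."""
    entry = next((e for e in parse_mbr(disk[:SECTOR]) if e["index"] == index), None)
    if entry is None:
        raise ValueError(f"partition {index} not in MBR")
    start = entry["lba_start"] * SECTOR
    return {"lba_start": entry["lba_start"], **inspect_ntfs_vbr(disk[start:start + SECTOR])}

def build_sample_disk() -> bytes:
    """Constructed sample image: MBR with one NTFS partition starting at LBA 2048."""
    disk = bytearray(SECTOR * 2049)
    disk[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 4096)
    disk[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xeb\x52\x90" + b"NTFS    "  # jump + OEM ID, as in a real NTFS VBR
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    vbr[510:512] = b"\x55\xaa"
    disk[2048 * SECTOR:2049 * SECTOR] = vbr
    return bytes(disk)

if __name__ == "__main__":
    # Assumption: on a live Windows host (administrator shell) the same code runs over
    # open(r"\\.\PhysicalDrive0", "rb").read(SECTOR * 2049) instead of the sample image.
    print(vbr_of_partition(build_sample_disk()))
```

Record the `sha256` value from a clean install; a later run that reports a different hash for the same VBR, with the NTFS fields still intact, is the kind of change a VBR infection such as the one detected here produces.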
LVL 50

Accepted Solution

by:jcimarron
jcimarron earned 500 total points
ID: 39794581
tcexperts77--
"I have not run TDSS Killer - should I?"
Nothing to lose.  It worked for LaLady in
http://www.bleepingcomputer.com/forums/t/515309/mse-says-it-removed-win64rovnixgena-but/

Author Comment

by:tcexperts77
ID: 39799172
I removed the hard drive, scanned it with TDSS Killer on another PC.
The rootkit was found and removed.  
Only problem now is Windows doesn't load in the normal or safe mode.
Normal mode goes to desktop, mouse moves, but there is nothing to click on.
Safe mode doesn't go beyond the list of commands ("Loading Windows files").
LVL 50

Expert Comment

by:jcimarron
ID: 39800308
tcexperts77--
Some rogue programs hide the desktop icons.  The unhide program should fix that
http://www.bleepingcomputer.com/download/unhide/

Author Comment

by:tcexperts77
ID: 39802251
OK - check this out:

I ran the Dell pre-boot diagnostics (this is an Optiplex 7010) and the hard drive failed!
Dell is going to send a replacement drive, as this PC is less than 1 year old.
Could this Rootkit - or any virus - actually cause a hard drive to fail?

Author Comment

by:tcexperts77
ID: 39802372
What is:
Blind links deleted.
LVL 92

Expert Comment

by:nobus
ID: 39802708
Here they say MS Security Essentials detects and removes it: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3ADOS%2FRovnix.W
LVL 50

Expert Comment

by:jcimarron
ID: 39803764
tcexperts77--
Did you try the unhide program to restore Desktop icons?  http:#a39800308

Author Comment

by:tcexperts77
ID: 39805907
I tried everything imaginable.  I realized something else may be wrong because the PC wasn't even responding to my mouse & keyboard actions.  I couldn't even start it in the safe mode.  That is when I decided to shut down the computer, wait, then restart it and run the Dell diagnostics program BEFORE it booted into Windows.  When the diagnostics program showed the hard drive was bad, I called Dell to get a replacement drive.  I don't plan to do anything more with the bad drive (that was infected previously and cleaned with TDSSKiller) when I get the good hard drive.

My final question was if the original rootkit infection could have caused the hard drive to go bad.  I think this is a very important question because I have never heard of a virus physically damaging a hard drive.  I think this rootkit may have stressed out (overworked?) this drive and actually wore it out.  Does anybody else have any knowledge on this -- or should I start a new topic?
LVL 92

Expert Comment

by:nobus
ID: 39806212
>>  My final question was if the original rootkit infection could have caused the hard drive to go bad  <<  I've not yet seen one virus that caused the drive to die.
LVL 24

Expert Comment

by:aadih
ID: 39806408
No, it is highly improbable that a rootkit infection will cause a hard drive to fail; but stranger things have happened.

Author Closing Comment

by:tcexperts77
ID: 39806721
Since the drive failed at the same time, I won't know for sure.
TDSSKiller did find and remove the rootkit when nothing else was successful.
Thanks for all the info.
LVL 92

Expert Comment

by:nobus
ID: 39806788
>>  Since the drive failed at the same time, I won't know for sure.  <<  Why not run a long diag on it, from its manufacturer? Seagate for Seagates, WD for WD..
I use UBCD for it all the time:
Hardware diagnostic CD    UBCD

Go to the download page, scroll down to the mirror section, and click on a mirror to start the download.
Download the UBCD and make the CD   <<== on a WORKING PC, and boot the problem PC from it.
Here are 2 links, one to the general site, and a direct link to the download.

Since the downloaded file is an ISO file, e.g. ubcd527.iso, you need to use an ISO burning tool.
If you don't have that software, install CDBurnerXP: http://cdburnerxp.se/

If you also want the RAM tested, run memtest86+ for at least 1 full pass - you should have NO errors!

For disk diagnostics run the disk diag for your disk brand (e.g. Seagate diag for a Seagate drive) from the HDD section - long or advanced diag! (runs for at least 30 minutes)

http://www.ultimatebootcd.com/                        ultimate boot cd
http://www.ultimatebootcd.com/download.html             download page

You may even be able to repair it with HDDRegenerator (not free), but run the trial, and see if it fixes the first sector    http://www.dposoft.net/hdd.html
LVL 50

Expert Comment

by:jcimarron
ID: 39806922
tcexperts77--Glad to have helped.