10 Replies. Latest reply on Apr 27, 2014 11:56 AM by Hayton

    Virus found only 2 weeks old appears on every Boot

    freshcliff

      I have encountered dozens of viruses and malware on a Windows 7 64 Bit Home Premium laptop. Malwarebytes reports it as Rovnix.gg but most websites don't recognise it. Microsoft websites returned show Rovnix.a etc. but not .gg

       

      It says it's removed / dealt with / quarantined but any rebooting causes the symptom to reoccur. This is the Explorer.exe crashing every 3 seconds resulting in no chance to run programs even in Safe Mode. For those not fully understanding this - the Windows crashes and says it has encountered an error and is restarting. Because of this, starting Anti-Virus scans from desktop or USB is incredibly difficult, sometimes impossible. I have tried Diagnostic/ Selective start-up mode and I have tried changing the memory. MalwareBytes finds the malware but as said above it never fully goes away, while McAfee Total Protection has 300 days before expiry but will not find anything wrong. I tried McAfee Stinger standard and set to Very Sensitive and reporting only.

       

      I have three times got stable usage, every time by running the Windows Memory Diagnostic which also finds nothing but then boots and shows significant improvement in Windows (Explorer) stability. Which is why one of the changes was the memory. Rovnix had disabled Security and enabled or encouraged other Malware to infest/infect the system and most if not all were dealt with, giving back internet and Security settings/services etc. that originally would not start or stay started. So I've made fantastic progress to have it working for the last few hours with no crashing etc. but I am certain it will begin again when it is rebooted. The only constant is MalwareBytes finding Rovnix.gg again after booting. I've tried the manual removal found on the link below but did not find the associated files. Though I did not get through all of the registry in the 20 minutes dedicated to finding the entries shown. And having 3 user profiles the hidden virus/malware could be Anywhere, though I'd have hoped a thorough scan of C: would encompass all users (the whole HDD).

       

      http://blog.teesupport.com/how-to-completely-remove-virus-dosrovnix-v-removal-guide/

       

      found on Google while trying to find a cure for this issue - you can see it also is NOT .gg but .V

       

      Can anyone help with how to remove .gg yet, or should I remove McAfee to use Microsoft Security Essentials which apparently can cure it according to my Google search? The factor of it working correctly after a memory diagnostic may be quite significant but I can't think of more to do to use that fact apart from the new Memory installed.

       

      The issue then would be - The system is not mine and the Owner would have paid for a year's usage of McAfee Total Protection that I would have taken off, therefore having him pay for nothing.

       

      Tag - DOS/Rovnix.gg

        • 1. Re: Virus found only 2 weeks old appears on every Boot
          Peter M

          It's a trojan dropper, not a virus so antivirus applications often trip up detecting such things. Your protection is to be extra careful downloading and avoid file sharing if at all possible. Your best approach, as Malwarebytes detects it, would be to ask them on their forums. But if you look in the last link in my signature below and scroll down to the Hijackthis section you will see that their malware removal forum is one of the recommended ones to post a Hijackthis log. They can analyse it for you and suggest steps to take.

          Also BleepingComputer forums are linked there.  They are another excellent source of help in these situations.  Pick one or the other.

          Don't install MSE unless you uninstall McAfee first, but I doubt very much that it will completely rid you of it as I see it only detects one variation of it.

          Best to get advice from the specialists as suggested in that link.


          Message was edited by: Ex_Brit on 26/04/14 8:32:37 EDT PM
          • 2. Re: Virus found only 2 weeks old appears on every Boot
            catdaddy


            Hi freshcliff,

            The Two individual Forums that Ex_Brit suggested are indeed "Highly Reputable" and are Specialists when dealing with Difficult Malware/Infections. It seems that you have attempted to take the proper steps to eradicate this particular piece of Malware. However, upon "Reboot" it again reappears. Did you run MalwareBytes in "Normal Mode", or try running it in "Safe Mode"?

             

            Even then it may remove it, as you stated already. Only to re-propagate itself upon "Reboot"

             

            I found some information on the Microsoft Threat Encyclopedia ( Rovnix.gg ). If you read closely both the Summary/Technical Information on this threat, it states that to entirely remove/prevent it from returning upon "Reboot", it may be necessary to run the "Bootrec.exe" Tool after removal, before rebooting.

             

            It clearly gives you instructions/Guidelines on how to do so. There are different variants of this Trojan.Dropper. Here is the Link I mentioned:

            http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aDOS%2fRovnix.GG

             

            Sorry ref the mess

             

             

            I might add in addition, you may try to run the Latest McAfee Getsusp Tool, and list your Email Address in "Preferences" before scanning. This will submit this to the McAfee Global Threat Intelligent Base. You can find this tool either under my Signature, or Ex_Brit's (Anti-Spyware/Malware & Hijacker Tools) Last Link.

             

            Should you choose to run Getsusp, please post back the "Work Item #" - "Analysis ID #". After scanning and submitting you should receive a reply back from McAfee Labs verifying your submittal. Just thought I would add to the Discussion. Again, I fully agree with the suggestions Ex_Brit gave.

             

            By scanning with Getsusp, it adds this to McAfee's Database.

             

            Actually here is a case of Bleeping Computer assisting in removal of "Rovnix.gg"

            It can be found Here

             

            Wishing you all the best,

             

            Edited due to broken link


            Message was edited by: catdaddy on 4/26/14 11:04:35 PM CDT
            1 of 1 people found this helpful
            • 3. Re: Virus found only 2 weeks old appears on every Boot
              Hayton

              I don't yet know what the McAfee classification is (their naming conventions are nothing like Microsoft's) but :-

               

              http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aDOS%2fRovnix.GG

               

              Microsoft Security Essentials doesn't get rid of it either, because this thing modifies the Boot Record. It could be a rootkit, and they're sometimes tricky.

               

              First detected on: Mar 06, 2014

              This entry was first published on: Apr 17, 2014
              This entry was updated on: Apr 23, 2014

              This threat is a malicious Volume Boot Record (VBR), which is loaded at boot time.

              It intercepts the hard disk I/O (input/output) operation, or system memory layout functions, to patch the PC's boot module. It also tries to tamper with Windows kernel data to load its own malicious driver. When your PC starts, the malware is loaded instead, and you may experience crashes.

               

              <sigh> Thanks to ongoing hacking around with this site the link to the McAfee program I was looking for is unavailable (Useful Links, above, Anti-Virus tools) - I get "http://vil.nai.com/custom_errors/custom-404.htm"

               

               

              So : you may have to run TDSSKiller, following the instructions on this BleepingComputer page

               

              If you've got Java that's one known means of infection; so if you have it and don't need it, you're better off without it.

              1 of 1 people found this helpful
              • 4. Re: Virus found only 2 weeks old appears on every Boot
                catdaddy

                I couldn't get the link to stick, as you were capable of doing (Grrrr). Not without all of the scrambled Hyperlink. I think that the last link I posted was the same as yours? At this point in time, so frustrated trying to insert things....I digress.

                 

                 

                I went back and tried again to insert the Hyperlink within (Here) and this time it worked?

                Go figure...Calling it a night...

                 

                Message was edited by: catdaddy on 4/26/14 9:50:33 PM CDT
                • 5. Re: Virus found only 2 weeks old appears on every Boot
                  freshcliff

                  Good morning,

                  Lots of replies all looking like great info. Thank you for your insight - I call all of them Viruses as a General term for Malware, Trojans etc. I will attempt to follow the suggestions after replying to a few of these comments/answers.

                   

                  Things to do: check Forums -

                  Malwarebytes

                  Hijackthis

                  Bleeping Computer

                  • 6. Re: Virus found only 2 weeks old appears on every Boot
                    freshcliff

                    Good morning Catdaddy

                    I have tried SAFEMode but Malwarebytes reports it cannot be run in SafeMode

                    I downloaded the Chameleon last night before bed but not used it as of yet

                    I have never come across McAfee GetSusp - even in the week or two of attempting to get rid of this or find info on it at least.

                    The not reading carefully could just be me being tired - a few other jobs/repairs done and this still hanging around driving me nuts.

                    I see the Bootrec advice but finding a Windows 7 CD may be the problem with that solution. Office in chaos more than usual after a recent flood from bathroom.

                     

                    The Bleeping computer link must have 50 pages (including logs) to go through so I'm already frustrated and not looking forward to Searching/reading through the 3 forums suggested.

                     

                    But THANK YOU for your time as well.

                     

                    (Will be hard to pick an answer as "correct" - tempted to pick Ex_Brit's as assumed correct)

                    • 7. Re: Virus found only 2 weeks old appears on every Boot
                      freshcliff

                      Joined Malwarebytes forum and attached the RogueKiller log just done

                       

                      see

                       

                      https://forums.malwarebytes.org/index.php?showtopic=147639

                       

                      couldn't paste log -

                       

                      RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software

                      mail : http://www.adlice.com/contact/

                      Feedback : http://forum.adlice.com

                      Website : http://www.adlice.com/softwares/roguekiller/

                      Blog : http://www.adlice.com

                       

                       

                      Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

                      Started in : Safe mode with network support

                      User : beatricetrigg [Admin rights]

                      Mode : Scan -- Date : 04/27/2014 08:59:16

                      | ARK || FAK || MBR |

                       

                       

                      ¤¤¤ Bad processes : 0 ¤¤¤

                       

                       

                      ¤¤¤ Registry Entries : 6 ¤¤¤

                      [HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

                      [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

                      [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND

                      [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

                      [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

                      [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

                       

                       

                      ¤¤¤ Scheduled tasks : 2 ¤¤¤

                      [V1][SUSP PATH] AffiliatedUpdate.job : C:\Users\victor\APPLIC~1\AFFILI~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

                      [V1][SUSP PATH] UpdaterEX.job : C:\Users\victor\APPLIC~1\UPDATE~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

                       

                       

                      ¤¤¤ Startup Entries : 0 ¤¤¤

                       

                       

                      ¤¤¤ Web browsers : 0 ¤¤¤

                       

                       

                      ¤¤¤ Browser Addons : 1 ¤¤¤

                      [CHR][PUP] Default : Ebay Shopping Assistant by Spigot

                       

                       

                      ¤¤¤ Particular Files / Folders: ¤¤¤

                       

                       

                      ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

                       

                       

                      ¤¤¤ External Hives: ¤¤¤

                       

                       

                      ¤¤¤ Infection : PUP ¤¤¤

                       

                       

                      ¤¤¤ HOSTS File: ¤¤¤

                      --> %SystemRoot%\System32\drivers\etc\hosts

                       

                       

                       

                       


                       

                       

                       

                       

                      ¤¤¤ MBR Check: ¤¤¤

                       

                       

                      +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS545032B9SA00 +++++

                      --- User ---

                      [MBR] c65afb7fd39b37da69c7c16967bc883d

                      [BSP] 921ee4147372bad14cab39d6fa592ecc : Windows 7/8 MBR Code

                      Partition table:

                      0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13468 MB

                      1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 27584512 | Size: 100 MB

                      2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27789312 | Size: 291675 MB

                      User = LL1 ... OK!

                      User = LL2 ... OK!

                       

                       

                      +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) SMI USB DISK USB Device +++++

                      --- User ---

                      [MBR] ae46273e2e22c4d11d5d10aa704eb6eb

                      [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code

                      Partition table:

                      0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 959 MB

                      User = LL1 ... OK!

                      Error reading LL2 MBR! ([0x32] The request is not supported. )

                       

                       

                      Finished : << RKreport[0]_S_04272014_085916.txt >>

                       

                       

                      Really late now - should be elsewhere 7 minutes ago

                       

                      Thanks ALL

                       

                      Message was edited by: freshcliff on 27/04/14 04:08:43 CDT
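An added example, not code from this thread or from RogueKiller, Malwarebytes or any other tool named in it: the kind of MBR check the "MBR Check" section of the log above reports, and that the Volume Boot Record description in reply 3 motivates. It parses the partition table, hashes the boot-code region and compares it with a baseline taken on a clean system; the sample MBR is constructed inline from the PhysicalDrive0 table in the log, and since the page does not say which bytes RogueKiller hashes, hashing the 446-byte boot code is an assumption.

```python
import hashlib
import struct

SECTOR = 512

def _entry(status, ptype, lba_start, size_mb):
    """Build one 16-byte partition-table entry (CHS fields set to the LBA-only marker)."""
    sectors = size_mb * 1024 * 1024 // SECTOR
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)

# Constructed sample, not a real disk image: zeroed boot code, three entries modelled on
# the PhysicalDrive0 partition table in the RogueKiller log above, 0x55AA signature.
SAMPLE_MBR = (bytes(446)
              + _entry(0x00, 0x27, 2048, 13468)
              + _entry(0x80, 0x07, 27584512, 100)
              + _entry(0x00, 0x07, 27789312, 291675)
              + bytes(16)
              + b"\x55\xaa")

PART_TYPES = {0x06: "FAT16", 0x07: "NTFS", 0x27: "ACER"}  # names as printed in the log

def parse_mbr(sector):
    """Return the non-empty partition entries, mirroring the log's 'Partition table' lines."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80,
                      "type": PART_TYPES.get(ptype, "0x%02x" % ptype),
                      "offset": lba, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def boot_code_md5(sector):
    """MD5 of the boot-code region (assumed here to be bytes 0..445); baseline it on a clean system."""
    return hashlib.md5(sector[:446]).hexdigest()

def check_mbr(sector, baseline_md5):
    """Flag the conditions a bootkit-style modification of the MBR would typically change."""
    findings = []
    if boot_code_md5(sector) != baseline_md5:
        findings.append("boot code differs from baseline")
    parts = parse_mbr(sector)
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print(check_mbr(SAMPLE_MBR, boot_code_md5(SAMPLE_MBR)))
```

On a live system the 512-byte sector would be read from the physical drive with administrative rights; the VBR of the active partition can be checked the same way by reading the sector at its offset.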
                      • 8. Re: Virus found only 2 weeks old appears on every Boot
                        Peter M

                        Logs are meaningless to us, we don't analyse them here. I see a response from MBAM forums telling you that you are posting in the wrong area. As I've never heard of RogueKiller I have no idea as regards its use or usefulness.

                        I recommended posting a Hijackthis log only and in a different area of their forums.

                        • 9. Re: Virus found only 2 weeks old appears on every Boot
                          catdaddy

                          I would follow Ex_Brit's advice/suggestions as his opinion, or any other Moderator's advice, "Supersedes" mine.

                          The only reason I mentioned (Getsusp) is that it could possibly detect the discussed Trojan.Dropper, and would be in their Data-Base as such for future possible instances.

                           

                          You can obtain the latest Download for (Getsusp) from HERE

                          As there are many different variants of this Malware-Pum-Pup.

                           

                          I concur with you also, go with Ex_Brit  in considering it to be the (Correct) answer.

                          I was only chiming in...

                           

                          Good Luck....


                          Message was edited by: catdaddy on 4/27/14 7:17:10 AM CDT