Microsoft security software detects and removes this threat.

This trojan can make your PC crash unexpectedly. If you can reboot your PC after the crash, you should run a full antivirus scan.

This threat spreads using a software vulnerability in Java. It can also be installed by other malware, for example TrojanDropper:Win32/Rovnix.I.

What to do now

The following free Microsoft software detects and removes this threat:

However, in some cases you may need to use the free tool Windows Defender Offline to fully clean your PC:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Run the Bootrec.exe tool

To completely remove this threat you might need to run the Bootrec.exe tool using your Windows installation CD.

For Windows 8:

  1. Put your Windows 8 media in the DVD drive and restart your PC.
  2. Select a language, time and currency, and keyboard or input method, and then click Next.
  3. Click Repair your computer.
  4. Click Troubleshoot, then Advanced options.
  5. Click Command Prompt and then type Bootrec /FixBoot and then presss Enter.
  6. Type Exit and the press Enter.
  7. At the Choose an Option screen click Continue.
  8. Remove the Windows 8 CD from your DVD drive and restart your PC.

For Windows 7:

  1. Put your Windows 7 media in the DVD drive and restart your PC
  2. Press any key when you are prompted.
  3. Select a language, time and currency, and keyboard or input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the SystemRecovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe /fixboot, and then press Enter.
  8. Remove the Windows 7 CD from your DVD drive and restart your PC.

Threat behavior

DOS/Rovnix.V is a malicious Volume Boot Record (VBR), which is loaded at boot time. It tries to tamper with some Windows kernel data to load its own malicious driver. This might bypass the Driver Signature Enforcement on a 64-bit system.

The malicious driver injects other malware components, for example Trojan:Win32/Claretore.L, into the explorer.exe process.

To hide its presence in your PC, the loaded driver intercepts the hard disk I/O (input/output) operation, and returns the original clean copy if the VBR is accessed.


Alerts from your security software may be the only symptom.


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 20, 2013
This entry was first published on: Dec 31, 2013
This entry was updated on: Apr 16, 2014

This threat is also detected as:
No known aliases