Win32/Renos, need to get it off my comp

Dell / Inspiron 530
July 27, 2009 at 15:57:57
Specs: Microsoft Windows Vista Home Premium, 2.394 GHz / 3316 MB
Hello and thank you in advance for any help.

Well I was downloading a file which gave me a malware called Win32/Renos and am trying to get rid of it. I found this post but I still need help ... step by step would be very much appreciated. I have run into the same problems as the person in the other post ... I got Malwarebytes and tried to install it and got an error message so I changed the .EXE file name to 123.EXE .... tried to get AVG and could not get it to install.


July 27, 2009 at 16:02:02
Well Malwarebytes almost got done with its scan and it stopped responding :( I need help!!


July 27, 2009 at 17:33:43
Download and run Kaspersky AVP tool in safe mode:
Once you download and start the tool in safe mode:
1) Check below options:
    * Select all the objects/places to be scanned.
2) Click Scan
3) Fix what it detects
4) Zip/Rar Scan log/Summary and upload it to Post download link in your next message.

Illustrated tutorial:

If I'm helping you and I don't reply within 24 hours send me a PM.


July 27, 2009 at 18:35:11
Well I could not use the link you posted as the virus kept me from it but I was able to download and install version 8.0 by changing the name of the .exe file but it was not successful at finding anything ;( .... I got a program (Prevx) but I would have to pay for it and I am not going to pay for something to just end up using once at the moment ... but anyway it says that it found 4 threats .... I can not get a report as I will not pay for the program .... but it does have some clues as to what the virus is and where it is located ... it says that the viruses are in c:/windows/system32 and c:/windows/system32/drivers .... and the program has some more clues on its site that it gave me when I clicked on one of the search results and this is what it gave me .... Oh and on the scan result the one that I clicked on it has it labeled as (High Risk fraudulent security Program) and the other three are labeled as (Medium Risk Malware)

I really hope this helps and thank you for your quick response .... you are a good person


July 27, 2009 at 18:36:16
Hmmm I think the link was broken ... I don't know if the virus is just blocking me or if the link is broken so here is what it says on the page it sends me to.

Your PC is infected. The file called ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL is considered unsafe and there may be other infections on your PC.

You should urgently check your PC and remove any malicious software including ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL as soon as possible. The free version of Prevx 3.0 will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx 3.0.

Associated Malware Groups
The filename is associated with the malware group:

Fraudulent Security Program
File Behavior
ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL has been seen to perform the following behavior:

Uses low level functions to hide itself from the user and from system/security processes
Found on infected systems and resists interrogation by security products
Country Of Origin
The filename ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL was first seen on Jul 13 2009 in the following geographical region of the Prevx community:

CANADA on Jul 13 2009

File Name Aliases
ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL can also use the following file names: (right here is supposed to be all of the other names it goes by but it is just a bunch of letters and there are like 200 of them so if you need them just ask)

This file has been seen with the following file size:

23,552 bytes

Vendor, Product and Version Information
This file has no vendor, product or version information specified in the file header.
File Type
The filename ESQULWIJRSEBDRDIHQMBGMBCXQQBVRFHGQJFU.DLL refers to a dynamic link library.

Report •
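A triage listing built from the indicators in the Prevx page quoted above (DLLs and drivers under system32 and system32\drivers, a long letters-only name, no vendor, product or version information). This is an added example, not part of the thread or of any tool named in it; the function names and the length and vowel thresholds are assumptions. Because the quoted report says the file hides itself from system and security processes, an empty result on the running system is not proof that the machine is clean.

```powershell
# Added triage example (not from the thread). It only lists files; it deletes nothing.
# The thresholds are assumptions chosen to match the file described in the Prevx page.
$dirs = "$env:windir\System32", "$env:windir\System32\drivers"

function Test-RandomLookingName([string]$BaseName) {
    # Letters only, 20+ characters, under 25% vowels (the reported name has 6 in 37).
    if ($BaseName.Length -lt 20 -or $BaseName -notmatch '^[a-z]+$') { return $false }
    $vowels = [regex]::Matches($BaseName, '[aeiouAEIOU]').Count
    return ($vowels / $BaseName.Length) -lt 0.25
}

function Test-NoVersionInfo([string]$Path) {
    # True when the file header carries no vendor, product or version strings.
    try {
        $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
        return -not ($v.CompanyName -or $v.ProductName -or $v.FileVersion)
    } catch {
        return $false   # unreadable file: do not flag on this test alone
    }
}

# -Force includes hidden and system files; newest candidates are listed first.
Get-ChildItem -Path $dirs -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (('.dll', '.sys') -contains $_.Extension) } |
    Where-Object { (Test-RandomLookingName $_.BaseName) -and (Test-NoVersionInfo $_.FullName) } |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, Length, CreationTime |
    Format-Table -AutoSize
```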

July 27, 2009 at 18:44:03
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called inside. Upload that file to and paste the link here.

Image Tutorial

2) Follow these steps in order numbered:

1) Download GMER:
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.

If I'm helping you and I don't reply within 24 hours send me a PM.


July 27, 2009 at 19:49:41

and where I got the AVZ from .....

I know downloading from brothersoft is stupid but I had no other choice due to the fact that the virus was blocking my access to the site you posted

And again thank you very much for your help


July 27, 2009 at 20:57:45
Try this link: and redo all of Response Number 5

If I'm helping you and I don't reply within 24 hours send me a PM.


July 28, 2009 at 06:44:50
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

SearchRootkit(true, true);

2) Redo Response Number 5 and generate new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.
