trojan downloader win32 renos.io and bloodhou

June 13, 2009 at 13:32:57
Specs: Windows Vista
I was using LimeWire yesterday. I have
Symantec antivirus and Windows Defender
messages popping up now. Symantec Auto-
Protect message says
Bloodhound.Exploit.196 virus has been
quarantined. This message pops up over and
over again. Windows Defender message says
that it has detected the Trojan Downloader
Win32 renos.io program and asks if I want to
remove it. I click 'remove' and a few minutes
later it says that it has been removed. But,
the same message pops back up after a while.
I can't open Firefox or Internet Explorer
browsers since this happened either.

See More: trojan downloader win32 renos.io and bloodhou

Report •


#1
June 14, 2009 at 06:55:21
What is the filename and location of file that's being detected?

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#2
June 14, 2009 at 13:31:57
I'm sorry, but I don't know that info. The Windows Defender
message doesn't tell me a file name or location. The Symantec
message gives a file name, but it has been a different file every
time - always a pdf. That message hasn't popped up again
today. However, I am still unable to open Firefox or IE web
browsers.

Is there something I can do to determine the file name and
location without waiting for the message to pop up again?


Report •

#3
June 14, 2009 at 13:36:51
Pause/stop you symantec and windows defender. Then follow:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

Related Solutions

#4
June 14, 2009 at 14:48:23
The devbuilds link isn't working...

Report •

#5
June 14, 2009 at 14:51:16
i can't read your mind ... what error are you getting... try: ftp://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/index.html still doesn't work download it on another computer and transfer it over via usb.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#6
June 14, 2009 at 19:47:17
Hi guys, I'm going in circles. I have a trojan by the name of "trojan downloader Win32/renos.IO. I hate this stupid thing that is affecting my OS. I'm alot slower and alot of my software is inoperatable at sometimes. I have 2 photo links that I'm hoping you will be able to view. Can someone show me a legit program or if you can show me how to manually uninstall it.

http://i151.photobucket.com/albums/...

http://i151.photobucket.com/albums/...


Report •

#7
June 15, 2009 at 07:55:28
Scan
----
Scanned: 877729
Detected: 15
Untreated: 0
Start time: 6/14/2009 4:35:10 PM
Duration: 06:02:19
Finish time: 6/14/2009 10:37:29 PM


Detected
--------
Status Object
------ ------
not found: Trojan program Trojan.Win32.Agent.clxm File:
globalroot\systemroot\system32\MSIVXivcgvqweumphsdyeok
wfjjveccdxrdbq.dll
deleted: Trojan program Trojan-
Downloader.Win32.FraudLoad.epp File:
c:\windows\temp\109305548.tmp
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\0EE80001.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\13F80003.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.a
File: C:\ProgramData\Symantec\Symantec AntiVirus
Corporate
Edition\7.5\Quarantine\0B000000\4BCE889D.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\0EE80000\4EFADD99.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\12340000\5A36FBCB.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\12340001\5A36FE99.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\12340002\5A3708B4.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\12340003\5A373C86.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\13F80000\5BFBC90B.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\13F80001\5BFBC957.VBN//CryptZ
deleted: Trojan program Exploit.Win32.Pidief.azu File:
C:\ProgramData\Symantec\Symantec AntiVirus Corporate
Edition\7.5\Quarantine\13F80002\5BFC149B.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.JS.Agent.ecn
File: C:\Users\JT's Lawschool
PC\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.IE5\XWY3FWQL\1[1].htm
deleted: virus Worm.Win32.AutoRun.gbc File:
C:\Users\JT's Lawschool
PC\AppData\Local\Temp\tmp82A8.tmp


Events
------
Time Name Status Reason
---- ---- ------ ------
6/14/2009 4:35:27 PM Running module:
smss.exe\smss.exe ok scanned
6/14/2009 4:35:27 PM File:
C:\Windows\System32\smss.exe ok scanned
6/14/2009 4:35:27 PM Running module:
smss.exe\ntdll.dll ok scanned
6/14/2009 4:35:27 PM File:
C:\Windows\system32\ntdll.dll ok scanned
6/14/2009 4:35:27 PM Running module:
csrss.exe\csrss.exe ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\csrss.exe ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\ntdll.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\ntdll.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\CSRSRV.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\CSRSRV.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\basesrv.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\basesrv.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\winsrv.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\winsrv.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\USER32.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\USER32.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\KERNEL32.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\KERNEL32.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\GDI32.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\GDI32.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\ADVAPI32.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\ADVAPI32.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\RPCRT4.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\RPCRT4.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\LPK.DLL ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\LPK.DLL ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\USP10.dll ok scanned
6/14/2009 4:35:28 PM File:
C:\Windows\system32\USP10.dll ok scanned
6/14/2009 4:35:28 PM Running module:
csrss.exe\msvcrt.dll ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved
to Quarantine Archives Packed files Password
protected Corrupted
------ ------- -------- --------- ------- ------------------- --------
------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Custom
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search Yes
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----


Report •

#8
June 15, 2009 at 08:17:53
Note: I can help you remove virus manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#9
June 15, 2009 at 10:42:55
Here's the avz log:
http://rapidshare.com/files/2448854...

I will post the other links as soon as I have done step 2.


Report •

#10
Report •

#11
June 15, 2009 at 11:04:35
Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe','');
 QuarantineFile('C:\Program Files\DeskPins\DeskPins.exe','');
 QuarantineFile('C:\Windows\TEMP\mc252C0.tmp','');
 QuarantineFile('\\?\globalroot\systemroot\system32\MSIVXivcgvqweumphsdyeokwfjjveccdxrdbq.dll','');
 QuarantineFile('C:\windows\system32\MSIVXivcgvqweumphsdyeokwfjjveccdxrdbq.dll','');
 DeleteFile('C:\windows\system32\MSIVXivcgvqweumphsdyeokwfjjveccdxrdbq.dll'); 
 DeleteFile('\\?\globalroot\systemroot\system32\MSIVXivcgvqweumphsdyeokwfjjveccdxrdbq.dll');
 DeleteFile('C:\Windows\TEMP\mc252C0.tmp');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');    
end.


A file called quarantine1.zip should be created in C:\.


3) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#12
June 15, 2009 at 11:44:13
combofix is running on my machine right now. I am on another computer. I have been using this computer to download the AVPTool and the avz as my other computer would not open the links you had provided (the error message I was getting was that the link appeared to be broken). Now, I fear I may have transferred the virus to this computer through the USB that I am using. The following Symantec message just appeared on this computer:

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.Brisv.A!inf
File: C:\Documents and Settings\Justin\Incomplete\Preview-T-3430251-your call radio version - best track ever.mp3
Location: C:\Documents and Settings\Justin\Incomplete
Computer: JUSTIN-MIRANDA
User: JUSTIN-MIRANDA\Justin
Action taken: Delete succeeded
Date found: Monday, June 15, 2009 11:23:10 AM

What should I do? I thank you very much for all the help you have provided thus far to me.


Report •

#13
June 15, 2009 at 11:51:49
Here's the combofix log

http://rapidshare.com/files/2449096...


Report •

#14
June 15, 2009 at 12:49:23
Follow these Steps in order numbered. Don't proceed to next step unless you have sucessfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('c:\windows\TEMP\mc2365B.tmp','');
 DeleteFile('c:\windows\TEMP\mc2365B.tmp'); 
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Run this script in AVZ:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

3) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload it, C:\quarantine.zip and C:\quarantine1.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

4) Lastly, uninstall Combofix by: pause Antivirus/Sypware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.

If I'm helping you and I don't reply within 24 hours send me a PM.

PS: For your other computer follow Response Number 3. Keep your usb attached to other computer when running the scan.


Report •

#15
June 15, 2009 at 13:54:26
Thanks for the files. Please follow these steps in order numbered and post summary log after each step.

1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q...
Run a full scan with http://www.eset.com/onlinescan/

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advance Settings).
    * Enable Anti-Stealth technology (Advance Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial: http://img155.imageshack.us/img155/...

Note: Turn system restore back on, if you wish; this to remove malware from system volume information files.

2) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, fix anything detected.

3) House cleaning. Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#16
June 15, 2009 at 15:52:33
I'm running the AVP scan on my second computer. It's been going for 3 hours now, but it's only 2% done. The projected finish time is four days from now. It's been scanning song files in my iTunes folder for the last hour or more. Is there something I can do to speed the scan up?

Report •

#17
June 15, 2009 at 15:55:16
Pause/Stop any current Antivirus/Spyware programs you have on it. Also close any unnecessary background processes and don't use your computer till scanning is finished.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#18
June 15, 2009 at 17:21:14
Here's the text of the ESET logfile. I hope this is all it was supposed to say cause it's not much.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251


4 threats were found and deleted by this program


Report •

#19
June 15, 2009 at 17:27:10
Log is empty. Post the correct log.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#20
June 15, 2009 at 17:59:10
That's the only log in that file location. Should I run that scan again?

Here's a link to the actual file:
http://rapidshare.com/files/2450047...


Report •

#21
June 15, 2009 at 18:02:47
Continue with next step, no need to rut it again.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#22
June 15, 2009 at 19:25:52
On my second computer I just received a blue screen that stated the following:

KERNEL_DATA_INPAGE_ERROR

and down a little further under technical information it said the following:

PartMgr.sys - Address F877CE91 base at F877A000, DateStamp 3b7dc5a7

This occurred while the AVP scan was in progress. Should I restart the scan?


Report •

#23
Report •

#24
June 15, 2009 at 19:49:17
Here is the link to the Malwarebytes scan log:

http://rapidshare.com/files/2450243...


Report •

#25
June 15, 2009 at 19:54:55
I also wanted to mention that when I restart my computer (the original computer) I am asked if I want to allow a program entitled is-3HLAC.exe to have access to my computer. I have not allowed as I don't know what that program is, but it has come up as I've restarted the last couple of times.

Report •

#26
June 15, 2009 at 19:57:51
Find is-3HLAC.exe upload it to rapidshare.com and private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#27
June 15, 2009 at 20:09:44
That file is legit and belongs to Kaspersky AVP tool.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#28
June 15, 2009 at 21:17:00
Here's the link for the SUPERAntiSpyware log:

http://rapidshare.com/files/2450381...


Report •

#29
June 15, 2009 at 23:38:54
Renos.IO and Renos.Bah are variants or Trojan win 32 renos that installs malicious program onto infected pc.Trojan win32 Renos can be removed manually, see manual removal steps here http://darfuns.com/trojan-removal/w...

Report •

#30
June 16, 2009 at 06:33:32
Your original problem solved?

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#31
June 16, 2009 at 07:33:34
Sorry. I went to bed before your last post last
night. And I had to go in to work this morning
so I won't be able to do anything more until
this evening.

Also, I left the AVP scan going on my other
computer and this morning I checked it and
the same blue screen had come up on it.


Report •

#32
June 16, 2009 at 07:47:43
Did you run chkdsk? Run these aswell:

1) http://onecare.live.com/site/en-Us/...

2) http://onecare.live.com/site/en-Us/...

What was the stop error code on the blue screen ?

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#33
June 16, 2009 at 08:11:15
I did run chkdsk yesterday and everything
appeared to be fine. The message on the
blue screen was the same as yesterday - see
response 22.

I'll have to run those other things when I get
home this evening.


Report •

#34
June 16, 2009 at 21:59:27
The MS Malicious Software Removal Tool scan on my first computer just finished and reported no malicious software. I am able to use all of my programs just fine now, so I think this computer is working properly now. Thank you so much for helping me fix it.

I am defragmenting the second computer with the onecare link from above and when that is done, I will start the AVP scan again on the computer and hope for the best.


Report •

#35
June 17, 2009 at 06:07:51
Ok post scan results.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#36
June 17, 2009 at 09:13:26
The defragmentation was 92% done last night and the computer got another blue screen. I tried to run the defragmentation again this morning and it happened again.

The bluescreen says to disable or uninstall any anti-virus, disk defragmentation or backup utilities. It also says to run CHKDSK /F and then to restart the computer. I disabled my antivirus and tried to run chkdsk /f, but it said the drive was in use by some other process. What should I do?


Report •

#37
June 17, 2009 at 09:18:55
What is the *** STOP: error code? Also post or check in windows forum as i don't believe its malware problem.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#38
June 17, 2009 at 11:31:10
Unfortunately, I didn't write that info down. So, I thought if I ran the defragmentanting scan again, the blue screen would pop up again. But, instead the scan went all the way to the end. So, I am just starting the AVP scan again right now.

Report •

#39
June 17, 2009 at 13:16:45
Ok post the log if it completes successfully.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •

#40
June 17, 2009 at 19:54:00
OK, so the same blue screen as before came up with the KERNEL_DATA_INPAGE_ERROR. The *** STOP code is: 0x0000007A (0c0C07C14C8, 0xc000009C, 0xF8299B13, 0x1347A860).

Report •

#41
June 17, 2009 at 20:08:12
Go to http://www.updatexp.com/stop-messag... and look up that Stop error. It seems like you might have a faulty hardware. Please get it fixed post back if you have malware problem.

If I'm helping you and I don't reply within 24 hours send me a PM.


Report •


Ask Question