Hi, I found this forum when searching the Internet for a solution to my problem!
Since yesterday I have suddenly been getting constant warnings from Windows Defender about Trojan:win32/renos.n, and the alert level is high.
I click "remove all" and Defender works for a few seconds, but then in an hour or so the same message pops up again.
I have run a full system scan with Defender and my F-Prot Antivirus program, but they say the system is clean.
I followed your guidelines for new members, ran the tools, and attached the files to this post (attach.txt only as an attachment; DDS.txt and RootRepeal.txt are in this text).
I understand renos.n spies on logins etc., and now I am afraid to log in to my bank or use my credit card online, which I do daily.
Any help would be highly appreciated.
Kim
DDS (Ver_09-06-26.01) - NTFSx86
Run by Kim Wist at 21:41:58,41 on ke 30.09.2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3326.2102 [GMT 3:00]
AV: F-PROT Antivirus for Windows *On-access scanning disabled* (Outdated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kim Wist\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = www.mbnet.fi/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Software4u-UpdateServer] c:\program files\software4u\registry cleanup 2008\Software4u.UpdateServer.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Muutavalikkoa - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: RF Työkalupalkki - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: Tallenna lomakkeet - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Täytä lomakkeet - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235408705107
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
================= FIREFOX ===================
FF - ProfilePath - c:\users\kimwis~1\appdata\roaming\mozilla\firefox\profiles\03152zjq.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");
============= SERVICES / DRIVERS ===============
R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2009-8-31 682840]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2009-2-24 150568]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-4-29 176128]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-2-24 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-24 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-24 72728]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-2-23 36864]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-2-23 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-2-24 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-2-24 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-2-24 72728]
=============== Created Last 30 ================
2009-09-30 21:39 <DIR> --d----- c:\users\kim wist\regBackup
2009-09-30 20:52 <DIR> --d----- c:\program files\Microsoft
2009-09-30 20:52 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-09-30 20:51 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-09-30 20:46 <DIR> --d----- c:\program files\common files\Windows Live
2009-09-30 19:22 <DIR> --d----- c:\program files\Enigma Software Group
2009-09-30 11:53 12,218 a------- c:\windows\system32\msdx92.dll
2009-09-30 11:53 <DIR> --d----- c:\programdata\Software4u
2009-09-30 11:53 <DIR> --d----- c:\progra~2\Software4u
2009-09-30 11:53 <DIR> --d----- c:\users\kimwis~1\appdata\roaming\Software4u
2009-09-29 17:11 158,208 a------- c:\windows\msa.exe
2009-09-29 16:40 <DIR> --d----- C:\cygwin
2009-09-29 16:39 <DIR> --d----- c:\users\kimwis~1\appdata\roaming\e
2009-09-29 11:00 <DIR> --d----- c:\program files\iPod
2009-09-29 11:00 <DIR> --d----- c:\program files\iTunes
2009-09-27 13:22 <DIR> --d----- c:\programdata\FLEXnet
2009-09-27 13:12 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-09-20 12:15 23 a------- c:\windows\SWFDecompiler.INI
2009-09-20 12:15 <DIR> --d----- c:\program files\common files\SourceTec
2009-09-20 12:15 <DIR> --d----- c:\program files\SourceTec
2009-09-19 21:29 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-09-19 21:29 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-09-19 21:29 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-09-19 21:29 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-09-19 21:29 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-09-19 21:29 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-09-19 21:29 38,912 -------- c:\windows\system32\picn20.dll
2009-09-19 21:29 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-09-19 20:42 <DIR> --d----- c:\programdata\DVD Shrink
2009-09-19 20:42 <DIR> --d----- c:\program files\DVD Shrink
2009-09-17 15:59 <DIR> --d----- c:\program files\Macromedia
2009-09-17 12:12 54,760 a------- c:\windows\system32\BMXStateBkp-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:12 54,760 a------- c:\windows\system32\BMXState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:12 1,080 a------- c:\windows\system32\settingsbkup.sfm
2009-09-17 12:12 1,080 a------- c:\windows\system32\settings.sfm
2009-09-17 12:12 788 a------- c:\windows\system32\DVCState-{00000005-00000000-00000002-00001102-00000005-00311102}.rfx
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-17 12:11 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-17 11:47 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-17 10:04 1,362,944 a------- c:\windows\system32\wbem\cimwin32.dll
2009-09-15 12:10 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-09-15 12:10 26,600 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-15 12:10 <DIR> --d----- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 12:10 <DIR> --d----- c:\progra~2\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 12:10 <DIR> --d----- c:\program files\Bonjour
2009-09-15 12:09 <DIR> --d----- c:\programdata\Apple Computer
2009-09-13 00:30 <DIR> --d----- c:\windows\CheckSur
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-09-02 22:11 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 22:11 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 14:04 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-01 10:56 <DIR> --d----- c:\windows\system32\xlive
==================== Find3M ====================
2009-09-27 14:04 73,312 a------- c:\windows\system32\drivers\adfs.sys
2009-09-17 15:59 86,016 a------- c:\windows\inf\infstrng.dat
2009-09-17 15:59 86,016 a------- c:\windows\inf\infstor.dat
2009-09-17 15:59 51,200 a------- c:\windows\inf\infpub.dat
2009-09-17 12:11 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-17 12:10 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-09-17 12:10 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-08-29 05:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-29 05:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-29 05:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-29 05:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-27 16:25 682,840 a------- c:\windows\system32\drivers\FStopW.sys
2009-08-14 19:27 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-14 18:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 16:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 16:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 16:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 16:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 16:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 16:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 16:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 16:48 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 16:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-07-22 00:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-22 00:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-22 00:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 23:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 16:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 15:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 15:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 15:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 15:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-11 22:01 513,536 a------- c:\windows\system32\wlansvc.dll
2009-07-11 22:01 302,592 a------- c:\windows\system32\wlansec.dll
2009-07-11 22:01 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-07-11 22:01 65,024 a------- c:\windows\system32\wlanapi.dll
2009-07-11 20:03 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-07-10 12:15 306,544 a------- c:\windows\WLXPGSS.SCR
2009-02-25 20:13 174 a--sh--- c:\program files\desktop.ini
2006-11-02 15:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 15:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-06-24 09:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2009-06-11 14:52 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-06-11 14:52 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-06-11 14:52 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-06-11 14:52 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-02-26 00:11 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-02-26 00:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009022520090226\index.dat
============= FINISH: 21:42:42,05 ===============
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 21:46
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x955C3000 Size: 32768 File Visible: No Signed: -
Status: -
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x955B8000 Size: 45056 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA0190000 Size: 49152 File Visible: No Signed: -
Status: -
Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Path: C:\Windows\System32\audiodg.exe
PID: 1228 Status: Locked to the Windows API!
==EOF==
Edited by gimmick, 30 September 2009 - 12:57 PM.