TrojanDownloader:Win32/Renos.JS "not detected by avast"

I found a Trojan that is not detected by avast (TrojanDownloader:Win32/Renos.JS). It is detected by Windows Defender.

Downloaded from the malicious site wXw.amprox.com (it's blocked by Network Shield; you need to turn it off before accessing this site).

I already sent it to virus@avast.com

TrojanDownloader:Win32/Renos.JS is a generic detection for a family of trojans that connect to certain websites in order to download arbitrary files. This may include other TrojanDownloader:Win32/Renos components, and rogue antivirus software such as Trojan:Win32/FakeSecSen or Trojan:Win32/FakeXPA.

Archive: Advance Vista Optimizer 2009 Serial

Details:

Category: Trojan Downloader
Description: This program displays deceptive product messages.
Resources:
process:
pid:476

Resources: C:/windows/task/{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
File: C:/Users/AppData/Local/Temp/b.exe
Task Scheduler: {BB65B0FB-5712-401b-B616-E69AC55E2757}.job

runkey:
HKCU@S-1-5-21-3267215710-2182103882-456097124-1000\Software\Microsoft\Windows\CurrentVersion\Run\PopRock

More detailed information here:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TrojanDownloader%3AWin32%2FRenos.JS&threatid=4295112008
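An added example, not part of the original post: a read-only PowerShell check for the three persistence artifacts the Defender report above lists (the PopRock Run value, the GUID-named .job file, and b.exe in the user's Temp folder). It assumes the .job file lives in the standard %SystemRoot%\Tasks folder and the Temp path is the current user's %LOCALAPPDATA%\Temp, since the report omits the user name; it requires PowerShell 4.0 or later for Get-FileHash and only reports, never deletes.

```powershell
# Added example: report Renos.JS persistence artifacts named in the Defender report.
# Assumed locations: %SystemRoot%\Tasks for the .job file, %LOCALAPPDATA%\Temp for b.exe.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'PopRock'
$jobName  = '{BB65B0FB-5712-401b-B616-E69AC55E2757}.job'
$jobPath  = Join-Path $env:SystemRoot "Tasks\$jobName"
$dropper  = Join-Path $env:LOCALAPPDATA 'Temp\b.exe'

$findings = @()

# 1. Run-key value that relaunches the downloader at every logon
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $findings += [pscustomobject]@{
        Type     = 'RunKey'
        Location = "$runKey\$runValue"
        Detail   = $run.$runValue          # the command line the value points at
    }
}

# 2. Legacy Task Scheduler .job file (pre-Vista task format, still honoured on Vista)
if (Test-Path -LiteralPath $jobPath) {
    $findings += [pscustomobject]@{
        Type     = 'ScheduledTask'
        Location = $jobPath
        Detail   = "LastWrite=$((Get-Item -LiteralPath $jobPath).LastWriteTime)"
    }
}

# 3. Dropped executable in Temp; hash it so the sample can be looked up or submitted
if (Test-Path -LiteralPath $dropper) {
    $hash = (Get-FileHash -LiteralPath $dropper -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $dropper
        Detail   = "SHA256=$hash"
    }
}

if ($findings.Count -eq 0) {
    'No Renos.JS persistence artifacts found at the assumed locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

If the Run value is present but the .job file and b.exe are not, the downloader may already have been cleaned while the autorun entry was left behind, which is worth noting before submitting the sample.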

Hi Llanziel,

And this was the cause of the site having malcode: WordPress 2.6.2 - Warning: Old version of WordPress. It may be vulnerable. Please upgrade.
And with this content also very likely: hxtp://amprox.com/converters/4393/imtoo-dvd-to-ipod-converter-40-serial-keygen-carck-
The technical analysis of the malware in question:
http://www.microsoft.com/Security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Renos.JS&ThreatID=144712 (it is Smitfraud related virus - update your Java version)
Nice removal instructions link: http://www.bleepingcomputer.com/forums/topic69886.html

polonus

Hello,

Has there been any progress with removing this virus with Avast!? I seem to have contracted it as well, and I was about to follow the suggested

Nice removal instructions link: http://www.bleepingcomputer.com/forums/topic69886.html

but the instructions are from 2006 and so I do not know if they are still applicable. I ran a full, high-sensitivity Avast! scan this morning and it picked up nothing, but Windows Defender detects it. Plus, it effectively opens up many IE windows displaying random advertisements, so I know that Defender has failed to remove it even though it says the removal was successful.

Thanks for the help,
~Tanya

Hi Tanya,

Here is a somewhat more recent one:
http://www.pctipp.ch/forum/showthread.php?p=108881
You could use MBAM to remove this malware:
MBAM download link: http://www.malwarebytes.org/mbam-download.php

greetings,

polonus

Thanks for your reply! That’s what I did - used MBAM - and I believe it worked. Just for the sake of clarity, here is my log:

Malwarebytes’ Anti-Malware 1.41
Database version: 2985
Windows 6.0.6001 Service Pack 1

19/10/2009 2:18:32 PM
mbam-log-2009-10-19 (14-18-32).txt

Scan type: Quick Scan
Objects scanned: 91146
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Looks like it found some other stuff too. But thanks for the advice! I also switched back to using Firefox with NoScript; I was using Chrome. I prefer Chrome, but I'm not going to switch back to it until they come out with some kind of NoScript equivalent (I think they're working on it).

Thanks again! And nice picture of Rotterdam, polonus!