TrojanDownloader:Win32/Renos automatically downloads unwanted software such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability.

What to do now

Manual removal is not recommended for this threat. Use Microsoft Windows Defender, Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see

Threat behavior

TrojanDownloader:Win32/Renos usually copies itself to C:\winstall.exe and runs that file, which in turn may create the following additional files:

  • %windows%\<random filename>.exe

To load when Windows is started, TrojanDownloader:Win32/Renos may modify the registry as follows:

  Adds value: Windows installer
  or value: Windows update loader
  With data: <path to dropped executable>
  In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Some variants install a Browser Helper Object that loads when Microsoft Internet Explorer is opened.

Some variants also drop a DLL in the %system% folder.
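The autorun values described above can be checked for in an exported copy of the Run key. The following is an added triage example, not code from this entry or from Microsoft; the function names, the default Windows directory of C:\Windows and the sample export are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators from the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAMES = {"windows installer", "windows update loader"}
DROPPER = r"C:\winstall.exe"

# "name"="data" line; backslash and quote are backslash-escaped in .reg files.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def path_fits_description(data, windows_dir=r"C:\Windows"):
    """True if data is C:\\winstall.exe or an .exe directly in windows_dir."""
    path = data.strip('"').lower()
    in_windows_root = ntpath.dirname(path) == windows_dir.lower()
    return path == DROPPER.lower() or (in_windows_root and path.endswith(".exe"))

def find_renos_autoruns(text, windows_dir=r"C:\Windows"):
    """Return (name, data, path_fits) for Run values using the Renos names.
    A name match is a lead for a scanner to confirm, not a verdict."""
    return [(name, data, path_fits_description(data, windows_dir))
            for key, name, data in parse_reg_export(text)
            if key.lower() == RUN_KEY.lower() and name.lower() in VALUE_NAMES]

# Constructed sample, in the format written by `reg export` (decoded to text).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows update loader"="C:\\WINDOWS\\xkqzt.exe"
"windows Installer"="C:\\winstall.exe"

[HKEY_CURRENT_USER\Software\Example]
"Windows installer"="C:\\elsewhere.exe"
'''

if __name__ == "__main__":
    for hit in find_renos_autoruns(SAMPLE):
        print(hit)
```

Files written by `reg export` are UTF-16, so decode them with `encoding="utf-16"` before passing the text in.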


Symptoms of a Win32/Renos infection may differ according to the particular variant. The trojan may display a red (possibly blinking) icon in the system tray, such as the one in the following image:
Win32/Renos may also display a deceptive message which warns that the computer is infected; the warning encourages the user to download certain software that allegedly provides malware or spyware protection. Following are two variations of a warning message that may appear:


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.203.795.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Sep 13, 2006
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32.Renos (F-Secure)