TechSpot

help remove Win32:Trojano-2365 remon.sys

By thepossessed
Jan 26, 2006
  1. Help please, i tried almost every solution to remove this trojan but it keeps on coming back.

    C:\WINDOWS\system32\remon.sys
    Win32:Trojano-2365 [Trj]
    Trojan Horse
    0604-2, 01/25/2006

    Below is my hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:21:06 AM, on 1/27/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\ftp.exe
    C:\WINDOWS\nvidGUIv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    any help would be appreciated.

    thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    remon.sys is a hacktool rootkit infection, and HJT will do nothing against it.

    Go HERE and follow the instructions.

    Regards Howard :wave: :wave:
     
  3. swker98

    swker98 TechSpot Paladin Posts: 1,077

    EDIT: Howards beat me to it

    i would get your computer scaned here also
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE

    Turn off system restore.(XP/ME only) See how HERE

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

    Open your task manager by pressing ctrl/alt/delete keys together, and click on the processes tab. End process for(if there)

    nvidGUIv.exe.

    Close task manager.

    Run HJT with no other programmes open, and let HJT fix the following(if there) by placing a tick in the little box next to.

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Close HJT.

    Click start/run, and type services.msc into the run box, and press the enter key.

    When the window appears, maximise it, and locate the service above.

    Double click on it, and select stop if it`s running. Set the startup type to disabled. Click apply ok.

    Delete the following bold file(if there)

    C:\WINDOWS\System32\nvsvc32.exe

    Boot into normal mode, and turn system restore back on.

    Regards Howard :)
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...