help remove Win32:Trojano-2365 remon.sys

Status
Not open for further replies.
Help please, I tried almost every solution to remove this trojan, but it keeps on coming back.

C:\WINDOWS\system32\remon.sys
Win32:Trojano-2365 [Trj]
Trojan Horse
0604-2, 01/25/2006

Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:06 AM, on 1/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\nvidGUIv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Any help would be appreciated.

Thanks!
 
Hello and welcome to Techspot.

remon.sys is a hacktool rootkit infection, and HJT will do nothing against it.

Go HERE and follow the instructions.

Regards Howard :wave: :wave:
 
Boot into safe mode. See how HERE

Turn off system restore (XP/ME only). See how HERE

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE

Open your task manager by pressing the ctrl/alt/delete keys together, and click on the processes tab. End process for (if there)

nvidGUIv.exe.

Close task manager.

Run HJT with no other programmes open, and let HJT fix the following (if there) by placing a tick in the little box next to it.

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Close HJT.

Click start/run, and type services.msc into the run box, and press the enter key.

When the window appears, maximise it, and locate the service above.

Double click on it, and select stop if it's running. Set the startup type to disabled. Click apply, then ok.

Delete the following bold file (if there)

C:\WINDOWS\System32\nvsvc32.exe

Boot into normal mode, and turn system restore back on.

Regards Howard :)
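
Added example, not part of any post in this thread: a short Python parser for the running-process list and O23 service lines of a HijackThis log like the one posted above, pairing each running process with the service entry that points at the same file. The sample lines are copied from the posted log; the function names are this example's own.

```python
import re

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\nvidGUIv.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# O23 layout as it appears in the log: "<display> [(<name>)] - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

def parse_log(text):
    """Return (running process paths, O23 service records) from a HijackThis log."""
    processes, services, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = O23_RE.match(line)
            if m:
                services.append(m.groupdict())
    return processes, services

def cross_reference(text):
    """Map each running process to the O23 service using the same path, or None."""
    processes, services = parse_log(text)
    by_path = {s["path"].lower(): s for s in services}
    return {p: by_path.get(p.lower()) for p in processes}

def unknown_owner_services(text):
    """Services whose owner field HijackThis printed as 'Unknown owner'."""
    return [s for s in parse_log(text)[1] if s["owner"] == "Unknown owner"]

if __name__ == "__main__":
    for proc, svc in cross_reference(SAMPLE_LOG).items():
        print(proc, "->", svc["display"] if svc else "no O23 service entry")
```

On the sample, both an avast! service and nvidGUIv carry "Unknown owner", so that field is a prompt for a closer look at the file rather than a verdict.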
 