Author Topic: remon.sys (Read 11639 times)

ki · « **on:** November 10, 2005, 02:42:01 PM »

i am having problem deleting the file remon.sys
avast says it's gone an repaired but it's still there.
what can i do? this bad file blocked local network and internet as well.
i cant sent or receive mail!!!!!!!!!!!!!!!!!!!
and the worst i am on line with dial-up connection
PLEASE HELP ME

Lisandro · « **Reply #1 on:** November 10, 2005, 03:21:08 PM »

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!

DavidR · « **Reply #2 on:** November 10, 2005, 03:46:57 PM »

A forum search for remon.sys will provid some information on this as it has been covered a few times.

FreewheelinFrank · « **Reply #3 on:** November 10, 2005, 07:18:37 PM »

UnHackMe claims to fix this rootkit:

http://www.greatis.com/unhackme/

I don't thimk anybody has tested it. Ki, maybe you could try it and let us know if it works?

ki · « **Reply #4 on:** November 11, 2005, 09:22:04 AM »

well i hane windows 2000 and avast finds the file and says that removes it but it keeps coming back... i tried allmost everything but nothing seems to work.
i download ewido and for 2 hours i thought that was gone but... i dont have local network either interent.... this is a very tricky file!
the name of the infected file is remon.sys and has been infected by rootkit.agent.ab
i tried with hijackthis but i cant find out wich programms may use this file.

FreewheelinFrank · « **Reply #5 on:** November 11, 2005, 09:41:56 AM »

Hi Ki,

avast! cannot remove these rootkits. You will have to use a specialist anti-rootkit program.

Please try the anti-rootkit program UnHackMe above. You could also try BlackLight from F-Secure:

http://www.f-secure.com/blacklight/

If neither of these two work, please post a HijackThis! log.

http://www.bleepingcomputer.com/forums/tutorial42.html

ki · « **Reply #6 on:** November 11, 2005, 09:55:34 AM »

i did with this with the f-secure application
i am sending the HJT file

FreewheelinFrank · « **Reply #7 on:** November 11, 2005, 10:06:11 AM »

Quote

UnHackMe claims to fix this rootkit:

http://www.greatis.com/unhackme/

Have you tried UnHackMe?

ki · « **Reply #8 on:** November 11, 2005, 12:32:02 PM »

nothing happened. unhackme fids nothing.the real problem is that this file remon.sys an the rootkit.agent.ab or whatever this is called stops rooter from sharing the ip adresses right so this is why internet & local network not working properly. i suppose cause i am not expert on these things. this is the first time i try to fix something like that.
i need simple steps in order to make something with tis threat

FreewheelinFrank · « **Reply #9 on:** November 11, 2005, 08:09:55 PM »

Try this disinfector tool:

http://www.sophos.com/support/cleaners/tlbtwgui.com

Run HijackThis! again. Follow this advice from the BleepingComputer link above:

Quote

Use HijackThis to delete the service. You can click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.

Look for and delete this service:

O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINNT\construct.exe (file missing)

The problem may be gone already but your internet connection may be broken: try using WinsockXPfix to repair your internet connection:

http://www.snapfiles.com/get/winsockxpfix.html

Spiritsongs · « **Reply #10 on:** November 11, 2005, 08:50:55 PM »

I looked thru your HijackThis log and did NOT see any
antiSPYWARE programs listed; do you have any on this
computer ? If yes, what are their name(s) ? Also the log
indicates you have an out-of-date version of the Java
program; would be best if you went to www.java.com
and installed the latest AFTER you uninstall your current
version. However, this should be done AFTER you get the
rootkit OFF your computer.
Having a rootkit, I think it would be best if you got the
assistance of a HijackThis program Expert on one of the
many AntiSPYWARE forums and would suggest you try
www.landzdown.com . This forum is staffed by the
volunteer experts that used to advise on the now-defunct
Lavasoft Ad-Aware Support forums.

ki · « **Reply #11 on:** November 16, 2005, 04:24:40 PM »

well, i had avast, spybot, ad-aware and all these i download for this thing ewido, hjt, f-secure, norton corp edition and some more.
i cant delete the file roemon.sys the network is not working and i dont have internet!
i did what you said i am sending the hjt file

FreewheelinFrank · « **Reply #12 on:** November 16, 2005, 06:15:22 PM »

Trend Micro seem to have added this pest:

http://www.trend.net.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_SDBOT.COO

Remove the rootkit with their Damage Cleanup Engine:

http://www.trend.net.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=2&VName=TROJ_ROOTKIT.S

ki · « **Reply #13 on:** November 16, 2005, 06:51:48 PM »

i cant follow the link! my pc is crazy

Lisandro · « **Reply #14 on:** November 16, 2005, 06:53:04 PM »

Quote from: ki on November 16, 2005, 04:24:40 PM

norton corp edition

What about avast?

Are you using the Corporate version of Norton?

Author Topic: remon.sys (Read 11639 times)

ki

remon.sys

Lisandro

Re: remon.sys

DavidR

Re: remon.sys

FreewheelinFrank

Re: remon.sys

ki

Re: remon.sys

FreewheelinFrank

Re: remon.sys

ki

Re: remon.sys

FreewheelinFrank

Re: remon.sys

ki

Re: remon.sys

FreewheelinFrank

Re: remon.sys

Spiritsongs

Re: remon.sys

ki

Re: remon.sys

FreewheelinFrank

Re: remon.sys

ki

Re: remon.sys

Lisandro

Re: remon.sys