Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: GinaPA on September 23, 2005, 07:14:22 PM

Title: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 23, 2005, 07:14:22 PM
I tried finding help for my problem on Avast's website before posting this, but I was unable to find any so I hope someone here can help me.

Avast alerted me that I have the Win32:Trojano-2502 [Trj] and suggested that I "move it to chest." Unfortunately, when I do this, a pop-up box tells me it "cannot access the file because it is being used by another process." The file showing is "cursors\rasvb.dll." I ran SpyBot but it found nothing. I even downloaded Avast's virus cleaner but I haven't installed it yet because this trojan is not listed as one that this program will fix.

Can someone help me get rid of this please?

Thank you,
GinaPA
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DraykoDog on September 23, 2005, 07:58:26 PM
I hope you get a response to this because I am having the exact same problem with the exact same trojan (and have tried everything you have to fix it). I am very careful about what I download and read, so am not sure where it came from. Ewido (I have several spyware removers I use regularly) froze up when it got to this file: C:\WINDOWS\system\runole.dll which is where Avast is saying this trojan is. I am running Win XP if that helps.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 23, 2005, 08:26:08 PM
Files in use are protected by Windows from being moved or deleted.

If you have winXP/NT/win2k you can schedule a boot-time scan from within avast!

(http://img.photobucket.com/albums/v325/for-dwr/boottime.jpg)

If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan.
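As an added example, not part of the thread, here is how to see what is actually holding a file before falling back on a boot-time scan, since "cannot access the file because it is being used by another process" only tells you that something has it open or mapped. It is PowerShell on a current Windows run as Administrator (an assumption; on the XP machines in this thread the same check was done with a tool such as Process Explorer). The path is the one Gina reported; nothing here claims anything about what that file does.

```powershell
# Added example (not from the forum thread): show what is holding a DLL that
# avast! cannot move to the Chest. Assumes a modern Windows, PowerShell 5+,
# and an elevated session. Default path is the one reported in the thread.
param(
    [string]$SuspectPath = 'C:\Windows\cursors\rasvb.dll'
)

$name = Split-Path -Leaf $SuspectPath

# 1. Facts about the file itself: size, timestamps, hash, Authenticode status.
#    An unsigned DLL that appeared recently in a system folder is what you
#    expect of a dropped file; a hash lets you look it up elsewhere.
if (Test-Path -LiteralPath $SuspectPath) {
    $f = Get-Item -LiteralPath $SuspectPath -Force
    [pscustomobject]@{
        Path     = $f.FullName
        Bytes    = $f.Length
        Created  = $f.CreationTime
        Modified = $f.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Signed   = (Get-AuthenticodeSignature -LiteralPath $f.FullName).Status
    } | Format-List
} else {
    Write-Warning "$SuspectPath not found (already removed, or hidden from this session)"
}

# 2. Which user-mode processes have it loaded as a module right now.
#    Reading another process's module list needs admin rights and matching
#    bitness; processes we cannot open are skipped rather than aborting.
$holders = foreach ($p in Get-Process) {
    try {
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $name }
        if ($hit) {
            [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Module = $hit.FileName }
        }
    } catch {
        # access denied / wow64 mismatch: nothing to report for this process
    }
}

if ($holders) {
    $holders | Format-Table -AutoSize
} else {
    "No running process reports $name as a loaded module (a kernel-mode component or a handle held by a protected process would not show here)."
}
```

If a process does show up, that is the one to stop (or the service to disable) before retrying "move to Chest"; if nothing shows and the file is still locked, the boot-time scan DavidR describes is the right next step, because it runs before whatever loads the file has started.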
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DraykoDog on September 23, 2005, 09:04:27 PM
I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that). I Googled the trojan and found nothing about it, so I'm at a loss to what to do next. Did it work for you, GinaPA?
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 23, 2005, 09:32:06 PM
I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that). I Googled the trojan and found nothing about it, so I'm at a loss to what to do next. Did it work for you, GinaPA?
It's not safe mode but boot time scanning  :)
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: lakrsrool on September 23, 2005, 09:58:41 PM
DavidR wrote:
Quote
If you have winXP/NT/win2k you can schedule a boot-time scan from within avast!
If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan.

DraykoDog wrote:
Quote
I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that).

Tech wrote:
Quote
It's not safe mode but boot time scanning

^ Tech, I don't know what OS DraykoDog has but I think DavidR was referring to those who do not have "winXP/NT/win2k" OS's (i.e. WIN98) when he said "If not, boot into safe mode (press the F8 key on boot) and start avast and run a scan."

Correct me if I'm wrong, but it is my understanding that I would have to apparently run Avast in safe mode in this case since Avast cannot run a boot time scan for WIN98.

Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 23, 2005, 10:02:07 PM
I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that). I Googled the trojan and found nothing about it, so I'm at a loss to what to do next.
Do as I suggested and schedule a boot-time scan from within avast, open the simple user interface as if you were going to run a scan and click the menu and select the schedule boot-time scan as in the image above. That way the file won't be in use so it can be deleted or moved.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 23, 2005, 10:05:47 PM
Correct me if I'm wrong, but it is my understanding that I would have to apparently run Avast in safe mode in this case since Avast cannot run a boot time scan for WIN98.

You are not wrong, avast can only schedule a boot-time scan with the NT-based OSes I mentioned.

The rest including win98 have to use safe mode which is not as effective as some viruses are obviously still active in safe mode.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DraykoDog on September 23, 2005, 10:51:23 PM
I ran the boot scan and got the file moved...yay! Thank you everyone for your help!  :D
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 24, 2005, 12:31:31 AM
Well done, welcome to the forums.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 24, 2005, 02:14:27 AM
I ran avast in safe mode and it still wouldn't move the file to chest (saying it was used by another process or something like that). I Googled the trojan and found nothing about it, so I'm at a loss to what to do next. Did it work for you, GinaPA?

I'm not sure yet (I'll explain in a minute)??? BTW...I also did a check with Google and couldn't find info on it either.

I was able to run a boot-time scan from the option shown on the Avast warning box. It took about 45 minutes!!  :o

It caught a few problems for me. The first was a vbs:malware [script]
I tried selecting "repair it", then "repair all" when nothing happened. When nothing happened again I choose "Delete all." (That always makes me nervous though)!!
Then the scan then continued.

The FIRST trojan was located at:
c\documents and settings\owner\localsettings\temporaryinternetfiles\content.IE5\ULW9YTE3\ifm[1] and it was infected by win32:trojano-2502 YES!!  :D
It deleted this automatically (I suppose because I chose this option earlier) and the scan continued.

I ran into a second and third malware script that was deleted and the scan resumed automatically.

THEN....it found the second win32trojano-2502 at:
c:\windows\cursors\rasvb.dll
HOWEVER...Rather than doing anything on its own, Avast asked if I REALLY wanted to delete this. THAT made me nervous because earlier I was told it was also used by another process--so instead I said no. I chose "repair" but nothing happened. The only thing left (other than to delete it), was "ignore." That got the scan moving again and it was finished shortly after that.

I'm a little confused because I expected the warning to come up again since I ignored that second infected file--but it booted up with no warning about it given!
I immediately came here to post my scan results but a minute ago a small box came up (several times, actually) that said: "Error loading c:\window\cursors\rasvb.dll" and I had to click "OK" to get rid of it.

So, can you tell me what this means and how I should proceed??

Thanks again.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 24, 2005, 02:51:36 AM
It caught a few problems for me. The first was a vbs:malware [script]
I tried selecting "repair it", then "repair all" when nothing happened. When nothing happened again I choose "Delete all." (That always makes me nervous though)!!
Well, trojans can't be repaired as the 'malware' is the entire file, I mean, to repair you need to delete it. Some viruses just attach themselves to part of a file, and then that part can be repaired. Trojans don't.
Everything is fine.

It deleted this automatically (I supppose because I chose this option earlier) and the scan continued.
Yes, works like it should.

THEN....it found the second win32trojano-2502 at:
c:\windows\cursors\rasvb.dll
HOWEVER...Rather than doing anything on its own, Avast asked if I REALLY wanted to delete this. THAT made me nervous because earlier I was told it was also used by another process--so instead I said no. I chose "repair" but nothing happened. The only thing left (other than to delete it), was "ignore." That got the scan moving again and it was finished shortly after that.
If you go to the boot time scanning scheduler you'll see all these options. You'll see them in the help file too.
It's not a surprise. Everything is as it should be. This file is under a system folder (windows) and the system, as a precaution, asks a second time.
Deleting a necessary file could prevent the system from booting.

I'm a little confused because I expected the warning to come up again since I ignored that second infected file--but it booted up with no warning about it given! I immediately came here to post my scan results but a minute ago a small box came up (several times, actually) that said: "Error loading c:\window\cursors\rasvb.dll" and I had to click "OK" to get rid of it. So, can you tell me what this means and how I should proceed??
When you ignore the infection it stays there... Could you run an avast! scan inside Windows and see what you get. I mean, not at boot time but right now, inside Windows.
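The "Error loading c:\window\cursors\rasvb.dll" box Gina saw after the boot-time scan is the message rundll32.exe puts up when a startup entry points at a DLL it can no longer load: the file is gone (or unreadable) but the load point that referenced it is still in place. The thread never says which load point it was. As an added example, not part of the thread, the PowerShell below searches the usual ones for a reference to the file name; it assumes a current Windows, an elevated session, and the path from the thread.

```powershell
# Added example (not from the forum thread): find the load point that still
# references a deleted DLL, which is what produces "Error loading <path>" at
# logon. Assumes modern Windows, PowerShell 5+, elevated session.
param(
    [string]$SuspectPath = 'C:\Windows\cursors\rasvb.dll'   # path reported in the thread
)

$name    = Split-Path -Leaf $SuspectPath
$pattern = [regex]::Escape($name)
$hits    = New-Object System.Collections.Generic.List[object]

# 1. Registry Run keys plus the Winlogon and AppInit values, read value by value,
#    because the file name can sit inside a longer command line.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell, Userinit
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs, Load
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not registry data
        if ("$($prop.Value)" -match $pattern) {
            $hits.Add([pscustomobject]@{ Where = $k; Name = $prop.Name; Data = "$($prop.Value)" })
        }
    }
}

# 2. Everything WMI reports as a startup command (Run keys and Startup folders).
Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -match $pattern } |
    ForEach-Object {
        $hits.Add([pscustomobject]@{ Where = $_.Location; Name = $_.Name; Data = $_.Command })
    }

# 3. Scheduled tasks whose action runs or passes the file (cmdlet exists on Win8+/2012+).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmdline = "$($a.Execute) $($a.Arguments)"
            if ($cmdline -match $pattern) {
                $hits.Add([pscustomobject]@{ Where = "Task $($t.TaskPath)"; Name = $t.TaskName; Data = $cmdline })
            }
        }
    }
}

if ($hits.Count) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    "No load point references $name in the locations checked."
}
```

Whatever this turns up is the entry to remove (after noting it down), not just the file; deleting the DLL alone is what leaves the error box behind, and if the entry is a rundll32 call with arguments those arguments are worth keeping for the record.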
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 24, 2005, 03:10:27 AM
When you ignore the infection it stays there... Could you run an avast! scanning into Windows and see what you get. I mean, not at boot time but right now, into Windows.
Quote

i'm not sure what you mean by this or how to do it?

I guess I should tell you that I just restarted my computer before reading your response because many of my normal startup programs weren't loaded when I did the Avast boot-time scan. I thought (and after reading your reply I thought you also felt), that the ignored, infected file would still be in my computer because I had chosen "ignore." So I was expecting to get the Avast warning even after restarting, but so far nothing!!?? Could this mean it DID get rid of the virus (because I had originally only gotten the one warning regarding the virus infecting C:windows\cursors\rasvb.dll)?????

I'm so confused!!!!  ???
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 24, 2005, 03:22:44 AM
i'm not sure what you mean by this or how to do it?
Start Menu > avast! antivirus > avast!
Mark to scan the whole disks with archive scanning too.
Then click on the 'play' button to run a scan.

I thought (and after reading your reply I thought you also felt), that the ignored, infected file would still be in my computer because I had chosen "ignore." So I was expecting to get the Avast warning even after restarting, but so far nothing!!?? Could this mean it DID get rid of the virus (because I had originally only gotten the one warning regarding the virus infecting C:windows\cursors\rasvb.dll)?????
Take it easy. Don't get confused... it will be worse.
Run an avast! scan like I posted before. And post what you get. It's safer to send the file to the Chest than to delete it.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 24, 2005, 05:05:57 AM
OK--I ran it--it took forever!!  the log came up. NOTHING was found, BUT....the results from the 880 lines shown all say "unable to scan ar...." (I assume that means "Archive?") Does this mean after all that time it was not able to scan ANYTHING????

Unfortunately, for whatever reason, everytime I try to click on that log window, it goes to the background--even if I try to hit "Action" or "close??????"

It's after 11:00 here on the east coast and I have to get up early for work in the morning, so I better shutdown for the night-- but I would appreciate any other info you can give me! I will be sure to check here as soon as I get home.

Thank you so much for trying to help me. Good night.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 24, 2005, 03:20:22 PM
Run an avast! scan like I posted before. And post what you get. It's safer send the file to Chest not delete it.
Quote

OK--I booted up this morning and have not received any alerts from Avast! Could this mean that the virus IS in the chest and that I'm safe (the one infected file did go there with no problem)??? I was unsure if my choice during the boot-time scan for that other infected file was the correct choice, but since I'm not getting any further warnings, is it possible that I did get rid of the virus????

I really appreciate all the help you've given me. You people here are great.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 24, 2005, 03:51:03 PM
Files unable to be scanned could be in use, or could be password protected. I wouldn't worry about them.
Please, on the 'Report file' options just click on the 'Infected files' unchecking the other options (hard errors, soft errors, etc.).
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 24, 2005, 04:27:25 PM
Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected, you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), this will reduce the numbers of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 25, 2005, 03:08:33 PM
Files unable to be scanned could be in use, could be password protected. I won't worry with them.
Please, on the 'Report file' options just click on the 'Infected files' unchecking the other options (hard errors, soft errors, etc.).

All 880 items were shown as "unable to scan ar...."!!!!????
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 25, 2005, 03:14:14 PM
You can expand the column width to view the complete text, hover your mouse pointer over the gap between the column titles and the mouse pointer will change to something like this <-|-> click the left mouse button, hold it and drag it to the right.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 25, 2005, 04:34:28 PM
I opened Avast's log viewer but it was blank! Does this mean I didn't save it and need to run a scan all over again??????
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 25, 2005, 05:02:52 PM
The scan log is not saved in the home version only the Pro version.

You can only view at the time of creation in the window that is opened after the scan. I wouldn't worry about doing it now, just check it the next routine scan that you do (I do mine once a week as a part of my regular system maintenance).

As I have said before files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned, so don't worry unduly.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: igor on September 26, 2005, 12:27:41 AM
The scan log is not saved in the home version only the Pro version.

You can only view at the time of creation in the window that is opened after the scan. I wouldn't worry about doing it now, just check it the next routine scan that you do (I do mine once a week as a part of my regular system maintenance).

That's not true, I'm afraid ;)
Obviously, you are talking about report file. You just have to turn on the creation of the report file and select what kind of records should be written there - the setting is available in program settings, even in the Home version.
However, it's important not to confuse the report file and the event logs (which is what you see with avast! Log Viewer). You can also configure what is stored in the logs (program settings, Logging), but it's something else than the scan report file.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 26, 2005, 12:50:54 AM
Quote
That's not true, I'm afraid  ;)
Obviously, you are talking about report file.
Thanks Igor
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 26, 2005, 01:14:16 AM
I thought I was OK after not getting any warnings since moving that one infected file to the chest last night, but I just got the warning again a few minutes ago.  It was the same Trojan-2502, but the file was different. This time it was C:\system\VolumeInformation\_restore{10D4B4EE-7C0B-4339-9C7........" HOWEVER...I was able to move it to the chest!!!  :D

Assuming I'm OK now, should I leave the trojan in the chest permanently, or do you delete worms and viruses after so long?? You also said you run it once a week--I haven't been doing that with Avast because I thought it's supposed to alert you when you have a problem (which it has)???? I do run run my spy programs weekly for adware so I didn't think I needed to do anything more!??

I think I need to spend some time looking through the help files and read about the different options using Avast. I know I did this when I first installed it (quite a while back), but I think it's time to go over it all again........Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 26, 2005, 01:15:23 AM
I have just ticked the Create Report file and found that if you don't view the report file whilst the simple user interface is open the View Scan Reports... option is grayed out when you come back in again, so too is the Last Scan Results...

This is what I was really getting on about if they don't view it at directly after the scan you can't view it using the SUI menu, rather the user would have to know where the default report file is located "D:\Program Files\Alwil Software\Avast4\DATA\report\Simple user interface.txt".

I also see that the two reports are slightly different in that the excluded files are listed on the Last Scan Results... but not on the View Scan Reports...
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 26, 2005, 01:19:17 AM
Quote
This time it was C:\system\VolumeInformation\_restore{10D4B4EE-7C0B-4339-9C7........" HOWEVER...I was able to move it to the chest!!!

Somehow or other I doubt that it has been moved as the System Volume Information folder is a part of System Restore and as such is protected by windows. To totally remove it you will need to disable system restore (this will clear all restore points including the infected one), reboot and scan again, if it is clear you can then enable system restore again.

Re files in the virus chest.
Leave the file in the avast Chest, a protected area where it can do no harm. You should leave it there for a week or two to ensure no harmful effects of having moved it. If there are no harmful effects, then scan it again if that scan also confirms it as infected you can delete it from within the chest.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 26, 2005, 01:23:16 AM
Just to add some words to Igor's.
With the Pro version you can work with the results, click and take an action.
With the Home version you have only the report, a txt file, and you have to take actions (rescan, send to Chest, etc.) manually.

Gina, after all, can we help you in anything more?
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 26, 2005, 01:49:27 AM
Quote
Somehow or other I doubt that it has been moved as the System Volume Information folder is a part of System Restore and as such is protected by windows. To totally remove it you will need to disable system restore (this will clear all restore points including the infected one), reboot and scan again, if it is clear you can then enable system restore again.

Oh no!!! Yesterday when it wouldn't move a file to the chest, it told me it couldn't do it--so today, when the alert disappeared after I chose to move this latest file there, that it did do it!!!??? Now I'm REALLY confused (I was looking for a "gone insane" smileycon to insert here--but there isn't one)!!!!!.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 26, 2005, 01:57:10 AM
What are you confused about? my crystal ball is on the blink ;D

Win XP-ME - How to disable System Restore (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once you have disabled system restore, reboot, that should automatically delete the contents of the _Restore folders. Scan your PC again and if clear enable system restore.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 26, 2005, 02:06:13 AM
What are you confused about? my crystal ball is on the blink ;D

I was confused because the alert box did go away when I moved it to the chest. But now it seems that apparently I only thought my problem was gone! (That's what I get for thinking)!!

Ok--I'm going to try what you said, although it probably won't be until tomorrow cuz I've got to eat dinner now. It's just a little late--8:00 here on the east coast!

Thank you AGAIN.....Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Spiritsongs on September 26, 2005, 06:59:23 PM
:) Hi GinaPA :

Having read through this thread & coming from an anti-spyware "orientation", it seems you should ask for help from experts on the forum of your anti-spyware app !? If you have Ad-Aware, go to www.landzdown.com and if you have Spybot, http://forums.net-integration.net/index.php? . Both forums have experts in the use of the HijackThis program, which may be needed to remove whatever you have, which may be more than what is showing up on your scans !?
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: KimG on September 27, 2005, 01:31:34 PM
Hi everyone, I'm a newbie here.  I came here as a last resort, and I have the exact same problem as Gina!  I have a little different twist, though.  When I schedule a boot-time scan, the scan completes correctly, but when the results appear and I'm given choices about whether to delete, delete all, etc., my computer locks up and my only option is to reboot, at which time I cannot get Avast to move or delete the Trojan because the file is in use when Windows starts.  Running in safe mode will not allow its removal, either.  I've tried everything that was suggested here on the forum, but nothing has worked.  This has been going on for days, and I'm perplexed as to what I should do next.  I even downloaded AVG to see if I had better luck with the removal, but still no success.  I did Symantec's online scan, which gave me the same results, and suggested that it came from someone clicking on a link in Instant Messenger, which my daughter uses for hours every day, although she swears she has never clicked on any links nor downloaded files via IM.  I followed Symantec's instructions for removal using the registry, but the files they told me to look for aren't even IN my registry---or at least, they don't say they are associated with this particular Trojan.  I have my doubts as to whether it's possible to remove it that way, anyhow, since it always seems to be in use when Windows is running.  Any further advice, before I go stark raving mad?  Thanks!!
Kim G
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 27, 2005, 01:42:21 PM
KimG, can you post the name of the infected file and full path?
Which action did you take that freeze the computer at boot time?

Please, uninstall avast! to use AVG otherwise they will conflict.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: FreewheelinFrank on September 27, 2005, 02:13:34 PM
Kim,

The computer may freeze during a boot time scan if you are using a cordless mouse. (The mouse driver isn't loaded during the scan.) Try plugging in an old corded mouse if you have one.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 27, 2005, 05:17:06 PM
Quote
suggested that it came from someone clicking on a link in Instant Messenger

Your daughter may indeed be innocent (at least this time!!!  ;) ) --I haven't used an instant messenger in ages so I couldn't have gotten infected that way. I'm suspecting I picked up the worm from a website I visited because I also never open e-mail attachments.

BTW....My computer still seems to be acting OK [A big thanks and applause]--no warnings yesterday or today--(But I still cringe out of fear that it will happen for the first hour or so after I boot up)!! That was the first infection I've ever had in 8 years of owning a computer and I don't EVER want another one!.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: ASB on September 28, 2005, 12:09:01 AM
I seem to be having a similar problem.
Last night, I clicked on delete at startup. From the log, it appears it's still there.
The problem today is that when I booted my laptop, I didn't see anything but the background on my screen - no icons, etc. - and had to use task manager to get into things.
Does anyone have any idea what I did do, if I still have the trojan, and what might work to fix this?

This is what part of my log says:


9/26/2005   9:06:11 PM   1127786771   SYSTEM   1836   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/26/2005   9:38:11 PM   1127788691   SYSTEM   1836   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/26/2005   9:43:07 PM   1127788987   SYSTEM   1836   AAVM - scanning warning: x_AavmCheckFileDirectEx: http://update-spui.nscpcdn.com/update/safetynet.2005.09.26.xpi (C:\WINDOWS\TEMP\_avast4_\PxB539.tmp) returning error, 0000A474. 
9/26/2005   10:10:11 PM   1127790611   SYSTEM   1836   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/26/2005   10:42:10 PM   1127792530   SYSTEM   1836   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/27/2005   3:52:57 PM   1127854377   SYSTEM   1536   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/27/2005   3:53:59 PM   1127854439   SYSTEM   1536   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
9/27/2005   4:26:43 PM   1127856403   SYSTEM   1536   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file. 
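ASB's reading of the log is the right one: the same path is reported again on the next day, so the "delete at startup" did not take. As an added example, not part of the thread, the PowerShell below parses lines of that shape and groups detections by file, so a file that keeps coming back stands out from one-off hits. The sample lines are copied from the post above (three of the eight, one of them the non-detection warning); the fields are read as date, local time, Unix timestamp, account, process id and message, an interpretation the posted lines bear out (9:06:11 PM local against 02:06:11 UTC on the next calendar day).

```powershell
# Added example (not from the forum thread): parse avast! event-log lines of
# the kind posted in the thread and summarise detections per file.
# Sample input below is copied from the thread; the field layout is inferred.
$sample = @'
9/26/2005   9:06:11 PM   1127786771   SYSTEM   1836   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file.
9/26/2005   9:43:07 PM   1127788987   SYSTEM   1836   AAVM - scanning warning: x_AavmCheckFileDirectEx: http://update-spui.nscpcdn.com/update/safetynet.2005.09.26.xpi (C:\WINDOWS\TEMP\_avast4_\PxB539.tmp) returning error, 0000A474.
9/27/2005   3:52:57 PM   1127854377   SYSTEM   1536   Sign of "Win32:Trojano-2502 [Trj]" has been found in "C:\WINDOWS\Downloaded Installations\dbimg.dll" file.
'@

function ConvertFrom-AvastLogLine {
    param([string]$Line)
    # date  time(AM/PM)  unix-epoch  account  pid  message ; runs of spaces between fields
    if ($Line -notmatch '^(?<date>\S+)\s+(?<time>\S+ [AP]M)\s+(?<epoch>\d+)\s+(?<acct>\S+)\s+(?<pid>\d+)\s+(?<msg>.*)$') { return }
    $m = $Matches                       # copy: the next -match below overwrites $Matches
    $o = [pscustomobject]@{
        Local     = [datetime]"$($m.date) $($m.time)"
        Utc       = [DateTimeOffset]::FromUnixTimeSeconds([int64]$m.epoch).UtcDateTime
        Account   = $m.acct
        PID       = [int]$m.pid
        Detection = $null
        Path      = $null
        Message   = $m.msg.Trim()
    }
    # Only "Sign of ... has been found in ... file." lines are detections;
    # everything else (scan warnings, errors) is kept with Detection empty.
    if ($o.Message -match 'Sign of "(?<det>[^"]+)" has been found in "(?<path>[^"]+)" file\.') {
        $o.Detection = $Matches.det
        $o.Path      = $Matches.path
    }
    $o
}

$events = $sample -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-AvastLogLine $_ }

# Detections grouped by path: how often, over what span, under which name(s).
# Hits spread over more than one boot cycle mean the file was never removed.
"== Detections by file =="
$events | Where-Object Detection | Group-Object Path | ForEach-Object {
    $sorted = $_.Group | Sort-Object Local
    [pscustomobject]@{
        Path  = $_.Name
        Hits  = $_.Count
        First = $sorted[0].Local
        Last  = $sorted[-1].Local
        Names = ($_.Group.Detection | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap

# Non-detection entries are worth reading too; here, a download avast! could not scan.
"== Other entries =="
$events | Where-Object { -not $_.Detection } | Select-Object Local, Utc, Message | Format-List
```

Run against a full avast! log (the file the Log Viewer shows), the same grouping separates a browser-cache hit that was cleaned once from a resident file the on-access scanner trips over every time something touches it, which is the case for dbimg.dll above.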
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 28, 2005, 06:03:20 PM
Quote
This file is under a system folder (windows) and the system, for precaution, ask a second time.
Deleting a necessary file could avoid the system to boot.

Now my neighbor is infected with trojano 2365 so here I am asking for your help once again!

She ran into the same problem that I did where Avast asked if she is sure she wants to delete an infected file. This came up after she initially chose "repair all" and got a message stating "repair error 42060." Selecting "move all" did nothing either. Can she select "delete all" in this case? And if you select delete, does this mean it will only delete the worm or could it delete an important file and disable your computer??  Please help-- Although my computer is running fine now, my mind was so boggled that I forget how I finally did end up getting rid of trojano 2502!! Thanks.......Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 28, 2005, 07:17:31 PM
Can she select "delete all" in this case? And if you select delete, does this mean it will only delete the worm or could it delete an important file and disable your computer??
The better option will be running avast! in a normal Windows session and sending the files to the Chest for further analysis and to check whether the system will be harmed.
It will be better than running a boot time scan with a lot of infected files. At that time, boot time, the Chest is not available.
Can you boot, login Windows and run avast?
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 28, 2005, 09:56:55 PM
I just came back from her house and hopefully got her straightened out--thanks to all the help you all gave me in getting rid of my worm! Once I saw her Avast boot-time scan window I recalled what you told me to do. Afterwards, I stayed to make sure her computer was running fine for quite awhile before I figured it was OK to leave.

Thanks (AGAIN) for your help! As for me, I've gone back to using Firefox and Thunderbird--I can't use the emoticons here now (guess they're only designed to work with IE), but that's OK. I'll gladly sacrifice some minor perks on a few websites here and there for security (I'm not kidding myself, I know FF and Thunderbird have had a few breaches reported, but considering that no browser is 100% safe, I've got to go with one that I feel is MUCH more secure)........Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 29, 2005, 12:40:13 AM
The emoticons work just fine with firefox if you have the latest version or any one from about 1.0.4 on I think latest version is 1.0.7  :)

I still use the firefox BBCode extension quicker to use and stay in the Quick Reply window as it has the editing tools.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on September 29, 2005, 01:33:00 AM
Quote
I still use the firefox BBCode extension

Thanks! I'm going to have to look into that.......Gina  :)
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on September 29, 2005, 01:08:22 PM
Hi, I also have the same problem... my laptop is infected by the same virus name but it's not trojano-2502... it's win32:trojano-2365[trj]... I'm using windows XP pro service pack 1. I did the boot-time scan.. it asked me whether I'm sure or not to delete the infected file. I chose delete.. then my laptop booted just fine... I thought it was ok but just to be safe, I did the scan again in windows... Avast! detected the same file again at the same directory !!! Please, I don't know what else to do... the name and the directory of the infected file is C:\WINDOWS\System32\Remon.sys when asked to move to chest, it cannot move the file because it is being used by another program but I already did the boot-time scan !!!!

I AM SO HELPLESS RIGHT NOW !!!!
PLEASE HELP !!!
 :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 29, 2005, 01:54:09 PM
Hi, I also have the same problem... my laptop is infected by the same virus name but it's not trojano-2502... it's win32:trojano-2365[trj]... can I do the same steps as the others?? I mean run a boot-time scan for this virus...
Do you have Windows XP on your laptop? If so, go ahead.
I'd like to suggest you run, first, a full scan with avast! inside Windows, sending infected files to the Chest, then the boot time scan for residual infections.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on September 29, 2005, 01:56:25 PM
Hi, I also have the same problem... my laptop is infected by the same virus name but it's not trojano-2502... it's win32:trojano-2365[trj]... I'm using windows XP pro service pack 1. I did the boot-time scan.. it asked me whether I'm sure or not to delete the infected file. I chose delete.. then my laptop booted just fine... I thought it was ok but just to be safe, I did the scan again in windows... Avast! detected the same file again at the same directory !!! Please, I don't know what else to do... the name and the directory of the infected file is C:\WINDOWS\System32\Remon.sys when asked to move to chest, it cannot move the file because it is being used by another program but I already did the boot-time scan !!!!

I AM SO HELPLESS RIGHT NOW !!!!
PLEASE HELP !!!
 :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(  :'(
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 29, 2005, 02:06:28 PM
I'm using windows XP pro service pack 1.
Why not SP2? You'll be more protected...

C:\WINDOWS\System32\Remon.sys
Search Google for Remon.sys and you'll find a lot of info. It's not easy to get rid of it...
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 29, 2005, 02:14:07 PM
Description: http://www.sophos.com/virusinfo/analyses/w32tilebots.html and http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?VName=TROJ_ROOTKIT.S

Removal: http://www.sophos.com/virusinfo/analyses/w32tilebots.html
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on September 29, 2005, 04:29:02 PM
hmm... I see.. so, this remon.sys is quite a tough virus.. is it? How about if I just reformat my laptop, will the virus be gone by doing that...?? anyway, thanks for all the help..
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 29, 2005, 04:55:25 PM
How about if I just reformat my laptop, will the virus be gone by doing that...??
It's a hard solution but should work. If you do so, it is better to have a DOS floppy and use fdisk to delete the partition. When you create a new one, not only can it be formatted but the boot sector of the disk is renewed, avoiding boot viruses.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 29, 2005, 05:28:10 PM
It would appear to be a rootkit virus, which is not only hard to detect but also hard to remove.

Try this first to see if it is running as a hidden service.
    * As an administrator user, right-click on My Computer, select Properties/Hardware and click on the Device Manager button;
    * Select View/Show Hidden Devices - this will reveal a new category "Non-Plug and Play Drivers";
    * Expand this to see the legacy drivers - any belonging to uninstalled software can be removed by right-clicking and selecting Uninstall.

If so, this will stop the service and hopefully allow you to delete the remon.sys file.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so search the registry for remon.sys. Or you could try a registry cleaner.

This is not an easy process but I feel less of an issue than a format and start from scratch.

I would also suggest you read this to help stop things like this getting a toe hold in the first place - Security Tips & Tricks - DropMyRights (http://forum.avast.com/index.php?topic=7204.msg128315#msg128315)
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on September 30, 2005, 07:44:56 AM
I have followed your instructions to uninstall the non plug and play devices... I did find the Remon in the list and I've already uninstalled the file.. after restarting the laptop I tried to delete the file remon.sys but it still won't delete.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so search the registry for remon.sys. Or you could try a registry cleaner.

I'm not really familiar with all this... how to search the registry?? how to clean it?? how can I know that a certain registry entry is for remon.sys??

uwaaaaa!!  :'(  :'(  :'(

what should I do now?? the laptop is brand new and I don't want it to crash... can the virus do any damage to the hardware as well??

Please help...

p/s: actually where did this type of virus come from?? is it from IM or email attachment or IE browser??
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Lisandro on September 30, 2005, 02:15:54 PM
what should I do now?? the laptop is brand new and I don't want it to crash... can the virus do any damage to the hardware as well??
I really doubt it... but if you aren't able to clean it, can't you format and start again?

p/s: actually where did this type of virus come from?? is it from IM or email attachment or IE browser??
Generally, any shared network could get it. I mean, could be by any of the ways you've written.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 30, 2005, 02:39:33 PM
I have followed your instructions to uninstall the non plug and play devices... I did find the Remon in the list and I've already uninstalled the file.. after restarting the laptop I tried to delete the file remon.sys but it still won't delete.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so search the registry for remon.sys. Or you could try a registry cleaner.

I'm not really familiar with all this... how to search the registry?? how to clean it?? how can I know that a certain registry entry is for remon.sys??
Ensure that the remon.sys device has been removed from the list (uninstalled) and reinstalled. If you haven't already disabled system restore, do that; otherwise when you delete a file from a system folder Windows saves it in a restore point, and if you use system restore at a later time you could reinstate the remon.sys file. Once everything is resolved you can enable system restore again.

Boot into safe mode: press F8 during boot and select safe mode from the options. Log on as the Administrator so you have full permissions to delete remon.sys.

From Start, Run, type regedit; this will open the registry editor. Then search for remon.sys as I have mentioned above.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on September 30, 2005, 03:44:41 PM
ok.. I did exactly what you told me to... I did boot in safe mode and deleted the file.. then I checked the registry and did a registry clean..  but then, when I restarted again in normal boot the file is still there...

warghh !!!

why is it like that?? does the file have the capability to restore itself?? what should I do now?? just do reformatting?? but I want to be sure the virus is not there after I do reformatting...
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 30, 2005, 06:03:37 PM
The problem is the nature of rootkit infections: they are able to hide below system level and hide processes, which could in theory restore the file.

Did you disable system restore as I said before booting into safe mode?

Reformatting is a tool of last resort and I don't think we are there yet; I do understand that with your experience level this is more daunting than it is for me.

A Google search for remon.sys returns many hits; this is just one, http://www.techspot.com/vb/topic33610.html, but it does go further than we have so far in looking at another tool, hijackthis.

Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction)
For an on-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php)
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2 (http://hjt.iamnotageek.com/)
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: Spiritsongs on September 30, 2005, 07:46:13 PM
 :)  Hi BABy ziE:

     You may want to seriously consider using "RootkitRevealer"
     from www.sysinternals.com/Utilities/rootkitrevealer.html
     to see if this program may solve your problem !? If not,
     I would recommend you post a request for help in the
     forums of your anti-spyware provider; if you happen to
     have Ad-Aware, go to www.landzdown.com/index.php .
     You do need an unzipping app for RootkitRevealer.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on September 30, 2005, 08:36:23 PM
Rootkit Revealer is somewhat akin to hijackthis in that it only provides information, it doesn't remove/kill them, you have to know what to do with it.

Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on October 01, 2005, 04:57:07 AM
Did you disable system restore as I said before booting into safe mode?

I did disable it...

Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction)
For an on-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php)
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2 (http://hjt.iamnotageek.com/)


ok, I did the scan with hijackthis...
and the result is this.. (I don't know what to do with it)

Logfile of HijackThis v1.99.1
Scan saved at 10:42:34, on 01/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\javapanel.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe


Lead me on please... I'm just counting on you guys now... :(
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on October 01, 2005, 03:13:37 PM
Quote
ok, I did the scan with hijackthis...
and the result is this.. (I don't know what to do with it)
That is why I gave you links to two HJT tutorials and the links to on-line analysis tools. Because we are not sitting next to you if you learn to use the tools available you learn more too, not just us. I visit the same on-line analysis sites as I don't know everything that may be on your system.

1. Your OS needs updating to SP2; this will patch some vulnerabilities which can and may be being exploited.
2. Your browser too can be updated after the OS is up to date, as with IE6 you can't get SP2 for it unless you have XP SP2 installed.
3. It doesn't appear that you are using a firewall.

This is a trojan back-door that could well be being hidden by a rootkit and needs fixing (tick the box) in HJT. A firewall should stop this phoning home, but without one you could be losing confidential data, etc.
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe

There are a number of other unknown entries in your log file analysis that you will need to check (like I did for taskcntr.exe above) using Google (http://www.google.com/search?&q=taskcntr.exe) or, if you prefer, Yahoo. If you have any queries about these unknown entries after checking Google/Yahoo then get back to us about them.

This is a copy of the on-line analysis for your log (available 72 hrs.) - http://hijackthis.de/logfiles/3d811663523ee3996dc7f96a7da12d8a.html
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: bABy`ziE on October 02, 2005, 11:01:49 AM
hye...

I did the search; turns out there're another 3 backdoor trojans on my system...  :o  :o

I was so stressed about it...  I handed the laptop to my boyfriend, he continued with the hijackthis repairing stuff...

Finally, my laptop is now clean...  ;D I didn't get any warning from Avast! till now (which is already 19 hours since after the cleaning process )... and, the remon.sys is also deleted... this time it didn't come back. so, I assume my laptop is fine...

Thanks again guys ( especially DavidR  :-* ) for your support and advice... I don't think me and my boyfriend could have handled it without your help...

Thanks a bunch !!!

 ;)  ;D

p/s:


1. Your OS needs updating to SP2; this will patch some vulnerabilities which can and may be being exploited.
2. Your browser too can be updated after the OS is up to date, as with IE6 you can't get SP2 for it unless you have XP SP2 installed.
3. It doesn't appear that you are using a firewall.


I'll upgrade my system to XP pro SP2, update my browser and install a firewall... thanks a lot !!
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on October 02, 2005, 02:59:12 PM
You are welcome, well done for sticking with it, a lot less painful than a format and start from scratch. Now the tasks in hand: first install a firewall, this will give you a fighting chance to do the other tasks. Zone Alarm Free has a relatively friendly user interface and works OK with avast, but read this first.

http://www.avast.com/eng/webshield_issues.html
If you are using ZoneAlarm Free you should click NO; because privacy features are not present in ZoneAlarm Free, this will not turn off the webshield transparent mode proxy.
Use a text editor and edit the avast4.ini file, the default installation location is C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini (I would advise you copy avast4.ini before editing it, just in case).
Locate the line containing ZoneAlarmCompatibility= and delete that line.  Save the edited avast4.ini file.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GinaPA on October 02, 2005, 05:25:52 PM
Kerio also has a highly-rated free firewall that works well with Avast. You can download it here: http://www.kerio.com/kpf_download.html

Don't be misled by the paragraph that begins by saying you only have it for 30 days--that is just the full version (they give you this as a trial). If you don't purchase the full version, you will lose only those premium services after 30 days--but you are still left with the free version--and the free version is sufficient. I've also had no problems running Kerio with Avast (I did with ZoneAlarm). Of course, all of our computers are different so this may or may not be the case with you. Just thought I'd throw this out as another option........Gina
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GKP on October 03, 2005, 11:54:58 PM
Hi.

I have exactly the same problem as bABy`ziE. C:\WINDOWS\System32\Remon.sys is infected by win32:trojano-2365[trj].
Although I followed the instructions you gave, I didn't solve it. I uninstalled remon.sys, turned off System Restore, tried to delete the file after booting but no luck. The file was still infected. I finally ran HijackThis and after that I ran a boot-time scan with Avast. I found 2 viruses which I couldn't delete/repair/move to chest. I could only move them to a folder: C:\Program Files\Alwil Software\Avast4\DATA\moved. These files are Dc2.sys and remon.sys.

One problem I have is that each time I connect to the Internet, I can't update any spyware/adaware or Avast program. Besides that, I can't access a web page at once but after a few tries (by pressing "Refresh" button). This happens with either Mozilla or Internet Explorer.

Can I avoid formatting my disk? Should I try to install ZoneAlarm Internet Security Suite 6.0? I heard it's a "top" firewall. If so, should I uninstall any antivirus or firewall program first?

Please help me
It's very urgent :(
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on October 04, 2005, 12:53:05 AM
There was a lot more than simply deleting remon.sys and running HiJackThis (running HJT doesn't do anything on its own).

I suggest that you print out the instructions on page 4 of this thread in full and follow them step by step, including visiting the HJT tutorials and the on-line analysis sites.

Why couldn't avast delete or move to chest?
Did you run the avast scan from safe mode, when it is likely things will not be in use?

We can't help when we are working with limited information. However, it sounds like you have more than just remon.sys if you can't update security software.
Post the contents of your HJT log here and we will see if there is anything else.
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: GKP on October 05, 2005, 12:08:53 AM
This is the logfile of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:43 AM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\javapanel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GK57E5~1.GK-\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe

O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Does it help you? Can you understand it?
Title: Re: Win32:Trojano-2502 [Trj] Alert help
Post by: DavidR on October 05, 2005, 01:09:53 AM
Well, to me it seems a little short on content.
Did you run it in safe mode?
Where is avast?

You need to update your OS as it is way out of date and many vulnerabilities have been patched, not to mention additional security enhancements.

The same is true of your browser; when you update your OS to XP SP2 you can get the latest version of IE6 SP2.

The following entries should be fixed in hijackthis.
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
This is the most serious; it would appear to be a hacktool rootkit, see the link below. You will need to follow the instructions on page 4 to ensure its full removal. It also has to be fixed in HJT, the service has to be stopped, and the file deleted.
javapanel - possible HackTool RootKit (http://www.techspot.com/vb/all/windows/t-33507-Hacktoolrootkit-took-over-my-friends-laptop.html)
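As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that applies the checks DavidR makes by hand on the two logs above: O2 BHO entries with no backing file, O23 services with "Unknown owner" running straight from the Windows directory (taskcntr.exe, javapanel.exe), and avast's own O23 entries skipped because of the HJT 1.99.1 quirk he mentions. The sample log is constructed from lines in the posted logs, and the flagging rules are this example's own heuristics (assumptions), not anything HJT does.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the two HJT 1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
"""

# HJT line shapes: "O2 - BHO: <name> - {<CLSID>} - <path>" and
# "O23 - Service: <name> - <owner> - <path>"; the path is the last field.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First thing that looks like a path to a binary, ignoring quotes and arguments.
BIN_RE = re.compile(r'"?(?P<bin>[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)
# The Windows directory itself (C:\WINDOWS or C:\WINNT), not a subdirectory of it.
WINROOT_RE = re.compile(r"^[A-Za-z]:\\(WINDOWS|WINNT)$", re.IGNORECASE)


@dataclass
class Finding:
    line: str    # the HJT log line as posted
    reason: str  # why a human should look at it


def binary_path(raw: str) -> Optional[str]:
    """Extract the executable path from an HJT path field (strips quotes/arguments)."""
    m = BIN_RE.search(raw)
    return m.group("bin") if m else None


def triage_hijackthis_log(log: str) -> list[Finding]:
    """Return the O2/O23 entries that merit a manual look, in log order."""
    findings: list[Finding] = []
    for line in log.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(Finding(line, "BHO with no backing file: dead entry, fix it in HJT"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        name, owner, raw_path = m.group("name"), m.group("owner").strip(), m.group("path")
        if "avast" in name.lower():
            # HJT 1.99.1 shows avast services as 'Unknown owner' / '(file missing)': ignore them.
            continue
        if "(file missing)" in raw_path:
            findings.append(Finding(line, "service points at a missing file: fix it in HJT"))
            continue
        path = binary_path(raw_path)
        # 'Unknown owner' alone is common for legitimate software; the signal is an
        # unsigned/unknown service living directly in the Windows directory.
        if owner == "Unknown owner" and path and WINROOT_RE.match(path.rsplit("\\", 1)[0]):
            findings.append(Finding(line, "unknown-owner service running straight from the "
                                          "Windows directory: look the file name up before fixing"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Entries the script flags still need the look-up step DavidR describes (search the file name, then decide); it only narrows the list.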