Author Topic: Win32:Trojano-2502 [Trj] Alert help  (Read 41889 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #45 on: September 29, 2005, 02:06:28 PM »
I'm using Windows XP Pro Service Pack 1.
Why not SP2? You'll be more protected...

C:\WINDOWS\System32\Remon.sys
Search Google for Remon.sys and you'll find a lot of info. It's not easy to get rid of it...
The best things in life are free.


bABy`ziE

  • Guest
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #47 on: September 29, 2005, 04:29:02 PM »
hmm... I see.. so, this remon.sys is quite a tough virus, is it? How about if I just reformat my laptop, will the virus be gone by doing that...?? anyway, thanks for all the help..

Offline Lisandro

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #48 on: September 29, 2005, 04:55:25 PM »
How about if I just reformat my laptop, will the virus be gone by doing that...??
It's a hard solution but it should work. If you do so, it's better to have a DOS floppy and use fdisk to delete the partition. When you create a new one, not only can it be formatted, but the boot sector of the disk is renewed too, avoiding boot viruses.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #49 on: September 29, 2005, 05:28:10 PM »
It would appear to be a rootkit virus, which is not only hard to detect but also hard to remove.

Try this first to see if it is running as a hidden service.
    * As an administrator user, right-click on My Computer, select Properties/Hardware and click on the Device Manager button;
    * Select View/Show Hidden Devices - this will reveal a new category "Non-Plug and Play Drivers";
    * Expand this to see the legacy drivers - any belonging to uninstalled software can be removed by right-clicking and selecting Uninstall.

If so, this will stop the service and hopefully allow you to delete the remon.sys file.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so do a search of the registry for remon.sys. Or you could try a registry cleaner.

This is not an easy process, but I feel it is less of an issue than a format and start from scratch.

I would also suggest you read this to help stop things like this getting a toehold in the first place - Security Tips & Tricks - DropMyRights
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

bABy`ziE

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #50 on: September 30, 2005, 07:44:56 AM »
I have followed your instructions to uninstall the non plug and play devices... I did find Remon in the list and I've already uninstalled the file.. after restarting the laptop I tried to delete the file remon.sys but it still won't delete.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so do a search of the registry for remon.sys. Or you could try a registry cleaner.

I'm not really familiar with all this... how do I search the registry?? how do I clean it?? how can I know that a certain registry entry is for remon.sys??

uwaaaaa!!  :'(  :'(  :'(

what should I do now?? the laptop is brand new and I don't want it to crash... can the virus do any damage to the hardware as well??

Please help...

p/s: actually where did this type of virus come from?? is it from IM or email attachment or IE browser??
« Last Edit: September 30, 2005, 12:42:55 PM by bABy`ziE »

Offline Lisandro

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #51 on: September 30, 2005, 02:15:54 PM »
what should I do now?? the laptop is brand new and I don't want it to crash... can the virus do any damage to the hardware as well??
I really doubt it... but if you aren't able to clean it, can't you format and start again?

p/s: actually where did this type of virus come from?? is it from IM or email attachment or IE browser??
Generally, any shared network could get it. I mean, it could be by any of the ways you've written.

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #52 on: September 30, 2005, 02:39:33 PM »
I have followed your instructions to uninstall the non plug and play devices... I did find Remon in the list and I've already uninstalled the file.. after restarting the laptop I tried to delete the file remon.sys but it still won't delete.

You will also have to see if there are any registry entries for this as well; they are likely to be in the HKEY_CURRENT_USER keys, so do a search of the registry for remon.sys. Or you could try a registry cleaner.

I'm not really familiar with all this... how do I search the registry?? how do I clean it?? how can I know that a certain registry entry is for remon.sys??
Ensure that the remon.sys device has been removed from the list (uninstalled) and reinstalled. If you haven't already disabled System Restore, do that; otherwise, when you delete a file from a system folder, Windows saves it in a restore point, and if you use System Restore at a later time you could reinstate the remon.sys file. Once everything is resolved you can enable System Restore again.

Boot into safe mode: press F8 during boot and select Safe Mode from the options. Log on as the Administrator so you have full permissions to delete remon.sys.

From Start, Run, type regedit; this will open the registry editor, then search for remon.sys as I mentioned above.

bABy`ziE

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #53 on: September 30, 2005, 03:44:41 PM »
ok.. I did exactly like you told me to... I did boot in safe mode and delete the file.. then I checked the registry and did a registry clean.. but then, when I restarted again in normal boot the file is still there...

warghh !!!

why is it like that?? does the file have the capability to restore itself?? what should I do now?? just do reformatting?? but I want to be sure the virus is not there after I do the reformatting...

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #54 on: September 30, 2005, 06:03:37 PM »
The problem is the nature of rootkit infections: they are able to hide below system level and hide processes, which could in theory restore the file.

Did you disable system restore as I said before booting into safe mode?

Reformatting is a tool of last resort and I don't think we are there yet; I do understand that with your experience level this is more daunting than it is for me.

A Google search for remon.sys returns many hits; this is just one, http://www.techspot.com/vb/topic33610.html, but it does go further than we have so far by looking at another tool, HijackThis.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

Spiritsongs

  • Guest
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #55 on: September 30, 2005, 07:46:13 PM »
:) Hi BABy ziE:

You may want to seriously consider using "RootkitRevealer" from www.sysinternals.com/Utilities/rootkitrevealer.html to see if this program may solve your problem !? If not, I would recommend you post a request for help in the forums of your anti-spyware provider; if you happen to have Ad-Aware, go to www.landzdown.com/index.php . You do need an unzipping app for RootkitRevealer.

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #56 on: September 30, 2005, 08:36:23 PM »
Rootkit Revealer is somewhat akin to HijackThis in that it only provides information; it doesn't remove/kill them, you have to know what to do with it.

bABy`ziE

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #57 on: October 01, 2005, 04:57:07 AM »
Did you disable system restore as I said before booting into safe mode?

I did disable it...

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2


ok, I did the scan with hijackthis...
and the result is this.. (I don't know what to do with it)

Logfile of HijackThis v1.99.1

Scan saved at 10:42:34, on 01/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\javapanel.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe


Lead me on please... I'm just counting on you guys now... :(
« Last Edit: October 01, 2005, 05:00:00 AM by bABy`ziE »

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #58 on: October 01, 2005, 03:13:37 PM »
Quote
ok, I did the scan with hijackthis...
and the result is this.. (I don't know what to do with it)
That is why I gave you links to two HJT tutorials and the links to on-line analysis tools. Because we are not sitting next to you, if you learn to use the tools available you learn more too, not just us. I visit the same on-line analysis sites, as I don't know everything that may be on your system.

1. Your OS needs updating to SP2; this will patch some vulnerabilities which can and may be being exploited.
2. Your browser too can be updated after the OS is up to date, as with IE6 you can't get SP2 for it unless you have XP SP2 installed.
3. It doesn't appear that you are using a firewall.

This is a trojan back-door that could well be being hidden by a rootkit and needs fixing (tick the box) in HJT. A firewall should stop this phoning home, but without one you could be losing confidential data, etc.
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe

There are a number of other unknown entries in your log file analysis that you will need to check (like I did for taskcntr.exe above) using Google (http://www.google.com/search?&q=taskcntr.exe) or, your choice, Yahoo. If you have any queries about these unknown entries after checking Google/Yahoo then get back to us about them.

This is a copy of the on-line analysis for your log (available 72 hrs.) - http://hijackthis.de/logfiles/3d811663523ee3996dc7f96a7da12d8a.html
« Last Edit: October 01, 2005, 03:16:30 PM by DavidR »
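As an added example (not code from the thread, from HijackThis or from avast), here is a small Python triage pass over O23 service and O4 Run-key lines in the format of the log posted above, applying the same checks DavidR applies by hand: an "Unknown owner", a "(file missing)" marker, and an executable sitting directly in C:\WINDOWS instead of under Program Files. The sample lines are a subset copied from the posted log; note that "unknown owner" alone is a weak signal, since the log shows avast's own services carrying it.

```python
import re

# Lines copied from the HijackThis 1.99.1 log posted in this thread (a
# constructed subset, not the full log) to exercise the triage rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# O23 (services) and O4 (Run-key autostarts) are the HJT sections the replies focus on.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")

# A third-party executable directly in these folders is unusual (taskcntr.exe, javapanel.exe).
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def clean_path(raw: str) -> str:
    """Strip HJT's '(file missing)' marker, quotes and trailing arguments."""
    raw = raw.replace("(file missing)", "").strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|dll))", raw, re.IGNORECASE)  # keep up to first .exe/.dll
    return m.group(1).strip('"') if m else raw


def assess(section: str, name: str, owner: str, raw_path: str) -> dict:
    """Apply the thread's triage heuristics; an empty 'reasons' list means benign-looking."""
    path = clean_path(raw_path)
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("unknown owner")  # weak alone: avast's own services show this
    if "(file missing)" in raw_path:
        reasons.append("file missing")
    directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if directory in WINDOWS_DIRS:
        reasons.append("executable directly in Windows folder")
    return {"section": section, "name": name, "path": path, "reasons": reasons}


def triage(log_text: str) -> list:
    """Return the O4/O23 entries that have at least one reason to look closer."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            entry = assess("O23", m["name"], m["owner"], m["path"])
        elif m := RUN_RE.match(line):
            entry = assess("O4", m["name"], "", m["path"])
        else:
            continue
        if entry["reasons"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["section"]} {e["name"]}: {e["path"]} -> {", ".join(e["reasons"])}')
```

Entries that survive the filter are candidates to look up (as the thread does with Google) rather than verdicts; the Intel service and avast's tray program drop out because they sit under Program Files with nothing missing.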

bABy`ziE

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #59 on: October 02, 2005, 11:01:49 AM »
hye...

I did the search, turns out there're another 3 backdoor trojans on my system...  :o  :o

I was so stressed about it...  I handed the laptop to my boyfriend, he continued with the hijackthis repairing stuff...

Finally, my laptop is now clean...  ;D I didn't get any warning from Avast! till now (which is already 19 hours since the cleaning process)... and the remon.sys is also deleted... this time it didn't come back. so, I assume my laptop is fine...

Thanks again guys ( especially DavidR  :-* ) for your support and advice... I don't think me and my boyfriend could have handled it without your help...

Thanks a bunch !!!

 ;)  ;D

p/s:


1. Your OS needs updating to SP2; this will patch some vulnerabilities which can and may be being exploited.
2. Your browser too can be updated after the OS is up to date, as with IE6 you can't get SP2 for it unless you have XP SP2 installed.
3. It doesn't appear that you are using a firewall.


I'll upgrade my system to XP pro SP2, update my browser and install a firewall... thanks a lot !!
« Last Edit: October 02, 2005, 11:08:43 AM by bABy`ziE »