Author Topic: Win32:Trojano-2502 [Trj] Alert help  (Read 41847 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #60 on: October 02, 2005, 02:59:12 PM »
You are welcome, well done for sticking with it, a lot less painful than a format and start from scratch. Now the tasks in hand: first install a firewall, this will give you a fighting chance to do the other tasks. Zone Alarm free is a relatively friendly user interface and works OK with avast, but read this first.

http://www.avast.com/eng/webshield_issues.html
If you are using ZoneAlarm Free you should click NO, because privacy features are not present in ZoneAlarm Free this will not turn off webshield transparent mode proxy.
Use a text editor and edit the avast4.ini file, the default installation location is C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini (I would advise you copy avast4.ini before editing it, just in case).
Locate the line containing ZoneAlarmCompatibility= and delete that line.  Save the edited avast4.ini file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

GinaPA

  • Guest
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #61 on: October 02, 2005, 05:25:52 PM »
Kerio also has a highly-rated free firewall that works well with Avast. You can download it here: http://www.kerio.com/kpf_download.html

Don't be misled by the paragraph that begins by saying you only have it for 30 days--that is just the full version (they give you this as a trial). If you don't purchase the full version, you will lose only those premium services after 30 days--but you are still left with the free version--and the free version is sufficient. I've also had no problems running Kerio with Avast (I did with ZoneAlarm). Of course, all of our computers are different so this may or may not be the case with you. Just thought I'd throw this out as another option........Gina

GKP

  • Guest
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #62 on: October 03, 2005, 11:54:58 PM »
Hi.

I have exactly the same problem with bABy`ziE. C:\WINDOWS\System32\Remon.sys is infected by win32:trojano-2365[trj].
Although I followed the instructions you gave, I didn't solve it. I uninstalled remon.sys, turned off System Restore, tried to delete the file after booting but no luck. The file was still infected. I finally ran HijackThis and after that I ran a boot-scan with Avast. I found 2 viruses which I couldn't delete/repair/move to chest. I only could move them to a folder: C:\Program Files\Alwil Software\Avast4\DATA\moved. These files are Dc2.sys and remon.sys.

One problem I have is that each time I connect to the Internet, I can't update any spyware/adaware or Avast program. Besides that, I can't access a web page at once but after a few tries (by pressing "Refresh" button). This happens with either Mozilla or Internet Explorer.

Can I avoid formatting my disk? Should I try to install ZoneAlarm Internet Security Suite 6.0? I heard it's a "top" firewall. If so, should I uninstall any antivirus or firewall program first?

Please help me
It's very urgent :(

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #63 on: October 04, 2005, 12:53:05 AM »
There was a lot more than simply deleting remon.sys and running HiJackThis (running HJT doesn't do anything on its own).

I suggest that you print out the instructions on page 4 of this thread in full and follow it step by step. Including visiting the HJT tutorials and the on-line analysis sites.

Why couldn't avast delete or move to chest?
Did you run the avast scan from safe mode, when it is likely things will not be in use?

We can't help when we are working with limited information. However, it sounds like you have more than just remon.sys if you can't update security software.
Post the contents of your HJT log here and we will see if there is anything else.

GKP

  • Guest
Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #64 on: October 05, 2005, 12:08:53 AM »
This is the logfile of HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:43 AM, on 10/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\javapanel.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\GK57E5~1.GK-\LOCALS~1\Temp\Rar$EX00.422\HijackThis.exe

O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Does it help you? Can you understand it?

Offline DavidR

Re: Win32:Trojano-2502 [Trj] Alert help
« Reply #65 on: October 05, 2005, 01:09:53 AM »
Well, to me it seems a little short on content.
Did you run it in safe mode?
Where is avast?

You need to update your OS as it is way out of date and many vulnerabilities have been patched, not to mention additional security enhancements.

The same is true of your browser; when you update your OS to XP SP2 you can get the latest version of IE6 SP2.

The following entries should be fixed in hijackthis.
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
This is the most serious, it would appear to be a hacktool rootkit, see the link below, you will need to follow the instructions on page 4 to ensure its full removal. It also has to be fixed in HJT and the service has to be stopped, the file deleted.
javapanel - possible HackTool RootKit

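Added example, not part of any poster's reply: a small Python triage pass over the O-lines of the log in reply #64, flagging the two patterns picked out in reply #65 (a BHO whose file is missing, and a service listed with "Unknown owner"). The extra check that the service binary sits directly in the Windows directory is an assumption added here to separate javapanel.exe from avast's own aswUpdSv entry; the function and label names are hypothetical.

```python
import re
from ntpath import dirname, normcase  # Windows path rules on any host OS

# O-lines copied from the HijackThis log posted in reply #64.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")


def triage(log_text, windir=r"C:\WINDOWS"):
    """Return (label, subject) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m.groups()
        # O2 and O23 lines end in "<name> - <middle> - <target>"; split from
        # the right so a " - " inside the display name does not shift fields.
        parts = rest.rsplit(" - ", 2)
        if len(parts) != 3:
            continue  # other sections (e.g. O4) use a different layout
        _name, middle, target = parts
        if code == "O2" and target == "(no file)":
            # BHO registration left behind with no file on disk.
            findings.append(("orphan-bho", middle))
        elif code == "O23" and middle == "Unknown owner":
            # "Unknown owner" alone is noisy: avast's own updater shows it in
            # this log. Assumption: a binary directly in the Windows
            # directory raises the priority.
            in_root = normcase(dirname(target)) == normcase(windir)
            label = "ownerless-service-in-windir" if in_root else "unknown-owner-service"
            findings.append((label, target))
    return findings


if __name__ == "__main__":
    for label, subject in triage(SAMPLE_LOG):
        print(f"{label:30} {subject}")
```

The labels only rank entries for manual review; they are not a verdict on any file.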