Need help removing remon.sys rootkit (HJT log attached)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by fdariano, Jan 24, 2006.

  1. fdariano

    fdariano Private E-2

    My Norton AntiVirus is continually telling me I have a hacktool.rootkit threat file c:\windows\system32\remon.sys which is quarantined, but keeps notifying me. Attached is my hjt log. Any help would be appreciated.

    Frank D

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Jan 24, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    You also should uninstall Spyware Stormer. It is a rogue program which is not going to help you.
    Also in step 0 of the READ ME, make sure you uninstall WeatherBug.
     
  3. fdariano

    fdariano Private E-2

    OK, I'm ready. Two things - I did not run the additional scans you mentioned since I'm afraid of "removing" the rootkit only to have it come back. I did not run the HJT in safe mode since I wanted to make sure it picked up the remon.sys file.

    Frank D

    Edit by chaslang: Second inline log deleted
     
    Last edited by a moderator: Jan 24, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop posting HJT logs inline. All logs must be attachments. You must run the steps in the READ & RUN ME. You have not run them. If you had, your log would show the Bitdefender and Panda online scanners being run and you would have attached their logs as requested. Also the READ ME gives you instructions for using HJT and attaching logs.

    I see no signs that Spybot and MS Antispyware have been installed and run either.

    Also we do not want HJT logs from safe mode anyway so don't think about posting one.

    Also note that HJT will not show remon.sys. Rootkits do not show in HJT logs. They are hidden.

    You still did not uninstall what I requested that you uninstall.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You also have an AUTOTROJ-C TROJAN that needs to be fixed. Complete the other scans including the online ones so we can make sure to pick up any other hidden problems. The scanning tools are the only way to find all these problems. As you can see from my previous message, HJT does not show the rootkit or at least it will not always show all components of it (which is the case here) and probably does not show a load of other hidden issues.

    Also let's look for some possible hidden settings related to the rootkit.

    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    remon

    Press 'OK'

    The search will run for a while then alert you when it is finished. Press 'OK' and copy the contents of the WordPad window and post in this thread. If it is very long, an attachment would be better.


    I also just noticed two more Trojans evident in your log. The below two services show them:
    O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\system32\netddeclnt.exe (file missing)
    O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe

    The C:\WINDOWS\nvidGUIv.exe file is part of your rootkit problem as documented in:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136981

    Once you complete ALL the steps (don't skip anything) in the READ & RUN ME and attach two logs from Bitdefender and Panda, we will be able to complete getting you fixed up.
     
    Last edited: Jan 24, 2006
  6. fdariano

    fdariano Private E-2

    Here's an update:

    1) I didn't read carefully and when I ran Bitdefender I didn't save a log. However, I ran it again in both safe mode and normal boot and the program crashes every time when the scan is complete. Not sure what that's all about!

    2) I ran Panda in safe mode but could not find an option to save. I'm running again, but it's taking 4 hours since I've got an encyclopedia which is huge, and I didn't see an option to exclude the folder.

    3) I can't find any evidence of the remon.sys anymore and when I followed the McAfee tech article you referenced there are no more indications. I guess it's now clean from that threat.

    4) Once the Panda scan is done, I'll re-run the HJT and send (prob tonight).

    THANKS FOR YOUR HELP!!

    BTW - how do you deal with the fact that you can't see most of the on-line scan windows in Safe Mode since I'm operating at 640x480?

    Frank
     
  7. fdariano

    fdariano Private E-2

    Oh, and I ran the README completely (honest).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Read Step 6 again completely. It explains exactly how to save a log.

    ATTACH a Panda log and a new HJT log. Do not post them in line.

    You just need to save the logs in safe mode. You don't need to read them. If you run into issues in safe mode, the READ ME does say, do the scans in normal boot mode. Any scan is better than no scan!
     
  9. fdariano

    fdariano Private E-2

    I've attached the HJT log and Panda Scan log. As I said in my last post the Bitdefender scan consistently crashes at the end of each scan - it's happened three times.

    Hope this helps.

    Frank
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As indicated in the READ & RUN ME, we need HJT logs to be posted from normal boot mode. Please get a new one from normal boot mode and attach it so we can work on a fix.

    Did you put the below in your Trusted Zone? Is it required?

    O15 - Trusted Zone: http://*.lpl.com
     
  11. fdariano

    fdariano Private E-2

    Here is the HJT log from a normal boot.

    Yes, *.lpl.com should be in the trusted zone.

    Thanks,
    Frank
     
  12. fdariano

    fdariano Private E-2

    Oops, forgot to attach the HJT log.

    Frank
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Network DDE Client (or if not found look for the short name: NetDDEclnt) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above for WinNT System Host (or short name tcpsys)

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Network DDE Client

    If that does not work try entering the short name: NetDDEclnt

    Now repeat the above HJT step for WinNT System Host (or short name tcpsys)

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines (the O23 lines should already be gone - I'm just double checking) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [Windows Internet Service] wininet.exe
    O4 - HKLM\..\RunServices: [Windows Internet Service] wininet.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\system32\netddeclnt.exe (file missing)
    O23 - Service: WinNT System Host (tcpsys) - Unknown owner - c:\windows\help\taskgmr.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\AWS <-- the whole folder
    C:\WINDOWS\system32\netddeclnt.exe
    c:\windows\help\taskgmr.exe
    C:\Windows\system32\wininet.exe <--- do not delete wininet.dll or anything else. Only delete wininet.exe if found.

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working!

    It would be a good idea to run the Registry Search Tool steps I gave you in message # 5. And then attach that log.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
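The triage in the post above keys on a few HijackThis line shapes: O23 services with "Unknown owner" or "(file missing)", O4 autoruns that name a bare executable such as wininet.exe with no path, orphaned O9 buttons, and O15 Trusted Zone entries that need the user's confirmation. The script below is an added example (not from the thread or from HijackThis) that applies those same checks to constructed sample log lines modelled on the ones quoted here; the rundll32.exe special case is an assumption added so a legitimate bare rundll32 launch is not flagged.

```python
import re

# Constructed sample HijackThis (HJT) log lines, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Internet Service] wininet.exe
O4 - HKLM\..\RunServices: [Windows Internet Service] wininet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.lpl.com
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\system32\netddeclnt.exe (file missing)
O23 - Service: WinNT System Host (tcpsys) - Unknown owner - c:\windows\help\taskgmr.exe (file missing)
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Shapes of the O23 (service) and O4 (autorun) lines as HJT prints them.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def analyze_hjt(text: str) -> list:
    """Return (log line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("service binary carries no vendor information")
            if m["path"].endswith("(file missing)"):
                reasons.append("service still registered but its file is gone (orphaned remnant)")
            if reasons:
                findings.append((line, "; ".join(reasons)))
            continue
        m = O4_RE.match(line)
        if m:
            tokens = m["cmd"].split()
            target = tokens[0].strip('"')
            # Assumption: rundll32.exe is legitimately launched bare; judge the DLL it loads instead.
            if target.lower() == "rundll32.exe" and len(tokens) > 1:
                target = tokens[1].split(",")[0].strip('"')
            if "\\" not in target and "/" not in target:
                findings.append((line, "autorun target has no directory, so it resolves via the search path"))
            continue
        if line.startswith("O9 ") and line.endswith("(no file)"):
            findings.append((line, "browser button/tool entry whose file is gone"))
        elif line.startswith("O15 "):
            findings.append((line, "Trusted Zone entry: confirm the user added it deliberately"))
    return findings
```

Running `analyze_hjt(SAMPLE_LOG)` flags the two wininet.exe autoruns, the orphaned O9 button, the O15 zone entry and the three "Unknown owner" services, while the Symantec service and the NVIDIA rundll32 entry pass.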
  14. fdariano

    fdariano Private E-2

    1) The registry search tool came up "no instances found"

    2) These entries were not found:
    O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - C:\WINDOWS\system32\netddeclnt.exe (file missing)
    O23 - Service: WinNT System Host (tcpsys) - Unknown owner - c:\windows\help\taskgmr.exe (file missing)

    3) These files/folders did not exist:
    C:\Program Files\AWS <-- the whole folder
    C:\WINDOWS\system32\netddeclnt.exe
    c:\windows\help\taskgmr.exe
    C:\Windows\system32\wininet.exe <--- do not delete wininet.dll or anything else. Only delete wininet.exe if found.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! You did not answer my question:

     
  16. fdariano

    fdariano Private E-2

    Did you put the below in your Trusted Zone? Is it required?

    O15 - Trusted Zone: http://*.lpl.com

    yes I put it there and yes it's required


    - Very Important: Make sure you tell us the results from running the tutorial...was anything found?

    1) It was very helpful. Evidently the first time I ran bitdefender it found/fixed problems, but I didn't save the log. oops

    2) I finally understand when to turn off and on the system restore after reading your information.


    Were you unable to complete any of the scans?

    The Bitdefender crashed three times after it ran successfully once. Everything else worked OK.

    ...Were you unable to download any of the tools?

    No, they all worked.


    ...Did you do the on-line scans as suggested? etc.

    Yes, however, Panda did not give me an option to exclude folders. One of my folders is an encyclopedia which took about three hours just for that folder.

    I hope I answered your questions. Thanks for your help.

    Frank
     
  17. fdariano

    fdariano Private E-2

    Oh, and things are working good now.

    Frank
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
