remon.sys problem

Haiseen · Feb 12, 2006

I've been infected with the "remon.sys" virus.

As background, a few weeks ago I found that it my Defender Pro Anti-Virus program was getting turned off; this precipitated now using the AVG program.

I have attempted to remove the virus using the AVG Free-edition anti-virus pgm, Panda on-line virus scan, Ad-Aware SE Personal edition, and Spybot Search and Destroy. I have also used CCleaner prior to use of these other programs

Each time viruses and spyware would be detected and removed/deleted. Upon restarting the AVG Anti-virus warning screen pops up saying I have the "remon.sys" virus asking if I want to delete, etc.

I have also tried the above in "Safe Mode". I do have a copy of a HiJackThis log file ( from a normal boot) and a Panda Online virus scan report (in Safe mode) run today.

I have also attempted to run a HiJackThis and used the on-line website (http://www.hijackthis.de/) to try and correct the errors.

Still no luck. Your help and guidance would be appreciated.

I also have a "txt" document of my system I can attach.

chaslang · Feb 13, 2006

Remon.sys uses rootkit technology to hide from you. HijackThis is not going to show you all of the problems related to it (it may not even show you any of them).

Try giving the steps in this link a run: http://www.sophos.com/support/disinfection/tilebotw.html

If that does not help, follow the steps below. You must make sure you do not skip any of them. Two logs from step 6 must be attached and then a HijackThis log can be attached.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

Haiseen · Feb 19, 2006

I have ran the tutorial but I still seem to have some viruses. Within the tutorial the only option I couldn't run was the "Microsoft Windows Defender". It said my Windows verion was incorrect. I did run CounterSpy instead.

I have attached the BitDefender and Panda log files and a HiJackThis log file. I can also provide log files for SpyBot S&D, Ad-Aware and SpyHunter if you think you would like to see them.

chaslang · Feb 19, 2006

You should not install software like this:
C:\Downloads via Major Geeks\Spyhunter\sunserver.exe

First Spyhunter is the name of a crappy spyware removal program and second the proper location to install software is in the recommend installation folder when you install it. For CounterSpy (which the above is for) this should be C:\Program Files\Sunbelt Software\CounterSpy

Installing like you did can make it look like a malware program rather than the valid application.

You need to empty the CounterSpy Quarantine since it is saving part of SurfSideKick. Either empty the quarantine or delete the below files yourself:
C:\Documents and Settings\Guy.HOME-Y15JU5205T\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\70A5DA56-A0CE-4F2E-9C01-A9ACD7\922E5AAD-5886-453E-8F80-A4260C
C:\Documents and Settings\Guy.HOME-Y15JU5205T\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\70A5DA56-A0CE-4F2E-9C01-A9ACD7\D5ED8A77-02CE-4B84-8ABC-A11897
C:\Documents and Settings\Guy.HOME-Y15JU5205T\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\70A5DA56-A0CE-4F2E-9C01-A9ACD7\DABE72EF-6709-467B-B3F0-EC307C

Is your Spy Sweeper version a paid subscription version and is it up to date?

Your OS and IE versions are severely out of date and are a major security risk. You must get updated after we fix any current malware problems. This may also be why you could not install Windows Defender (either that or your Windows OS has not been validated by Microsoft to be valid. This looks like it is the case to me since I do not see the standard lines that would be in your log indicating Windows Genuine Advantage).

I see a service from Kaspersky AV running. Did you have this installed at one time and uninstall it?

Do you know what the below service is:
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINDOWS\Sc32Inch.exe (file missing)

This could be the worm indicated in the below link:
http://www.trendmicro.com.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_SDBOT.DIN

Haiseen · Feb 25, 2006

I reinstalled Counterspy inte correct location and manually emptied the quarentine folder as directed. I removed Spyhunter, and, Spysweeper is not a paid version but a trial version. I thought I had removed it some time ago. I did a search and found a prefetch file in C:\WINDOWS. I deleted it. I used to be running Kaspersky a long time ago but uninstalled it...I thought. I have no idea what the Sc32Inch.exe is. I also used HijackThis to delete it after reading the post link.

chaslang · Feb 25, 2006

Okay! So please attach a new HJT log and also tell me what current problems you are still having with malware.

Log in or Sign up

remon.sys problem

Haiseen Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Haiseen Private E-2

Attached Files:

Activescan.txt

bdscan1.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Haiseen Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member