remon.sys

I am having a problem deleting the file remon.sys.
avast says it’s gone and repaired, but it’s still there.
What can I do? This bad file blocked the local network and internet as well.
I can’t send or receive mail!!!
And the worst part: I am online with a dial-up connection.
PLEASE HELP ME

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!

A forum search for remon.sys will provide some information on this, as it has been covered a few times.

UnHackMe claims to fix this rootkit:

http://www.greatis.com/unhackme/

I don’t think anybody has tested it. Ki, maybe you could try it and let us know if it works?

Well, I have Windows 2000, and avast finds the file and says that it removes it, but it keeps coming back… I tried almost everything but nothing seems to work.
I downloaded ewido and for 2 hours I thought that it was gone, but… I don’t have local network or internet either… this is a very tricky file!
The name of the infected file is remon.sys and it has been infected by rootkit.agent.ab.
I tried with HijackThis but I can’t find out which programs may use this file.

Hi Ki,

avast! cannot remove these rootkits. You will have to use a specialist anti-rootkit program.

Please try the anti-rootkit program UnHackMe above. You could also try BlackLight from F-Secure:

http://www.f-secure.com/blacklight/

If neither of these two work, please post a HijackThis! log.

http://www.bleepingcomputer.com/forums/tutorial42.html

I did this with the F-Secure application.
I am sending the HJT file.

UnHackMe claims to fix this rootkit:

http://www.greatis.com/unhackme/

Have you tried UnHackMe?

Nothing happened. UnHackMe finds nothing. The real problem is that this file remon.sys and the rootkit.agent.ab, or whatever this is called, stops the router from sharing the IP addresses right, so this is why internet & local network are not working properly. I suppose, because I am not an expert on these things. This is the first time I have tried to fix something like that.
I need simple steps in order to do something about this threat.

Try this disinfector tool:

http://www.sophos.com/support/cleaners/tlbtwgui.com

Run HijackThis! again. Follow this advice from the BleepingComputer link above:

Use HijackThis to delete the service. You can click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.

Look for and delete this service:

O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINNT\construct.exe (file missing)

The problem may be gone already but your internet connection may be broken: try using WinsockXPfix to repair your internet connection:

http://www.snapfiles.com/get/winsockxpfix.html
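As an added example (not part of the original thread, and not HijackThis code): a short Python triage of O23 service lines like the one quoted above. It assumes the usual O23 layout, where the name in parentheses (here WSR) is the service's short name, the one to enter in the delete dialog. The three indicators, the helper names and every sample line other than the WSR entry are assumptions constructed for illustration.

```python
import re

# O23 line layout, as in the entry quoted in the thread:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
# Assumption: a service binary sitting directly in the Windows directory is unusual.
WINROOT_RE = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)

def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["owner"].lower() == "unknown owner":
        reasons.append("unknown owner")
    if m["missing"]:
        reasons.append("file missing")
    if WINROOT_RE.match(m["path"]):
        reasons.append("binary in Windows root")
    # When no short name is shown in parentheses, fall back to the display name.
    return {"service": m["name"] or m["display"], "display": m["display"],
            "path": m["path"], "reasons": reasons}

def review_candidates(log_text, min_reasons=2):
    """Services with at least min_reasons indicators, for manual review."""
    entries = filter(None, map(parse_o23, log_text.splitlines()))
    return [e for e in entries if len(e["reasons"]) >= min_reasons]

# The WSR line is the entry from the thread; the other lines are constructed samples.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINNT\construct.exe (file missing)
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\Program Files\Example\exupd.exe
O23 - Service: Example Agent - Unknown owner - C:\Program Files\Example\agent.exe
"""

if __name__ == "__main__":
    for entry in review_candidates(SAMPLE_LOG):
        print(entry["service"], entry["path"], ", ".join(entry["reasons"]))
```

A single indicator such as "Unknown owner" alone is common on clean machines, which is why the default threshold is two.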

I looked thru your HijackThis log and did NOT see any antiSPYWARE programs listed; do you have any on this computer? If yes, what are their name(s)? Also the log indicates you have an out-of-date version of the Java program; would be best if you went to www.java.com and installed the latest AFTER you uninstall your current version. However, this should be done AFTER you get the rootkit OFF your computer.

Having a rootkit, I think it would be best if you got the assistance of a HijackThis program Expert on one of the many AntiSPYWARE forums and would suggest you try www.landzdown.com. This forum is staffed by the volunteer experts that used to advise on the now-defunct Lavasoft Ad-Aware Support forums.

Well, I had avast, Spybot, Ad-Aware, and all these I downloaded for this thing: ewido, HJT, F-Secure, Norton Corp edition and some more.
I can’t delete the file remon.sys, the network is not working and I don’t have internet!
I did what you said. I am sending the HJT file.

Trend Micro seem to have added this pest:

http://www.trend.net.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_SDBOT.COO

Remove the rootkit with their Damage Cleanup Engine:

http://www.trend.net.au/consumer/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=2&VName=TROJ_ROOTKIT.S

I can’t follow the link! My PC is crazy.

What about avast?
Are you using the Corporate version of Norton?

Yes… why?

Can I talk to you on MSN?

I’m going on-line now…