• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 440
  • Last Modified:

How to remove W32.Spybot.Worm

I have symantec Antivirus on my machine, and it is timely displaying a message that my system has the W32.Spybot.Worm virus, How can i remove this???
0
toocrazy007
Asked:
toocrazy007
  • 6
  • 4
  • 3
  • +4
1 Solution
 
gurutcCommented:
The best way I've found to really clean systems once they're infected is to go to www.ubcd4win.com and download and build an Ultimate Boot CD for Windows.  This CD will let you boot Windows from CD and run several included virus and trojan removal tools.

- Travis=gurutc
0
 
rpggamergirlCommented:
1. Let us look at your Hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.

2. Or you can also try downloading and installing the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Hello there,

I would also suggest to download spybot S&D and Adaware SE. Remember before you do any of the following scans turn off System Restore.

Spybot - http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=spybot&tag=srch

Adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

To turn off system restore do the following...

Right Click My Computer
Properties
Click system restore Tab
Put a check mark in the box that says "Turn Off System Restore"

Hope this helps
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
toocrazy007Author Commented:
I already tries all spybot, Ewido antispyware but i am able to more all the Look2Me addware and myTop virus from my system, but i am not able to remove the W32.Spybot.Worm.

Hi  rpggamergirl

i followed the procedure which you said but i am not able to understand the last step.
****Post the link to the saved list here.
i copied my log file at http://www.hijackthis.de/ 
and i click analyze and i click on save then another window is opened which has the information of all about ports etc. Now wht i have to do???

Thanks
0
 
rpggamergirlCommented:
After you clicked "Save" and the next window that opens, copy the url/address of that window and paste it here.



Or if this one is easier:
paste your Hijackthis log at this site -->  http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the page and post it here:
0
 
rpggamergirlCommented:
I mean post the link to the saved log here in your topic so that we can click on it to go to the saved log.
0
 
toocrazy007Author Commented:
Hi rpggamergirl,

this is the Url u asked, i am confused about the word here (you mean in the forum), anyway thanks i am posting the link.

http://www.rafb.net/paste/results/0wiiNa65.html
0
 
rpggamergirlCommented:
thanks for the link, Sorry I wasn't very clear.

the worm is not showing in your log unfortunately.

Please run hijackthis and put a check next to these entries and click "Fix Checked" button:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)


Please download this tool, this supposedly removes W32.Spybot worm and its variants.
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
0
 
toocrazy007Author Commented:
I already have the Microsoft Antispyware removal tool, but it's not removing this,
Can you help me in another problem, i am getting notification by my symantec

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\WINNT\system32\remon.sys
Location:  Quarantine
Computer:  COAIND13
User:  Kallakuri Venkat
Action taken:  Quarantine succeeded : Access denied
Date found: Friday, May 05, 2006  8:42:41 PM

Can you help me in removing this!!

Thanks
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
What you might want to do is Download Windows Defender and run a scan on your computer see if it detects it. Microsoft Antispyware is nolonger used the new beta is Defender. You maybe lacking updates for Antispyware.

Here is where you can download it.
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Hope this helps. keep us updated.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Also what Anti-virus are you using? If you don't have Norton 2005 I would suggest it. You can get a free 6 month trial from Google Pack Downloader.

http://pack.google.com/pack_installer_new.html?ciNum=4

When you go to this site just pick add/remove programs that you want. You can uncheck all of the google tools if you like but just leave norton 2005 and donwload and install.
0
 
uberpoopCommented:
dont forget: Turn off System Restore (Control Panel ->System->System Restore-> Turn off)...
Then clean the virus using anything- If Symantec is not cutting it, try housecall.antivirus.com
good luck.
0
 
rpggamergirlCommented:
MS Removal tool is supposed to remove SDBot which was the one that dropped that file remon.sys (it drops other files as well not just remon.sys)

Do this to disable that file(credit to r-k) the file would be hidden so you  need to show hidden files and folders first.
(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)
(1) Right click on the file "C:\WINNT\system32\remon.sys"
 in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Repeat steps (1) to (4) for the other file
(6) Close all windows.
(7) Reboot.


And check for more rootkit like hidden files in your system with Blacklight or Rootkit Revealer.
Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip






0
 
alpinebizCommented:
It would be cleaner and faster to backup all of your data and do a fresh install.
0
 
toocrazy007Author Commented:
this is the data in log file:

05/22/06 16:54:24 [Info]: BlackLight Engine 1.0.36 initialized
05/22/06 16:54:24 [Info]: OS: 5.0 build 2195 (Service Pack 4)
05/22/06 16:54:24 [Note]: 7019 4
05/22/06 16:54:24 [Note]: 7005 0
05/22/06 16:54:26 [Note]: 7006 0
05/22/06 16:54:26 [Note]: 7011 1688
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:35 [Note]: FSRAW library version 1.7.1015
05/22/06 16:55:08 [Note]: 7007 0
0
 
rpggamergirlCommented:
Blacklight did not find anything,
Does symantec still alerts you about the Spybot worm? does it also give you the filepath and filename?
0
 
gurutcCommented:
cool with me - gurutc
0
 
CetusMODCommented:
PAQed with no points refunded (of 250)

CetusMOD
Community Support Moderator
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 6
  • 4
  • 3
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now