toocrazy007
asked on
How to remove W32.Spybot.Worm
I have symantec Antivirus on my machine, and it is timely displaying a message that my system has the W32.Spybot.Worm virus, How can i remove this???
1. Let us look at your Hijackthis log.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or copy and paste the log at;
http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.
2. Or you can also try downloading and installing the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.
Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or copy and paste the log at;
http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.
2. Or you can also try downloading and installing the free version of Ewido anti-malware.
http://www.ewido.net/en/download/
Update first then scan in safe mode.
Hello there,
I would also suggest to download spybot S&D and Adaware SE. Remember before you do any of the following scans turn off System Restore.
Spybot - http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=spybot&tag=srch
Adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
To turn off system restore do the following...
Right Click My Computer
Properties
Click system restore Tab
Put a check mark in the box that says "Turn Off System Restore"
Hope this helps
I would also suggest to download spybot S&D and Adaware SE. Remember before you do any of the following scans turn off System Restore.
Spybot - http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=spybot&tag=srch
Adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1
To turn off system restore do the following...
Right Click My Computer
Properties
Click system restore Tab
Put a check mark in the box that says "Turn Off System Restore"
Hope this helps
ASKER
I already tries all spybot, Ewido antispyware but i am able to more all the Look2Me addware and myTop virus from my system, but i am not able to remove the W32.Spybot.Worm.
Hi rpggamergirl
i followed the procedure which you said but i am not able to understand the last step.
****Post the link to the saved list here.
i copied my log file at http://www.hijackthis.de/
and i click analyze and i click on save then another window is opened which has the information of all about ports etc. Now wht i have to do???
Thanks
Hi rpggamergirl
i followed the procedure which you said but i am not able to understand the last step.
****Post the link to the saved list here.
i copied my log file at http://www.hijackthis.de/
and i click analyze and i click on save then another window is opened which has the information of all about ports etc. Now wht i have to do???
Thanks
After you clicked "Save" and the next window that opens, copy the url/address of that window and paste it here.
Or if this one is easier:
paste your Hijackthis log at this site --> http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the page and post it here:
Or if this one is easier:
paste your Hijackthis log at this site --> http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the page and post it here:
I mean post the link to the saved log here in your topic so that we can click on it to go to the saved log.
ASKER
Hi rpggamergirl,
this is the Url u asked, i am confused about the word here (you mean in the forum), anyway thanks i am posting the link.
http://www.rafb.net/paste/results/0wiiNa65.html
this is the Url u asked, i am confused about the word here (you mean in the forum), anyway thanks i am posting the link.
http://www.rafb.net/paste/results/0wiiNa65.html
thanks for the link, Sorry I wasn't very clear.
the worm is not showing in your log unfortunately.
Please run hijackthis and put a check next to these entries and click "Fix Checked" button:
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
Please download this tool, this supposedly removes W32.Spybot worm and its variants.
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
the worm is not showing in your log unfortunately.
Please run hijackthis and put a check next to these entries and click "Fix Checked" button:
R0 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
Please download this tool, this supposedly removes W32.Spybot worm and its variants.
MS malicious software removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
ASKER
I already have the Microsoft Antispyware removal tool, but it's not removing this,
Can you help me in another problem, i am getting notification by my symantec
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Hacktool.Rootkit
File: C:\WINNT\system32\remon.sy
Location: Quarantine
Computer: COAIND13
User: Kallakuri Venkat
Action taken: Quarantine succeeded : Access denied
Date found: Friday, May 05, 2006 8:42:41 PM
Can you help me in removing this!!
Thanks
Can you help me in another problem, i am getting notification by my symantec
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Hacktool.Rootkit
File: C:\WINNT\system32\remon.sy
Location: Quarantine
Computer: COAIND13
User: Kallakuri Venkat
Action taken: Quarantine succeeded : Access denied
Date found: Friday, May 05, 2006 8:42:41 PM
Can you help me in removing this!!
Thanks
What you might want to do is Download Windows Defender and run a scan on your computer see if it detects it. Microsoft Antispyware is nolonger used the new beta is Defender. You maybe lacking updates for Antispyware.
Here is where you can download it.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Hope this helps. keep us updated.
Here is where you can download it.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Hope this helps. keep us updated.
Also what Anti-virus are you using? If you don't have Norton 2005 I would suggest it. You can get a free 6 month trial from Google Pack Downloader.
http://pack.google.com/pack_installer_new.html?ciNum=4
When you go to this site just pick add/remove programs that you want. You can uncheck all of the google tools if you like but just leave norton 2005 and donwload and install.
http://pack.google.com/pack_installer_new.html?ciNum=4
When you go to this site just pick add/remove programs that you want. You can uncheck all of the google tools if you like but just leave norton 2005 and donwload and install.
dont forget: Turn off System Restore (Control Panel ->System->System Restore-> Turn off)...
Then clean the virus using anything- If Symantec is not cutting it, try housecall.antivirus.com
good luck.
Then clean the virus using anything- If Symantec is not cutting it, try housecall.antivirus.com
good luck.
MS Removal tool is supposed to remove SDBot which was the one that dropped that file remon.sys (it drops other files as well not just remon.sys)
Do this to disable that file(credit to r-k) the file would be hidden so you need to show hidden files and folders first.
(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)
(1) Right click on the file "C:\WINNT\system32\remon.s
in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Repeat steps (1) to (4) for the other file
(6) Close all windows.
(7) Reboot.
And check for more rootkit like hidden files in your system with Blacklight or Rootkit Revealer.
Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
Do this to disable that file(credit to r-k) the file would be hidden so you need to show hidden files and folders first.
(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)
(1) Right click on the file "C:\WINNT\system32\remon.s
in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Repeat steps (1) to (4) for the other file
(6) Close all windows.
(7) Reboot.
And check for more rootkit like hidden files in your system with Blacklight or Rootkit Revealer.
Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Doubleclick blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
Rootkit Revealer:
http://www.sysinternals.com/files/rootkitrevealer.zip
It would be cleaner and faster to backup all of your data and do a fresh install.
ASKER
this is the data in log file:
05/22/06 16:54:24 [Info]: BlackLight Engine 1.0.36 initialized
05/22/06 16:54:24 [Info]: OS: 5.0 build 2195 (Service Pack 4)
05/22/06 16:54:24 [Note]: 7019 4
05/22/06 16:54:24 [Note]: 7005 0
05/22/06 16:54:26 [Note]: 7006 0
05/22/06 16:54:26 [Note]: 7011 1688
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:35 [Note]: FSRAW library version 1.7.1015
05/22/06 16:55:08 [Note]: 7007 0
05/22/06 16:54:24 [Info]: BlackLight Engine 1.0.36 initialized
05/22/06 16:54:24 [Info]: OS: 5.0 build 2195 (Service Pack 4)
05/22/06 16:54:24 [Note]: 7019 4
05/22/06 16:54:24 [Note]: 7005 0
05/22/06 16:54:26 [Note]: 7006 0
05/22/06 16:54:26 [Note]: 7011 1688
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:35 [Note]: FSRAW library version 1.7.1015
05/22/06 16:55:08 [Note]: 7007 0
Blacklight did not find anything,
Does symantec still alerts you about the Spybot worm? does it also give you the filepath and filename?
Does symantec still alerts you about the Spybot worm? does it also give you the filepath and filename?
cool with me - gurutc
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
- Travis=gurutc