• Status: Solved
  • Priority: Medium
  • Security: Public

How to remove W32.Spybot.Worm

I have Symantec Antivirus on my machine, and it is periodically displaying a message that my system has the W32.Spybot.Worm virus. How can I remove this?
The best way I've found to really clean systems once they're infected is to go to www.ubcd4win.com and download and build an Ultimate Boot CD for Windows.  This CD will let you boot Windows from CD and run several included virus and trojan removal tools.

- Travis=gurutc
1. Let us look at your Hijackthis log.
Please download HijackThis 1.99.1
Open HijackThis and click "Do a system scan and save a logfile". Don't fix anything yet; just upload the logfile created. Go here and paste your HijackThis log: http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or copy and paste the log at;
and click "Analyse", click "Save".  Post the link to the saved list here.

2. Or you can also try downloading and installing the free version of Ewido anti-malware.
Update first then scan in safe mode.
Will Szymkowski, Senior Solution Architect, Commented:
Hello there,

I would also suggest downloading Spybot S&D and Ad-Aware SE. Remember, before you do any of the following scans, turn off System Restore.

Spybot - http://www.download.com/3120-20_4-0.html?tg=dl-20&qt=spybot&tag=srch

Adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=lst-0-1

To turn off system restore do the following...

Right-click My Computer
Click the System Restore tab
Put a check mark in the box that says "Turn Off System Restore"

Hope this helps
toocrazy007, Author, Commented:
I already tried all of Spybot and Ewido antispyware. I am able to remove all the Look2Me adware and myTop virus from my system, but I am not able to remove the W32.Spybot.Worm.

Hi rpggamergirl,

I followed the procedure you described, but I am not able to understand the last step.
****Post the link to the saved list here.
I copied my log file to http://www.hijackthis.de/
and I clicked Analyze and then Save; then another window opened which has all the information about ports etc. Now what do I have to do?

After you clicked "Save" and the next window that opens, copy the url/address of that window and paste it here.

Or if this one is easier:
paste your HijackThis log at this site --> http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url of the page and post it here:
I mean post the link to the saved log here in your topic so that we can click on it to go to the saved log.
toocrazy007, Author, Commented:
Hi rpggamergirl,

This is the URL you asked for. I am confused about the word "here" (you mean in the forum?). Anyway, thanks, I am posting the link.

Thanks for the link. Sorry I wasn't very clear.

The worm is not showing in your log, unfortunately.

Please run HijackThis, put a check next to these entries and click the "Fix Checked" button:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)

Please download this tool, this supposedly removes W32.Spybot worm and its variants.
MS malicious software removal tool:
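
Added example, not part of the original thread: a small Python triage of HijackThis log lines that flags the same kinds of entries singled out in the post above (R0 keys with an empty value, an O23 service with an unknown owner whose file is missing). The sample log is constructed from the three quoted entries plus two invented benign lines, and the flagging rules are assumptions modelled on those entries, not HijackThis's own logic.

```python
import re

# Constructed sample: the three entries quoted in the thread plus two
# invented benign lines (example.invalid / Example Corp) for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\WINNT\system32\example.exe
"""

# "<section code> - <detail>", e.g. "R0 - ..." or "O23 - ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O23 detail: "Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
SERVICE = re.compile(
    r"^Service: (?P<display>.*) \((?P<name>[^()]*)\) - (?P<owner>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

def parse(log):
    """Yield (code, detail) for each HijackThis-style entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log):
    """Return [(code, reason, subject)] for entries worth a manual look."""
    findings = []
    for code, detail in parse(log):
        if code in ("R0", "R1"):
            key, sep, value = detail.partition("=")
            if sep and not value.strip():
                findings.append((code, "empty registry value", key.strip()))
        elif code == "O23":
            m = SERVICE.match(detail)
            if not m:  # unexpected layout: surface it rather than drop it
                findings.append((code, "unparsed service entry", detail))
                continue
            flags = {"unknown owner": m["owner"] == "Unknown owner",
                     "file missing": bool(m["missing"])}
            reasons = [name for name, hit in flags.items() if hit]
            if reasons:
                findings.append((code, ", ".join(reasons), m["path"]))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```
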
toocrazy007, Author, Commented:
I already have the Microsoft Antispyware removal tool, but it's not removing this.
Can you help me with another problem? I am getting this notification from my Symantec:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\WINNT\system32\remon.sys
Location:  Quarantine
Computer:  COAIND13
User:  Kallakuri Venkat
Action taken:  Quarantine succeeded : Access denied
Date found: Friday, May 05, 2006  8:42:41 PM

Can you help me in removing this!!

Will Szymkowski, Senior Solution Architect, Commented:
What you might want to do is download Windows Defender and run a scan on your computer to see if it detects it. Microsoft Antispyware is no longer used; the new beta is Defender. You may be lacking updates for Antispyware.

Here is where you can download it.

Hope this helps. Keep us updated.
Will Szymkowski, Senior Solution Architect, Commented:
Also, what anti-virus are you using? If you don't have Norton 2005 I would suggest it. You can get a free 6 month trial from Google Pack Downloader.


When you go to this site, just pick add/remove programs that you want. You can uncheck all of the Google tools if you like, but just leave Norton 2005, then download and install.
Don't forget: Turn off System Restore (Control Panel -> System -> System Restore -> Turn off)...
Then clean the virus using anything. If Symantec is not cutting it, try housecall.antivirus.com
Good luck.
MS Removal tool is supposed to remove SDBot, which was the one that dropped that file remon.sys (it drops other files as well, not just remon.sys).

Do this to disable that file (credit to r-k). The file would be hidden, so you need to show hidden files and folders first.
(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)
(1) Right click on the file "C:\WINNT\system32\remon.sys"
 in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Repeat steps (1) to (4) for the other file
(6) Close all windows.
(7) Reboot.

And check for more rootkit-like hidden files in your system with Blacklight or Rootkit Revealer.
Download and save Blacklight to your desktop.
Double-click blbeta.exe, accept the agreement, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

Rootkit Revealer:

It would be cleaner and faster to back up all of your data and do a fresh install.
toocrazy007, Author, Commented:
This is the data in the log file:

05/22/06 16:54:24 [Info]: BlackLight Engine 1.0.36 initialized
05/22/06 16:54:24 [Info]: OS: 5.0 build 2195 (Service Pack 4)
05/22/06 16:54:24 [Note]: 7019 4
05/22/06 16:54:24 [Note]: 7005 0
05/22/06 16:54:26 [Note]: 7006 0
05/22/06 16:54:26 [Note]: 7011 1688
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:26 [Note]: 7026 0
05/22/06 16:54:35 [Note]: FSRAW library version 1.7.1015
05/22/06 16:55:08 [Note]: 7007 0
Blacklight did not find anything.
Does Symantec still alert you about the Spybot worm? Does it also give you the filepath and filename?
cool with me - gurutc
PAQed with no points refunded (of 250)

Community Support Moderator
Question has a verified solution.
