Jeeps Canada - Jeep Forums


TJim 10-01-2003 03:29 PM

OT: fake microsoft upgrade worm
 
OK, I know some of you know far more about this fake Microsoft security
update worm than I do. My neighbor didn't stop to think and installed it on
her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
asking for a bunch of email information. Her Norton Antivirus won't run,
the computer locks up if I try to boot into Safe Mode, and regedit won't
run. She is running win98se. I checked on several AV sites and there were
some removal tools available, but I'm not sure exactly which worm this is.
Is there some way of determining the name of the worm? Is there any way to
boot into a safe condition so I can fix the registry? What's my best
approach here?
Thanks in advance.
--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98






Joe 10-01-2003 03:44 PM

Re: fake microsoft upgrade worm
 
I think it's the w32.swen virus. If that isn't listed download the most
recent "fixer" and try that.
In all seriousness, I'd format and reinstall Windows XP...
I'm about to do that to my work computer. I rebuild it just about yearly to
keep it running smoothly (I should just move to Linux but am too lazy).



"TJim" <jim@ranlet.nospam.com> wrote in message
news:3YSdnYepXo-ttuaiU-KYgA@comcast.com...
> OK, I know some of you know far more about this fake Microsoft security
> update worm than I do. My neighbor didn't stop to think and installed it on
> her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> asking for a bunch of email information. Her Norton Antivirus won't run,
> the computer locks up if I try to boot into Safe Mode, and regedit won't
> run. She is running win98se. I checked on several AV sites and there were
> some removal tools available, but I'm not sure exactly which worm this is.
> Is there some way of determining the name of the worm? Is there any way to
> boot into a safe condition so I can fix the registry? What's my best
> approach here?
> Thanks in advance.
> --
> Jim
> 98 TJ SE
> 90 SJ GW
> http://www.delawareja.com/gallery/JDJeep98








TJim 10-01-2003 03:50 PM

Re: fake microsoft upgrade worm
 
It's not my computer. I may have to reinstall 98 for her, but I want to try
one of the removal tools first.
--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98

"Joe" <me@privacy.net (jo_ratner@yahoo.com)> wrote in message
news:blfard$bf9tc$1@ID-207166.news.uni-berlin.de...
> I think it's the w32.swen virus. If that isn't listed download the most
> recent "fixer" and try that.
> In all seriousness, I'd format and reinstall Windows XP...
> I'm about to do that to my work computer. I rebuild it just about yearly to
> keep it running smoothly (I should just move to Linux but am too lazy).
>
> "TJim" <jim@ranlet.nospam.com> wrote in message
> news:3YSdnYepXo-ttuaiU-KYgA@comcast.com...
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
> > --
> > Jim
> > 98 TJ SE
> > 90 SJ GW
> > http://www.delawareja.com/gallery/JDJeep98








Lon Stowell 10-01-2003 04:09 PM

Re: OT: fake microsoft upgrade worm
 
Approximately 10/1/03 12:29, TJim uttered for posterity:

> OK, I know some of you know far more about this fake Microsoft security
> update worm than I do. My neighbor didn't stop to think and installed it on
> her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> asking for a bunch of email information. Her Norton Antivirus won't run,
> the computer locks up if I try to boot into Safe Mode, and regedit won't
> run. She is running win98se. I checked on several AV sites and there were
> some removal tools available, but I'm not sure exactly which worm this is.
> Is there some way of determining the name of the worm? Is there any way to
> boot into a safe condition so I can fix the registry? What's my best
> approach here?
> Thanks in advance.


Sounds like W32.swen variant all right. It disables regedit and
antiviral software.

One of the quickest detects is to use Regedit to check this key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\

In that key all of the normal subkeys [which should look like
directories] have human readable names. If this was W32.swen,
it has probably put a random string subkey in the "explorer" key
with several contents. [use find key]

"Begbie" shouldn't be anywhere in your registry.

Of course you can't run regedit until you fix the registry key
that disables regedit. You can replace your current registry
with da0 [at which point all your software is de-installed
effectively, but you can then load the current registry and
edit the key that stops regedit....and then load *that*
registry... but this worm has pretty much trashed several
registry keys...

Symantec has a claimed removal tool, worth a shot.

Since there are two new ones as of yesterday, w32.swen is
no longer front page at www.symantec.com. You can search
for it with w32.swen and find the removal tool and the
details of why the tool may not be 100% effective....

Or try these:

<http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html>
tiny version: http://tinyurl.com/nu11

<http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html>
tiny version: http://tinyurl.com/o0u3
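
The check described in the post above, as an added example that is not part of the original thread: it compares the direct subkeys of the Explorer key in a suspect registry export against a known-clean one and lists every line that mentions "Begbie". It assumes REGEDIT4 text exports of both registries are available; the vowel-ratio test for "random-looking" names and the sample exports are constructed for illustration.

```python
import re

# Key named in the post; registry key names compare case-insensitively.
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
KEY_LINE = re.compile(r"^\[(.+)\]\s*$")

def explorer_subkeys(reg_text):
    """Map lowercased name -> name for direct subkeys of the Explorer key."""
    prefix = EXPLORER.lower() + "\\"
    found = {}
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(1).lower().startswith(prefix):
            name = m.group(1)[len(prefix):].split("\\")[0]
            found.setdefault(name.lower(), name)
    return found

def looks_random(name):
    """Heuristic (an assumption, tune it): one run of letters with few vowels."""
    vowels = sum(c in "aeiou" for c in name.lower())
    return name.isalpha() and len(name) >= 5 and vowels / len(name) < 0.25

def triage(suspect_text, baseline_text):
    """Return (subkeys absent from the clean baseline, lines mentioning 'Begbie')."""
    base = explorer_subkeys(baseline_text)
    extra = [(name, looks_random(name))
             for key, name in sorted(explorer_subkeys(suspect_text).items())
             if key not in base]
    hits, current = [], None
    for no, line in enumerate(suspect_text.splitlines(), 1):
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)          # remember the enclosing key
        if "begbie" in line.lower():
            hits.append((no, current))
    return extra, hits

# Constructed sample exports (not taken from a real infection).
BASELINE = "\n".join([
    "REGEDIT4", "",
    "[" + EXPLORER + "\\Shell Folders]",
    '"Common Desktop"="C:\\\\WINDOWS\\\\All Users\\\\Desktop"', "",
    "[" + EXPLORER + "\\Tips]", ""])
SUSPECT = BASELINE + "\n".join([
    "",
    "[" + EXPLORER + "\\qzxkvbtw]",
    '"ExampleValue"="Begbie sample value"', ""])

if __name__ == "__main__":
    extra, hits = triage(SUSPECT, BASELINE)
    for name, rnd in extra:
        print("extra subkey:", name, "(random-looking)" if rnd else "")
    for no, key in hits:
        print("'Begbie' at line", no, "under", key)
```
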



Mike Romain 10-01-2003 04:18 PM

Re: OT: fake microsoft upgrade worm
 
If you can get it online, you can have Symantec (Norton AV) do a scan
for you using Explorer and ActiveX to ID the trouble.

They are at http://www.symantec.com/avcenter/index.html

Otherwise a boot disk is your friend or a bootable CD to just fire it up
and cancel whatever the CD is to get into windoze or DOS mode maybe.

With a boot disk or CD, the virus won't load into memory.

Norton can be run from a command line if you know the path. You will
need to know the virus definitions path too and add it with a switch or
make an autoexec.bat file for its location with a path like
C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat
first, then the navw32.exe under its own path.

My Norton AV also came with a boot disk for this, but the bat file with
the definitions path has to be in there or it uses the old set on the
disk.

Hope this helps,

Mike
86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00
88 Cherokee 235 BFG AT's

TJim wrote:
>
> OK, I know some of you know far more about this fake Microsoft security
> update worm than I do. My neighbor didn't stop to think and installed it on
> her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> asking for a bunch of email information. Her Norton Antivirus won't run,
> the computer locks up if I try to boot into Safe Mode, and regedit won't
> run. She is running win98se. I checked on several AV sites and there were
> some removal tools available, but I'm not sure exactly which worm this is.
> Is there some way of determining the name of the worm? Is there any way to
> boot into a safe condition so I can fix the registry? What's my best
> approach here?
> Thanks in advance.
> --
> Jim
> 98 TJ SE
> 90 SJ GW
> http://www.delawareja.com/gallery/JDJeep98
>
> --
> Jim




TJim 10-01-2003 04:26 PM

Re: OT: fake microsoft upgrade worm
 
Thanks, guys. I knew I could count on you. I got Swen removal instructions
and the tool from Symantec and I plan to try that route. I printed your
instructions, too, Lon. Thanks again.

--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98


"Lon Stowell" <LonDot.Stowell@ComcastPeriod.Net> wrote in message
news:nwGeb.649673$Ho3.135101@sccrnsc03...
> Approximately 10/1/03 12:29, TJim uttered for posterity:
>
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
>
> Sounds like W32.swen variant all right. It disables regedit and
> antiviral software.
>
> One of the quickest detects is to use Regedit to check this key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\
>
> In that key all of the normal subkeys [which should look like
> directories] have human readable names. If this was W32.swen,
> it has probably put a random string subkey in the "explorer" key
> with several contents. [use find key]
>
> "Begbie" shouldn't be anywhere in your registry.
>
> Of course you can't run regedit until you fix the registry key
> that disables regedit. You can replace your current registry
> with da0 [at which point all your software is de-installed
> effectively, but you can then load the current registry and
> edit the key that stops regedit....and then load *that*
> registry... but this worm has pretty much trashed several
> registry keys...
>
> Symantec has a claimed removal tool, worth a shot.
>
> Since there are two new ones as of yesterday, w32.swen is
> no longer front page at www.symantec.com. You can search
> for it with w32.swen and find the removal tool and the
> details of why the tool may not be 100% effective....
>
> Or try these:
>
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html>
> tiny version: http://tinyurl.com/nu11
>
> <http://securityresponse.symantec.com...wen.a@mm.removal.tool.html>
> tiny version: http://tinyurl.com/o0u3





All times are GMT -4.