Jeeps Canada - Jeep Forums


TJim 10-01-2003 04:26 PM

Re: OT: fake microsoft upgrade worm
 
Thanks, guys. I knew I could count on you. I got Sven removal instructions
and the tool from Symantec and I plan to try that route. I printed your
instructions, too, Lon. Thanks again.

--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98


"Lon Stowell" <LonDot.Stowell@ComcastPeriod.Net> wrote in message
news:nwGeb.649673$Ho3.135101@sccrnsc03...
> Approximately 10/1/03 12:29, TJim uttered for posterity:
>
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
>
> Sounds like W32.swen variant all right. It disables regedit and
> antiviral software.
>
> One of the quickest detects is to use Regedit to check this key:
>
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\
>
> In that key all of the normal subkeys [which should look like
> directories] have human readable names. If this was W32.swen,
> it has probably put a random string subkey in the "explorer" key
> with several contents. [use find key]
>
> "Begbie" shouldn't be anywhere in your registry.
>
> Of course you can't run regedit until you fix the registry key
> that disables regedit. You can replace your current registry
> with da0 [at which point all your software is de-installed
> effectively, but you can then load the current registry and
> edit the key that stops regedit....and then load *that*
> registry... but this worm has pretty much trashed several
> registry keys...
>
> Symantec has a claimed removal tool, worth a shot.
>
> Since there are two new ones as of yesterday, w32.swen is
> no longer front page at www.symantec.com. You can search
> for it with w32.swen and find the removal tool and the
> details of why the tool may not be 100% effective....
>
> Or try these:
>
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html>
> tiny version: http://tinyurl.com/nu11
>
> <http://securityresponse.symantec.com...wen.a@mm.removal.tool.html>
> tiny version: http://tinyurl.com/o0u3
>
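
Added example, not part of the original thread: a sketch of the registry check Lon describes, run offline over REGEDIT4 text exports rather than inside Regedit. It lists subkeys directly under the explorer key that a known-clean export lacks and reports lines containing "Begbie"; the two sample exports, the subkey name `qzkvhwtr` and the value names are constructed, and having a clean export to compare against is an assumption.

```python
import re

# Key named in the post; registry paths are compared case-insensitively.
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
MARKER = "begbie"  # string the post says should not appear anywhere in the registry

def explorer_subkeys(reg_text):
    """Return {lowercased name: name as written} for immediate subkeys of EXPLORER."""
    found = {}
    prefix = EXPLORER.lower() + "\\"
    for line in reg_text.splitlines():
        m = re.fullmatch(r"\[(.+)\]", line.strip())  # section header: [full\key\path]
        if m and m.group(1).lower().startswith(prefix):
            name = m.group(1)[len(prefix):].split("\\")[0]
            found.setdefault(name.lower(), name)
    return found

def scan(suspect_text, baseline_text):
    """Compare a suspect export with a known-clean one (assumed to be available)."""
    base = explorer_subkeys(baseline_text)
    sus = explorer_subkeys(suspect_text)
    extra = sorted(orig for low, orig in sus.items() if low not in base)
    marker_lines = [n for n, line in enumerate(suspect_text.splitlines(), 1)
                    if MARKER in line.lower()]
    return {"unexpected_subkeys": extra, "marker_lines": marker_lines}

# Constructed sample exports (not taken from a real machine).
BASELINE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Desktop"="C:\\WINDOWS\\Desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced]
"""

SUSPECT = BASELINE + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\qzkvhwtr]
"constructed value"="Begbie placeholder"
"""

if __name__ == "__main__":
    report = scan(SUSPECT, BASELINE)
    print("Subkeys not in the clean baseline:", report["unexpected_subkeys"])
    print("Lines containing the marker string:", report["marker_lines"])
```

A subkey missing from the baseline is only a lead to inspect by hand, since legitimately installed software also adds keys under explorer.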




Carlo Jr. 10-02-2003 12:33 AM

Re: OT: fake microsoft upgrade worm
 
http://www.grisoft.com/us/us_index.php

try this - it is supposed to be as good ( I have been told that it is
better) than Symantec...........& it's free

--
Carlo F. Serusa, Jr. RPh
carlo.jr at comcast.net
'98 Sahara TJ - '89 YJ - '79 Scout II
O|||||||O
'92 Explorer '65 Mustang


"Mike Romain" <romainm@sympatico.ca> wrote in message
news:3F7B36A5.6DF3B394@sympatico.ca...
> If you can get it online, you can have Symantec (Norton AV) do a scan
> for you using explorer and active x to ID the trouble.
>
> They are at http://www.symantec.com/avcenter/index.html
>
> Otherwise a boot disk is your friend or a bootable CD to just fire it up
> and cancel whatever the CD is to get into windoze or DOS mode maybe.
>
> With a boot disk or CD, the virus won't load into memory.
>
> Norton can be run from a command line if you know the path. You will
> need to know the virus definitions path too and add it with a switch or
> make an autoexec.bat file for its location with a path like
> C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat
> first, then the navw32.exe under its own path.
>
> My Norton AV also came with a boot disk for this, but the bat file with
> the definitions path has to be in there or it uses the old set on the
> disk.
>
> Hope this helps,
>
> Mike
> 86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00
> 88 Cherokee 235 BFG AT's
>
> TJim wrote:
> >
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
> > --
> > Jim
> > 98 TJ SE
> > 90 SJ GW
> > http://www.delawareja.com/gallery/JDJeep98
> >
> > --
> > Jim




L.W.(ßill) Hughes III 10-02-2003 02:05 AM

Re: OT: fake microsoft upgrade worm
 
Oh, so that's what the icon is in my tray. Thanks for the reminder.
God Bless America, ßill O|||||||O
mailto:-------------------- http://www.----------.com/

"Carlo Jr." wrote:
>
> http://www.grisoft.com/us/us_index.php
>
> try this - it is supposed to be as good ( I have been told that it is
> better) than Symantec...........& it's free
>
> --
> Carlo F. Serusa, Jr. RPh
> carlo.jr at comcast.net
> '98 Sahara TJ - '89 YJ - '79 Scout II
> O|||||||O
> '92 Explorer '65 Mustang


TJim 10-02-2003 08:42 AM

Re: OT: fake microsoft upgrade worm
 
Thanks, everyone, for all your input. I have absolutely identified the worm
as Swen. I downloaded both AVG's and Symantec's Swen removal tools and
write-ups and will be treating the patient today. I knew it was one of the
new worms, it was the identification I was having trouble with. There seem
to be so many recently, sometimes it's hard to keep track. ;-)

--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98


"Carlo Jr." <carlo.jr@comcast.net> wrote in message
news:jUNeb.650678$YN5.502546@sccrnsc01...
> http://www.grisoft.com/us/us_index.php
>
> try this - it is supposed to be as good ( I have been told that it is
> better) than Symantec...........& it's free
>
> --
> Carlo F. Serusa, Jr. RPh
> carlo.jr at comcast.net
> '98 Sahara TJ - '89 YJ - '79 Scout II
> O|||||||O
> '92 Explorer '65 Mustang
>
>
> "Mike Romain" <romainm@sympatico.ca> wrote in message
> news:3F7B36A5.6DF3B394@sympatico.ca...
> > If you can get it online, you can have Symantec (Norton AV) do a scan
> > for you using explorer and active x to ID the trouble.
> >
> > They are at http://www.symantec.com/avcenter/index.html
> >
> > Otherwise a boot disk is your friend or a bootable CD to just fire it up
> > and cancel whatever the CD is to get into windoze or DOS mode maybe.
> >
> > With a boot disk or CD, the virus won't load into memory.
> >
> > Norton can be run from a command line if you know the path. You will
> > need to know the virus definitions path too and add it with a switch or
> > make an autoexec.bat file for its location with a path like
> > C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat
> > first, then the navw32.exe under its own path.
> >
> > My Norton AV also came with a boot disk for this, but the bat file with
> > the definitions path has to be in there or it uses the old set on the
> > disk.
> >
> > Hope this helps,
> >
> > Mike
> > 86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00
> > 88 Cherokee 235 BFG AT's
> >
> > TJim wrote:
> > >
> > > OK, I know some of you know far more about this fake Microsoft security
> > > update worm than I do. My neighbor didn't stop to think and installed it on
> > > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > > asking for a bunch of email information. Her Norton Antivirus won't run,
> > > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > > run. She is running win98se. I checked on several AV sites and there were
> > > some removal tools available, but I'm not sure exactly which worm this is.
> > > Is there some way of determining the name of the worm? Is there any way to
> > > boot into a safe condition so I can fix the registry? What's my best
> > > approach here?
> > > Thanks in advance.
> > > --
> > > Jim
> > > 98 TJ SE
> > > 90 SJ GW
> > > http://www.delawareja.com/gallery/JDJeep98
> > >
> > > --
> > > Jim

>
>




Carlo Jr. 10-03-2003 02:27 PM

Re: OT: fake microsoft upgrade worm
 
speaking of which................I see some posts/email with the little
message at the bottom that it has been scanned by grisoft & safe. Does that
only come after you pay for it?

--
Carlo F. Serusa, Jr. RPh
carlo.jr at comcast.net
'98 Sahara TJ - '89 YJ - '79 Scout II
O|||||||O
'92 Explorer '65 Mustang


"L.W. (ßill) ------ III" <----------@cox.net> wrote in message
news:3F7BBF65.9530DB20@cox.net...
> Oh, so that's what the icon is in my tray. Thanks for the reminder.
> God Bless America, ßill O|||||||O
> mailto:-------------------- http://www.----------.com/
>
> "Carlo Jr." wrote:
> >
> > http://www.grisoft.com/us/us_index.php
> >
> > try this - it is supposed to be as good ( I have been told that it is
> > better) than Symantec...........& it's free
> >
> > --
> > Carlo F. Serusa, Jr. RPh
> > carlo.jr at comcast.net
> > '98 Sahara TJ - '89 YJ - '79 Scout II
> > O|||||||O
> > '92 Explorer '65 Mustang




All times are GMT -4.