OT: fake microsoft upgrade worm
#11
Guest
Posts: n/a
Re: OT: fake microsoft upgrade worm
Thanks, guys. I knew I could count on you. I got Swen removal instructions
and the tool from Symantec and I plan to try that route. I printed your
instructions, too, Lon. Thanks again.
--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98
"Lon Stowell" <LonDot.Stowell@ComcastPeriod.Net> wrote in message
news:nwGeb.649673$Ho3.135101@sccrnsc03...
> Approximately 10/1/03 12:29, TJim uttered for posterity:
>
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
>
> Sounds like W32.swen variant all right. It disables regedit and
> antiviral software.
>
> One of the quickest detects is to use Regedit to check this key:
>
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\
>
> In that key all of the normal subkeys [which should look like
> directories] have human readable names. If this was W32.swen,
> it has probably put a random string subkey in the "explorer" key
> with several contents. [use find key]
>
> "Begbie" shouldn't be anywhere in your registry.
>
> Of course you can't run regedit until you fix the registry key
> that disables regedit. You can replace your current registry
> with da0 [at which point all your software is de-installed
> effectively, but you can then load the current registry and
> edit the key that stops regedit....and then load *that*
> registry... but this worm has pretty much trashed several
> registry keys...
>
> Symantec has a claimed removal tool, worth a shot.
>
> Since there are two new ones as of yesterday, w32.swen is
> no longer front page at www.symantec.com. You can search
> for it with w32.swen and find the removal tool and the
> details of why the tool may not be 100% effective....
>
> Or try these:
>
> <http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html>
> tiny version: http://tinyurl.com/nu11
>
> <http://securityresponse.symantec.com...wen.a@mm.removal.tool.html>
> tiny version: http://tinyurl.com/o0u3
>
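The registry check Lon describes in the quoted reply, as an added example that is not part of any post in this thread: a Python script that runs over a REGEDIT4 text export instead of the live regedit UI, lists subkeys of the `explorer` key that a clean baseline does not have, and searches the whole export for "Begbie". It assumes such an export has been obtained; the baseline names, the subkey name `qzkxvbtr` and the sample export are constructed for illustration.

```python
import re

EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
MARKER = "begbie"  # per the post, this string should appear nowhere in the registry

# Constructed baseline: subkey names as recorded from a hypothetical clean machine.
BASELINE_SUBKEYS = {"advanced", "desktop", "shell folders", "user shell folders"}

# Constructed sample export (REGEDIT4 text format), not taken from a real infection.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced]
"Example"="constructed"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Desktop"="C:\\WINDOWS\\All Users\\Desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\qzkxvbtr]
"Placeholder A"="constructed"
"Placeholder B"="Begbie"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="constructed"
'''

# "name"=data or @=data; the name may itself contain '=' or escaped quotes.
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: [(value_name, raw_data), ...]} from REGEDIT4 text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # hex data continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current].append((m.group(1).strip('"'), m.group(2)))
    return keys


def unexpected_subkeys(keys, parent=EXPLORER_KEY, baseline=BASELINE_SUBKEYS):
    """Immediate subkeys of `parent` missing from the baseline -> number of values."""
    prefix = parent.lower() + "\\"
    found = {}
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        child = path[len(prefix):].split("\\", 1)[0]
        if child.lower() not in baseline:
            found[child] = found.get(child, 0) + len(values)
    return found


def marker_hits(keys, marker=MARKER):
    """(key_path, value_name) for every key, value name or data containing the marker.

    value_name is None when the key path itself matched. Data exported as hex
    is compared as exported, so a marker stored in binary form is not found.
    """
    hits = []
    for path, values in keys.items():
        if marker in path.lower():
            hits.append((path, None))
        for name, data in values:
            if marker in name.lower() or marker in data.lower():
                hits.append((path, name))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for name, count in unexpected_subkeys(parsed).items():
        print(f"subkey not in baseline: {name} ({count} values)")
    for path, value in marker_hits(parsed):
        print(f"marker found: {path} -> {value}")
```

A subkey flagged here is only a lead: the baseline has to come from a clean install of the same Windows version, otherwise legitimate subkeys will be reported too.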
#12
Guest
Posts: n/a
Re: OT: fake microsoft upgrade worm
http://www.grisoft.com/us/us_index.php
try this - it is supposed to be as good ( I have been told that it is
better) than Symantec...........& it's free
--
Carlo F. Serusa, Jr. RPh
carlo.jr at comcast.net
'98 Sahara TJ - '89 YJ - '79 Scout II
O|||||||O
'92 Explorer '65 Mustang
"Mike Romain" <romainm@sympatico.ca> wrote in message
news:3F7B36A5.6DF3B394@sympatico.ca...
> If you can get it online, you can have Symantec (Norton AV) do a scan
> for you using explorer and active x to ID the trouble.
>
> They are at http://www.symantec.com/avcenter/index.html
>
> Otherwise a boot disk is your friend or a bootable CD to just fire it up
> and cancel whatever the CD is to get into windoze or DOS mode maybe.
>
> With a boot disk or CD, the virus won't load into memory.
>
> Norton can be run from a command line if you know the path. You will
> need to know the virus definitions path too and add it with a switch or
> make an autoexec.bat file for its location with a path like
> C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat
> first, then the navw32.exe under its own path.
>
> My Norton AV also came with a boot disk for this, but the bat file with
> the definitions path has to be in there or it uses the old set on the
> disk.
>
> Hope this helps,
>
> Mike
> 86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00
> 88 Cherokee 235 BFG AT's
>
> TJim wrote:
> >
> > OK, I know some of you know far more about this fake Microsoft security
> > update worm than I do. My neighbor didn't stop to think and installed it on
> > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > asking for a bunch of email information. Her Norton Antivirus won't run,
> > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > run. She is running win98se. I checked on several AV sites and there were
> > some removal tools available, but I'm not sure exactly which worm this is.
> > Is there some way of determining the name of the worm? Is there any way to
> > boot into a safe condition so I can fix the registry? What's my best
> > approach here?
> > Thanks in advance.
> > --
> > Jim
> > 98 TJ SE
> > 90 SJ GW
> > http://www.delawareja.com/gallery/JDJeep98
> >
> > --
> > Jim
#14
Guest
Posts: n/a
Re: OT: fake microsoft upgrade worm
Oh, so that's what the icon is in my tray. Thanks for the reminder.
God Bless America, ßill O|||||||O
mailto:-------------------- http://www.----------.com/
"Carlo Jr." wrote:
>
> http://www.grisoft.com/us/us_index.php
>
> try this - it is supposed to be as good ( I have been told that it is
> better) than Symantec...........& it's free
>
> --
> Carlo F. Serusa, Jr. RPh
> carlo.jr at comcast.net
> '98 Sahara TJ - '89 YJ - '79 Scout II
> O|||||||O
> '92 Explorer '65 Mustang
#16
Guest
Posts: n/a
Re: OT: fake microsoft upgrade worm
Thanks, everyone, for all your input. I have absolutely identified the worm
as Swen. I downloaded both AVG's and Symantec's Swen removal tools and
write-ups and will be treating the patient today. I knew it was one of the
new worms, it was the identification I was having trouble with. There seem
to be so many recently, sometimes it's hard to keep track. ;-)
--
Jim
98 TJ SE
90 SJ GW
http://www.delawareja.com/gallery/JDJeep98
"Carlo Jr." <carlo.jr@comcast.net> wrote in message
news:jUNeb.650678$YN5.502546@sccrnsc01...
> http://www.grisoft.com/us/us_index.php
>
> try this - it is supposed to be as good ( I have been told that it is
> better) than Symantec...........& it's free
>
> --
> Carlo F. Serusa, Jr. RPh
> carlo.jr at comcast.net
> '98 Sahara TJ - '89 YJ - '79 Scout II
> O|||||||O
> '92 Explorer '65 Mustang
>
>
> "Mike Romain" <romainm@sympatico.ca> wrote in message
> news:3F7B36A5.6DF3B394@sympatico.ca...
> > If you can get it online, you can have Symantec (Norton AV) do a scan
> > for you using explorer and active x to ID the trouble.
> >
> > They are at http://www.symantec.com/avcenter/index.html
> >
> > Otherwise a boot disk is your friend or a bootable CD to just fire it up
> > and cancel whatever the CD is to get into windoze or DOS mode maybe.
> >
> > With a boot disk or CD, the virus won't load into memory.
> >
> > Norton can be run from a command line if you know the path. You will
> > need to know the virus definitions path too and add it with a switch or
> > make an autoexec.bat file for its location with a path like
> > C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat
> > first, then the navw32.exe under its own path.
> >
> > My Norton AV also came with a boot disk for this, but the bat file with
> > the definitions path has to be in there or it uses the old set on the
> > disk.
> >
> > Hope this helps,
> >
> > Mike
> > 86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00
> > 88 Cherokee 235 BFG AT's
> >
> > TJim wrote:
> > >
> > > OK, I know some of you know far more about this fake Microsoft security
> > > update worm than I do. My neighbor didn't stop to think and installed it on
> > > her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and
> > > asking for a bunch of email information. Her Norton Antivirus won't run,
> > > the computer locks up if I try to boot into Safe Mode, and regedit won't
> > > run. She is running win98se. I checked on several AV sites and there were
> > > some removal tools available, but I'm not sure exactly which worm this is.
> > > Is there some way of determining the name of the worm? Is there any way to
> > > boot into a safe condition so I can fix the registry? What's my best
> > > approach here?
> > > Thanks in advance.
> > > --
> > > Jim
> > > 98 TJ SE
> > > 90 SJ GW
> > > http://www.delawareja.com/gallery/JDJeep98
> > >
> > > --
> > > Jim
>
>
#18
Guest
Posts: n/a
Re: OT: fake microsoft upgrade worm
speaking of which................I see some posts/email with the little
message at the bottom that it has been scanned by grisoft & safe. Does that
only come after you pay for it?
--
Carlo F. Serusa, Jr. RPh
carlo.jr at comcast.net
'98 Sahara TJ - '89 YJ - '79 Scout II
O|||||||O
'92 Explorer '65 Mustang
"L.W. (ßill) ------ III" <----------@***.net> wrote in message
news:3F7BBF65.9530DB20@***.net...
> Oh, so that's what the icon is in my tray. Thanks for the reminder.
> God Bless America, ßill O|||||||O
> mailto:-------------------- http://www.----------.com/
>
> "Carlo Jr." wrote:
> >
> > http://www.grisoft.com/us/us_index.php
> >
> > try this - it is supposed to be as good ( I have been told that it is
> > better) than Symantec...........& it's free
> >
> > --
> > Carlo F. Serusa, Jr. RPh
> > carlo.jr at comcast.net
> > '98 Sahara TJ - '89 YJ - '79 Scout II
> > O|||||||O
> > '92 Explorer '65 Mustang