Q: removing swen virus ( Answered,   1 Comment )
Question  
Subject: removing swen virus
Category: Computers > Security
Asked by: norco1-ga
List Price: $5.00
Posted: 27 Nov 2003 07:49 PST
Expires: 27 Dec 2003 07:49 PST
Question ID: 281132
unable to remove swen virus. scans do not detect virus for removal.
removal tools ineffective with dos command prompt. please advise

Request for Question Clarification by endo-ga on 27 Nov 2003 08:02 PST
Hi,

Have you tried the following tool and carefully followed the instructions?

W32.Swen.A@mm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html

Thanks.
endo

Request for Question Clarification by hummer-ga on 27 Nov 2003 08:44 PST
Hi norco,

Try HouseCall, a free web-based virus scan - it really is very thorough. 

http://housecall.trendmicro.com/

Good luck,
hummer
Answer  
Subject: Re: removing swen virus
Answered By: legolas-ga on 27 Nov 2003 09:04 PST
 
Hi norco1-ga,

It is possible that the virus executable has been deleted. That would
normally cause the Symantec removal tool to fail. However, there is
still hope.

"W32.Swen.A@mm has already been quarantined or deleted"
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
"If your Symantec antivirus product has already detected and then
quarantined or deleted W32.Swen.A@mm, you will not be able to run the
.exe, .com, and other executable files. Follow the instructions for
your operating system.

For Windows 95/98 
Restart the computer. 
Do one of the following: 
Windows 95: When "Starting Windows 95..." appears on the screen, press
F8. The Windows 95 Startup Menu appears.
Windows 98: As the computer restarts, press and hold down the Ctrl key
until the Windows 98 Startup Menu appears.


--------------------------------------------------------------------------------
Note: On some computers, a keyboard or other error may appear during
restart as you hold down the Ctrl key. If this happens, then follow
the prompts to press a key to continue (for example, the message may
prompt you to press the Esc key), then immediately press the Ctrl key
again.
--------------------------------------------------------------------------------


Select "Command Prompt only." 


Type the following and press Enter after typing each line:

cd\
cd windows
edit repair.reg

The DOS text editor opens.


Type the following lines into the DOS text editor exactly as shown here:

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""


Press Alt and F at the same time to access the File menu, and then
press X to exit the DOS text editor. When prompted, press Enter to
confirm that you want to save the file. This returns you to the
command prompt.


Type the following and press Enter after typing each line. You must
type them exactly as shown here:

regedit /e backup.reg  hkey_classes_root\exefile
regedit /d hkey_classes_root\exefile\shell\open\command
regedit /d hkey_classes_root\regfile\shell\open\command
regedit repair.reg


Restart the computer.


Download and run the W32.Swen.A@mm Removal Tool. Complete instructions
are in the W32.Swen.A@mm Removal Tool document.


After the tool has run, update the virus definitions. Symantec
Security Response fully tests all the virus definitions for quality
assurance before they are posted to our servers. There are two ways to
obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate
servers once each week (usually on Wednesdays), unless there is a
major virus outbreak. To determine whether definitions for this threat
are available by LiveUpdate, refer to the Virus Definitions
(LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To
determine whether definitions for this threat are available by the
Intelligent Updater, refer to the Virus Definitions (Intelligent
Updater).

The Intelligent Updater virus definitions are available: Read "How to
update virus definition files using the Intelligent Updater" for
detailed instructions.


Run a full system scan. 
Start your Symantec antivirus program and make sure that it is
configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to
configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to
verify that a Symantec Corporate antivirus product is set to scan all
files."
Run a full system scan. 
If any files are detected as infected with W32.Swen.A@mm, click Delete.


For Windows Me
To perform this procedure on Windows Me, you must have a Windows Me
boot disk. If you cannot locate the Me boot disk that came with your
computer, you may be able to obtain one from the PC vendor or a local
computer store.

Insert the Windows Me boot disk in the floppy disk drive and restart
the computer. The computer opens to a MS-DOS prompt.


Type the following and then press Enter after typing each line:

c:
cd\
cd windows
edit repair.reg

The DOS text editor opens.


Type the following lines into the DOS text editor exactly as shown here:

REGEDIT4

[Hkey_classes_root\exefile\shell\open\command]
@="\"%1\" %*"

[Hkey_classes_root\regfile\shell\open\command]
@="regedit.exe \"%1\""


Press Alt and F at the same time to access the File menu, and then
press X to exit the DOS text editor. When prompted, press Enter to
confirm that you want to save the file. This returns you to the
command prompt.


Type the following and then press Enter after typing each line. You
must type them exactly as shown here:

regedit /e backup.reg  hkey_classes_root\exefile
regedit /d hkey_classes_root\exefile\shell\open\command
regedit /d hkey_classes_root\regfile\shell\open\command
regedit repair.reg


Restart the computer.


Download and run the W32.Swen.A@mm Removal Tool. Complete instructions
are in the W32.Swen.A@mm Removal Tool document.


After the tool has run, update the virus definitions. Symantec
Security Response fully tests all the virus definitions for quality
assurance before they are posted to our servers. There are two ways to
obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate
servers once each week (usually on Wednesdays), unless there is a
major virus outbreak. To determine whether definitions for this threat
are available by LiveUpdate, refer to the Virus Definitions
(LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To
determine whether definitions for this threat are available by the
Intelligent Updater, refer to the Virus Definitions (Intelligent
Updater).

The Intelligent Updater virus definitions are available: Read "How to
update virus definition files using the Intelligent Updater" for
detailed instructions.


Run a full system scan. 
Start your Symantec antivirus program and make sure that it is
configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to
configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to
verify that a Symantec Corporate antivirus product is set to scan all
files."
Run a full system scan. 
If any files are detected as infected with W32.Swen.A@mm, click Delete.


For Windows NT/2000/XP 
Download the W32.Swen.A@mm Removal Tool and begin to follow the
instructions in the W32.Swen.A@mm Removal Tool document. However, when
you get to step 5, which instructs you to "Double-click the
FixSwen.exe file," stop. Do not double-click the file. Instead:
Right-click the downloaded FixSwen.exe file, and then click Rename. 
Rename the file to:

FixSwen.cmd


When you are asked whether you want to change the file extension, click Yes. 
Double-click the FixSwen.cmd file and continue with the steps in the
Removal Tool document.


After the tool has run, update the virus definitions. Symantec
Security Response fully tests all the virus definitions for quality
assurance before they are posted to our servers. There are two ways to
obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus
definitions: These virus definitions are posted to the LiveUpdate
servers once each week (usually on Wednesdays), unless there is a
major virus outbreak. To determine whether definitions for this threat
are available by LiveUpdate, refer to the Virus Definitions
(LiveUpdate).
Downloading the definitions using the Intelligent Updater: The
Intelligent Updater virus definitions are posted on U.S. business days
(Monday through Friday). You should download the definitions from the
Symantec Security Response Web site and manually install them. To
determine whether definitions for this threat are available by the
Intelligent Updater, refer to the Virus Definitions (Intelligent
Updater).

The Intelligent Updater virus definitions are available: Read "How to
update virus definition files using the Intelligent Updater" for
detailed instructions.


Run a full system scan. 
Start your Symantec antivirus program and make sure that it is
configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to
configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to
verify that a Symantec Corporate antivirus product is set to scan all
files."
Run a full system scan. 
If any files are detected as infected with W32.Swen.A@mm, click Delete.
"

***

You may also be interested in a FREE Virus Scanner (that is quite good
too!). It's called AVG Anti-Virus and you can find it here:
http://www.grisoft.com/us/us_index.php

To directly download the product, see this link:
"Get Your AVG for free!"
http://www.grisoft.com/us/us_dwnl_free.php

I hope this helps you remove the virus. If any part is unclear, then
please don't hesitate to post a request for clarification prior to
rating and closing this question.

Legolas-ga

Search used (Google):
free virus scanner

on SARC.com:
swen

Request for Answer Clarification by norco1-ga on 27 Nov 2003 18:11 PST
the dos file (fixSwen.cmd)  opens in a blur and cuts out. please advise

Clarification of Answer by legolas-ga on 27 Nov 2003 19:46 PST
I really need more information for me to help you out given you still
have an error message. I need you to provide me with the Operating
System version you are using, and the EXACT TEXT of any error
messages. Do NOT abbreviate or simplify in ANY WAY the error message.

Thanks,

Legolas-ga

Request for Answer Clarification by norco1-ga on 28 Nov 2003 06:50 PST
os is xp. dos command message for entered data: 'not recognized as
internal or external command, operable program or batch file'.

Clarification of Answer by legolas-ga on 28 Nov 2003 11:10 PST
Go ahead and re-download the swen removal tool. Then, follow the
instructions to rename the file, etc.. More than likely, when you
first ran it as an 'exe' file, the virus corrupted the executable
file. Also, ensure that your System Restore is TURNED OFF.

** Instructions (from
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html
Windows NT/2000/XP: Download the tool as described in the following
steps. However, rename the tool to use the .cmd extension as described
in the Note in step 5, below.

Note: You must have administrative rights to run this tool on Windows
NT 4.0, Windows 2000, or Windows XP.

   1. Download the FixSwen.exe file from:
http://www.symantec.com/avcenter/FixSwen.exe.
   2. Save the file to a convenient location, such as your downloads
folder or the Windows desktop (or removable media known to be
uninfected).
   3. To check the authenticity of the digital signature, refer to the
"Digital signature" section later in this writeup.
   4. If you are running Windows Me or XP, then disable System
Restore. Refer to the "System Restore option in Windows Me/XP" section
later in this writeup for further details.

      Note: This is done as a precaution to prevent the worm from
accidentally being restored at a later date or from being detected by
a scan. However, due to the changes that the worm makes to the
registry, you may not be able to do this at this time. If you cannot,
skip this for now. We recommend, however, that you do so after you
have restored access to your system; doing so, will empty the System
Restore folder and prevent possible future problems.
   5. Double-click the FixSwen.exe file to start the removal tool.

      Note: If the worm has already executed, and you have deleted or
quarantined the worm's files using your Symantec antivirus product,
the tool will not run due to the changes made to the registry. (On
Windows 95/98/Me systems, you may see a message that Windows cannot
find a <randomly-named> file.)

      -- If this happens on Windows 95/98/Me, stop here and follow the
instructions of the "W32.Swen.A@mm has already been quarantined or
deleted" section in the Removal section of the W32.A.Swen@mm writeup.

      -- If this happens on a Windows NT/2000/XP system, follow these
additional steps and then continue with step 6.

      a. Start Windows Explorer.
      b. Click View > Options (Windows NT) or Tools > Folder Options
(Windows 2000/XP).
      c. Click the View tab.
      d. Uncheck "Hide file extensions for known file types." Click
Yes if you see a warning dialog box.
      e. Click Apply, and then click OK.
      f. Right-click the FixSwen.exe file, and then click Rename.
Rename it to FixSwen.cmd. Confirm the renaming, if prompted.
      g. Double-click the FixSwen.cmd file, and then continue with the steps.

   6. Click Start to begin the process, and then allow the tool to run.
   7. Restart the computer.
   8. Run the removal tool again to ensure that the system is clean.
   9. If you are running Windows Me/XP, then re-enable System Restore.
  10. Run LiveUpdate to make sure that you are using the most current
virus definitions.


Note: The removal procedure may not be successful if Windows Me/XP
System Restore is not disabled as previously directed, because Windows
prevents outside programs from modifying System Restore.

When the tool has finished running, you will see a message indicating
whether W32.Swen.A@mm infected the computer. In the case of a worm
removal, the program displays the following results:

    * Total number of the scanned files
    * Number of deleted files
    * Number of terminated viral processes
    * Number of fixed registry entries

Hope this helps

Legolas-ga

Request for Answer Clarification by norco1-ga on 29 Nov 2003 17:57 PST
legolas:  step g:  can't open fixSwen.cmd file. file opens momentarily, then closes.

Clarification of Answer by legolas-ga on 29 Nov 2003 19:20 PST
Please right click on the icon for the fixswen.cmd file and go to
"Properties". Tell me what the "Type of File" is.

Thanks,

Legolas-ga

Request for Answer Clarification by norco1-ga on 30 Nov 2003 07:39 PST
Windows NT Command Script

Clarification of Answer by legolas-ga on 30 Nov 2003 08:21 PST
How do you know that you have swen vs. another virus? If you try
running the removal tool with an .exe extension, does it then work?

Legolas-ga

Request for Answer Clarification by norco1-ga on 30 Nov 2003 13:12 PST
i know it's swen because a)  my scan names the virus  b)  my e-mail
problem is exactly the way swen works. tried exe w/o success.

Clarification of Answer by legolas-ga on 30 Nov 2003 14:23 PST
Don't know if it'll work, but, it's worth a shot:

Open a command prompt by going to "Start" then "Run" and typing 'cmd'
then hit enter.

Copy the fixswen.cmd file from wherever it is on your computer to the
ROOT directory of your harddrive. What I mean is, double click on 'My
Computer' then on 'C:\' and drag and drop the fixswen.cmd file to that
window.

Once done, go to the command prompt window, type:

cd c:\
cd \
fixswen.cmd

(each line should be typed separately, and an 'enter' should be after
each command is typed.)

Let me know if that works.

Legolas-ga

Request for Answer Clarification by norco1-ga on 01 Dec 2003 11:17 PST
thanks legolas. dropped file into c: root and able to open fixswen.
enter commands read files not recognized or cannot find path
specified. making progress but where do i go from here?

Clarification of Answer by legolas-ga on 01 Dec 2003 19:25 PST
I have an idea of what could be holding us up... Try double clicking
on the fixswen.cmd file on the C:\ (root) directory.. You might even
want to re-download the file and rename it again and put it in the C:\
directory (root). Then double click the icon.. That *should* work...
(we hope :) )

Legolas

Request for Answer Clarification by norco1-ga on 02 Dec 2003 07:24 PST
sorry legolas, file not recognized. what's next or is there a next?

Clarification of Answer by legolas-ga on 02 Dec 2003 08:38 PST
I'd bet there's another virus that modified where the .cmd files go to
execute (the same way swen modified the registry to change where .exe
files go...) There doesn't seem to be a solution without physically
laying hands on the system to manually edit the registry--and even
then, the solution would probably be to install a parallel copy of XP
to be able to open the registry. Such work is entirely outside the
scope of this question and has the VERY real possibility of VERY
undesirable effects.

My only good choice at this point is to advise you to backup, format
and restore your computer from the original CDs.

If you are not satisfied with this answer, I can ask for it to be
removed. In which case you will only be charged the 50cents listing
fee--and I will receive no compensation for this question--or, you can
simply leave it as is and repost another question if you desire to ask
about parallel XP installs and/or reformatting if you are unsure of
how to do such work.

Legolas-ga

Request for Answer Clarification by norco1-ga on 03 Dec 2003 11:37 PST
legolas: we gave it a good try but swen is mucho malicious. yes,
please provide info on reinstall etc.. what files would you recommend
for backup?

Clarification of Answer by legolas-ga on 03 Dec 2003 13:23 PST
As I stated, providing a howto on re-format and re-install is outside
the scope of this question. Since you seem satisfied that I have done
all that I can do to provide you with an answer on this question,
perhaps it would be more appropriate to ask a second question on 'how
to reformat and reinstall XP'. Quite frankly, this question is already
more involved than a typical $5 question (which is typically just a
link (or two) and some background information).

Thanks,

Legolas-ga
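
Added example, not part of the original thread and not Symantec's tool: a
check of the file-type "open" handlers that the quoted repair.reg restores,
run over registry export text such as the output of the regedit /e command
shown above. It assumes the export has already been decoded to text; the
batfile and cmdfile defaults and the placeholder.exe sample value are not
from the page (the sample export is constructed).

```python
import re

# Known-good default "open" handlers. The exefile and regfile values are the
# ones the quoted repair.reg restores; batfile and cmdfile are stock defaults.
EXPECTED = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
}

KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')  # the (Default) value line

# Constructed sample export: exefile is redirected through a placeholder
# program, cmdfile has no open command at all, the other two are intact.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[Hkey_classes_root\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''


def parse_open_commands(reg_text):
    """Return {progid: default open command} from REGEDIT4 export text."""
    commands, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current and (m := DEFAULT_RE.match(line)):
            # Undo .reg escaping: escaped quotes and backslashes become literal.
            commands[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return commands


def audit(reg_text):
    """Return {progid: (found, expected)} for each handler that deviates."""
    found = parse_open_commands(reg_text)
    return {
        progid: (found.get(progid), expected)
        for progid, expected in EXPECTED.items()
        if (found.get(progid) or "").strip().lower() != expected.lower()
    }


if __name__ == "__main__":
    for progid, (value, expected) in audit(SAMPLE_EXPORT).items():
        print(f"{progid}: found {value!r}, expected {expected!r}")
```

A handler reported with found None has no open command in the export, which
is the state left by the regedit /d commands before repair.reg is imported.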
Comments  
Subject: Re: removing swen virus
From: hummer-ga on 04 Dec 2003 05:13 PST
 
Hi norco1,

Have a look at this, perhaps it will help, it's worth a try.

HouseCall instructions for removal:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SWEN.A

Good luck,
hummer
