W32.Swen.A@mm Worm Removal instructions + New Removal Tool

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

NiteHawk

Thread Starter
Joined
Mar 9, 2003
Messages
4,699
The latest: Removal Tool from Symantec:

http://www.symantec.com/avcenter/venc/data/[email protected]


EDIT:
PLEASE NOTE: Since Symantec did a major change on how to handle this worm from their first instructions, (and my first post) I have totally modified this post, as of 0326 EDT Sept 20, 2003, to reflect those changes. This should avoid the problem that Alison had and was most likely the reason for Symantec's change.

You have been bitten by the latest worm, W32.Swen.A@mm, and want to know what to do and how to get rid of it.

We here at TSG want to make that process easier for you.

The following is a short(er) version of what can be found at Symantec's site.
http://www.symantec.ca/avcenter/venc/data/[email protected]

Please go to the above link and read and understand about the Swen worm first, then return and follow the short version.

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP

2. Modify the association for Registration Entries (.reg files).
3. Create a repair.reg file on the Desktop, and double-click the repair.reg file to fix the association settings for other file types.
4. Update the virus definitions.

5. Do one of the following:
a. Windows 95/98/Me: Restart the computer in Safe mode.
b. Windows NT/2000/XP: End the Trojan process.
6. Run a full system scan and delete all the files detected as W32.Swen.A@mm.
7. Remove the remaining values that refer to the worm file in the registry.

For specific details on each of these steps, read the following instructions.

2. Modify the association for Registration Entries (.reg files)
Double-click "My Computer" on the desktop. Then do one of the following:

Windows 95/98/Me: Choose View\Folder Options\File Types\Registration Entries\Edit\Merge (in the Actions part)\Edit, and modify "Application used to perform action" to the following:

Regedit.exe "%1"

Here are the step-by-step instructions:

Click on MY Computer > View > Folder Options

From the Folder Options window click on the FILE Types Tab scroll down to and highlight Registration Entries. Then click on Edit

In the Edit File Type window, highlight MERGE and click Edit again

In Application Used to Perform Action line edit the line to read Regedit.exe "%1"

Back out by clicking OK > Close > Close and Exit from My computer.

Windows NT/2000/XP: Choose Tools\Folder Options\File Types\REG Registration Entries\Change, then click "Registry Editor" in the "Open With" window.

NOTE: If Registry Editor is not in the list, click on the button "Other", then choose regedit.exe to open.

3. Create a repair.reg file on Desktop, double-click on repair.reg file to remove values from the registry key.

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

*************************************************
NOTE: I have done this next step for you. Download the attached file at the end that is named repair.txt and rename it repair.reg and save it to the root directory. (C:\ in most cases)
Once you have it renamed, do steps d and c.
*************************************************

Right-click on the Desktop and choose New/Text Document. A "New Text Document.txt" file is created on the Desktop.

Double-click on this file, an edit window appears. By default, Notepad.exe is used to open a .txt file.
Type, or copy and paste, the following text into the file:

REGEDIT4

; Re-enable the Registry Editor so the rest of the file (and step 7) can be applied
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

; Restore the default "open" command for the executable file types the worm hijacks:
; run the file itself ("%1") with its arguments (%*)
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
@="\"%1\" %*"

Note:
@="\"%1\" %*" is a list of the following characters:
at-equal-quote-backslash-quote-percent-one-backslash-quote-space-percent-asterisk-quote

a. Save the file on the Desktop as:

repair.reg
b. Exit the editor.
c. Double-click on the repair.reg.
d. A Registry Editor window asks "Are you sure you want to add the information in <Desktop>repair to the registry?"; click "Yes".

4. Updating the virus definitions

5. Restarting the computer in Safe mode or ending the Trojan process
Windows 95/98/Me
Restart the computer in Safe mode. How to start the computer in Safe Mode

Windows NT/2000/XP
To end the Trojan process:
a. Press Ctrl+Alt+Delete once.
b. Click Task Manager.
c. Click the Processes tab.
d. Double-click the Image Name column header to alphabetically sort the processes.
e. Scroll through the list and look for the randomly named value that the worm created.
f. If you find the file, click it, and then click End Process.
g. Exit the Task Manager.
6. Scanning for and deleting the infected files
a. Run a full system scan.
b. If any files are detected as infected with W32.Swen.A@mm, click Delete.
7. Deleting the remaining values from the registry

NOTE: If you don't know how to use REGEDIT or are not comfortable doing it, get one of the experienced members here to help you.

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit

Then click OK. (The Registry Editor opens.)
c. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
d. In the right pane, delete the randomly named value that the worm created.
e. Exit the Registry Editor.
 

Attachments
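The registry damage the steps above undo (the five shell\open\command values, DisableRegistryTools, and the Run entry) can be checked from a registry export before and after applying repair.reg. The following Python script is an added example; it is not part of the original post or of Symantec's procedure. It parses a REGEDIT4 export (the format regedit /e writes), flags open-command values that no longer read "%1" %*, lists Run entries for manual inspection, and emits a repair .reg containing only the values it found hijacked. The export embedded below and the worm file name qwzxv.exe in it are constructed for illustration, not data from a real infection.

```python
"""Audit a REGEDIT4 registry export for the damage the Swen removal steps
undo, then generate a minimal repair .reg for what was actually found.
Added example: the sample export below is constructed and the worm file
name (qwzxv.exe) is hypothetical."""
import re

# File types whose shell\open\command the removal steps reset.
WORM_FILE_TYPES = ("exefile", "batfile", "comfile", "piffile", "scrfile")
CLEAN_OPEN_COMMAND = '"%1" %*'
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# A value line is either  @=<data>  or  "name"=<data>  (quotes may be escaped).
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _normalize_key(key):
    """Lower-case a key path. HKEY_CLASSES_ROOT\\x is the same data as
    HKLM\\SOFTWARE\\Classes\\x, so both spellings map to one name."""
    key = key.strip()
    if key.lower().startswith("hkey_classes_root\\"):
        key = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\" + key.split("\\", 1)[1]
    return key.lower()


def _unquote(quoted):
    """Strip the surrounding quotes and undo REGEDIT4's backslash escaping."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_regedit4(text):
    """Return {normalized key: {value name: value}}; '@' is the default value."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _normalize_key(line[1:-1])
            tree.setdefault(current, {})
            continue
        match = _VALUE_RE.match(line)
        if current is None or not match:
            continue
        name, value = match.groups()
        name = "@" if name == "@" else _unquote(name)
        if value.startswith('"'):
            value = _unquote(value)
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        tree[current][name] = value
    return tree


def audit(tree):
    """Return (kind, subject, detail) findings for the Swen-style changes."""
    findings = []
    for ftype in WORM_FILE_TYPES:
        key = _normalize_key(
            f"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\{ftype}\\shell\\open\\command")
        command = tree.get(key, {}).get("@")
        # A missing key means the export did not cover it; do not guess.
        if command is not None and command.strip() != CLEAN_OPEN_COMMAND:
            findings.append(("hijacked_open_command", ftype, command))
    policy = tree.get(_normalize_key(POLICY_KEY), {})
    if policy.get("DisableRegistryTools") == 1:
        findings.append(("registry_tools_disabled", POLICY_KEY, 1))
    # Run entries cannot be judged automatically (the worm's name is random),
    # so every one is listed for the operator to inspect.
    for name, target in tree.get(_normalize_key(RUN_KEY), {}).items():
        findings.append(("run_entry", name, target))
    return findings


def build_repair_reg(findings):
    """Emit a REGEDIT4 file that resets only the values the audit flagged."""
    lines = ["REGEDIT4", ""]
    if any(kind == "registry_tools_disabled" for kind, _, _ in findings):
        lines += [f"[{POLICY_KEY}]", '"DisableRegistryTools"=dword:00000000', ""]
    for kind, ftype, _ in findings:
        if kind == "hijacked_open_command":
            lines += [f"[HKEY_LOCAL_MACHINE\\Software\\CLASSES\\{ftype}\\shell\\open\\command]",
                      '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)


# Constructed export: exefile and scrfile redirected to a hypothetical worm
# file, registry tools disabled, and a matching Run entry.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\qwzxv.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\qwzxv.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qwzxv"="C:\\WINDOWS\\qwzxv.exe"
'''

if __name__ == "__main__":
    found = audit(parse_regedit4(SAMPLE_EXPORT))
    for finding in found:
        print(*finding)
    print(build_repair_reg(found))
```

On a real machine, export the keys with regedit /e before and after merging repair.reg and run the audit on both exports: the first run should list the hijacked types and the policy value, the second should come back clean. The Run entries are deliberately only listed, not judged, because the worm's value name is random and only the operator can tell it from legitimate startup items.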

Joined
Dec 9, 2000
Messages
45,855
Try double clicking the repair.reg file; if you get a restriction message, use HijackThis and first check and fix the "DisableRegedit=1" entry.
 
Joined
Dec 9, 2000
Messages
45,855
Since this thread was first posted Symantec has changed its repair methods somewhat. Evidently the problem Alison encountered is the reason. Their current method requires that the file association for the .reg entries be changed through Folder Options > File Types. Until that is done, regedit cannot merge the repair.reg file.

An alternative is to download the regfile.inf and exefix08.inf files at the bottom of this Reticulated Toys link. Once downloaded, right click on each and select "merge".

http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

This worked for alison. The repair.reg file must still be run after that.

Frankly, once exe files are made to work again, I would recommend doing a scanreg /restore to a recent date prior to the infection (if you have Win98 or WinME), or doing a System Restore if you have XP.
 

NiteHawk

Thread Starter
Joined
Mar 9, 2003
Messages
4,699
Alison, sorry for your problems. It seems that since my first post, Symantec did a MAJOR change on how to handle this worm.
Your problem, that was experienced by many others, was the reason for their change.

To any others that come along after this point, the above post has been totally modified to reflect Symantec's changes. You should have no problems.
 
Joined
Sep 20, 2003
Messages
21
I'm stupid about computers and need help with this. How do I restart my machine in Safemode. I'm trying to follow the instructions but am confused ...... I have Win98, do I start at that point? or download the XP, ME links in #1 and continue to the win98 part?
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Tap the F8 key right after the first happy beep, and you should get a menu from which you can choose Safe Mode.
 

NiteHawk

Thread Starter
Joined
Mar 9, 2003
Messages
4,699
Thanks for the info tpb. The link for Symantec's removal has been posted to the top of my original post.

Short history:

The first day the Swen worm was discovered, Symantec posted a removal procedure on their site. I condensed their removal procedure and posted the key steps, plus added some links on how to get into Safe Mode and how to disable and enable System Restore.

Second day. Due to some people having problems with the way they used the regedit program, Symantec revised their procedure and also cut down the number of registry keys to be edited from 13 to 6. I did a total re-write on my procedure and changed the attached file with the registry keys.

Third day. (Or possibly late the second day) Symantec came out with a removal tool. The link to that tool was added to the top of the post. The rest of the post remained, but now with the removal tool, it is more informational than anything else.

Unfortunately posts can no longer be edited after 24 hours, so it will remain as is.
 
Joined
Jan 5, 1999
Messages
265
Originally posted by tpb:
Doing this also works..

1. Download FixSwen.exe from Symantec to your desktop.
http://www.symantec.com/avcenter/venc/data/pf/[email protected]

2. Shutdown the computer and restart in Safe mode (Press
F8 while booting before you get to the Windows screen and choose safe mode).

3. Rename FixSwen.exe to FixSwen.cmd. Double click on it to run.
I was recently infected with the W32.Swen.A@mm virus. My email inbox was inundated with (1) what appeared to be returned emails allegedly sent out by me (with attached txt files) and (2) emails from what appeared to be Microsoft containing some sort of upgrade (exe files which I am sure contained viruses). I downloaded and ran FixSwen.exe and it found the virus and supposedly removed it. I did not use steps 2 and 3 of tpb's instructions quoted above. Should I have? Do I need to now?

Currently, everything seems to be working well. I am testing clear with both FixSwen.exe and a Norton AntiVirus scan. However, I am still getting several emails (I received around 40 over about a 10 hour period today, which is way down from what it was prior to running FixSwen.exe). I also found 2 instances of W32.Swen.A@mm in my registry at the following locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\i

and

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\i

Am I still infected? If not, how do I stop these emails? I am running Win98 SE, Outlook Express 5.5 (am considering upgrading to OE 6.0 to block emails w/attachments that are potential viruses), and Norton AntiVirus 2000 with updated definitions. Any thoughts or ideas? Any help will be appreciated.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
The incoming emails don't necessarily mean you are still infected. I get them daily too. Just keep deleting them.
 
Joined
Jan 5, 1999
Messages
265
Since removing the virus ([email protected]), I am averaging about 50 emails per day containing potentially viral file attachments. I am deleting them, but growing rather tired of the volume. Short of a complete change of my email address (which I'm not sure I can do without going through my isp), is there any way to stop these emails? I know I could probably block them (with message rules), but I would then potentially block a valid email. Will the emails slow down and eventually stop over time? Would it help to temporarily abandon the email address and then revive it later? I do have a router, if that might help.

I'm looking for some help, please? Thanks.
 
Joined
Oct 11, 2003
Messages
1
Uhh ok, hello, I'm Zonky, new to this forum.
I came about looking all through the net for help trying to get rid of this Backdoor.Beasty virus, since Norton AntiVirus won't get rid of it even with the live update.

I looked for the removal help at its site; it says to delete a registry key, which wasn't even there x.x

Anyway, here's the log
(I know it's in German, but it says pretty much the same stuff x.x The virus couldn't be repaired or isolated either..)

Date: 11.10.2003, Time: 00:27:14, SYSTEM on NAME-H8HGKX3Y8P
File
C:\WINDOWS\System32\sortmsys.nls
is infected with the virus Backdoor.Beasty.
Access to the file was denied.


Date: 11.10.2003, Time: 00:27:14, SYSTEM on NAME-H8HGKX3Y8P
File
C:\WINDOWS\System32\sortmsys.nls
is infected with the virus Backdoor.Beasty.
The file could not be repaired.

x.x close to despair really.

It infested my sortmsys.nls file
x.x hoping the new live updates will be able to get rid of this virus.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Originally posted by rdkapp:
Since removing the virus ([email protected]), I am averaging about 50 emails per day containing potentially viral file attachments. I am deleting them, but growing rather tired of the volume. Short of a complete change of my email address (which I'm not sure I can do without going through my isp), is there any way to stop these emails? I know I could probably block them (with message rules), but I would then potentially block a valid email. Will the emails slow down and eventually stop over time? Would it help to temporarily abandon the email address and then revive it later? I do have a router, if that might help.

I'm looking for some help, please? Thanks.
Mine have slowed down to about 1 or 2 a day, if that. I think as the people with the viruses on their systems get them cleaned up....eventually they will stop......
 