
W32.Swen.A@mm Worm Removal instructions + New Removal Tool

Discussion in 'Virus & Other Malware Removal' started by NiteHawk, Sep 19, 2003.

Thread Status:
Not open for further replies.
  1. NiteHawk

    NiteHawk Thread Starter

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    The latest: Removal Tool from Symantec:

    http://www.symantec.com/avcenter/venc/data/[email protected]


    EDIT:
    PLEASE NOTE: Since Symantec did a major change on how to handle this worm from their first instructions, (and my first post) I have totally modified this post, as of 0326 EDT Sept 20, 2003, to reflect those changes. This should avoid the problem that Alison had and was most likely the reason for Symantec's change.

    You have been bitten by the latest worm, W32.Swen.A@mm, and want to know what to do and how to get rid of it.

    We here at TSG want to make that process easier for you.

    The following is a short(er) version of what can be found at Symantec's site.
    http://www.symantec.ca/avcenter/venc/data/[email protected]

    Please go to the above link and read and understand about the Swen worm first, then return and follow the short version.

    Removal Instructions

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec and Norton AntiVirus product lines.

    1. Disable System Restore (Windows Me/XP).

    How to disable or enable System Restore in Windows ME

    How to disable or enable System Restore in Windows XP

    2. Modify the association for Registration Entries ( .reg files).
    3. Create a repair.reg file on Desktop, double-click on repair.reg file to fix association settings for other file types.
    4. Update the virus definitions.

    5. Do one of the following:
    a. Windows 95/98/Me: Restart the computer in Safe mode.
    b. Windows NT/2000/XP: End the Trojan process.
    6. Run a full system scan and delete all the files detected as W32.Swen.A@mm
    7. Remove the remaining values that refer to worm file in the registry.

    For specific details on each of these steps, read the following instructions.

    2. Modify the association for Registration Entries ( .reg files)
    Double-Click "My Computer" on the desktop. Then, do one of the following,

    Windows 95/98/Me: Choose View\Folder Options\File Types\Registration Entries\Edit\Merge (in Actions part)\Edit, and modify "Application used to perform action" to the following:

    Regedit.exe "%1"

    Here are the step-by-step instructions:

    Click on MY Computer > View > Folder Options

    From the Folder Options window click on the FILE Types Tab scroll down to and highlight Registration Entries. Then click on Edit

    In the Edit File Type window, highlight MERGE and click Edit again

    In Application Used to Perform Action line edit the line to read Regedit.exe "%1"

    Back out by clicking OK > Close > Close and Exit from My computer.

    Windows NT/2000/XP: Choose Tools\Folder Options\File Types\REG Registration Entries\Change, then click "Registry Editor" in the "Open With" window.

    NOTE: If Registry Editor is not in the list, click on the button "Other", then choose regedit.exe to open.

    3. Create a repair.reg file on Desktop, double-click on repair.reg file to remove values from the registry key.

    WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    *************************************************
    NOTE: I have done this next step for you. Download the attached file at the end that is named repair.txt and rename it repair.reg and save it to the root directory. (C:\ in most cases)
    Once you have it renamed, do steps c and d.
    *************************************************

    Right-click on the Desktop and choose New/Text Document. A "New Text Document.txt" file is created on the Desktop.

    Double-click on this file, an edit window appears. By default, Notepad.exe is used to open a .txt file.
    Type, or copy and paste, the following text into the file:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegistryTools"=dword:00000000

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
    @="\"%1\" %*"

    Note:
    @="\"%1\" %*" is a list of the following characters:
    at-equal-quote-backslash-quote-percent-one-backslash-quote-space-percent-asterisk-quote

    a. Save the file on the Desktop as:

    repair.reg
    b. Exit the editor.
    c. Double-click on the repair.reg.
    d. A Registry Editor windows presents "Are you sure you want to add the information in <Desktop>repair to the registry, click "Yes".

    4. Updating the virus definitions

    5. Restarting the computer in Safe mode or ending the Trojan process
    Windows 95/98/Me
    Restart the computer in Safe mode. How to start the computer in Safe Mode

    Windows NT/2000/XP
    To end the Trojan process:
    a. Press Ctrl+Alt+Delete once.
    b. Click Task Manager.
    c. Click the Processes tab.
    d. Double-click the Image Name column header to alphabetically sort the processes.
    e. Scroll through the list and look for the randomly named value that the worm created.
    f. If you find the file, click it, and then click End Process.
    g. Exit the Task Manager.
    6. Scanning for and deleting the infected files
    a. Run a full system scan.
    b. If any files are detected as infected with W32.Swen.A@mm, click Delete.
    7. Deleting the remaining values from the registry

    NOTE: If you don't know how to use REGEDIT or are not comfortable doing it, get one of the experienced members here to help you.

    a. Click Start, and then click Run. (The Run dialog box appears.)
    b. Type regedit

    Then click OK. (The Registry Editor opens.)
    c. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    d. In the right pane, delete the randomly named value that the worm created.
    e. Exit the Registry Editor.
     

    Attached Files:
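The three things this procedure repairs by hand, the DisableRegistryTools policy that blocks regedit (the problem Rollin' Rog points at below), the hijacked shell\open\command values for exefile/batfile/comfile/piffile/scrfile, and the randomly named value under the Run key in step 7, can all be read out of a regedit export before anything is double-clicked on the infected machine. The script below is an added example for this thread, not Symantec's tool and not the repair.txt attached to the post. It parses a REGEDIT4 export, reports what deviates from the stock settings, and writes a repair.reg in the same form as the one above, which also shows the quoting rule the note after the .reg text spells out character by character. The sample export, the file name qzxvjk.exe and the Run value name "qzxvjk" are constructed placeholders and are not the worm's real names.

```python
"""Audit a regedit (.reg) export for the damage this thread repairs and emit
a matching repair.reg.  Added example; SAMPLE_EXPORT is constructed, and the
path C:\\WINDOWS\\qzxvjk.exe and Run value "qzxvjk" are hypothetical names."""
import re

# Shell classes the posted repair.reg resets, and the stock "open" command.
CLASSES = ("exefile", "batfile", "comfile", "piffile", "scrfile")
DEFAULT_OPEN = '"%1" %*'
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed export (Regedit > Export): registry tools disabled, exefile
# hijacked to run a made-up file before the real program, one odd Run value.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"C:\\WINDOWS\\qzxvjk.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qzxvjk"="C:\\WINDOWS\\qzxvjk.exe autorun"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (the rule the post's note
    lists as at-equal-quote-backslash-quote-...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def reg_escape(s):
    """Inverse of _unescape, used when writing the repair file."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text):
    """Return {key_lowercased: {value_name: data}}.  '@' is the default value,
    dword data becomes an int, anything else (hex:, multi-line) is kept raw."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()      # registry key names are case-insensitive
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        reg[key][name] = data
    return reg


def audit(reg):
    """What a technician needs before the AV scan: is regedit blocked, which
    open commands deviate from the stock value, and what runs at logon.
    Classes missing from the export are not reported (partial export)."""
    findings = {"registry_tools_disabled": False, "hijacked": {}, "run_values": {}}
    policy = reg.get(POLICY_KEY.lower(), {})
    findings["registry_tools_disabled"] = policy.get("DisableRegistryTools") == 1
    for cls in CLASSES:
        key = (r"HKEY_LOCAL_MACHINE\Software\Classes\%s\shell\open\command" % cls).lower()
        cmd = reg.get(key, {}).get("@")
        if cmd is not None and cmd != DEFAULT_OPEN:
            findings["hijacked"][cls] = cmd
    findings["run_values"] = dict(reg.get(RUN_KEY.lower(), {}))
    return findings


def suspicious_run_values(findings):
    """Heuristic only: letter-only value names with at most one vowel, the
    shape a randomly generated name tends to have.  A human still reviews
    the whole Run list; this just says where to look first."""
    return [n for n in findings["run_values"]
            if n.isalpha() and len(n) >= 5 and sum(c in "aeiou" for c in n.lower()) <= 1]


def build_repair_reg(findings):
    """REGEDIT4 text that re-enables registry tools and resets only the
    hijacked classes, in the same form as the repair.reg in the post."""
    lines = ["REGEDIT4", ""]
    if findings["registry_tools_disabled"]:
        lines += ["[%s]" % POLICY_KEY, '"DisableRegistryTools"=dword:00000000', ""]
    for cls in findings["hijacked"]:
        lines += [r"[HKEY_LOCAL_MACHINE\Software\CLASSES\%s\shell\open\command]" % cls,
                  '@="%s"' % reg_escape(DEFAULT_OPEN), ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    f = audit(parse_reg(SAMPLE_EXPORT))
    print("registry tools disabled:", f["registry_tools_disabled"])
    print("hijacked:", f["hijacked"], "review first:", suspicious_run_values(f))
    print(build_repair_reg(f))
```

Run it against a real export taken with Regedit > Export (or on an infected machine, once the .reg association is repaired as in step 2) and merge only the generated file; the round trip through parse_reg is the check that the emitted `@="\"%1\" %*"` line decodes back to the plain `"%1" %*` the shell expects.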

  2. alison

    alison

    Joined:
    Jul 17, 2003
    Messages:
    67
    I can't execute regedit with run!
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Try double clicking the repair.reg file; if you get a restriction message, use HijackThis and first check and fix the "DisableRegedit=1" entry.
     
  4. alison

    alison

    Joined:
    Jul 17, 2003
    Messages:
    67
    It still doesn't work.. yikes
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Since this thread was first posted Symantec has changed its repair methods somewhat. Evidently the problem alison encountered is the reason. Their current method requires that the file association for the .reg entries be changed through Folder Options > File types. Until that is done, regedit cannot merge the repair.reg file.

    An alternative is to download the regfile.inf and exefix08.inf files at the bottom of this Reticulated Toys link. Once downloaded, right click on each and select "merge".

    http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

    This worked for alison. The repair.reg file must still be run after that.

    Frankly, once exe files are made to work again, I would recommend doing a scanreg /restore to a recent date prior to the infection (if you have Win98 or WinME), or doing a System Restore if you have XP.
     
  6. NiteHawk

    NiteHawk Thread Starter

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Alison, sorry for your problems. It seems that since my first post, Symantec did a MAJOR change on how to handle this worm.
    Your problem, that was experienced by many others, was the reason for their change.

    To any others that come along after this point, the above post has been totally modified to reflect Symantec's changes. You should have no problems.
     
  7. evenstarjm

    evenstarjm

    Joined:
    Sep 20, 2003
    Messages:
    21
    I'm stupid about computers and need help with this. How do I restart my machine in Safemode. I'm trying to follow the instructions but am confused ...... I have Win98, do I start at that point? or download the XP, ME links in #1 and continue to the win98 part?
     
  8. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Tap the F8 key right after the first happy beep; you should get a menu from which you can choose Safe Mode.
     
  9. tpb

    tpb

    Joined:
    Feb 27, 2001
    Messages:
    573
    Doing this also works..

    1. Download FixSwen.exe from Symantec to your desktop.
    http://www.symantec.com/avcenter/venc/data/pf/[email protected]

    2. Shut down the computer and restart in Safe mode (press F8 while booting, before you get to the Windows screen, and choose Safe mode).

    3. Rename FixSwen.exe to FixSwen.cmd. Double click on it to run.
     
  10. NiteHawk

    NiteHawk Thread Starter

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Thanks for the info tpb. The link for Symantec's removal has been posted to the top of my original post.

    Short history:

    The first day the Swen worm was discovered, Symantec posted a removal procedure on their site. I condensed their removal procedure and posted the key steps, plus added some links on how to get into Safe Mode and how to disable and enable System Restore.

    Second day. Due to some people having problems with the way they used the regedit program, Symantec revised their procedure and also cut down the number of registry keys to be edited from 13 to 6. I did a total re-write on my procedure and changed the attached file with the registry keys.

    Third day. (Or possibly late the second day) Symantec came out with a removal tool. The link to that tool was added to the top of the post. The rest of the post remained, but now with the removal tool, it is more informational than anything else.

    Unfortunately posts can no longer be edited after 24 hours, so it will remain as is.
     
  11. rdkapp

    rdkapp

    Joined:
    Jan 5, 1999
    Messages:
    197
    I was recently infected with the W32.Swen.A@mm virus. My email inbox was inundated with (1) what appeared to be returned emails allegedly sent out by me (with attached txt files) and (2) emails from what appeared to be Microsoft containing some sort of upgrade (exe files which I am sure contained viruses). I downloaded and ran FixSwen.exe and it found the virus and supposedly removed it. I did not use steps 2 and 3 of tpb's instructions quoted above. Should I have? Do I need to now?

    Currently, everything seems to be working well. I am testing clear with both FixSwen.exe and a Norton AntiVirus scan. However, I am still getting several emails (I received around 40 over about a 10-hour period today, which is way down from what it was prior to running FixSwen.exe). I also found 2 instances of W32.Swen.A@mm in my registry at the following locations:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Explorer\Doc Find Spec MRU\i

    and

    HKEY_USERS\.Default\Software\Microsoft\Windows\Current Version\Explorer\Doc Find Spec MRU\i

    Am I still infected? If not, how do I stop these emails? I am running Win98 SE, Outlook Express 5.5 (am considering upgrading to OE 6.0 to block emails w/attachments that are potential viruses), and Norton AntiVirus 2000 with updated definitions. Any thoughts or ideas? Any help will be appreciated.
     
  12. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    The incoming emails don't necessarily mean you are still infected. I get them daily too. Just keep deleting them.
     
  13. rdkapp

    rdkapp

    Joined:
    Jan 5, 1999
    Messages:
    197
    Since removing the virus (W32.Swen.A@mm), I am averaging about 50 emails per day containing potentially viral file attachments. I am deleting them, but growing rather tired of the volume. Short of a complete change of my email address (which I'm not sure I can do without going through my ISP), is there any way to stop these emails? I know I could probably block them (with message rules), but I would then potentially block a valid email. Will the emails slow down and eventually stop over time? Would it help to temporarily abandon the email address and then revive it later? I do have a router, if that might help.

    I'm looking for some help, please? Thanks.
     
  14. Zonky

    Zonky

    Joined:
    Oct 11, 2003
    Messages:
    1
    Uhh ok, hello, I'm Zonky, new to this forum.
    I came here after looking all through the net for help trying to get rid of this Backdoor.Beasty virus, since Norton AntiVirus won't get rid of it even with the LiveUpdate.

    I looked for the removal help at its site; it says to delete a registry key, which wasn't even there x.x

    Anyway, here's the log
    (I know it's in German, but it says pretty much the same stuff x.x The virus couldn't be repaired or isolated either..)

    Date: 11.10.2003, Time: 00:27:14, SYSTEM on NAME-H8HGKX3Y8P
    File
    C:\WINDOWS\System32\sortmsys.nls
    is infected with the virus Backdoor.Beasty.
    Access to the file was denied.


    Date: 11.10.2003, Time: 00:27:14, SYSTEM on NAME-H8HGKX3Y8P
    File
    C:\WINDOWS\System32\sortmsys.nls
    is infected with the virus Backdoor.Beasty.
    The file could not be repaired.

    x.x close to despair really.

    It infested my sortmsys.nls file
    x.x hoping the new LiveUpdates will be able to get rid of this virus.
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Mine have slowed down to about 1 or 2 a day, if that. I think as the people with the viruses on their systems get them cleaned up....eventually they will stop......
     


Short URL to this thread: https://techguy.org/165882
