Unable to download and install HIJACKTHIS....

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
was attempting to download HijackThis so I could produce the scan I needed in order to return here and figure out where the error message was coming from that stops apps like HIJACKTHIS from being completed- when the error message appeared again and totally stopped HIJACKTHIS from opening and installing itself-

tried to reboot and complete app's opening, but now the pc doesn't do any more than finish-up on a desktop that's basically no more than a green screen- nothing else- i can access safemode but the error message interferes and leaves the safemode blank like the desktop- and equally useless-

the error message that's causing the stoppage, and now has created a useless safemode plus a go-nowhere desktop is as follows..... "memory error has occurred in module of Kernel 32"-

i don't know if this is the result of a virus or what- it began within the first half hour i started using the pc when i was gathering-up security apps so i could stop stuff like this from happening!!!

(FYI....i'm using W98 business on a new compaq ipaq)

thanks in advance for your help- hard to believe it took less than 1/2 hour for this thing to get hit- but then again with all the junk out there- i shouldn't be surprised i guess!
regards
 

dai

Joined
Mar 6, 2003
Messages
11,198
start button/programs/system/tools
and run the system file checker
I haven't used 98 for a while, so I am not sure the first line is exact, but you will find your way in to the sys f/ checker
 
Joined
Dec 9, 2000
Messages
45,855
It sounds like the Swen worm all right. Symantec has a removal tool, but you will have to get it downloaded.



http://www.symantec.ca/avcenter/venc/data/[email protected]

First try this, boot to a command prompt: press and hold the ctrl key immediately on startup. Choose the command prompt option from the Boot Menu. At the c:> prompt enter:

scanreg /restore

use your arrow key to select a Started registry dated just prior to these events happening. Do NOT select the oldest, or 5th registry, that will usually fail.

If the registry restores successfully it will have removed the registry entries responsible for running the worm. You should then be able to boot normally and run the Symantec tool. The worm files themselves will still need to be deleted.
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
ROLLIN' ROG- you nailed it alright! that's EXACTLY what i've got- and you say this is a worm virus- man, am i easy! i was only online for 20 minutes gathering the apps to install to keep this garbage off- and it seems to beat me to it! thanks very much- what would you recommend I use to prevent it from reoccurring? zone alarm ok? thanks again for your help- i really appreciate it! I'm going to remove it now- hopefully! (dai, thank you as well)
 
Joined
Dec 9, 2000
Messages
45,855
Yes a firewall is a must these days; ZoneAlarm should be able to block the open ports these new worms are exploiting.

Good luck, I'm especially keen to know if the registry restore works for you on this.
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
ROLLIN' ROG (et al.)....

Third try's a charm....thought i was going to run out of date options... this is a new pc so didn't have a whole lot of date options!

first two failed- third one brought the pc back to life!

I thank you for the outstanding suggestion! thought this thing had me dead to rights! should i assume this thing is a permanent part of the registry and follow Symantec's fix- looks pretty hairy- is that the best way to go prior to installing the firewall or is there another process or fix for this nasty thing?

my appreciation again-thanks!
webz
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
I want to remove whatever Swen remnants there are left on my affected pc, and caught NiteHawk's version of Symantec's fix and was wondering that if you made no use of the company's Swen removal processes as of yet, do you still follow NiteHawk's fix because it sorta reads as if it's to be applied only to a previously "SYMANTEC-TREATED" pc-

If you'd made no use of the Symantec fix(es), does one still follow NiteHawk's procedure or just parts of it or something entirely different- this will be my first attempt at removal having used no other fix prior to now, so i'm a bit confused which fix, if it makes any difference at this point for me since i've made no attempts yet to use ANY removal method-

hope the question makes sense- thanks in advance for the clarification-
 
Joined
Dec 9, 2000
Messages
45,855
By all rights the registry restore ...

(you never see more than 5 dates there unless you use a third party manager, such as: http://www.pcnineoneone.com/howto/regback3.html?),

... *should* have made it unnecessary to make any of the registry edits indicated by Symantec.

However the viral file itself will remain. Try just running the "removal" tool and see what it finds.

When you have finished with that, give us a post of a HijackThis Scanlog AND a Startuplist both.

http://www.tomcoyote.org/hjt/

To create the Startuplist, click Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist. This will show if any of the registry entries altered by the worm are not the normal defaults.
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
Rollin' Rog;

I'm real familiar with HIJACK, but this "Swen" fix has me totally turned around for some reason-

Below, I copied what I thought was the tool you're referring to from NiteHawk's fix- is this it below.....?
thanks
______________

Windows 95/98/Me: Choose View\Folder Options\File Types\Registration Entries\Edit\Merge (in Actions part)\Edit, modify "Application used to perform action" to following,

Regedit.exe "%1"

Here are the step-by-step instructions,

Click on MY Computer > View > Folder Options

From the Folder Options window click on the FILE Types Tab scroll down to and highlight Registration Entries. Then click on Edit

In the Edit File Type window, highlight MERGE and click Edit again

In Application Used to Perform Action line edit the line to read Regedit.exe "%1"

Back out by clicking OK > Close > Close and Exit from My computer
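
The check that the Folder Options steps and the HijackThis Startuplist perform by hand (is the "open" command for each file type still the normal default?) can also be run over a registry export. This is an added example, not part of the original posts or of any tool named in the thread; it assumes a REGEDIT4-format export of HKEY_CLASSES_ROOT, and the defaults other than `regedit.exe "%1"` are the stock Windows values, not values quoted in the thread.

```python
import re

# Default shell\open\command values for the file classes Windows launches directly.
# 'regedit.exe "%1"' is the value given in the thread; the rest are the stock defaults.
DEFAULTS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
VALUE_RE = re.compile(r'^@="(.*)"$')  # the key's default value in a REGEDIT4 export


def check_export(text):
    """Return {file_class: command} for handlers that differ from DEFAULTS."""
    findings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).lower() if m else None
        elif current in DEFAULTS:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape backslashes and quotes with a backslash
                actual = re.sub(r"\\(.)", r"\1", m.group(1))
                if actual.lower() != DEFAULTS[current].lower():
                    findings[current] = actual
    return findings


# Constructed sample export (not from the thread); placeholder.exe is a made-up name.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="placeholder.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="Regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in check_export(SAMPLE).items():
        print(f"{cls}: unexpected open command -> {cmd}")
```

Any class it reports is one whose launch command no longer matches the default and should be compared against the vendor's removal instructions before being reset.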
 
Joined
Dec 9, 2000
Messages
45,855
You should not need to do that after the registry restore.

If you check Folder Options does it not already contain that data?

This is the page for the Swen removal/repair tool (FixSwen.exe):

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

PS: I'm not sure the removal tool will be able to detect the file since it will not be in memory and all the registry entries associated with it will have been removed.

The file name will simply be some random set of letters, usually about 5 characters long, as I recall, in the Windows directory.

Don't worry if you can't find and delete it as it is harmless as long as the registry entries running it have been removed.
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
Rollin' Rog;
(Sorry for the confusion- i had pasted-in NiteHawk's fix not Symantec's)

would performing a scan be the best way for me to confirm that i had the worm? let me tell you why i'm dancing around the issue-

If you'll recall, when i first asked about this virus when i was trying to download HIJACK and could not-

one of the other things i had tried right before HIJACK (due to compatibility messages i was receiving every time i opened the browser, was that the browser was too old and incompatible), in an attempt to get HIJACK to download at the time, was performing an upgrade from IE EXPLORER 5.0 to 6.0-

But Swen of course stopped the unpacking after 90% of the way being completed and while you were able to help me recover and get back on line, I STILL SEEM TO HAVE parts of both 5 and 6 BROWSERS IN CONFLICT with one another-

my point is before i can do much with SWEN like Scan or get MS UPDATES and some other security apps that require things like ActiveX, i need to straighten out the browser upgrade issue SWEN never allowed to complete-- ie, i get referred to the following link to show the conflict-

Microsoft Knowledge Base Article - 319585

what's the best way to sort-out the two browsers without getting back involved with the virus again- or should i not worry about it reaffecting any more apps like before where there wasn't anything that didn't get affected?

thanks
 
Joined
Mar 9, 2003
Messages
4,699
Symantec's removal tool at the top supersedes the rest of my original post. However, the rest of the post remains for informational purposes.

Sorry if it was a point of confusion
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
Not at all NiteHawk- your version is a lot easier to follow- i appreciate the effort you put into it- certainly makes it easier for us- thanks!
webz
 

webzter

Thread Starter
Joined
May 4, 2003
Messages
777
VirtualMe....thank you!

but as it appears, having thought i made a recovery from Swen virus resorting to scanreg /restore to do it, the only available restore date must have been affected as well BECAUSE THE SYSTEM IS STILL INFECTED, so i suspect i need to go back to square one and perform a complete clean-up-

is it possible that the virus stopped me from getting a virus-free version from scanreg /restore and FORCED ME INTO ACCEPTING A BAD RECOVERY? (I THINK SO-LOOKS THAT WAY)

So now I'm really turned-around. I've read these Swen fixes so many times, i don't know what version or specific tool i qualify for- now i know why i still couldn't sort-out the two browsers-
___________
Can I get a hand please on selecting the right tool/start-point for the Swen fix- i'd sure appreciate it- many thanks!
___________
 