Unable to download and install HIJACKTHIS....

Discussion in 'Virus & Other Malware Removal' started by webzter, Sep 28, 2003.

  1. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    was attempting to download HijackThis so I could produce the scan I needed in order to return here and figure out where the error message was coming from that stops apps like HIJACKTHIS from being completed- when the error message appeared again and totally stopped HIJACKTHIS from "opening and installing itself"-

    tried to reboot and complete app's opening, but now the pc doesn't do any more than finish-up on a desktop that's basically no more than a green screen- nothing else- i can access safemode but the error message interferes and leaves the safemode blank like the desktop- and equally useless-

    the error message that's causing the stoppage, and now has created a useless safemode plus a go-nowhere desktop is as follows..... "memory error has occurred in module of Kernel 32"-

    i don't know if this is the result of a virus or what- it began within the first half hour i started using the pc when i was gathering-up security apps so i could stop stuff like this from happening!!!

    (FYI....i'm using W98 business on a new compaq ipaq)

    thanks in advance for your help- hard to believe it took less than 1/2 hour for this thing to get hit- but then again with all the junk out there- i shouldn't be surprised i guess!
    regards
     
  2. dai

    dai

    Joined:
    Mar 6, 2003
    Messages:
    11,198
    start button/programs/system/tools
    and run the system file checker
    i haven't used 98 for a while, so i am not sure the first line is exact, but you will find your way in to the sys f/ checker
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It sounds like the Swen worm all right. Symantec has a removal tool, but you will have to get it downloaded.

    http://www.symantec.ca/avcenter/venc/data/[email protected]

    First try this, boot to a command prompt: press and hold the ctrl key immediately on startup. Choose the command prompt option from the Boot Menu. At the c:> prompt enter:

    scanreg /restore

    use your arrow key to select a Started registry dated just prior to these events happening. Do NOT select the oldest, or 5th registry, that will usually fail.

    If the registry restores successfully it will have removed the registry entries responsible for running the worm. You should then be able to boot normally and run the symantec tool. The worm files themselves will still need to be deleted.
     
  4. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    ROLLIN' ROG- you nailed it alright! that's EXACTLY what i've got- and you say this is a worm virus- man, am i easy! i was only online for 20 minutes gathering the apps to install to keep this garbage off- and it seems to beat me to it! thanks very much- what would you recommend I use to prevent it from reoccurring? zone alarm ok? thanks again for your help- i really appreciate it! I'm going to remove it now- hopefully! (dai, thank you as well)
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes a firewall is a must these days; ZoneAlarm should be able to block the open ports these new worms are exploiting.

    Good luck, I'm especially keen to know if the registry restore works for you on this.
     
  6. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    ROLLIN' ROG (et al)....

    Third try's a charm....thought i was going to run out of date options... this is a new pc so didn't have a whole lot of date options!

    first two failed- third one brought the pc back to life!

    I thank you for the outstanding suggestion! thought this thing had me dead to rights! should i assume this thing is a permanent part of the registry and follow symantec's fix- looks pretty hairy- is that the best way to go prior to installing the firewall or is there another process or fix for this nasty thing?

    my appreciation again-thanks!
    webz
     
  7. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    I want to remove whatever Swen remnants there are left on my affected pc, and caught NiteHawk's version of Symantec's fix and was wondering that if you made no use of the company's Swen removal processes as of yet, do you still follow NiteHawk's fix because it sorta reads as if it's to be applied only to a previously "SYMANTEC-TREATED" pc-

    If you'd made no use of the Symantec fix(es), does one still follow NiteHawk's procedure or just parts of it or something entirely different- this will be my first attempt at removal having used no other fix prior to now, so i'm a bit confused which fix, if it makes any difference at this point for me since i've made no attempts yet to use ANY removal method-

    hope the question makes sense- thanks in advance for the clarification-
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    By all rights the registry restore ...

    (you never see more than 5 dates there unless you use a third party manager, such as: http://www.pcnineoneone.com/howto/regback3.html?),

    ... *should* have made it unnecessary to make any of the registry edits indicated by Symantec.

    However the viral file itself will remain. Try just running the "removal" tool and see what it finds.

    When you have finished with that, give us a post of a HijackThis Scanlog AND a Startuplist both.

    http://www.tomcoyote.org/hjt/

    To create the Startuplist, click Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist. This will show if any of the registry entries altered by the worm are not the normal defaults.
     
  9. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    Rollin' Rog;

    I'm real familiar with HIJACK, but this "Swen" fix has me totally turned around for some reason-

    Below, I copied what I thought was the tool you're referring to from NiteHawk's fix- is this it below.....?
    thanks
    ______________

    Windows 95/98/Me: Choose View\Folder Options\File Types\Registration Entries\Edit\Merge (in Actions part)\Edit, modify "Application used to perform action" to following,

    Regedit.exe "%1"

    Here are the step-by-step instruction,

    Click on MY Computer > View > Folder Options

    From the Folder Options window click on the FILE Types Tab scroll down to and highlight Registration Entries. Then click on Edit

    In the Edit File Type window, highlight MERGE and click Edit again

    In Application Used to Perform Action line edit the line to read Regedit.exe "%1"

    Back out by clicking OK > Close > Close and Exit from My computer
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You should not need to do that after the registry restore.

    If you check Folder Options does it not already contain that data?

    This is the page for the Swen removal/repair tool ( FixSwen.exe):

    http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

    PS: I'm not sure the removal tool will be able to detect the file since it will not be in memory and all the registry entries associated with it will have been removed.

    The file name will simply be some random set of letters, usually about 5 characters long, as I recall, in the Windows directory.

    Don't worry if you can't find and delete it as it is harmless as long as the registry entries running it have been removed.
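
Added example (not part of any post in this thread): a check that the .reg "Merge" action quoted above still reads Regedit.exe "%1", run against a registry export instead of clicking through Folder Options. The key path, the sample exports and the `abcde.exe` name are assumptions for illustration; the thread gives only the dialog path and the expected command.

```python
import re

# Standard Windows 9x location of the .reg "Merge" action (assumption: the
# thread only names the Folder Options dialog, not this key path).
MERGE_KEY = r"HKEY_CLASSES_ROOT\regfile\shell\open\command"
EXPECTED = 'regedit.exe "%1"'  # value the thread says the action should hold

# Constructed REGEDIT4 exports; "abcde.exe" is a made-up placeholder name.
SAMPLE_CLEAN = r'''REGEDIT4

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''
SAMPLE_ALTERED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\abcde.exe \"%1\""
'''

_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Map lower-cased key path -> {value name: string data}; '@' is the default."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _unescape(m.group(2))
    return keys

def check_merge_handler(reg_text):
    """Return (ok, found): found is the stored command, or None if the key is absent."""
    found = parse_reg(reg_text).get(MERGE_KEY.lower(), {}).get("@")
    ok = found is not None and " ".join(found.split()).lower() == EXPECTED
    return ok, found

if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("altered", SAMPLE_ALTERED)):
        print(label, check_merge_handler(text))
```

Any value other than the expected command, including a missing key, is reported as not OK so it can be reviewed by hand.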
     
  11. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    Rollin' Rog;
    (Sorry for the confusion- i had pasted-in NiteHawk's fix not Symantec's)

    would performing a scan be the best way for me to confirm that i had the worm? let me tell you why i'm dancing around the issue-

    If you'll recall, when i first asked about this virus when i was trying to download HIJACK and could not-

    one of the other things i had tried right before HIJACK (due to compatibility messages i was receiving every time i opened the browser, was that the browser was too old and incompatible), in an attempt to get HIJACK to download at the time, was performing an upgrade from IE EXPLORER 5.0 to 6.0-

    But Swen of course stopped the unpacking after 90% of the way being completed and while you were able to help me recover and get back on line, I STILL SEEM TO HAVE parts of both 5 and 6 BROWSERS IN CONFLICT with one another-

    my point is before i can do much with SWEN like Scan or get MS UPDATES and some other security apps that require things like ActiveX, i need to straighten out the browser upgrade issue SWEN never allowed to complete-- ie, i get referred to the following link to show the conflict-

    Microsoft Knowledge Base Article - 319585

    what's the best way to sort-out the two browsers without getting back involved with the virus again- or should i not worry about it reaffecting any more apps like before where there wasn't anything that didn't get affected?

    thanks
     
  12. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Symantec's removal tool at the top supersedes the rest of my original post. However, the rest of the post remains for informational purposes.

    Sorry if it was a point of confusion
     
  13. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    Not at all NiteHawk- your version is a lot easier to follow- i appreciate the effort you put into it- certainly makes it easier for us- thanks!
    webz
     
  14. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867

    You could try to repair IE5 or to restore a previous configuration. http://www.netmag.co.uk/ie5/default.htm


    Hopefully it will work.
     
  15. webzter

    webzter Thread Starter

    Joined:
    May 4, 2003
    Messages:
    777
    VirtualMe....thank you!

    but as it appears, having thought i made a recovery from Swen virus resorting to scanreg/restore to do it, the only available restore date must have been affected as well BECAUSE THE SYSTEM IS STILL INFECTED, so i suspect i need to go back to square one and perform a complete clean-up-

    is it possible that the virus stopped me from getting a virus-free version from scanreg/restore and FORCED ME INTO ACCEPTING A BAD RECOVERY? (I THINK SO-LOOKS THAT WAY)

    So now I'm really turned-around. I've read these Swen fixes so many times, i don't know what version or specific tool i qualify for- now i know why i still couldn't sort-out the two browsers-
    ___________
    Can I get a hand please on selecting the right tool/start-point for the Swen fix- i'd sure appreciate it- many thanks!
    ___________
     

Short URL to this thread: https://techguy.org/168065
