son of swen?

Babs

Any help would be really appreciated.
Yes I've read every post, every site and every swen related article but I
can't find anything that seems to fit my symptoms. The symptoms are -
Msconfig etc. close down immediately after opening, but no error message, and
the machine connects to the internet every 3 or 4 seconds. I'm not getting
huge amounts of E-mails from MS. No other apparent symptoms. I've updated
both my AV software (and Ad Aware) but each scan shows nothing.
Anybody got a clue?

Thanks
James.
 
Babs said:
Any help would be really appreciated.
Yes I've read every post, every site and every swen related article but I
can't find anything that seems to fit my symptoms. The symptoms are -
Msconfig etc. close down immediately after opening, but no error message, and
the machine connects to the internet every 3 or 4 seconds. I'm not getting
huge amounts of E-mails from MS. No other apparent symptoms. I've updated
both my AV software (and Ad Aware) but each scan shows nothing.
Anybody got a clue?

Thanks
James.

Probably Spyware:
Dl, install, update and run:

AdAware
http://www.lavasoftusa.com/

Spybot Search & Destroy
http://security.kolla.de/

Spyware Blaster
http://www.wilderssecurity.net/spywareblaster.html

Maybe even:
Read the latest about this constantly changing hijacker:

http://www.spywareinfo.com/newsletter/archives/0903/3.php
http://www.spywareinfo.com/~merijn/cwschronicles.html

A Removal Tool: CWS Shredder
http://www.spywareinfo.com/~merijn/files/cwshredder.zip
(unzip and follow the prompts)

NB: CWS Shredder is constantly updated to reflect new variants. Get the
updated tool before each use.

So it doesn't come back, you must run HijackThis which will identify the
RunOnce entry which can then be deleted.

e.g.: O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe

Using HijackThis: http://snurl.com/1vf8

Buffalo
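
The HijackThis step described above, as an added example that is not part of the original thread: a short Python triage of the O4 (autostart) lines in a saved HijackThis log. The sample log is constructed apart from the RunOnce line quoted in the post, and the two review heuristics (RunOnce key, non-.exe target) are assumptions for illustration, not HijackThis behaviour.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# HijackThis prints registry autostarts as e.g. "O4 - HKCU\..\RunOnce: [name] command".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable-style extension in the command (paths may contain spaces).
EXT_RE = re.compile(r"\.(exe|scr|pif|com|bat)\b", re.IGNORECASE)

class Autostart(NamedTuple):
    hive: str
    key: str
    name: str
    command: str

def parse_o4(line: str) -> Optional[Autostart]:
    """Return the parsed registry autostart entry, or None for any other log line."""
    m = O4_RE.match(line.strip())
    return Autostart(m["hive"], m["key"], m["name"], m["cmd"]) if m else None

def triage(log_text: str) -> List[Tuple[Autostart, List[str]]]:
    """Collect O4 entries worth a manual look, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        # Assumed heuristic: RunOnce values are normally removed once they have run,
        # so one that shows up in every scan is being written back by something.
        if entry.key.lower().startswith("runonce"):
            reasons.append("RunOnce entry")
        # Assumed heuristic: autostart targets are usually .exe files.
        ext = EXT_RE.search(entry.command)
        if ext and ext.group(1).lower() != "exe":
            reasons.append("non-.exe autostart target")
        if reasons:
            findings.append((entry, reasons))
    return findings

# Constructed sample log; only the RunOnce line is taken from the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /min
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
O4 - HKLM\..\RunServices: [ExampleSaver] C:\WINDOWS\example.scr
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] {entry.command} -> {', '.join(reasons)}")
```

An entry flagged here is only a pointer to the file worth submitting to an AV vendor, not a verdict on it.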
 
Babs said:
Any help would be really appreciated.
Yes I've read every post, every site and every swen related article but I
can't find anything that seems to fit my symptoms. The symptoms are -
Msconfig etc. close down immediately after opening, but no error message,

Many malwares have a process killing feature.
...but this could be swen. Does attempting to
run regedit give the error box?

and
the machine connects to the internet every 3 or 4 seconds.

Could be swen (or not)

I'm not getting huge amounts of E-mails from MS

Getting those would be an indication of *other* people's
computer being infested ~ not of yours.

No other apparent symptoms. I've updated
both my AV software (and Ad Aware) but each scan shows nothing.
Anybody got a clue?

Use an updated DOS mode scanner if possible, and try "Spybot
Search and Destroy" and "Ad-Aware" scans too.
 
On that special day, Babs (e-mail address removed) said...
The symptoms are -
Msconfig etc. close down immediately after opening, but no error message, and
the machine connects to the internet every 3 or 4 seconds.

Look here

where there are lists of processes meant to be stopped by the worm.
msconfig is one of them. Which means your machine IS infected. Get the
Stinger from Symantec, if possible.


Gabriele Neukam

(e-mail address removed)
 
Dear Buffalo, FromTheRafters, Gabriele,
First of all, thank you guys for taking the time to reply - it can get
fairly frustrating, infuriating and downright lonely trying to resolve these
bloody things. Your advice is much appreciated.
I have run all of the progs you mentioned without success - I have also run
Symantec and Stinger removal tools without them detecting anything.
In answer to FromTheRafters' query, regedit closes down immediately it's
opened, but no error message follows.
All of these have been run in normal mode, I can't seem to access safe mode.
Trend (linked in Gabriele's post) does give some clues about manual removal
and I will try that - hopefully before the telephone company sues my ass.
 
James said:
p.s. sorry about the name change - Babs is the wife.

Oh, so it wasn't a sex change!?

Buffalo's suggestion of HijackThis should create a log file
which experts can use to help you to find whatever autostart
method is being used. Once the executable the autostart
method points to is determined you can submit it to more
scrutiny care of your favorite AV vendor.

Something (perhaps new) is doing this.
 
It sounds as if you need to get the 'fix' to reassociate the .reg and .exe
extensions. You'll have to search for this as I forgot where I saw it. I
believe it is on the Symantec site:
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
The instructions are just under this header:
"W32.Swen.A@mm has already been quarantined or deleted
If your Symantec antivirus product has already detected and then quarantined
or deleted W32.Swen.A@mm, you will not be able to run the .exe, .com, and
other executable files. Follow the instructions for your operating system."
 
Just to say thanks for your help guys.
It's sorted - the post above about the winlodr.scr gave me the clue.
Apparently it's a spybot virus. Got an update from AVG and it totally cured
it.

Thanks again...if you ever want a good CV writing.....

James.
 