swen virus recovery

Ned Heller

I am trying to recover from the swen virus. One of the things it does is
disable editing of the registry. The Norton recovery steps include
executing a file called repair.reg. When I click the file to execute it, I
get the message that the administrator has removed the ability to edit the
registry.

How do I recover from this?

Also, I have installed a new installation of XP in a Windows2 folder. Can I
edit the registry in the original XP installation using this second install?
If so, how?
 
moca.lee

I actually ran system restore because I couldn't disable
system restore--then it was possible to do all the tasks
involved in cleaning up the virus--probably created more
infection, but had to access the system.

moca.lee
 
Ned Heller

Success - in a way. I was finally able to recover by running the Symantec
fixswen.exe program from the infected system. This cleaned the registry on
the infected system of infection so on restart, everything was back to
normal. The problem I was having prior to running fixswen.exe is that I
could not start any applications, including fixswen.exe, from the failed
system simply by double-clicking on them. Just as a lark, I tried the "run
as" from the right click menu. This worked. (I also unclicked a radio
button that had to do with virus scanners.) Fixswen.exe began to execute
and cleaned my system.

However, I was immediately re-infected when I ran my Outlook Express e-mail.
As expected, I had numbers of Swen e-mails waiting. Norton Antivirus
detected and quarantined all but one of the e-mail attachments. One,
though, was not detected. As soon as I got to it, I was re-infected. Its
attachment was still there. However, I did not double-click it. Even so,
it somehow re-infected my system.

So I am now again running fixswen.exe as I type this. It takes more than an
hour to complete on my machine.

Obviously, this is a very robust virus.

Ned
 
Danny Mingledorff

If you were reinfected in the manner you describe, it sounds like there are
IE security fixes which still need to be applied to your PC. Go to Windows
Update, after cleaning your machine and before going back into OE and make
sure you're current with patches.

Good luck.
 
Stan Nelson

I'm finding the Panda antivirus Titanium software to be effective in dealing
with the Swen.exe virus or worm on my computer -- and I had a bad case --
about 400 bogus e-mails in three days.

Stan Nelson
WinXP Pro SP1
 
Ned Heller

I think you are right. I had my system completely up-to-date, but after
Swen got me, the OS downloaded a lot of IE updates I know I had previously
installed. One of the things Swen apparently does is remove these security
updates.

My God, but recovery from this virus is difficult!

(Just a point for anyone trying to run the Symantec or McAfee tools to
eliminate the virus: you may have to right-click and pick "run as" to
actually execute the tool, as one of the things the virus does is disable
starting any application by double-clicking it.)
 
