PL
December 17th 03, 10:26 PM
Yesterday many folks were complaining that when they
tried to remove the W32.Swen.A@mm virus they encountered
2 complications:
1) can't disable system restore
2) can't edit registry
Here are step-by-step instructions to get rid of the
W32.Swen.A@mm virus, this worked for me. I hope it helps
you.
There are 3 parts to this document.
PART 1 - FIXING YOUR REGISTRY
PART 2 - RUN THE STINGER
PART 3 - DOING THE REST
-----------------------------------
PART 1 - FIXING YOUR REGISTRY
-----------------------------------
++ PART 1 - SECTION 1 - CREATE REPAIR.REG
1.1.A)
Go to webpage
http://securityresponse.symantec.com/avcenter/venc/data/w3
1.1.B)
Scroll down to the section titled "removal instructions"
and see instruction #3a,b,c,d,e. Don't bother doing f and
g! This describes how to create the file repair.reg and
save it on your desktop.
++ PART 1 - SECTION 2 - MODIFY THE ASSOCIATION FOR REG
FILES
1.2.A)
Return to webpage
http://securityresponse.symantec.com/avcenter/venc/data/w3
1.2.B)
Scroll down to the section titled "removal instruction"
and see instruction #2. This describes how to configure
your computer to properly handle REG type files. It
seems like the virus changed this and you have to change
it back.
++ PART 1 - SECTION 3 - LOG IN AS ADMINISTRATOR
1.3.A)
If you double-click the repair.reg file now you will
likely get the message "Registry editing has been
disabled by your admin" so you need to log in as the
administrator to run the repair.reg file
1.3.B)
Reboot your computer. (Start -> Turn Off Your Computer -> Restart)
1.3.C)
Your computer will shut down momentarily then restart, as
soon as it begins to restart, press the F8 key repeatedly
until a black screen appears titled "Windows Advanced
Options Menu"
1.3.D)
On this black screen, highlight "Safe Mode" and press
enter
1.3.E)
Another black screen should appear saying "Please Select
the OS to start:" select "Microsoft Windows XP Home
Edition"
1.3.F)
Eventually the computer will go into Safe Mode and you
will see a pretty blue login screen that says "To begin,
click your username", select ADMINISTRATOR!
1.3.G)
A little dialog box may appear asking you to click yes if
you wish to proceed in Safe Mode (click yes)
1.3.H)
Congrats, now you are logged in as Administrator and in
Safe Mode (by the way: the look and feel of your desktop
may look different, don't panic, this is normal)
++ PART 1 - SECTION 4 - MODIFY FILE ASSOCIATION UNDER
ADMINISTRATOR USER
1.4.A)
You'll need to Repeat the steps listed in (PART 1 -
Section 2) because you are logged in as a different user
++ PART 1 - SECTION 5 - RUN REPAIR.REG WHILE YOU ARE STILL
ADMINISTRATOR
(Helpful Hint: If you can't start Windows Explorer when
you perform step 1.5.A try right-clicking your desktop,
click new -> folder, name the folder whatever you want
(ie: temp), then right-click the new folder and click
Explore, Windows Explorer should appear. It worked for
me, hopefully it'll work for you too.)
1.5.A)
Using Windows Explorer, locate where you saved repair.reg
1.5.B)
Double-click the repair.reg, a message will pop up asking
are you sure you wanna do this, click yes. When completed
a message will appear telling you so. You should no
longer have problems running programs or clicking
shortcuts now!!
++ PART 1 - SECTION 6 - RESTART THE COMPUTER
1.6.A)
Click Start -> Turn Off Your Computer -> Restart
1.6.B)
Let the computer reboot normally (no need to press F8
this time)
PART 1 IS NOW COMPLETE!
-----------------------------------
PART 2 - RUN THE STINGER
-----------------------------------
++ PART 2 - SECTION 1 - DOWNLOAD THE STINGER PROGRAM FROM
THE WEB
2.1.A)
Go to http://vil.nai.com/vil/stinger/
2.1.B)
Click the link "Download Stinger.exe"
2.1.C)
When prompted, choose to save the file to a convenient
location on your hard disk (such as your Desktop)
++ PART 2 - SECTION 2 - DISABLE SYSTEM RESTORE
2.2.A)
Return to webpage
http://securityresponse.symantec.com/avcenter/venc/data/w3
2.2.B)
Scroll down to the section titled "removal instruction"
and do instruction #1.
++ PART 2 - SECTION 3 - RUN THE STINGER PROGRAM
2.3.A)
Run the stinger program by double-clicking it on your
desktop
2.3.B)
Click the "Scan Now" button (to learn more about how to
use stinger.exe read http://vil.nai.com/vil/stinger/)
Depending on the size of your hard drive. It took about 1
hour for me. When stinger finds the virus a message is
printed to the screen. On my computer, stinger found 8
infected files.
PART 2 IS NOW COMPLETE!
-----------------------------------
PART 3 - DOING THE REST
-----------------------------------
Go to
http://securityresponse.symantec.com/avcenter/venc/data/w3
Scroll to the "Removal Instructions" section and perform
steps 4, 5, 6, 7
When you're done don't forget to re-Enable System Restore
on XP
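
As an added example (not part of the original post, and not Symantec's repair.reg): a Python check for the two symptoms the post describes, disabled registry editing and a changed REG file handler, run over a text export of the registry. The policy value name and stock handler strings are the standard Windows ones, assumed here as the baseline; the sample export and the placeholder path in it are constructed.

```python
import re

# Stock shell\open\command handlers (assumed baseline for this example).
EXPECTED_OPEN = {"regfile": 'regedit.exe "%1"', "exefile": '"%1" %*'}
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Parse a REGEDIT text export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current["" if name == "@" else name.strip('"')] = data
    return keys

def unquote(data):
    # REG_SZ literal: strip the outer quotes and undo backslash escaping.
    return re.sub(r"\\(.)", r"\1", data[1:-1]) if data.startswith('"') else data

def audit(text):
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(POLICY_KEY):
            data = values.get("DisableRegistryTools", "dword:00000000")
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("registry-tools-disabled", key, data))
        m = re.search(r"\\(\w+)\\shell\\open\\command$", low)
        if m and m.group(1) in EXPECTED_OPEN and "" in values:
            cmd = unquote(values[""])
            if cmd.lower() != EXPECTED_OPEN[m.group(1)].lower():
                findings.append(("handler-changed", key, cmd))
    return findings

# Constructed sample export; the .exe path is a placeholder, not a real IoC.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\example_placeholder.exe showerror"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
print(audit(SAMPLE))
```

Run it against an export taken before and after the repair steps; an empty list afterwards means both symptoms are gone for the keys checked.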