Need your help

[boxig]

Brian,

Yes, I know about the inf that's why I did not touch them. It is now working fine and it seems I removed all malicious files.

When you say "Swen" you don't mean "System32\swenum.sys" ???

Now I have working on start:

Norton

AVG

Sygate

and will run every day:

Ad-Aware

XoftSpy

And will run on-line check once every few days at "Panda".

I hope this will be enough.

Thank you for your help and to all members who gave me ideas.

Granot

[Conflow]

Hi Granot,

Just to sign off - I did not know that you were using a "Firewall" you may not know that they

are Bi-Directional.

1) Coming into the "Firewall" they will 'bounce back' anything thats not Plain Text - I got a

bounce from your site yesterday when I was using HTML. O.K no problems.

2) They will also 'Bounce-back' anything within the PC that they dont like, for example:-

when you dropped the "Firewall" to download a Presentation you probably downloaded

a 'Cuckoo' or a 'Cookie'.

3) When you put the "Firewall" up again it will bounce anything it doesn't like within the PC.

so you keep on "reinfecting yourself" each time you attempt to go on line.

Finally, yes, your definition of the Swen Virus is correct. Again I will repeat install a good

DiskCleaner like CM Software its invaluable.

Best Wishes from Dublin.

Brian Kelly.Conflow.

conflow@iol.ie

[boxig]

yes, your definition of the Swen Virus is correct.

Brian

Sorry, I gave wrong path, it is "System32\Drivers\swenum.sys" .

I think it is ok. What do you think ???

BTW: another good protecting utility (no installation) is "BHODemon" with good Help file which explains about BHO (Browser Help Objects)

Thanks

Granot

[Conflow]

Hi Granot,

I know it as the "Swen Virus" - on your XP it may have a different definition -

Symantecs Title for it, is:- W32.Swen.A@mm (It goes in versions from A - D)

I don't know the exact path for an XP - very few people would ?? all I can say:-

It attacks the System32 Drivers particularily the Webcheck Dll's and Shells etc.

It 'steals' any convenient piece of document from the PC or plain text from

an EMail and inserts a hidden code -'a cuckoo'- into the text.

It then generates a 'dummy or alias Attachment' (which does nothing).

Once you read/open the text file it automatically sends variations of itself

(A-D) to everyone in your Address Book - furthermore it parks another copy

of itself onto your PC. When you go on line again it now doubles its output

and so on and on. YOU DO NOT NEED TO OPEN THE ATTACHMENT FOR IT TO WORK.

"Firewalls" will not protect you against this as it comes in 'plain text'. The attachment

is a simple decoy which the Firewall will reject, but not the plain text - unless its told

to reject that 'script' format. Make sure Norton is up to date, better off to "sweep"

and make sure all 3 of them are not there, see below -

If you open "Google" and simply type in -Swen 32- it tells you all, and will direct

you to a Emergency Server operated by Symantec. You can download the "Fix Tools"

from there. The "Fix Tools" for Swen, Beagle, Novarg, vary in size from 140 -185 kB.

Its well worth "sweeping for these swines" because they destroy PC's

Regards.

Brian Kelly.Conflow

conflow@iol.ie

[boxig]

Brian,

Ok, I found the tool at:

http://www.symantec.com/avcenter/venc/data...moval.tool.html

My question is, if the tool belongs to Symantec and Norton didn't find this worm, how can it be ? How can I check if I have it or "System32\Drivers\swenum.sys" is the worm ?

I found a tool name "swentool.com" which say: "The SwenTool is the utility created by Kaspersky Labs to eliminate Swen (or also known as Gibe.E) worm infection and to restore System Registry entries modified by the worm."

- I just run it (Dos window).

Sould I run Symantec tool too ?

And... do you know this one: "System32\ntoskrnl.exe" ?

I'm really embarrassed but have no one elase to ask. By checking other forums I see many users have similar problems and conclusions are not clear. I see all these malicious files are going to be a neverending story. I hope members who read this topic will hurry to protect themselves by using some of the utilities talked about.

I will wait for your guideness before continue.

Thanks again

Granot

[Ken Cox]

you can always send the file to Norton/Symantec

ken

[Conflow]

Hi Granot - Hi Ken,

Granot, as I said these 3 Worms are "multiplier worms" they take time to become evident on a PC.

Swen hit the Executive Markets last September (done terrible damage). Novarg came in January and Beagle came in February.

All 3 really started to impact the Domestic Market in March-April-May. They peaked in April.

We were lucky because one part of our Business is Microsoft OEM.Computer Manufacturers.

As I said all 3 have variants versions A to D. The earlier ones were variant A & B and its quite

possible you you may have picked up C or D. YOU MIGHT NOT HAVE THEM AT ALL but just check.

YOU MUST RUN YOUR SYMANTEC 'FIX TOOLS' nothing else, except those Norton Tools - there

are reasons for this which would take too long to explain here.

Again I say, because you are behind a "Firewall" you may be and again I say you may be infecting yourself ??? - just run the damn tools and have peace of mind, please !

The problems with "Anti-Virus Prog" behind a "Firewall" is that it never gets a chance to be

updated with "New Virus Definitions" and they are issued every week or so and I suspect

thats whats might have happened here.

ntoskrnl.exe is not on our PC's - I would not touch it - because ifs its genuine and not a "spoof" its pointing to the System Kernel - god thats dangerous territory.

Granot, please, please, please, run the Tools - let the Symantec experts do the job for you and when you finish the job I'm going for a pint of Beer, maybe 2 or 3.

Good Luck, let me know.

Brian Kelly.Conflow.

[boxig]

Bian,

Finally I run the tool (disabling restore points first) and it did not found nothing.

From what I read I'm not sure if this means I'm clean or its effects still maybe there somewhere.

"System32\Drivers\swenum.sys" is not there.

but there is a similar file called:

"System32\Drivers\serenum.sys"

What the hell is this ???!!!

As for "ntoskrnl.exe" - I will not touch it as you suggested but I blocked it with "Sygate Firewall" (?).

As for "System32\DRIVERS\ndisuio.sys" - Blocked also.

Thank you very much for your great help. I wonder where you got all this knowledge about bad files. All members should know that their pc is 99% infected or just carrying files which should not be there. My friend who had a very quite life (since he was using Norton) decided to make some of the checks mentioned on this topic and run some of the tools. He found 5 viruses and over 400 (mostly cookies) which he cleaned, and now he says his pc works better.

Hope for clean PC to all members and thanks again to all.

Granot

[boxig]

I give up !

In the last week I was trying to clean my computer, but it seems now that I'm getting more infected using all those programs which are supposed to protect me. I'm sure they are those who infect me. Because I didn't download anything, didn't visit any site, just security sites.

I have a lot of problems now but my main problems are "Swish" which don't work as it should (fonts are mess in the swf file) and my computer is very very slow. More and more files are trying to get in and out my computer and I really don't enjoy all this.

It seems reinstalling windows is the only way.

I'll be glad to listen to any advice or suggestion.

Thank you all

Granot

[LumenLux]

Granot, I can appreciate the nightmare you are experiencing. But I am not smart enough to sort it out. It seems there has been some very good information from several members. But as the "victim" it is very difficult to determine what (of all the good info) applies in your own individual case.

The last and I hope only time I encountered a similar mess, I did the following. I bought Partition Magic program and used it to set up a new drive in the minimal open space on my hard drive. I installed Windows XP in the new partition. ( The infected drive was using Win98 SE). I immediately installed anti-virus software on the new drive (partition.) Then a proceded to re-install my most needed software & data from the infected drive or program disks. It was my understanding that the anti-virus software would not allow me any of the infected stuff to my new partition. This mess was at a critical time ("busy season") so I moved only the most needed information. After the time crunch eased a bit, I erased more un-needed stuff from the infected partition, then increased the size of the new partition. Finally, when I had worked this far enough, I wiped clean the original mess and began using the space again.

I did not know exactly what I was doing and had many questions along the way, but so far things have been ok - 3 or 4 months now. Maybe such approach could be modified to at least salvage most of your accumulated work.

[Conflow]

Granot,

First you are OK and now you have trouble again - By your 'post' you did have the Swen Worm

and the 'Fix Tool' has corrected that.

You are looking at my 'post' but you are not reading it properly, you keep going into System32 -

I told you that was dangerous.

PLEASE STOP MESSING AROUND IN SYSTEM 32 and DO EXACTLY AS FOLLOWS

Print this first

A) WHY ARE YOU BLOCKING "SYSTEM FILES" - PLEASE STOP THIS !

PLEASE UN-BLOCK THESE FILES - SWITCH OFF- NOW RESTART.

C) DISCONNECT YOUR MODEM

D) DROP THE "FIREWALL" and SWITCH IT OFF.

E) RUN ALL 3 "FIX TOOLS"

F) FINALLY RUN "SCANDISK" and let the PC Fix itself - and it will do that IF it is not damaged !

JUST DO A, B, C, D, E, F, and stop messing around in System 32.

LEAVE THE MODEM DISCONNECTED and TEST your PC for a few Hours.

NOW 'ACTIVATE' NORTON FOR ALL EMAILS and LEAVE IT ON

KEEP THE "FIREWALL" OFF

Now,Connect the Modem and come back to me on: conflow@iol.ie Our Norton is always ON.

We know about these problems because our Family Business fixes over 100 PCs per Year.

Brian Kelly.Conflow.

[boxig]

I did not know exactly what I was doing

That's what I'm afraid to do what I don't know. Anyway, I will keep this advice for last resource. Thank you for your concern.

Brian,

I just printed your instructions and will follow tomorrow morning on fresh.

AVG found 34 exe infected files and moved them to Vault, all from "Windows" (not system32). Then I found by "Properties" on "Temporary Internet Files" that I have about 750 MB files there, even it's configured to keep up to 1 MB only and to delete files when browser exit (?). Although my windows shows hidden files I could not see them. So I made a small program and delete all those which has extension but there were still 12,000 files with no extension. Finally I run a program named "X-Cleaner" which did what I could not make in all regular ways - delete my Temporary Internet Files.

The "Symantec Removal Tool" is called "FixSwen.exe" and when I run it yesterday it say in its log file:

"The default value of the registry key

"SOFTWARE\Classes\scrfile\shell\config\command"

is set to ""%1" %*".

The folder "C:\System Volume Information" was not scanned.

W32.Swen.A@mm has not been found on your computer."

From your say I understand I'll have to run it again following your steps.

And what you mean by saying: "RUN ALL 3 "FIX TOOLS" ? which 3 tools ?

Sorry for being so ignorant and thank you again for your help.

Granot

[Conflow]

Back to you again Granot,

Don't be apologetic about this ! - I also had to learn, like you, the hard way.

But you are an awful man deleting those Files - restore them and leave them alone.

Now read this carefully:-

System 32 contains the Computers "internal drivers" - these 'drivers' make it possible

for the PC to talk to its internal IDE Buss System (its Data Highway) - these Drivers talk

to the Video Card, the Sound Card, the Internet, - in fact they 'drive' virtually everything

in the PC. including Windows and Interactive Programs such as Adobe, IE.6 and Macromedia.

So you see how dangerous it is mucking around in System 32.

HOW TO RUN NORTON

I have given you the Instruction how to "set-up your PC" to run Norton properly.

You must do exactly as I said - nothing more - nothing less.

WHAT HANGS NORTON

Norton can not do its job properly if you have other Programs Open and Running.

You must "Close ALL Programs" and CLOSE YOUR FIREWALL for it to work properly.

Disconnect your Modem for safety reasons.

THE DANGEROUS WORMS

They are: "Swen", "FX Beagle", "Novarg". Fix Tools are available for all 3 thro' Google.

In your case you must use Norton "Fix Tools" only.

These Worms attack the System 32 and 'modify' some of the drivers and use them to

infect you internally and others thro' the WEB and EMails (Simple explaination).

Granot, you are driving yourself mad with all these "Scans" - Forget them, Forget Windows, etc;etc.

and get on with Norton -

BUT FIRST, RESTORE ALL SYSTEM 32 FILES you have removed - I mean ALL THE FILES infected or good - otherwise we are going nowhere.

Brian Kelly.Conflow.

[boxig]

Brian,

I really appreciate all your help and hope to have no more such big problems. As for system32, I only run the anti programs and let them do their job. So if infected file was found, I hope they new what to do. As you will see, I think no file was removed unless it was not supposed to be there.

I followed your insrtuctions and here is what I did:

Disconnect modem, disable Firewall, restart, run "Fix Tool" and got:

"The folder "C:\System Volume Information" was not scanned.

W32.Swen.A@mm has not been found on your computer."

On XP there is no "ScanDisk" as in win98 but on C , Properties, Tools Tab, Error Checking (this option will check volume for errors). Everything was fine. I never new about this XP tool and found it only when looking for the ScanDisk.

Two things were not clear when you say: "NOW 'ACTIVATE' NORTON FOR ALL EMAILS and LEAVE IT ON" and "KEEP THE "FIREWALL" OFF" - I assume you mean during the few hours check when modem is not connected, or I misunderstood you ?

After 3 hours I activated Sygate Firewall, norton and AVG and connect the modem. "Swish" is ok now and it looks like the rest too. My hesitations are only concerning those files trying to send info outside (for example: to crl.verisign.com). I'm warned by Sygate and unless I know the file I don't allow it. I hope I do things right.

Brian, I'm a bit confused about the Norton. What do you mean by "Norton can not do its job properly if you have other Programs Open and Running" ??? I guess I'm a bit stupid but I can't understand what you mean.

Also you say: "Fix Tools are available for all 3 thro' Google. In your case you must use Norton "Fix Tools" only." - so if I'm infected with 2 or 3 worms should i use the 3 tools ? Why "in my case" one tool is enough ?

Brian, you are reminding me all the time about system files to restore and put them back but if you take a system file out, xp will let you know there is a file missing, isn't it ? I also think that when I run the "Check for errors" (scanDisk) and I got ok result, that means no file is missing.

Now after I successfully confused myself, can or can't I use Norton and AVG and Sygate Firewall at same time ?

Thank you again for all your great help and guideness and your patience with me.

Granot

[Conflow]

Granot,

Will you go 'outside the Forum' and contact me directly on conflow@iol.ie or on conflow@eircom.net

I have tried unsuccessfully to contact you on boxiq@zahav.net.il both in Plain Text and HTML

and I get the return daemon message 'No Address Exists'

Have you got another EMail address I can contact you with, so I can help you thro' this the

problems. I have two "Special XP-Help Sites" which will tell you everything you need to know.

As I said, shut down the "Firewall" and leave it shut down until we do all the tests -

XP-Error Checking is a new name for '98 Scandisk, thats why the PC found it !

Granot there are 67,000 different Virus and Worms identified in the Norton Libraries.

We are looking at the 3 most recent dangerous ones each is different, so each has its own Fix Tool

which you must use.

Norton cant do its job properly when a 'Program is Open, or a 'Firewall' is active........because

the way Norton Works.

It starts at File No: 00001 and goes thro' each file in turn until it gets to the end of the stack,

example: File No: 36178. yes, there are that number of Files on an XP.

Now lets pretend it got to File No: 18540 and the "Firewall" is still active - that "Firewall" can

bounce a virus back into the 'cleaned Files'. An infected 'Open Program' can also bounce a virus

back into the 'cleaned Files'.

Any "Firewall" is bloody stupid, because they take a long time to "learn" what is a 'good File'

compared to a 'bad File' - in fact we dumped them all, because they are like "Spyware" they

have to learn and they cause more problems than they are worth.

When you contact me OUTSIDE THE FORUM we can Communicate properly, and I can

Test for you - your EMails and your WEB on my PCs'. Then you will know for certain that all

things will be OK because I will test with Norton and CMDiskcleaner on this end.

conflow@iol.ie and also conflow@eircom.net use both of them.

Brian Kelly.Conflow.

[boxig]

Brian,

I found the list of Norton tools here:

http://service1.symantec.com/SUPPORT/nav.n...src=bar_sch_nam

I found "FxBeagle.exe" but can't find the tools for "Novarg".

My email is: boxig@zahav.net.il

Where are those two "Special XP-Help Sites" ?

I have sent you email.

Thank you

Granot