OT: fake microsoft upgrade worm

OK, I know some of you know far more about this fake Microsoft security update worm than I do. My neighbor didn't stop to think and installed it on her computer. She keeps getting a pop-up declaring a MAPI32.DLL problem and asking for a bunch of email information. Her Norton Antivirus won't run, the computer locks up if I try to boot into Safe Mode, and regedit won't run. She is running win98se. I checked on several AV sites and there were some removal tools available, but I'm not sure exactly which worm this is. Is there some way of determining the name of the worm? Is there any way to boot into a safe condition so I can fix the registry? What's my best approach here? Thanks in advance.

Reply to
TJim

I think it's the w32.swen virus. If that isn't listed download the most recent "fixer" and try that. In all seriousness, I'd format and reinstall Windows XP... I'm about to do that to my work computer. I rebuild it just about yearly to keep it running smoothly (I should just move to Linux but am too lazy).

Reply to
Joe

It's not my computer. I may have to reinstall 98 for her, but I want to try one of the removal tools first.

Reply to
TJim

Approximately 10/1/03 12:29, TJim uttered for posterity:

Sounds like W32.swen variant all right. It disables regedit and antiviral software.

One of the quickest detects is to use Regedit to check this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\

In that key all of the normal subkeys [which should look like directories] have human readable names. If this was W32.swen, it has probably put a random string subkey in the "explorer" key with several contents. [use find key]

"Begbie" shouldn't be anywhere in your registry.

Of course you can't run regedit until you fix the registry key that disables regedit. You can replace your current registry with da0 [at which point all your software is de-installed effectively, but you can then load the current registry and edit the key that stops regedit....and then load *that* registry... but this worm has pretty much trashed several registry keys...

Symantec has a claimed removal tool, worth a shot.

Since there are two new ones as of yesterday, w32.swen is no longer front page at

formatting link
You can search for it with w32.swen and find the removal tool and the details of why the tool may not be 100% effective....

Or try these:

tiny version:

formatting link

tiny version:

formatting link

Reply to
Lon Stowell
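Lon's two quick checks (an odd random-looking subkey under the explorer key, and the string "Begbie" anywhere in the registry) can be applied to a registry export instead of by eye. The script below is an added example, not something from this thread or from any vendor tool: it parses a small constructed REGEDIT4-style export (the format Win98 regedit produces) and reports both indicators; the "random name" rule is a rough heuristic of my own, and the key and value names in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample export (REGEDIT4 format); the odd subkey and its values are invented.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Desktop"="C:\\WINDOWS\\Desktop"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced]
"Hidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Xk7qzv2Bdmw]
"Installed"="yes"
"Mailer"="Begbie"
"""

EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer"
MARKER = "begbie"  # string Lon says should not appear anywhere in a clean registry


def parse_reg(text: str) -> Dict[str, List[str]]:
    """Map each [key path] in a .reg export to the raw value lines beneath it."""
    keys: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^\[(.+)\]$", line.strip())
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None and line.strip():
            keys[current].append(line.strip())
    return keys


def looks_random(name: str) -> bool:
    """Heuristic: no spaces, letters mixed with digits, and very few vowels."""
    if " " in name or len(name) < 6:
        return False
    has_digit = any(c.isdigit() for c in name)
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return has_digit and vowels / len(name) < 0.2


def find_suspects(text: str) -> Dict[str, List[str]]:
    """Return direct explorer subkeys with random-looking names and keys mentioning the marker."""
    report: Dict[str, List[str]] = {"random_subkeys": [], "marker_hits": []}
    for path, values in parse_reg(text).items():
        if path.lower().startswith(EXPLORER_KEY.lower() + "\\"):
            sub = path[len(EXPLORER_KEY) + 1:]
            if "\\" not in sub and looks_random(sub):
                report["random_subkeys"].append(sub)
        if MARKER in path.lower() or any(MARKER in v.lower() for v in values):
            report["marker_hits"].append(path)
    return report


if __name__ == "__main__":
    print(find_suspects(SAMPLE_REG))
```

On a real machine you would export the registry from a clean boot (as Mike suggests, boot from a disk so the worm is not loaded) and feed that file to `find_suspects`; any hit is a reason to run a vendor removal tool, not proof by itself.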

If you can get it online, you can have Symantec (Norton AV) do a scan for you using Explorer and ActiveX to ID the trouble.

They are at

formatting link
Otherwise a boot disk is your friend, or a bootable CD to just fire it up and cancel whatever the CD is to get into windoze or DOS mode maybe.

With a boot disk or CD, the virus won't load into memory.

Norton can be run from a command line if you know the path. You will need to know the virus definitions path too and add it with a switch, or make an autoexec.bat file for its location with a path like C:\progra~1\nav\shared~1\update.xxx or whatever it is and run the bat first, then the navw32.exe under its own path.

My Norton AV also came with a boot disk for this, but the bat file with the definitions path has to be in there or it uses the old set on the disk.

Hope this helps,

Mike

86/00 CJ7 Laredo, 33x9.5 BFG Muds, 'glass nose to tail in '00 88 Cherokee 235 BFG AT's

TJim wrote:

Reply to
Mike Romain

Thanks, guys. I knew I could count on you. I got Swen removal instructions and the tool from Symantec and I plan to try that route. I printed your instructions, too, Lon. Thanks again.

Reply to
TJim

formatting link
Try this - it is supposed to be as good as (I have been told that it is better than) Symantec... & it's free.

Reply to
Carlo Jr.

Reply to
L.W.(ßill)

Thanks, everyone, for all your input. I have absolutely identified the worm as Swen. I downloaded both AVG's and Symantec's Swen removal tools and write-ups and will be treating the patient today. I knew it was one of the new worms; it was the identification I was having trouble with. There seem to be so many recently, sometimes it's hard to keep track. ;-)

Reply to
TJim

Speaking of which... I see some posts/emails with the little message at the bottom that it has been scanned by Grisoft & is safe. Does that only come after you pay for it?

Reply to
Carlo Jr.

Reply to
L.W.(ßill)
