W32.SwenA
Well a mate did the dumb dumb and responded to the fake microsoft e-mail and this is the virus he got. From what I can see he's not alone.
OK there's a removal tool (or two) but I can't get it to work as every time I try to execute a command I get an error message to the effect that it can't find Hnnswsg.exe and then it won't execute.
I have gotten rid of most of the files AFAIK, but what now.
Can't even use regedit.exe??
Any assistance gratefully received.
Thanx
Sorry if this is the wrong place, but couldn't find any better one to my eye anyway.
Baddog
09-24-2003, 06:41 AM
W32/Swen.A
W32/Swen.A is particularly difficult to remove because it disables a number of the common Windows tools used to remove worms, and disables antivirus programs. It spreads by eMail, KaZaa, IRC Chat and over local network.
http://www.aaxnet.com/info/virusfix.html#SwenA
Thanx for your reply Baddog, but I can't put the process into operation as when I try to execute regedit -s \swena.reg
It just comes up with the same error.
I can't execute any command at all - at least any I have tried so far. Can't even open a DOS window (Win98 BTW).
Am working in safe mode, at a dead end.
Don't want to go the format routine if I can help it.
Any further suggestions??
Thanx again
Ol'Tunzafun
09-24-2003, 12:28 PM
The Panda ActiveScan (http://www.pandasoftware.com/activescan) seems to work well against Swen/Gibe. It scans and removes, though it sounds like you may need some repair work as well.
Let us know how it works for you.
rraehal
09-24-2003, 02:39 PM
I have had viruses disable EXE files by modifying the registry so that instead of an EXE running, the virus executes. You can boot to DOS by pressing F8 at startup and copy regedit.exe to regedit.com and you will be able to run regedit in Windows. You can also run regedit from the command prompt I believe.
regedit -i file.reg - I would use the full path to the file instead of \swena.reg. I would type c:\swena.reg or whatever path you saved the file in.
The key that usually causes this problem is: HKEY_CLASSES_ROOT\exefile\shell\open\command
The value should be: "%1" %* - Use the quotes around %1 when entering the value.
Some viruses set the value to: virus.exe "%1" %* keeping exe files from running but not .com files. It is worth a try to avoid a format until you can run apps and perform a good backup.
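The check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads a REGEDIT4 export and reports file-class open commands whose default value is not `"%1" %*`. Covering comfile and batfile alongside exefile goes beyond the post and is an assumption, and the sample export is constructed.

```python
import re

EXPECTED = '"%1" %*'  # healthy default value quoted in the thread
# Assumption: comfile and batfile use the same default as exefile.
KEY_RE = re.compile(
    r'^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes)'
    r'\\(exefile|comfile|batfile)\\shell\\open\\command$', re.I)
# A string value line: @="data" or "name"="data", with backslash escapes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping: a backslash protects the character after it.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key path: {value name: string data}} from a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def hijacked_handlers(text):
    """List (file class, open command) pairs whose default is not EXPECTED."""
    findings = []
    for key, values in parse_reg(text).items():
        m = KEY_RE.match(key)
        if m and "@" in values and values["@"].strip() != EXPECTED:
            findings.append((m.group(1).lower(), values["@"]))
    return findings

# Constructed sample export: exefile hijacked, comfile left intact.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="virus.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in hijacked_handlers(SAMPLE):
        print(f"{cls}: open command is {cmd!r}, expected {EXPECTED!r}")
```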
Thanx guys,
Sounds like you had a similar virus rraehal.
Had tried changing the tag to com instead of exe, but no go.
Do you know if you can use regedit in DOS, 'cause it won't run from command prompt in Windows now that this **** virus has taken over?
Anyway, too late now - just got home (11.00PM) from work, will try some more tomorrow.
Thanx again
rraehal
09-25-2003, 02:29 PM
Originally posted by rraehal
You can also run regedit from the command prompt I believe.
regedit -i file.reg
I think the limit from the command prompt is that you can only import files, you do not get a GUI of any kind. I have not used regedit from DOS for a while but I remember it working. Like I said before, -i may not be the correct switch. If you want to delete an entry from the registry you simply need to place a minus sign in front of the Value line or key name.
[HKEY_LOCAL_MACHINE\SOFTWARE\TEST] in a reg file would create a key called test
-[HKEY_LOCAL_MACHINE\SOFTWARE\TEST] or [-HKEY_LOCAL_MACHINE\SOFTWARE\TEST] will delete the entry if I remember right.
We do not troubleshoot computers much at work any more. It is much more cost effective to copy the user files and ghost the PC.
All going again, thanx to you guys, especially rraehal.
Changed regedit.exe to com as suggested (had tried .cmd before) started in safe mode command prompt only and ran regedit.com c:\swena.reg (from symantec)
Did the job straight away.
Restarted in safe mode again - all seemed OK but to be sure ran the fixswena tool from symantec. It found another 3 registry entries to fix and 1 file. Required a restart to fix, and now all is well.
:) :)
SysOpt.com