downloader.swizzor and 64-bit woes... (a.k.a. just making sure)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mimsy, Jan 27, 2008.

  1. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Hi! :wave

    I think all the remnants of the virus are gone, but I was hoping that you wouldn’t mind going over my logs and just make sure. I’m paranoid about this computer, and I’d rather be safe than sorry.

    When I started up my computer for the day, to check forums, email, and then go and play The Witcher, AVG anti-virus started one of its automatic system checks, as it always does. Since running a game while AVG runs its scan usually makes the game laggy and choppy, I decided to wait and just surfed around a bit more while I waited. Right in the middle of posting in another MG forum, AVG popped up a message saying it had found a virus! Apparently something called downloader.swizzor was sitting in a folder in another account, and AVG wanted to verify that it was okay to quarantine that file and fix any damage the virus may have caused.

    I clicked on "quarantine", and a few minutes later another AVG window popped up and told me that everything was "successfully healed" and that I needed to reboot the computer to finish up the cleaning process. Like a good user, I promptly rebooted.

    Then, just to make sure that everything was cleaned away, I decided to go through the Read & Run thread, and post the logs here. However, I ran into some issues about half-way through.

    CCleaner ran on all three accounts without problems, and disabling UAC was smooth, simple, and easy. Combofix, on the other hand, would not run. It gave me two error messages, saying that a couple of registry files/folders could not be saved, and then shut itself down. That’s when I grabbed my laptop, opened a notepad window and began taking notes… unfortunately I wasn’t able to remember the paths to the files. I double-clicked on Combofix again, hoping the errors were just flukes, and it went straight to “preparing to scan”, then shut itself down once more.

    At that point I decided to move on. I don’t have a Combofix log though, since it never made it that far.

    Spybot ran like a champ, and found absolutely nothing, so I don’t have a log from that application either. AVG anti-spyware also ran just fine, and I do have a log from that scan. I’ll be attaching it to this post.

    Then I tried to run MGTools, and this is where the real hassle started.

    UAC was already disabled, so I double-clicked the MGTools.exe file, and watched the DOS window that came up. After only a second or so an error message came up, saying that the function time.exe could not run, due to incompatibility with my 64-bit operating system. I clicked Okay, thinking that the rest of the scans might be able to run at least. As soon as I clicked, an identical error message came up and informed me that locate.com had the same problem. Clicking on Okay for that error message did not make it go away however, nor did clicking on the red x in the upper corner. I had to open TaskManager and end the process there, to get rid of the error message.

    Ever stubborn, I then moved on with the rest of the instructions, and right-clicked on GetLogs.bat and told it to run as administrator. The errors referring to time.exe and locate.com being incompatible with 64-bit Vista came up again, but this time they both went away when I clicked Okay, and GetLogs seemed to be able to do its thing and produce scans and/or logs. Once it was done with the runkey one though, the 64-bit incompatibility messages came up again, and once again from time.exe and locate.com. This time, the locate.com message closed down and a message from Vista itself popped up and said "SteelWer WhoAmI application has stopped working". I closed that application, and the locate.com incompatibility message came right back.

    Once more I had to go to TaskManager to get rid of the persistent error message, and once more the MGTools application shut down when the error message did. I’m going to attach the logs anyway, since they still might have helpful information.

    Apologies for the long post… I live under the delusion that the more information I can provide, the easier it is for you to do whatever it is you need to do. To be honest, I really just want comforting reassurance that swizzor is completely gone.

    And now, if you'll excuse me, I need to go reboot so UAC turns back on. :)
     


  2. abri

    abri MajorGeek

    Hi Mimsy! :)
    I think everyone's avoiding you. Vista. ...
    Your tools didn't run correctly, so I think Chas is going to have to look at this. Did you run them according to the Vista instructions?
    abri
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools and many other programs for that matter, are not compatible with x64.
     
  4. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    That's okay, I can be patient. :) I haven't seen any pop-ups or other weird symptoms, so I'm starting to believe AVG did its job as thoroughly as it claims.

    I did follow the Vista procedure, but I wasn't surprised to see some compatibility problems. The vast majority of the applications I have installed, including my games, are in the "special 32-bit" Program Files folder.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Mimsy,

    If you have some time to experiment a little, I could try creating a variation of MGtools for x64. I don't have an x64 platform to test on so you could be our tester if you wish. ;)

    First I have to ask a question, did the MGtools.exe program actually run to extract all files into the C:\MGtools folder?
     
  6. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I don't mind being a tester, as long as you don't mind that all I'll be able to do is follow instructions and give reports; what I know about how software actually works can't even fill a shot glass. :)

    Since there is a large number of files in the MG Tools folder, I assume the answer to your first question would be "yes". I can try listing them, but like I said, there is a lot of them. GetRunKey, analyse.exe, ShowNew, RegFix, and GetDetails.exe are some of them.
     
    Last edited: Jan 30, 2008
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks for volunteering. Perhaps we can change the amount you know a little bit while doing this. ;) I'll work something up and post back in this thread when I have a chance. I will PM you too to let you know since it may take a while (maybe on the weekend).

    Sounds like the autoextraction ran OK. That was my first concern. I expect that many of the other tools will have issues, including the use of the zip.exe file which is part of the tools. In fact, just go to the C:\MGtools folder and run the zip.exe file. What happens?
     
  8. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    So when this is over I will have software knowledge that has nothing to do with gaming? Wow. I'm branching out! LOL

    I'll look for the PM, but fair warning: I'm insanely busy for the next few days. My state's caucus is this Tuesday, and I'm volunteering a lot of time at a local campaign office. So in other words, take your time. I'll be watching this thread for updates too.

    Running zip.exe:
    A window blinks briefly, but then goes away. It looks like it is black with white text, so probably some kind of DOS window but it flashes past so quickly that that's all I can get out of it.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will take a lot of time anyway since I have to figure out how to do things without some of the tools already being used, and that will not be easy.

    Try it from a command prompt. Click Start, Run, and enter cmd and click OK. Then type the below commands (we will test a couple of other commands too, to see what happens).

    cd C:\MGtools
    zip
    grep
    locate

    Tell me what happens after the zip, grep and locate commands.
     
  10. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    zip
    The command prompt responded by telling me the default action for this is to add or replace zipfile entries, and then went on to give me a long list of commands (it looked a little bit like the response to "man <command>" in the Ubuntu installation I have used for over a year and really should know more about than I do).

    grep
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try 'grep --help' for more information.

    locate
    A familiar window pops up and tells me that the feature locate.com can't be run due to incompatibility with my 64-bit version of Vista. The message is repeated in the cmd-window.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks!!

    Okay that sounds like zip.exe and grep.exe will possibly work with x64 and that locate.com will not.


    And from past experience I know that ltime.exe and swreg.exe will not work either. Let me see what I can put together.

    Also please try running processdll.exe from the command prompt and let me know if you get a message about being incompatible with 64-bit software or if you get another error message. This program does require the Microsoft .NET Framework software to be installed so a different error message may occur if it runs on x64 but you are missing the .NET Framework software.

    Then from the command prompt also try running the vfind.exe command and let me know if you just get help information on the program or an error about 64 bit compatibility.
     
  12. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Okay... processdll.exe gave me a weird error message I have never seen before. So I took a screen shot and cropped it a bit to make it easier to read, and attached the error message to my post.

    vfind.exe produced a long list of help information, so that one seems to have worked.
     

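    The results in the two posts above show a pattern: zip.exe, grep.exe and vfind.exe run, while locate.com and ltime.exe are refused with a "not compatible with 64-bit" message. A likely explanation, which is my inference and not something the thread states, is that those .com-style helpers are 16-bit DOS programs; 64-bit Windows ships no NTVDM and cannot run 16-bit code at all, whereas 32-bit PE programs run under WOW64. The script below is an added example, not one of the MGtools, that reads the MZ/PE headers of a file to tell the three cases apart before you try to run it. The sample images it builds are constructed for the test and are not real tools from the thread; it also will not explain failures of 32-bit programs that break for other reasons (swreg.exe, or processdll.exe needing a matching .NET Framework).

```python
import struct
import sys

# COFF machine types and optional-header magic values from the PE format.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x010B
PE32PLUS_MAGIC = 0x020B


def classify_image(data: bytes) -> str:
    """Classify an executable image by its headers.

    Returns one of:
      'com16'    - no MZ header at all (raw 16-bit .com binary)
      'dos16'    - MZ header but no PE header (16-bit DOS .exe)
      'pe32'     - 32-bit Windows PE (runs under WOW64 on x64)
      'pe32+'    - 64-bit Windows PE
      'pe-other' - PE for some other machine type (IA64, ARM, ...)
    """
    if data[:2] != b"MZ":
        return "com16"
    if len(data) < 0x40:
        return "dos16"  # too short to hold e_lfanew: bare DOS stub
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # We need "PE\0\0", the 20-byte COFF header and the 2-byte optional-header magic.
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "dos16"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC:
        return "pe32"
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == PE32PLUS_MAGIC:
        return "pe32+"
    return "pe-other"


def runs_on_x64_windows(kind: str) -> bool:
    """x64 Windows has no NTVDM, so 16-bit images cannot run at all;
    32-bit PE runs under WOW64 and 64-bit PE runs natively."""
    return kind in ("pe32", "pe32+")


def _mz_stub(e_lfanew: int) -> bytes:
    """Constructed 64-byte DOS header with only the fields the classifier reads."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


def make_dos_image() -> bytes:
    # Constructed sample: MZ header whose e_lfanew points at nothing useful,
    # followed by a few bytes of 16-bit code (mov ah,4Ch ; int 21h).
    return _mz_stub(0) + b"\xb4\x4c\xcd\x21"


def make_pe_image(machine: int, magic: int) -> bytes:
    # Constructed sample: DOS stub, "PE\0\0", a 20-byte COFF header and just
    # the optional-header magic. Real files carry much more, but this is all
    # the classifier looks at.
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, 0)
    return _mz_stub(0x40) + b"PE\0\0" + coff + struct.pack("<H", magic)


def classify_file(path: str) -> str:
    # 64 KiB is far more than any sane DOS stub; a PE header beyond that
    # would be classified as 'dos16', which is acceptable for a quick check.
    with open(path, "rb") as fh:
        return classify_image(fh.read(65536))


if __name__ == "__main__":
    # Usage (paths are whatever you point it at, e.g. the C:\MGtools helpers):
    #   python pecheck.py C:\MGtools\locate.com C:\MGtools\zip.exe
    for path in sys.argv[1:]:
        kind = classify_file(path)
        verdict = "ok on x64" if runs_on_x64_windows(kind) else "will NOT run on x64"
        print(f"{path}: {kind} ({verdict})")
```

    Run it over each helper in the tools folder before starting a scan and you get a per-file verdict instead of a cascade of error boxes mid-run; anything reported as com16 or dos16 needs a 32-bit or 64-bit replacement on x64 Vista.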

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove Programs to see if you have anything saying Microsoft .NET Framework (any version number of it; could be 1.0, 1.1, 2.0 etc.). Let me know. If not, you should check Microsoft Update to see if it appears anywhere in any of the downloads available for you. It would not be one of the Critical downloads.


    Also please download the attached GRK64.zip file and save it to your C:\MGtools folder. Then extract the contents of the ZIP file into the C:\MGtools folder. This will add a file named GRK64.bat to the folder. Try double clicking the GRK64.bat file. If it runs a notepad window will popup with a runkeys.txt log. Also it should add the runkeys.txt log to the C:\MGlogs.zip file. Attach the C:\MGlogs.zip file.
     


  14. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    First: The Programs list has .NET Framework 1.1 plus a hotfix for it.

    Second: GRK64.bat absolutely refused to work until I ran it as Administrator. Once I did, it ran, but it did say it failed to find a registry key. I tried to attach MGlogs.zip to this post, but I got an error message saying that I had attached it already.
     
    Last edited: Feb 2, 2008
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then it sounds like processdll.exe is not compatible.

    The command prompt window tells you to ignore messages about registry keys not being found. ;) Okay if it ran, then attach the C:\MGtools\runkeys.txt log which should be new. Not sure why it did not update the ZIP file.

    Did you see the below (or similar) as the last few lines in the command prompt window that opened when GRK64.bat was run.
    Code:
    C:\MGTools\temp\xrkey10.txt
    
    C:\MGTools\temp\xrkey12.txt
    
    updating: runkeys.txt (208 bytes security) (deflated 82%)
     
  16. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I saw nothing about updating, and no references to C:\MGtools\temp

    File attached. :)
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see the command prompt window?

    Now something in your log is unusual. Instead of showing the installation folder for GRK64.bat (which should be C:\MGtools ) it is showing C:\windows\system32

    It appears that you do not have UAC disabled. Did you get constant popup messages asking you to allow things to run as GRK64.bat ran? These tools normally require UAC to be disabled, then a reboot for it to take effect before running them.
     
  18. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I always have UAC enabled, just because it seems like the smart thing to do. I completely forgot the part about it needing to be disabled to run these tools. And yes, I did see the command prompt window, but there were no messages about either updating or C:\MGtools\temp.

    Give me a few moments, I'll go disable UAC, reboot, rerun GRK64.bat, and attach the new MGlogs.zip.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you should normally keep UAC enabled, but to run certain programs it is really necessary to disable it, or you can have great difficulties in running the program. The tools that are part of MGtools will cause UAC to pop up non-stop. They run best when UAC is disabled.
     
  20. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    I leave the room for five minutes, and the keyboard is hi-jacked... :D

    I tried to attach the new MGlogs.zip, but I once again ran into the error message that told me I had already attached that file. I did see something similar to these in the command window when I ran GRK64.bat:

    Edit:
    It occurred to me to try and attach the runkeys.txt file, and that seems to have worked. Any other file you need?
     


    Last edited: Feb 3, 2008
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that you put the ZIP file here:

    C:\GRK64\GRK64.bat

    It needs to be in the same folder as the rest of the MGtools in order for things to work properly. That is why I had said to extract the contents of the GRK.zip file into the C:\MGtools folder. You do still have the C:\MGtools folder I assume from running MGtools.exe before. Please do the below:

    1. Delete the existing C:\MGlogs.zip file
    2. move GRK64.bat to c:\MGtools
    3. run the C:\MGtools\GRK64.bat file by double clicking on it.
    4. observe the messages in the command prompt window. The last line of output should be something like below since it will be trying to create a new ZIP file.
      • adding: runkeys.txt (208 bytes security) (deflated 82%)
    5. check to see if the C:\MGlogs.zip file was created.
    6. If it was created, attach it.
    7. If it was not created, start at step 3 again but this time right click the GRK64.bat file and select Run as Administrator and continue thru with the other steps and attach the MGlogs.zip file if created.
     
  22. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Wow. I feel extremely stupid. :eek:

    Okay, I can fix this...

    • Deleted existing MGtools.zip file.
    • Moved GRK64.bat to C:\MGTools
    • Remembered just in time that I need to disable UAC, so did that and rebooted
    • Double-clicked GRK64.bat and watched the command window closely... it closed immediately after posting the last line, too fast for me to be able to see what it was.
    • Checked and found a new C:\MGlogs.zip It's attached to this post.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's great progress.

    We now know that this version of GetRunKey will run properly and that a ZIP file can be created and the log will be added to it.

    Now I need to get a modified version of GetLogs.bat and ShowNew.bat to you to try. ShowNew.bat needs to be finished before trying a new GetLogs.bat. It will take longer to get ShowNew.bat modified than it did GetRunKey.bat. So for now, make sure you re-enabled UAC and I will PM you when I have something new for you to try.

    Thanks for helping to test this out. It will help others who are using x64 versions of Windows. Hopefully what we are doing here for Vista x64 also proves to work properly on Win2K and WinXP x64 versions. I would think that it would.
     
  24. Mimsy

    Mimsy Superior Imperial Queen of the MG Games Forum

    Happy to help. I'll keep an eye out for another PM then. :)

    And UAC is back on. I feel kind of naked without it...
     
