This certainly is! (a virus that is)


This computer arrived with the complaint that it was running very slowly and the desktop icons went away.
I plugged it all in and switched on and the desktop appeared. During booting-up I noticed a couple of warning notices about some file or other but didn't pay too much attention as I imagined I could sort that out later.

After re-booting a few times, and failing to make sense of what I was seeing, because each time I did, it was different, I tried SFC. This worked but reported, much to my surprise, that all was perfect and there were no files either missing or corrupted.
I tried MSCONFIG but this wasn't very happy and did not burst into life as expected.
I rebooted and tried SCANREG from DOS. Much to my surprise, the Registry was reported to be in tip top shape. Somehow I doubted this but Microsoft knows best. Anyway just to be on the safe side, when prompted, I selected the earliest version offered which was about a month previous.
Continuing to reboot eventually brought up the desktop but right clicking "My Computer" did nowt.

I decided to go along with what had been reported on the screen. When a file was said to be missing, using my Workshop computer I put it on a floppy and installed it in the appropriate directory.
I repeated this over and over again but it was like digging the Channel Tunnel with a plastic shovel. I was getting nowhere very fast. The more I put in the more that went missing.

I vaguely imagined it was a corruption in Windows 98 so I put in a CD and started to re-install it... with some confidence I must admit. So it came as a bit of a shock to suddenly see the computer switch off, preceded by its orange coloured switching off notice. I pressed the go button and within three seconds the machine went off again. What next?
As it was now 7pm I thought I'd sleep on it!

Later that evening I thought about viruses. It certainly had all the hallmarks!
How could I load Norton and then visit the Internet and download the latest stuff?
Certainly not on the sick machine.
What if I removed the hard drive and fitted it into the workshop machine?
This has a front accessed plug-in hard drive module into which any hard drive may be fitted and I could configure it to appear as a slave on the secondary IDE.
Hopefully the rogue drive's software load would be dormant as my own drive has the working Windows 98.
The Workshop computer isn't connected to the Internet but it does connect via a LAN to my Accounts machine which has a modem and also has the latest virus definitions.
I first tested out Norton Anti-virus to see if it balked at checking hard drives over the LAN. No problem. It worked fine.
I went out to the workshop and removed the rogue drive, fitted it in the plug-in module then booted up the workshop computer.
The BIOS set up the new drive without a hitch and it conveniently appeared in the middle of the existing partitions as "Drive D". The LAN therefore allowed me to see it without making any changes to sharing as "D" is one of the partitions on the workshop machine's drive.
I went back into the office and settled down in front of the Accounts machine. Norton recognised the remote drive and away it went. Almost immediately up came a virus detected indication. I let Norton continue for another 20-odd minutes and after checking 24,000 further files no others had appeared.
When it had finished Norton asked if I wanted the virus sorting out automatically. I said yes and up came a message about replacing a certain file… I noted this and went back to the workshop and switched everything off.
The next morning I removed the plug-in module, extracted the drive and refitted it to the customer's computer.
It fired up OK and the desktop appeared but whatever I clicked on gave the response "can't find Files32.vxd".
I looked on the Workshop computer but it knew nothing about this file, neither did the bigger Accounts machine so I logged onto Norton's website and eventually navigated my way to a page entitled "PrettyPark.Worm". This being the designation Norton Anti-virus had come up with the previous night.
Reading the pages of script I could see what had been happening. Not only that but I had seemingly found a lot more about the virus than had Norton. Either that, or there were two viruses at work.
The definition said that "Pretty Park" was responsible for proliferating itself via E-mail but didn't clearly state what else it actually did. It's supposed to send E-Mails to all the people listed in the Address Book and open the computer to prying eyes. It certainly didn't imply it was a disastrous type so either my copy is a new derivative or Norton didn't find out about the worst aspects.
What I'd found was that the virus was responsible for deleting critical EXE and DLL files. Somehow it had picked up the most frequently used ones and got rid of them. Not only that but SFC seemed to be oblivious to the fact that they were disappearing. It may also have picked up on the fact that a re-install of Windows was being attempted and put a stop to that. All this was not consistent with the "LOW" damage indication in the description of the virus.
I didn't think much of the "EASY" removal indication either. Nothing could be further from the truth!
Fortunately the instructions included in the write-up described how to sort things out. One cannot use an EXE file to carry out the modification to the Registry; wherein lay the root of the problem. Another method was needed and based on the instructions given I started to sort it out. First I had to copy REGEDIT.EXE from my Workshop computer to a floppy because it had, not surprisingly, gone missing. Then I copied it as a COM file which provided an alternative to the EXE and put it in the rogue machine's floppy drive. Selecting DOS and with the C:\WINDOWS prompt I typed A:START REGEDIT.COM and quick as a flash the Registry appeared on the screen. Next I had to locate the modified key viz.
Herein should be the mystifying code "%1"%* but instead the contents, placed there by the virus, included an extra bit about Files32.vxd.
This extra bit caused every execute command using an EXE file to be first intercepted by Files32.vxd. From the evidence the latter was responsible for deleting EXE and DLL files presumably identified from within a table giving the history of their usage.
I deleted the extra bit about Files32.vxd and feeling a little apprehensive rebooted.
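As an added check (not part of the original write-up), this Python script parses a REGEDIT4 export, the format Windows 98's REGEDIT produces, and tests whether the exefile open command still holds the expected "%1" %* or has something inserted ahead of it as described above. The key name HKEY_CLASSES_ROOT\exefile\shell\open\command is my assumption, since the write-up does not name it, and the sample export is constructed.

```python
import re

# Constructed sample of a REGEDIT4 export with the exefile open command
# hijacked the way the write-up describes (files32.vxd inserted in front).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="files32.vxd \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Assumed key name (not given on the page): its default value is the command
# Windows runs for every .exe launch, so it should be exactly "%1" %*.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_COMMAND = '"%1" %*'


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # Drop the surrounding quotes and undo REGEDIT4's \" and \\ escapes.
            keys[current][name] = re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return keys


def check_exefile_command(reg_text):
    """Return (status, command); status is 'ok', 'missing' or 'hijacked'."""
    command = parse_reg(reg_text).get(EXEFILE_KEY, {}).get("@")
    if command is None:
        return "missing", None
    return ("ok" if command.strip() == EXPECTED_COMMAND else "hijacked"), command


def hijack_prefix(command):
    """Whatever was inserted ahead of "%1" %* (files32.vxd in this case)."""
    idx = command.find(EXPECTED_COMMAND)
    return command[:idx].strip() if idx > 0 else ""


if __name__ == "__main__":
    status, cmd = check_exefile_command(SAMPLE_REG)
    print(status, cmd, hijack_prefix(cmd or ""))
```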
The desktop appeared and I clicked on a sample icon. Instead of a warning notice "My Computer" started. This was an improvement… not all was well however as when the window appeared the machine, for some peculiar reason, thought it would try to access the Internet.
After a few puzzling moments I found that this was caused because the "View as Web Page" option was set.
Removing this option stopped the problem. Was this associated with the virus I wonder? Would this have been a method of triggering the ISP and opening the way for the rogue E-Mails?
Right clicking My Computer failed to produce a response as did clicking the "System" icon. Randomly clicking icons on the Desktop showed also that most were misbehaving. Clearly, bereft of a random selection of EXE and DLL files, not much was going to work as the designers intended.
The solution was clearly going to have to be a re-install of Windows 98. Fortunately, this time it worked and afterwards I found I could use all the tools and all the icons worked OK.
Except of course the applications programs!
Word was missing WINWORD.EXE and most others also had bits missing.
A complete reload of Office sorted out the main applications.

During the Windows re-install I'd noticed that most of the hardware seemed to have been found. Plug and play stuff usually works correctly after a re-install but rarely the modem.

I looked on "System" and found, as I'd expected, the modem had a red exclamation mark against it. I looked on the Control Panel and selected the picture of the telephone. The modem was identified as a "Rockwell Software Modem". The suppliers were cheapskates. These things are a quid cheaper than the hardware types but are invariably very difficult to set up.
I looked in my collection of drivers. All seemed to be hardware modem drivers. I flipped over the last page of my CD wallet and found to my relief a copy of a software modem driver CD. Tongue in cheek, I put it in the drive and commenced to carry out the installation procedure. After lots and lots of mouse clicking everything suddenly started to load. I'm wise to these things now and rarely follow the instructions which never work as described.
Two entries are needed in the list of hardware items. One is the modem and the other is the mystifying "Conexant PCI Modem Enumerator". Only when both titles are present will the modem work correctly.

I clicked on the "Internet" icon and up came the "Dial up networking" box, waiting for a password rather than proclaiming that, "no modem seemed to be available".
I cancelled this and clicked on a few of the other applications icons. Some worked fine but others, short of EXE and DLL files, just came up with grumbling messages.
Nothing I could do here... I would have to let the customer re-install these.
As an afterthought I decided to look in the deleted E-Mail queue. There were 70-odd entries and up near the top, in the subject column, was a note from a lady in New Zealand. "Ever so sorry but I seem to have sent you a virus"!
Was this the answer?
Anyway my parting shot to the computer's owner was, "When you get home run Norton Live Update... before you check your E-Mails!!!!"
On and off, interspersed with TV and VCR repairs, it had taken the best part of a couple of days. What do I think of the virus writers? Well I suppose I'm kept busy and when I'm busy I'm at least earning money. I'd certainly have a different opinion if it was my computer that suffered.
Road Rage would be as nothing compared with Computer Rage!


