This computer arrived with the complaint that it was running
very slowly and the desktop icons went away.
I plugged it all in and switched on and the desktop appeared.
During booting-up I noticed a couple of warning notices about
some file or other but didn't pay too much attention as I imagined
I could sort that out later.
After re-booting a few times, and failing to make sense of
what I was seeing, because each time I did, it was different,
I tried SFC. This worked but reported, much to my surprise, that
all was perfect and there were no files either missing or corrupted.
I tried MSCONFIG but this wasn't very happy and did not burst
into life as expected.
I rebooted and tried SCANREG from DOS. Much to my surprise, the
Registry was reported to be in tip top shape. Somehow I doubted
this but Microsoft knows best. Anyway just to be on the safe
side, when prompted, I selected the earliest version offered
which was about a month previous.
Continuing to reboot eventually brought up the desktop but right
clicking "My Computer" did nowt.
I decided to go along with what had been reported on the
screen. When a file was said to be missing, using my Workshop
computer I put it on a floppy and installed it in the appropriate
directory.
I repeated this over and over again but it was like digging the
Channel Tunnel with a plastic shovel. I was getting nowhere very
fast. The more I put in the more that went missing.
I vaguely imagined it was a corruption in Windows 98 so I
put in a CD and started to re-install it.. with some confidence
I must admit. So it came as a bit of a shock to suddenly see
the computer switch off, preceded by its orange coloured switching
off notice. I pressed the go button and within three seconds
the machine went off again. What next?
As it was now 7pm I thought I'd sleep on it!
Later that evening I thought about viruses. It certainly
had all the hallmarks!
How could I load Norton and then visit the Internet and download
the latest stuff?
Certainly not on the sick machine.
What if I removed the hard drive and fitted it into the workshop
machine?
This has a front accessed plug-in hard drive module into which
any hard drive may be fitted and I could configure it to appear
as a slave on the secondary IDE.
Hopefully the rogue drive's software load would be dormant as
my own drive has the working Windows 98.
The Workshop computer isn't connected to the Internet but it
does connect via a LAN to my Accounts machine which has a modem
and also has the latest virus definitions.
I first tested out Norton Anti-virus to see if it balked at checking
hard drives over the LAN. No problem. It worked fine.
I went out to the workshop and removed the rogue drive, fitted
it in the plug-in module then booted up the workshop computer.
The BIOS set up the new drive without a hitch and it conveniently
appeared in the middle of the existing partitions as "Drive
D". The LAN therefore allowed me to see it without making
any changes to sharing as "D" is one of the partitions
on the workshop machine's drive.
I went back into the office and settled down in front of the
Accounts machine. Norton recognised the remote drive and away
it went. Almost immediately up came a virus detected indication.
I let Norton continue for another 20 odd minutes and after checking
24,000 further files no others had appeared.
When it had finished Norton asked if I wanted the virus sorting
out automatically. I said yes and up came a message about replacing
a certain file. I noted this and went back to the workshop
and switched everything off.
The next morning I removed the plug-in module, extracted the
drive and refitted it to the customer's computer.
It fired up OK and the desktop appeared but whatever I clicked
on gave the response "can't find Files32.vxd".
I looked on the Workshop computer but it knew nothing about this
file, neither did the bigger Accounts machine so I logged onto
Norton's website and eventually navigated my way to a page entitled
"PrettyPark.Worm". This being the designation Norton
Anti-virus had come up with the previous night.
Reading the pages of script I could see what had been happening.
Not only that but I had seemingly found a lot more about the
virus than had Norton. Either that, or there were two viruses
at work.
The definition said that "Pretty Park" was responsible
for proliferating itself via E-mail but didn't clearly state
what else it actually did. It's supposed to send E-Mails to all
the people listed in the Address Book and open the computer to
prying eyes. It certainly didn't imply it was a disastrous type
so either my copy is a new derivative or Norton didn't find out
about the worst aspects.
What I'd found was that the virus was responsible for deleting
critical EXE and DLL files. Somehow it had picked up the most
frequently used ones and got rid of them. Not only that but SFC
seemed to be oblivious to the fact that they were disappearing.
It may also have picked up on the fact that a re-install of Windows
was being attempted and put a stop to that. All this was not
consistent with the "LOW" damage indication in the
description of the virus.
I didn't think much of the "EASY" removal indication
either. Nothing could be further from the truth!
Fortunately the instructions included in the write up described
how to sort things out. One cannot use an EXE file to carry out
the modification to the Registry; wherein lay the root of the
problem. Another method was needed and based on the instructions
given I started to sort it out. First I had to copy REGEDIT.EXE
from my Workshop computer to a floppy because it had, not surprisingly
gone missing. Then I copied it as a COM file which provided an
alternative to the EXE and put it in the rogue machine's floppy
drive. Selecting DOS and with the C:\WINDOWS prompt I typed A:START
REGEDIT.COM and quick as a flash the Registry appeared on the
screen. Next I had to locate the modified key viz.
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Herein should be the mystifying code "%1"%* but instead
the contents, placed there by the virus, included an extra bit
about Files32.vxd.
This extra bit caused every execute command using an EXE file
to be first intercepted by Files32.vxd. From the evidence the
latter was responsible for deleting EXE and DLL files presumably
identified from within a table giving the history of their usage.
I deleted the extra bit about Files32.vxd and feeling a little
apprehensive rebooted.
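A defender's check for the launcher hijack described above, added here as an example and not code from the page: it parses a REGEDIT4-style export and flags any executable file class whose default open command is not the canonical "%1" %*. The sample export, the FILES32.VXD path in it and the function names are constructed for illustration; the check also covers comfile, batfile and piffile, which use the same canonical value on Windows 98.

```python
import re

# Canonical Windows 98 launch command for the executable file classes: the
# file itself ("%1") followed by its arguments (%*). Anything placed in front
# of "%1" runs before every program the user starts, which is how the worm
# interposed Files32.vxd on each EXE launch.
CANONICAL_OPEN = '"%1" %*'
LAUNCHER_CLASSES = ("exefile", "comfile", "batfile", "piffile")
KEY_PATTERN = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Classes\\(\w+)\\shell\\open\\command$", re.I)

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value_name: data}}.
    Only string (REG_SZ) values are decoded; that is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # "@" is the key's default value; \" and \\ are .reg escapes
                name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
                keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_hijacked_launchers(text):
    """Return [(class, command)] for launcher classes whose default command
    deviates from CANONICAL_OPEN after whitespace normalisation."""
    findings = []
    for key, values in parse_reg_export(text).items():
        m = KEY_PATTERN.match(key)
        if not m or m.group(1).lower() not in LAUNCHER_CLASSES:
            continue
        command = values.get("", "")
        if " ".join(command.split()) != CANONICAL_OPEN:
            findings.append((m.group(1).lower(), command))
    return findings

# Constructed sample export (not the worm's real registry data, and the path
# is a placeholder): exefile has an extra program in front of "%1", comfile is clean.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\FILES32.VXD \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for cls, cmd in find_hijacked_launchers(SAMPLE_EXPORT):
        print(f"{cls}: launch command hijacked -> {cmd}")
```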
The desktop appeared and I clicked on a sample icon. Instead
of a warning notice "My Computer" started. This was
an improvement; not all was well however, as when the window
appeared the machine, for some peculiar reason, thought it would
try to access the Internet.
After a few puzzling moments I found that this was caused because
the "View as Web Page" option was set.
Removing this option stopped the problem. Was this associated
with the virus I wonder? This would have been a method of triggering
the ISP and open the way for the rogue E-Mails?
Right clicking My Computer failed to produce a response as did
clicking the "System" icon. Randomly clicking icons
on the Desktop showed also that most were misbehaving. Clearly,
bereft of a random selection of EXE and DLL files, not much was
going to work as the designers intended.
The solution was clearly going to have to be a re-install of
Windows 98. Fortunately, this time it worked and afterwards I
found I could use all the tools and all the icons worked OK.
Except of course the applications programs!
Word was missing WINWORD.EXE and most others also had bits missing.
A complete reload of Office sorted out the main applications.
During the Windows re-install I'd noticed that most of the
hardware seemed to have been found. Plug and play stuff usually
works correctly after a re-install but rarely the modem.
I looked on "System" and found, as I'd expected,
the modem had a red exclamation mark against it. I looked on
the Control Panel and selected the picture of the telephone.
The modem was identified as a "Rockwell Software Modem".
The suppliers were cheapskates. These things are a quid cheaper
than the hardware types but are invariably very difficult to
set up.
I looked in my collection of drivers. All seemed to be hardware
modem drivers. I flipped over the last page of my CD wallet and
found to my relief a copy of a software modem driver CD. Tongue
in cheek, I put it in the drive and commenced to carry out the
installation procedure. After lots and lots of mouse clicking
everything suddenly started to load. I'm wise to these things
now and rarely follow the instructions which never work as described.
Two entries are needed in the list of hardware items. One is
the modem and the other is the mystifying "Conexant PCI
Modem Enumerator". Only when both titles are present will
the modem work correctly.
I clicked on the "Internet" icon and up came the
"Dial up networking" box, waiting for a password rather
than proclaiming that "no modem seemed to be available".
I cancelled this and clicked on a few of the other applications
icons. Some worked fine but others, short of EXE and DLL files
just came up with grumbling messages.
Nothing I could do here.. I would have to let the customer re-install
these.
As an afterthought I decided to look in the deleted E-Mail queue.
There were 70 odd entries and up near the top, in the subject
column, was a note from a lady in New Zealand. "Ever so
sorry but I seem to have sent you a virus"!
Was this the answer?
Anyway my parting shot to the computer's owner was, "When
you get home run Norton Live Update.. before you check your E-Mails!!!!"
On and off, interspersed with TV and VCR repairs, it had taken
the best part of a couple of days. What do I think of the virus
writers? Well I suppose I'm kept busy and when I'm busy I'm at
least earning money. I'd certainly have a different opinion if
it was my computer that suffered.
Road Rage would be as nothing compared with Computer Rage!