Solved

Jose_Luis

Posted on 2000-03-28
Last Modified: 2012-05-04
I asked this question 3/27 but apparently it was deleted before I received any comments so I'm trying again.  What do I need to do to get rid of the "Pretty Park" virus?
0
13 Comments
 
LVL 1

Accepted Solution

by:
garzajd earned 200 total points
ID: 2666131
Ok I looked a good page up that will explain how the virus works and how it got onto your computer. The page link is
http://www.mycert.mimos.my/virus-info/prettypark.htm
You need to get an updated virus program such as Norton or whatever- there are links on the page above. It does have this if you want to remove the virus manually without any virus protection software:




3.2.2    Removing this worm manually :
 
    1.    Go to the directory C:\WINDOWS\SYSTEM\ and delete the FILES32.VXD file.
    2.    Using REGEDIT (Click Start --> Run --> type "regedit"), modify the Registry entry :

           HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

            or

          HKEY_CLASSES_ROOT under exefile\shell\open\command,

           from FILES32.VXD "%1" %* to "%1" %*.
               NOTE : You may launch REGEDIT through Windows Start-menu-RUN. Then
                 search for "FILES32.VXD" in REGEDIT.

    3.    Delete the "Pretty Park.EXE" file.
    4.    Reboot your computer.
 
    You need to do step #2 above; otherwise, executable files may not run properly if you simply delete
    FILES32.VXD

 

Hope this helps. But if you want a free virus checker go to www.tucows.com and search on virus- then you can get some protection
0
 
LVL 1

Expert Comment

by:garzajd
ID: 2667650
anyone home?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 2667917
No, it was asked and this was posted here but I think the site crashed.  I have mail from this site around that date that refers to nonexistent messages that came from here but I can't find.  Sigh.

There was a second post as well that recommended you to use Nortons or McAfee to remove the virus.


Pretty Park Worm

Manual Removal

Description

    PrettyPark.Worm

Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV
Infection Length: 37,376
Area of Infection: C:\Windows\System, Registry, Email Attachments
Likelihood: Common
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description

This is a worm program that behaves similarly to the Happy99 Worm.
This is spread through email and IRC.
When the attached program called "PrettyPark.EXE" is executed, it may display the 3D pipe screen saver.
It will also create a file called FILES32.VXD in the WINDOWS\SYSTEM directory and modify the following registry entry value from "%1" %* to FILES32.VXD "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

Once the worm program is executed, it will try to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book.

It will also try to connect to an IRC server and join a specific IRC channel. The worm will send information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords.
In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
If you have found you have this trojan it is a good idea to download an anti-virus program or update your present anti-virus program to check for other trojans and viruses.

You can use Datafellows, McAfee, AVP or Norton's to detect and remove this trojan.
or

Manual Removal
 

Using REGEDIT, modify the Registry entry HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command from FILES32.VXD "%1" %* to "%1" %*

(You may launch REGEDIT through Windows Start-menu-RUN. Then search for "FILES32.VXD" in REGEDIT.)

Delete WINDOWS\SYSTEM\FILES32.VXD
Delete the "Pretty Park.EXE" file.
Reboot your computer.
You need to do step #2 above; otherwise, executable files may not run properly if you simply delete FILES32.VXD

Safe Computing:
This worm, and other trojan-horse type programs, demonstrate the need to practice safe computing. You should not launch any executable-file attachment (EXE, SHS, MS Word or MS Excel file) that comes from an untrusted email or newsgroup source. These files should always be scanned by AntiVirus programs, using the latest virus definitions.

By: Cheri Walsh
June 10th, 1999
0
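The registry change described in the posts above can be checked offline from a REGEDIT export, which helps when .exe files no longer run on the affected machine. This is an added example, not part of the original thread or of any tool it mentions: it parses a REGEDIT4 export and reports any exefile\shell\open\command default value that is not "%1" %*. The sample export is constructed and the function names are hypothetical.

```python
import re

EXPECTED = '"%1" %*'  # clean handler value, as given in the thread
# Key suffix from the thread; it is matched under both HKEY_CLASSES_ROOT and
# HKEY_LOCAL_MACHINE\Software\Classes, case-insensitively.
KEY_SUFFIX = r"\exefile\shell\open\command"

# Constructed sample of a REGEDIT4 export, not taken from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="FILES32.VXD \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"
'''

def _unescape(value):
    """Undo .reg string escaping (backslash-escaped quote and backslash)."""
    return re.sub(r'\\(["\\])', r'\1', value)

def default_values(reg_text):
    """Yield (key, default_value) for every key with a string default (@=)."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            yield key, _unescape(line[3:-1])

def find_hijacks(reg_text):
    """Return findings for exefile open commands that differ from EXPECTED."""
    findings = []
    for key, value in default_values(reg_text):
        if not key.lower().endswith(KEY_SUFFIX):
            continue
        if value.strip() != EXPECTED:
            # Whatever precedes "%1" is a program run on every .exe launch.
            injected = value.split('"%1"')[0].strip() or None
            findings.append({"key": key, "value": value, "injected": injected})
    return findings

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_EXPORT):
        print("HIJACKED:", f["key"], "->", f["value"], "| runs:", f["injected"])
```

A finding means the value still has to be restored to "%1" %* as the removal steps describe; deleting FILES32.VXD alone leaves the handler pointing at a missing file.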
 

Expert Comment

by:evileban
ID: 2668502
buy a new computer
0
 
LVL 4

Expert Comment

by:pwoolford
ID: 2669642
evileban
Your computer studies have not got you very far if posting childish comments is all you can manage here.


Jose
Now EE is up and running again, have the other 2 posts helped you?
If you reject evileban's answer the question will be opened up for other (proper) experts to look at it
0
 

Author Comment

by:Jose_Luis
ID: 2671827
I do not want to buy a new computer just to get rid of a virus.
0

 

Expert Comment

by:rem16
ID: 2676312
While I agree that you should probably purchase an anti-virus program (Norton, McAfee or Ontrack's System Suite which includes one), there used to be free help available from: http://www.housecall.antivirus.com and I think they're still in operation.

P.S.  I also agree with pwoolford's comment about evileban, he ought to at least try to offer some constructive help or else stop taking up space.
0
 
LVL 1

Expert Comment

by:sidou
ID: 2909032
1. Go to:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/fixppark.zip

2. Download the Fixppark.zip file to a floppy disk or to a folder on your hard drive.

3. Unzip the Fixppark.zip file, following the instructions of your unzip program. Two files will be extracted: Fixppark.com and Psapi.dll.

NOTES:
If you are not able to use your unzip program on the infected computer because files with the .exe extension will no longer function, we suggest that you download Fixppark.zip to an uninfected computer. Once downloaded, unzip it to a floppy disk, take the floppy disk to the infected computer, and go on to the next section.
Both Fixppark.com and Psapi.dll are required for this tool to work on Windows NT systems. Only Fixppark.com is required for Windows 95/98 computers. If you are running Windows NT, please leave both files in the folder to which you extracted them.

Run the tool
You need to run the Fixppark.com file, and then run a full system scan. Please follow these steps:

WARNING: This tool does not scan your hard drive for copies of PrettyPark. To ensure that there are no other instances of PrettyPark, you should rescan the hard disk with an antivirus tool after running this program.

1. Using Windows Explorer, locate the Fixppark.com file, and then double-click it. The FixPPark message box appears.
2. Click Remove! Fixppark.com searches for PrettyPark.Worm in memory and ends all processes of the worm that it finds. It deletes the Files32.vxd file, which is inserted by the worm. It also repairs the registry key that was changed by the worm. (If you see the message "Your Computer is not infected with PrettyPark!," then the worm was not found on your system. Click OK.)

NOTES:
Although this tool has a .com extension, it is actually a Windows executable file. It has been renamed to prevent possible problems if Files32.vxd has already been deleted from the system.
If you are running Windows NT, when you click Remove!, you may see the message "Missing psapi.dll error. Please make sure that psapi.dll is in the same directory as this tool." In that case, please go back to step 3 of the first section, and make sure that both Fixppark.com and Psapi.dll are in the same folder and that you run the Fixppark.com file from that folder.

0
 

Author Comment

by:Jose_Luis
ID: 2909418
This question has been answered.
0
 

Expert Comment

by:rem16
ID: 2913658
Jose Luis: If someone's comment resolved your dilemma, you need to accept that comment as an answer in order to close the question.  If the problem was resolved by more than one commentator, say garzajd and dbrunton, you can split the points between them.  You do need to close the question now that it has been answered to your satisfaction.
0
 

Author Comment

by:Jose_Luis
ID: 2916296
Please give garzajd and dbrunton each 200 points.
0
 
LVL 3

Expert Comment

by:darinw
ID: 2926412
Hello everyone,

I will be handling the awarding of Expert points for this member.

Jose_Luis, when you have about 15 minutes, please read our Help Desk links. They have a pretty good overview on how the site works and you will need to know how to handle awarding points if you wish to get the most out of EE.

I will award points to Expert garzajd in this thread.

dbrunton, please post an answer to:
http://www.experts-exchange.com/Computers/Q_10428656.html

darinw
Customer Service
0
 
LVL 3

Expert Comment

by:darinw
ID: 2926414
Comment accepted as answer
0
