Repair F13x
And This!
The computer had visited the workshop a week or so previously
(see Repair F135) for getting going after losing a lot of its
EXE and DLL files.
After running an anti-virus program on the hard drive plugged
into a host computer I'd discovered and eradicated a nasty virus.
I'd been a little puzzled however as the signature of the named
virus had not been exactly matched by the effects I'd corrected.
It was therefore not a totally unexpected event when on the 4th
of September I got a phone call from the owner proclaiming that
a number of problems had arisen that day... and could I help? I
tried a few trial searches for files over the phone and from the
responses began to get concerned that a repeat of the previously
fixed problems had recurred.
On the workshop bench, I tested the recalcitrant machine and soon
discovered that only 50-odd EXE files and 92 DLLs were visible.
With the particular software build in the machine I'd have expected
to see closer to 500 and 1500 respectively so something was definitely
amiss.
I removed the hard drive and checked it on a host computer. "No
virus found", of course, was the result. I had used this version
of the virus detector on the same drive before so this was the
result I'd expected.
I discussed the results with the owners. There were two options...
repeat the last fix or reformat the hard drive and reload all
the software. The latter was the chosen option but before I started
I mentioned the modem. When I'd last tried the Internet connection
it had worked... but only just. Speed was indicated as 28kbaud
and during the dial-up procedure there were lots of wailing noises.
"Is there any possibility your modem was", I started
to say... "by lightning"... the owner finished my
question! "Yes", I said. "Well funny you should
say that because both our next door neighbours asked me if my
modem had been damaged a few weeks ago because theirs needed replacing
after a storm". I fitted a new modem and both dial-up and
speed were restored to normal.
I started the recovery procedure by saving all the .DOC files.
Next I saved all the files in the Quicken directory as this had
been requested. There were quite a few.
I then typed the command I like doing most... "FORMAT
C:" and after a few minutes the hard drive was cleared of
files. Then I FDISK'd and removed the primary DOS partition. Next
I remembered... just. Switch off the mains power and wait
a few moments before switching on again. This is to remove any
memory resident virus that may be lurking. Then FDISK and load
a fresh version of OEM Windows 98.
After this had all been done I loaded the applications software
and added Norton anti-virus. Running the update facility offered
the latest virus definitions which were then downloaded. At this
point in time I connected up the hard drive used for saving the
files.
I ran Norton on the first hard drive and found 30,000 clean files
devoid of any signs of a virus. Then I ran it on the second drive
and went off to do some tidying. When I got back there was a message
waiting. No less than 199 infected files had been discovered.
All were Quicken files and Norton eventually decided the best
course of action was to put them in quarantine as it couldn't
fix them.
The next step was to investigate the virus it had discovered.
This was the VBS.Haptime.A@mm variety and lo and behold it was
said to delete as many EXE and DLL files as it could when the
day and month number added up to "13". That was the
very day, September 4th, that the owner had reported the problem.
The previous occurrence no doubt being August 5th! Why hadn't
Norton found the virus last time? Because the definition files
had only included it from the 6th September!
The virus had arrived in an E-mail and had set up keys in the
Registry HKEY_CURRENT_USER\SOFTWARE\HELP\COUNT and FILENAME.
It had probably E-mailed itself on to others as well. I then remembered
I'd sent several test E-mails to myself but on reading further
I found that Microsoft has written a patch to sort out a bug in
Outlook Express which, it is believed, the virus exploits to get
into other computers. This it can do without the owner even having
to open the E-mail. Thankfully I had run the patch program a week
earlier. Perhaps I'm psychic?
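
A triage check built from the two details above, the day-plus-month trigger and the Registry keys, added here as an example and not part of the original repair notes. It assumes the Registry has been exported to a REGEDIT4-style text file; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators as named in the write-up. Whether Count and FileName are values
# or subkeys is not stated there, so both layouts are checked (assumption).
HELP_KEY = r"HKEY_CURRENT_USER\SOFTWARE\HELP"
NAMES = {"COUNT", "FILENAME"}

def is_payload_day(month, day):
    """True when day + month == 13, the trigger described above."""
    return month + day == 13

def payload_days():
    """Every (month, day) pair in a year on which the trigger fires."""
    return [(m, 13 - m) for m in range(1, 13)]

def scan_reg_export(text):
    """Return indicator paths found in a REGEDIT4-style text export."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            section = key.group(1)
            parent, _, leaf = section.upper().rpartition("\\")
            if parent == HELP_KEY and leaf in NAMES:
                hits.append(section)  # subkey layout
            continue
        value = re.match(r'"([^"]+)"\s*=', line)
        if value and section.upper() == HELP_KEY and value.group(1).upper() in NAMES:
            hits.append(section + "\\" + value.group(1))  # value layout
    return hits

# Constructed sample export; the data after "=" is placeholder content.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Help]
"Count"=dword:00000001
"FileName"="PLACEHOLDER"

[HKEY_CURRENT_USER\Software\Other]
"Count"=dword:00000001
'''

if __name__ == "__main__":
    print(payload_days())
    print(scan_reg_export(SAMPLE_EXPORT))
```

Checking the dates of both fault reports against `is_payload_day` shows why the damage recurred a month apart, and a hit from `scan_reg_export` on a machine's export is a reason to scan saved data files before restoring them.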