this should work but its a little more work - from mcafee web site
11) In the event that the trojan was deleted before making the registry
is still possible to repair the registry. You will need
access to another computer, or
at a minimum, access to MS-DOS on the affected system.
Using MS-DOS edit,
create a file called UNDO.REG with the following content
(you can cut and paste):
12) Save this file to the Windows folder of the affected
system as the file
13) Click on START|RUN and type in UNDO.REG and press
ENTER. The contents of
UNDO.REG should be now imported to the registry.At 01:10
PM 3/6/00 -0500, you wrote:
>I deleted the files32.vxd and files32.vir before reading Gregg's email and
>sure enough I'm now stuck without being able to edit the registry or run
>most programs. I've even tried to "reinfect" myself but I can't run Pretty
>Any ideas are welcomed to someone who misses my Mac.
>Addison NW Supervisory Union
>Vergennes, VT 05491
>> -----Original Message-----
>> From: School Information Technology Discussion
>> [mailto:[log in to unmask]]On Behalf Of Gregg Martin
>> Sent: Monday, March 06, 2000 9:49 AM
>> To: [log in to unmask]
>> Subject: Re: pretty park virus
>> I just sent this to all my users:
>> I've been informed that a virus called "Pretty Park" has been propagating
>> locally. I have seen it show up on this system in a mailing list and
>> while the FirstClass server cannot be infected, it can transfer this
>> infection to end users. Here is information regarding "Pretty Park." By
>> the way, only Windows computers are susceptible to this - Macintosh
>> computers are immune to this particular strain.
>> What is PrettyPark?
>> "PrettyPark" is a worm, which is a program that is similar to a virus. It
>> spreads from one computer to another in the form of an attachment to email
>> messages and newsgroup posts. Usually what happens is that somebody sends
>> you a legitimate e-mail message, and without the sender's knowledge, the
>> worm generates a second e-mail message that is also sent to you. The
>> second message has the title C:\CoolProgs\Pretty Park.exe. A file is
>> attached named PrettyPark.EXE.
>> Your computer can't get infected with the worm simply from downloading
>> that email. It will get infected with the worm if you double-click on the
>> PrettyPark.EXE attachment to open it. If you do this, you may see the
>> Windows 3D Pipe screen saver displayed.
>> Once your computer is infected with PrettyPark, the emails you send and
>> the news articles you post will all generate a second email to the
>> recipient(s) with the worm program attached.
>> What can I do?
>> You have two possible courses of action:
>> * If you are a registered owner of a commercial antivirus
>> program, you may
>> want to see if there's an update available which addresses Pretty Park.
>> Some individuals have also created "cleaner" programs specifically
>> designed to rid your system of PrettyPark; we can't vouch for the
>> reliability of any one of these in particular, but they do exist, and you
>> are free to try them. You can find more information about antivirus
>> programs at http://www.getvirushelp.com.
>> * You can try removing PrettyPark from your system
>> manually. You can find
>> instructions on Symantec's site:
>> or on getvirushelp.com's site:
>> The manual fix involves editing the registry, and is therefore only
>> recommended if you're an advanced user of Windows.
>> Edit your registry at your own risk! If you make a mistake when editing
>> your registry, you might not be able to boot back into Windows. Together
>> Networks assumes no responsibility for errors made while editing your
>> In addition, you MUST FOLLOW THE INSTRUCTIONS IN THE CORRECT ORDER for
>> them to work properly. If you delete files32.vxd before editing the
>> registry as described on Symantec's site, you will not be able to run any
>> programs in Windows once you restart your computer, including the Registry
>> If you are uncomfortable with ANY part of the procedure, we recommend that
>> you either purchase an up-to-date antivirus software package capable of
>> disinfecting your machine for you, or contact a computer consultant for
>> If your computer was infected and you suspect you may have sent PrettyPark
>> to anyone via email, you should write to them and let them know, so they
>> can disinfect their machines and stop the spread of the worm.