Step-By-Step: E-card proves to be anything but a friendly greeting

Find out what to do when the changes enacted by a virus are not fully reversed.


Cleaning up infected computer systems is critical to support. The residual effects of a virus should not be overlooked. After an initial cleanup, one can assume a problem is completely corrected, only to find out weeks later that the same virus is wreaking havoc. This can be the case when a virus is spotted and removed by scanning software, but the changes enacted by the virus—say, to the system registry—are not fully reversed. Many times, you don't think to blame the virus that was cleaned off last week for the problems being experienced today.

TechRepublic member borrim experienced such a problem and posted her question in our Technical Q&A. Thanks to a post from another member, borrim learned that the problem was caused by a worm called Friendly Greet. In her words, support techs should remember that "just because you don't see the virus doesn't mean it can't be the problem."

The lesson: Beware of "friendly" greetings
According to Symantec Security Response, an e-card identified as W32.Friendgreet.worm (a.k.a. FriendGreetings and Friend Greeting application) and linked to the Web site Friendgreetings.com has the characteristics of a worm. The e-card prompts recipients to install a software package in order to access the electronic greeting. During installation, the software asks for permission to perform mass-mailing functions. This in turn propagates the worm throughout the e-mail community by mailing the bug to everyone on your Microsoft Outlook contacts list. Symantec provides detailed instructions for the removal process, including the specific file names and registry entries/changes.

The details
  • Operating system: Windows 98
  • The problem: The taskbar buttons that indicate running applications in Windows did not appear. Pressing [Alt][Tab] toggled between open applications, but the buttons did not appear on the Windows taskbar.

The solution
Area systems coordinator Ken Jennings, a.k.a. SyscoKid, quickly pointed borrim to the Symantec Web site. According to Jennings, a worm called W32.Friendgreet.worm apparently causes taskbar buttons to disappear. To remedy the situation, the following steps are recommended:
  1. Update your virus definitions.
  2. Restart the computer in Safe mode.
  3. Open the Add/Remove Programs applet.
  4. Uninstall the program named WinSrv Reg.
  5. Run a full system scan and delete all files associated with FriendGreet.
  6. Delete any files created by FriendGreet in the system registry.
  7. Reverse any changes made by FriendGreet in the system registry.

This fix apparently worked for borrim, as evidenced by her speedy, resounding thank you: "This was the answer! I printed the [removal] instructions from Symantec's site…and the icons for the applications are back….Thanks, thanks, thanks."
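
One way to confirm that steps 6 and 7 left nothing behind is to export the registry with regedit and search the export for the names mentioned above. The Python code below is an added example, not part of the original article or of Symantec's instructions; the sample export and its values are constructed, and the indicator strings are simply the names this article uses for the worm and its uninstall entry.

```python
import re

# Indicator strings taken from the article; matching is case-insensitive.
INDICATORS = ("winsrv reg", "friendgreet", "friend greeting")

# Constructed sample of a REGEDIT4 export (the text format regedit writes on
# Windows 98). Key paths are standard Windows locations; values are invented.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ExampleLoader"="C:\\EXAMPLE\\FriendGreet-sample.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleKey]
"DisplayName"="WinSrv Reg"
"UninstallString"="C:\\EXAMPLE\\uninst.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\Editor]
"LastFile"="C:\\My Documents\\notes.txt"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def find_residue(export_text, indicators=INDICATORS):
    """Return (key, value_name, data) for every entry that mentions an indicator."""
    hits, key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            # A leftover key whose own name matches is residue too.
            if any(i in key.lower() for i in indicators):
                hits.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1).strip('"'), m.group(2)
            if any(i in name.lower() or i in data.lower() for i in indicators):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_residue(SAMPLE_EXPORT):
        print(f"[{key}] {name} = {data}")
```

An empty result on a real export means none of these names remain in the registry; it does not replace the full system scan in step 5.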