| Pretty Park is a email worm similar to the Happy99.exe worm. It comes in the form of an email attachment with the name prettypark.exe, files32.exe, or prettyorg.exe. Windows users are susceptible to the worm. Once the worm program is executed, it tries to email itself automatically every 30 minutes (or 30 minutes after it is loaded) to email addresses registered in your Internet address book. |
It also tries to connect to an IRC server and join a specific IRC channel. The worm sends information to IRC every 30 seconds to keep itself connected, and to retrieve any commands from the IRC channel. Through the IRC connection, the author of the worm could obtain system information, including the computer name, product name, product identifier, product key, registered owner, registered organization, system root path, version, version number, ICQ identification numbers, ICQ nicknames, victim's email address, and Dial Up Networking username and passwords. In addition, being connected to IRC opens a security hole in which the client can potentially be used to receive and execute files.
It creates a file called files32.vxd in the C:\Windows\System directory and modifies the following registry key located at
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
from "%1" %* to files32.vxd "%1" %*
A new variant of the Pretty Park Worm also creates a similar change to the following registry key.
HKEY_CLASSES_ROOT\exefile\shell\open\command
Manual Removal Instructions for Pretty Park.exe
Follow these instructions in the exact order, and as always, I claim no responsibility for you not understanding the instructions completely and wrecking havoc with your system. Changes to the registry should only be done by someone who understands the consequences of a mistake in the registry.
- On the Windows taskbar, click Start > Run.
- Type REGEDIT, then click OK.
- Modify
the following Registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\
Classes\exefile\shell\open\command
and change
files32.vxd "%1" %*
to
"%1" %*
These seven characters are the following: double quote, percent sign, the numeral one, double quote, space, percent sign, and asterisk. Don't forget the space. - Repeat
the above step for the following Registry Key
HKEY_CLASSES_ROOT\exefile\shell\open\command
- Using the File Command under the Start Menu, Find and Delete the PrettyPark.exe file.
- Restart your computer.
- Using Windows Explorer or the Find Command under the Start Menu, find and delete the \Windows\System\Files32.vxd file.
Automatic Removal of Pretty Park
For
Automatic Removal of PrettyPark and its variant,
download
Craig Schumugar's excellent Pretty Park Cleaner
Tools for Removing Spyware, Adware, and Malware
PC HELL
Other Pages
Welchia (Dllhost.exe and SVCHost.exe) Worm Removal
Uninstall Antivir Instructions
How to Manually Run the Microsoft Malicious Software Removal Tool
Bloodhound.Exploit.6 Virus Removal
Backdoor SDBot.H Trojan Removal
