Loading
Removed Fun.exe, dc.exe, SVIQ.exe virus
11 June 2009Posted by
NAIDU
0 Comments
I have got a virus, which automatically opening the Yahoo messenger. So, when I have looked the processes in the task manager, I have found the following processes Fun.exe, dc.exe, SVIQ.exe.
I killed those processes, by right clicking the process and select "End Process Tree". After I have killed all those processes, I searched Internet and found the following link W32.Imaut.AS (also called Dung Coi). Then I have deleted all the virus files and cleaned the registry.
I am describing the exact steps below:
- First go to the task manager (right click on the task bar > task manager) and select the processes tab.
- Right click on the Fun.exe, dc.exe, SVIQ.exe and select "End Process Tree". This stops the viruses from interrupting in the cleanup process.
- Go to the MSConfig (Win+R, type MSConfig and press enter). Go to the startup tab. Uncheck the dc.exe, fun.exe, SVIQ.exe, Other.exe, Win.exe. This stop the virus processes from starting with the windows.
- Next go to the Registry Editor (Win+R, type RegEdit and press enter). Remove the following keys
- dc, dc2k5, fun under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- load, run under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and Modify Shell's value to "Explorer.exe".
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
- Delete the following files.
- %Windir%\Help\Other.exe
- %Windir%\inf\Other.exe
- %Windir%\system\Fun.exe
- %Windir%\System32\config\Win.exe
- %Windir%\System32\WinSit.exe
- %Windir%\dc.exe
- %Windir%\SVIQ.exe
- %Windir%\System32\NWB.dat
- c:\PNga.txt
- %Windir%\wininit.ini
Thats it. I got rid from the virus. I read in the net that this virus will create a copy of virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it was a folder. But, I dint get any files like that, if you got any files like that, don't click on them, delete them immediately. If you have any doubt, right click on that and select properties, then you can know whether it is a file or folder.
Subscribe to:
Post Comments (Atom)