Sunday, March 9, 2008

Removed Fun.exe, dc.exe, SVIQ.exe virus

I have got a virus, which automatically opening the Yahoo messenger. So, when I have looked the processes in the task manager, I have found the following processes Fun.exe, dc.exe, SVIQ.exe.

I killed those processes, by right clicking the process and select "End Process Tree". After I have killed all those processes, I searched Internet and found the following link W32.Imaut.AS (also called Dung Coi). Then I have deleted all the virus files and cleaned the registry.

I am describing the exact steps below:

  • First go to the task manager (right click on the task bar > task manager) and select the processes tab.
  • Right click on the Fun.exe, dc.exe, SVIQ.exe and select "End Process Tree". This stops the viruses from interrupting in the cleanup process.
  • Go to the MSConfig (Win+R, type MSConfig and press enter). Go to the startup tab. Uncheck the dc.exe, fun.exe, SVIQ.exe, Other.exe, Win.exe. This stop the virus processes from starting with the windows.
  • Next go to the Registry Editor (Win+R, type RegEdit and press enter). Remove the following keys
    • dc, dc2k5, fun under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • load, run under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and Modify Shell's value to "Explorer.exe".
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
  • Delete the following files.
    • %Windir%\Help\Other.exe
    • %Windir%\inf\Other.exe
    • %Windir%\system\Fun.exe
    • %Windir%\System32\config\Win.exe
    • %Windir%\System32\WinSit.exe
    • %Windir%\dc.exe
    • %Windir%\SVIQ.exe
    • %Windir%\System32\NWB.dat
    • c:\PNga.txt
    • %Windir%\wininit.ini
I have created two files to automate the process of deleting the Registry keys, and the virus files. Download Fun Virus Removal, unzip it. Double click on the RemoveVirus.bat file.

Thats it. I got rid from the virus. I read in the net that this virus will create a copy of virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it was a folder. But, I dint get any files like that, if you got any files like that, don't click on them, delete them immediately. If you have any doubt, right click on that and select properties, then you can know whether it is a file or folder.

Read More:
Important steps when cleaning virus
Disabling Auto Play in Windows
Task Manager Disabled?
Registry access disabled?
What is this Process?

Subscribe to my site feed for receiving more tips. You can get more tips in your email for free.

41 comments:

  1. Thank you very much... you saved my life.

    ReplyDelete
  2. Thanks very much it works but only when you do thr process in safe mode

    ReplyDelete
  3. Serving a lot. Great job done by you. Thanks. Sharing is Caring.

    ReplyDelete
  4. Hi,

    Thank you so much for the effort you took. As far as the safe mode opinion : that does not hold true ,however dont try stopping fun.exe before the rest. stop it at the end. It will work otherwise fine

    ReplyDelete
  5. Very Helpful.. Much Appreciated

    ReplyDelete
  6. Thanks a lot! I have the same virus in my machine. The problem I am facing .. it does not allow me to read my DVD drive, USB drive though they are getting recognized. The DVD drive in my explorer is projected as another partition in my disk and allows me to store files.

    ReplyDelete
  7. You are very generous, this is very valuable information for which there is not much advice for on the net.

    May blessings come your way thick and fast!

    ReplyDelete
  8. Thank you for your effort, the best solution that I could find on the internet.

    thanks for the effort you ut in

    Cheers.

    ReplyDelete
  9. Thank you very much... my saviour !!!

    ReplyDelete
  10. Millions thanks !

    For me I did observe the thing replication with a folder icon to mislead people but only on removable media (my camera's mamory stick), not on my hard drive.

    ReplyDelete
  11. Thanks a lot!
    Worked like a charm.

    ReplyDelete
  12. Thank you very much....
    its very nice information....
    thanks a lot..

    ReplyDelete
  13. thank you very much... my long search come to an end... love you dear...

    ReplyDelete
  14. you are an amazing person, thank you

    ReplyDelete
  15. thanks so much,keep post friends

    ReplyDelete
  16. Hello Sir,
    I Must say that there are very few people who can imagine the mental state of a victim of a computer virus.
    You have hit the nail! and done us all a wonder. You may have just copied this idea from the internet but your efforts so put up is itself worth an appraisal.
    Simple, Sweet, PERFECT!!!

    Thank YOU SO MUCH!!!

    ReplyDelete
  17. thanks a looooooooooooot.......

    ReplyDelete
  18. hey thanks a lot, it was exactly wat i needed.. :)

    ReplyDelete
  19. hey,thanks a lot....

    ReplyDelete
  20. Thank you Very Much. u made my day :) appreciate ur effort.. kudos

    ReplyDelete
  21. Thx a lot bro... u saved my time :)

    ReplyDelete
  22. Thx dude!!! Your guide helped me alot :D!! Keep it up!!

    ReplyDelete
  23. Superb .. it works. Great job...

    the value of human life is to share what you know and help the needy. That is what you have done ... Keep up your work.. May God bless you.
    Peter

    ReplyDelete
  24. Seeing that this post has been online since early 2008, and you just saved my a**e today.
    Waoh! A whole load of thanks man!
    keep it running!

    ReplyDelete
  25. Thanks u very much. the virus was removed but documents and settings folder becomes a file. How do i resolve this problem. My windows is Vista (64bit).

    ReplyDelete
  26. Another saved life, thanks :)

    (just to make this thread a bit longer :)

    ReplyDelete
  27. I have created a tool to remove that virus,...........

    http://www.ziddu.com/download/8746211/RemoveViruses.rar.html

    ReplyDelete
  28. دمت گرم
    خیلی باحالی
    ایشاالله فارسی یاد بگیری بفهمی چی می گم!!!
    الهی هرچی تو زندگیت می خوای بهش برسی

    ReplyDelete
  29. [ I read in the net that this virus will create a copy of virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it was a folder. ]

    i have seen this on mine USB flash drive realy anoing
    im working whit 20 other pc all infected!!
    i think it delite also Autorun.inf on the flash drive

    mutch tanks for the .bat program :)

    ReplyDelete
  30. thanks, it really works, but in safe mode .


    sikandar

    ReplyDelete
  31. Thank you this was very helpful.

    But when i tried to delete process like dc.exe, fun.exe directly, it appeared again automatically within 1 second.

    Finally, it was solved.

    For people who couldn't delete process directly, Delete explorer.exe first from the process tab of task manager(dont panic, you can get it again). Then, go to File--> New Task(Run)--> Browse. Then do exactly what is written in the blog, you don't have to go to safe mode.

    I will explain you in short:
    1. Delete explorer.exe process
    2. Delete dc.exe process
    3. Delete fun.exe process
    4. Delete sviq.exe process
    5. Delete other.exe process(if present)
    6. Delete WinSit.exe process(if present)
    7. Delete all the above file from windows directory(as mentioned in this blog, this step is most important)
    8. Delete registries(File--> New Task(Run)--> regedit) with values/folder named dc.exe, fun.exe, sviq.exe, other.exe, win.exe.(here they will be removed from start-up too)



    You can also contact me at:
    jigar_tidus@hotmail.com

    Thanks & Regards,
    Jigar aka TiduS™

    ReplyDelete
  32. Just popping in to say nice site.

    ReplyDelete
  33. virus removal link has been deleted

    ReplyDelete
  34. hi, new to the site, thanks.

    ReplyDelete
  35. I really liked the article, and the very cool blog

    ReplyDelete
  36. Thank you very much. You saved my PC.
    Thanks again.

    Best wishes!

    ReplyDelete

Latest Posts