I got a virus that was automatically opening Yahoo Messenger. When I looked at the processes in Task Manager, I found the following processes: Fun.exe, dc.exe, SVIQ.exe.
I killed those processes by right-clicking each process and selecting "End Process Tree". After I had killed all those processes, I searched the Internet and found the following link: W32.Imaut.AS (also called Dung Coi). Then I deleted all the virus files and cleaned the registry.
I am describing the exact steps below:
- First, open Task Manager (right-click the taskbar > Task Manager) and select the Processes tab.
- Right-click Fun.exe, dc.exe and SVIQ.exe and select "End Process Tree". This stops the virus from interfering with the cleanup process.
- Open MSConfig (Win+R, type MSConfig and press Enter). Go to the Startup tab. Uncheck dc.exe, fun.exe, SVIQ.exe, Other.exe and Win.exe. This stops the virus processes from starting with Windows.
- Next, open the Registry Editor (Win+R, type RegEdit and press Enter). Remove the following entries:
  - dc, dc2k5, fun under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - load, run under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the value of Shell to "Explorer.exe".
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
- Delete the following files:
  - %Windir%\Help\Other.exe
  - %Windir%\inf\Other.exe
  - %Windir%\system\Fun.exe
  - %Windir%\System32\config\Win.exe
  - %Windir%\System32\WinSit.exe
  - %Windir%\dc.exe
  - %Windir%\SVIQ.exe
  - %Windir%\System32\NWB.dat
  - c:\PNga.txt
  - %Windir%\wininit.ini
That's it. I got rid of the virus. I read on the net that this virus creates a copy of the virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it is a folder. But I didn't get any files like that. If you find any files like that, don't click on them; delete them immediately. If you have any doubt, right-click the item and select Properties; then you can tell whether it is a file or a folder.
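The checks from the steps above, collected into a read-only PowerShell audit (an added example, not part of the original post or any vendor tool). The function name `Get-ImautArtifact` is hypothetical; every process name, registry path and file path is taken from the list above.

```powershell
# Added example, not from the original post: read-only audit of the
# W32.Imaut.AS artifacts listed above. It reports findings and changes nothing.
function Get-ImautArtifact {   # hypothetical name
    function New-Finding($Type, $Location, $Detail) {
        [pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail }
    }
    # Processes named in the Task Manager and MSConfig steps
    Get-Process -Name 'Fun','dc','SVIQ','Other','Win' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' $_.Path "PID $($_.Id)" }

    # Autostart values under HKCU
    $valueChecks = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'        = 'dc','dc2k5','fun'
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' = 'load','run'
    }
    foreach ($key in $valueChecks.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $valueChecks[$key]) {
            if ($props -and $props.PSObject.Properties[$name]) {
                New-Finding 'RegistryValue' $key "$name = $($props.$name)"
            }
        }
    }
    # Winlogon Shell should be exactly Explorer.exe (comparison is case-insensitive)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
        New-Finding 'WinlogonShell' $winlogon "Shell = $shell"
    }
    # Leftover MSConfig startupreg subkeys
    $startupreg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    foreach ($sub in 'dc','dc2k5','Fun','Load','Run') {
        if (Test-Path -LiteralPath "$startupreg\$sub") {
            New-Finding 'RegistryKey' "$startupreg\$sub" 'present'
        }
    }
    # Files from the deletion step (-Force also finds hidden and system files)
    $files = 'Help\Other.exe','inf\Other.exe','system\Fun.exe','System32\config\Win.exe',
             'System32\WinSit.exe','dc.exe','SVIQ.exe','System32\NWB.dat','wininit.ini' |
             ForEach-Object { Join-Path $env:windir $_ }
    foreach ($path in @($files) + 'C:\PNga.txt') {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) { New-Finding 'File' $item.FullName "$($item.Length) bytes, $($item.LastWriteTime)" }
    }
}

Get-ImautArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found; anything reported is then handled with the manual steps above.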
Thank you very much... you saved my life.
Thanks very much, it works, but only when you do the process in safe mode.
Serving a lot. Great job done by you. Thanks. Sharing is Caring.
Hi,
Thank you so much for the effort you took. As far as the safe mode opinion: that does not hold true. However, don't try stopping fun.exe before the rest; stop it at the end. It will work fine otherwise.
Very Helpful.. Much Appreciated
Thanks a lot! I have the same virus in my machine. The problem I am facing .. it does not allow me to read my DVD drive, USB drive though they are getting recognized. The DVD drive in my explorer is projected as another partition in my disk and allows me to store files.
You are very generous, this is very valuable information for which there is not much advice on the net.
May blessings come your way thick and fast!
Thank you for your effort, the best solution that I could find on the internet.
Thanks for the effort you put in
Cheers.
Thank you very much... my saviour !!!
Millions thanks!
For me, I did observe the thing replicating with a folder icon to mislead people, but only on removable media (my camera's memory stick), not on my hard drive.
Thanks a lot!
Worked like a charm.
Thank you very much....
It's very nice information....
thanks a lot..
Thanks a lot ..
spybot helped me
MANY THANKS BRO!
thank you very much... my long search come to an end... love you dear...
you are an amazing person, thank you
thanks so much, keep posting friends
Hello Sir,
I must say that there are very few people who can imagine the mental state of a victim of a computer virus.
You have hit the nail! and done us all a wonder. You may have just copied this idea from the internet but your efforts so put up is itself worth an appraisal.
Simple, Sweet, PERFECT!!!
Thank YOU SO MUCH!!!
thanks a looooooooooooot.......
hey thanks a lot, it was exactly what I needed.. :)
hey, thanks a lot....
Thank you Very Much. u made my day :) appreciate ur effort.. kudos
Thx a lot bro... u saved my time :)
Thx dude!!! Your guide helped me a lot :D!! Keep it up!!
Superb .. it works. Great job...
The value of human life is to share what you know and help the needy. That is what you have done ... Keep up your work.. May God bless you.
Peter
Seeing that this post has been online since early 2008, and you just saved my a**e today.
Waoh! A whole load of thanks man!
keep it running!
Thank you very much. The virus was removed, but the Documents and Settings folder has become a file. How do I resolve this problem? My Windows is Vista (64-bit).
Another saved life, thanks :)
(just to make this thread a bit longer :)
THANK you
I have created a tool to remove that virus,...........
http://www.ziddu.com/download/8746211/RemoveViruses.rar.html
Well done!
You're really cool
God willing, you'll learn Persian and understand what I'm saying!!!
May you achieve whatever you want in your life
[ I read in the net that this virus will create a copy of virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it was a folder. ]
I have seen this on my USB flash drive, really annoying
I'm working with 20 other PCs, all infected!!
I think it also deletes Autorun.inf on the flash drive
much thanks for the .bat program :)
thanks, it really works, but in safe mode.
sikandar
Thank you this was very helpful.
But when I tried to delete processes like dc.exe and fun.exe directly, they appeared again automatically within 1 second.
Finally, it was solved.
For people who couldn't delete the processes directly: delete explorer.exe first from the Processes tab of Task Manager (don't panic, you can get it again). Then go to File --> New Task (Run) --> Browse. Then do exactly what is written in the blog; you don't have to go to safe mode.
I will explain in short:
1. Delete explorer.exe process
2. Delete dc.exe process
3. Delete fun.exe process
4. Delete sviq.exe process
5. Delete other.exe process (if present)
6. Delete WinSit.exe process (if present)
7. Delete all the above files from the Windows directory (as mentioned in this blog, this step is most important)
8. Delete registries (File --> New Task (Run) --> regedit) with values/folders named dc.exe, fun.exe, sviq.exe, other.exe, win.exe (here they will be removed from start-up too)
You can also contact me at:
jigar_tidus@hotmail.com
Thanks & Regards,
Jigar aka TiduS™
Just popping in to say nice site.
virus removal link has been deleted
hi, new to the site, thanks.
I really liked the article, and the very cool blog
Thank you very much. You saved my PC.
Thanks again.
Best wishes!