I have got a virus, which automatically opening the Yahoo messenger. So, when I have looked the processes in the task manager, I have found the following processes Fun.exe, dc.exe, SVIQ.exe.
I killed those processes, by right clicking the process and select “End Process Tree”. After I have killed all those processes, I searched Internet and found the following link W32.Imaut.AS (also called Dung Coi). Then I have deleted all the virus files and cleaned the registry.
I am describing the exact steps below:
- First go to the task manager (right click on the task bar > task manager) and select the processes tab.
- Right click on the Fun.exe, dc.exe, SVIQ.exe and select “End Process Tree”. This stops the viruses from interrupting in the cleanup process.
- Go to the MSConfig (Win+R, type MSConfig and press enter). Go to the startup tab. Uncheck the dc.exe, fun.exe, SVIQ.exe, Other.exe, Win.exe. This stop the virus processes from starting with the windows.
- Next go to the Registry Editor (Win+R, type RegEdit and press enter). Remove the following keys
- dc, dc2k5, fun under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- load, run under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and Modify Shell‘s value to “Explorer.exe”.
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
- Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
- Delete the following files.
Thats it. I got rid from the virus. This virus will create a copy of virus file in directories with the same name and uses a folder icon, so that users will click on it thinking it was a folder. But, I dint get any files like that, if you got any files like that, don’t click on them, delete them immediately. If you have any doubt, right click on that and select properties, then you can know whether it is a file or folder.
I’ve been asked this question many a times: Why can’t we create a folder by name CON? Although it seems a wonder or magic that we can’t create a folder by that name, in reality, it is not so. It has a definite reason, and in fact, a folder can be created using that reserved name.
Gone are the days when computers had only CUI OS, that is, Character User Interface Operating Systems, like MS-DOS. When I joined my first computer course nine years ago, Windows 95 was ruling. You could see Windows 98 here and there. We were in 8th standard, and working on a computer was like a dream coming true. Microsoft’s Paint Brush was the only known (for us) GUI software and was the greatest means of entertainment. The instructors taught us only MS-DOS commands and how to Shut Down the computer. Remembering such weird names as DIR, CD, MD, RD, CHKDSK, FDISK, VER, ATTRIB, REN, DEL etc. along with their syntax and usage was a great accomplishment. But I had a problem understanding this: DOS has a separate dedicated command for every action; literally every action, except… creating a file!
Yes, we used COPY CON filename to create a file with name filename. Anyone can say that it is a form of COPY command. So, why was creating a file different than all other commands? I didn’t understand it, till I found out how to print using DOS, almost four years later.
DOS uses different names for the attached devices, I learnt. PRN was one such name. TYPE filename would display the contents of a file and TYPE filename > PRN would print it instead of displaying. Curiosity brings many hidden matters out. PRN would surely mean Printer and will redirect the output to the printer instead of console. Console (monitor) is the implicit default output device, and it can be bypassed if needed. So, how to put it explicitly? There must be some means to do that. Yes, there is! TYPE filename > CON performs exactly same function as TYPE filename. These special names for the devices really mean something special for the operating system and those names can not be used as folder or file names: CON, PRN, NUL, COM1 to COM9, LPT1 to LPT9, which stand for CONsole, PRiNter, NULl, serial COMmmunication ports, Line PrinTer ports.
The time has changed and Operating System can also be fooled! But still, many people think that it is not possible to create a folder by name CON. Using the path of network drive, these special names can also be used as folder names! Here is how:
- Goto DOS
- Type MD \\.\C:\CON. The folder will be created. You can check it in Windows Explorer also, but you can’t access it
- To delete the folder, type RD \\.\C:\CON
In short, use the network path syntax instead of absolute path syntax.
Now on to the practical aspect of this. Why can’t we create it directly but using the network path syntax? The answer is simple. A computer can have only one default console, printer, null etc. So, if it is accessed from a network, theoretically, the console should belong to another node in the network. Since that node may not have a device which can be referred using the name CON, it will no longer be considered as a reserved name. Hence, the folder can be created.
The next time when someone asks the question why we can’t create a folder by name CON, say with confidence that it is not true…
when you try to add or remove a program on a computer that is running Windows XP or Windows Server 2003: “The Windows Installer service could not be accessed”
when install or uninstall program getting and error message “The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.”
|1.||Determine the location of the Msiexec.exe file on your hard disk. To do this, follow these steps:
|2.||Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Make sure that the location of the Msiexec.exe file in Registry Editor is correct. To do this, follow these steps:
Recently, I had been facing this problem on all the virus hit systems on one of my client’s network. The problem was that I was getting the “Open With” dialog every time I double clicked any drive in My Computer. I had to select Internet Explorer from Open With dialog to open the drives. One of my friends came up with an idea and it worked great. The idea was to create a blank autorun.inf file in the drive having problems. And it was perfect .. now I can open all my drives (after placing the blank autorun.inf in the drive) by double clicking them.
To make a blank autorun.inf, open notepad and Save As “autorun.inf”. Place the autorun.inf in the affected drive.
Having the same problem? Did this trick solve your problem or you had a better solution? Share your experiences.
UPDATE: Please use the following DOS command for the ease of deleting the autorun.inf file.
C:\>attrib -S -H -R C:\autorun.inf
C:\>del /F C:\autorun.inf
Replace C with your drive that you want to disable autorun of.
There is a trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) that uses those two files. Here is how you can get rid of them:
1) Open up Task Manager (Ctrl-Alt-Del)
wscript.exe is running, end it.
explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager
6) Run the following command on all your drives by replacing c:\ with other drives in turn (note: if you have autorun.inf files that you think you need to backup, do so now):
del c:\autorun.* /f /a /s /q
7) Go to your Windows\System32 directory by typing
dir /a avp*.*
9) If you see any files names
avp0.exe, use the following commands to delete each of them:
attrib -r -s -h avpo.exe del avpo.exe
10) Use the Task Manager’s Run command to fire up
11) Navigate to
HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for
avpo.exe, delete them.
13) Do a complete search of your registry for
ntde1ect.com and delete any entries you find.
14) Restart your computer.
“Task Manager has been disabled by your administrator”
Here is solution from the Microsoft article about enabling the task manager:
Enabling Task Manager from Group Policy Editor
1. Go to “Start” -> “Run” -> Write “Gpedit.msc” and press on “Enter” button.
2. Navigate to “User Configuration” -> “Administrative Templates” -> “System” -> “Ctrl+Alt+Del Options”
3. In the right side of the screen verity that “Remove Task Manager”” option set to “Disable” or “Not Configured”.
4. Close “Gpedit.msc” MMC.
5. Go to “Start” -> “Run” -> Write “gpupdate /force” and press on “Enter” button.
Enabling Task Manager from Registry Editor
1. Go to “Start” -> “Run” -> Write “regedit” and press on “Enter” button.
Warning: Modifying your registry can cause serious problems that may require you to reinstall your operating system.
Always backup your files before doing this registry hack.
2. Navigate to the following registry keys and verity that following settings set to default:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
3. Reboot the computer.
For your convenience, I have created a registry file. Just download, double click it and add the info to your registry. The task manager will be enabled. Post your experiences please.
Enabling Task Manager from the Run Menu
Abdullah mailed me this solution. Go to Start –> Run and copy and paste the following and press OK.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Here are two ways to enable the registry editing in Windows.
1- From Group Policy Editor
Go to Run –> gpedit.msc
In the left hand menu, go to User Config –> Administrative Templated –> System.
Now In the right hand pane, select “Prevent access to registry editing tools”. It will probably be not configured or enabled. If it’s enabled, disable it and if it’s not configured, first enable it, apply settings and then disable it. Most probably the settings have been applied instantly. If not, then run gpupdate in command prompt to apply the group policies.
2- From the Run Menu
I got this tweak while surfing the internet. Go to Start –> Run, copy and paste the follow in the Run box and press OK.
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
The effects are usually instant. If not then you should see the results after restarting your computer.