Archive for the ‘Windows’ Category

How to Remove Fun.exe, dc.exe, SVIQ.exe virus

November 13, 2008 32 comments

I got a virus which kept automatically opening Yahoo Messenger. So, when I looked at the processes in Task Manager, I found the following processes: Fun.exe, dc.exe, SVIQ.exe.

I killed those processes by right-clicking each process and selecting “End Process Tree”. After I had killed all those processes, I searched the Internet and found the following link: W32.Imaut.AS (also called Dung Coi). Then I deleted all the virus files and cleaned the registry.
I am describing the exact steps below:

  • First go to Task Manager (right-click on the task bar > Task Manager) and select the Processes tab.
  • Right-click on Fun.exe, dc.exe and SVIQ.exe and select “End Process Tree”. This stops the viruses from interfering with the cleanup process.
  • Go to MSConfig (Win+R, type MSConfig and press Enter). Go to the Startup tab. Uncheck dc.exe, fun.exe, SVIQ.exe, Other.exe and Win.exe. This stops the virus processes from starting with Windows.
  • Next go to the Registry Editor (Win+R, type RegEdit and press Enter). Remove the following keys:
    • dc, dc2k5, fun under the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • load, run under the key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Go to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the value of Shell to “Explorer.exe”.
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\dc2k5
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Fun
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
    • Remove HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
  • Delete the following files.
    • %Windir%\Help\Other.exe
    • %Windir%\inf\Other.exe
    • %Windir%\system\Fun.exe
    • %Windir%\System32\config\Win.exe
    • %Windir%\System32\WinSit.exe
    • %Windir%\dc.exe
    • %Windir%\SVIQ.exe
    • %Windir%\System32\NWB.dat
    • c:\PNga.txt
    • %Windir%\wininit.ini
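
As an added example (not part of the original post), here is a read-only PowerShell audit of the registry values, files and folder-lookalike copies the steps above describe; it reports what is present and deletes nothing. It assumes PowerShell 3 or later in an elevated shell, and `$scanRoot` is the folder tree you want searched for lookalike copies.

```powershell
# Added read-only audit of the autostart entries and files listed in the post.
# Assumptions: PowerShell 3 or later, run as an administrator; $scanRoot is
# the folder tree to search for the folder-lookalike copies the post mentions.
$scanRoot = $env:USERPROFILE
$findings = @()

# Run-key values the post tells you to remove
$runValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'        = @('dc', 'dc2k5', 'fun')
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' = @('load', 'run')
}
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues[$key]) {
        if (-not [string]::IsNullOrEmpty($props.$name)) {
            $findings += "$key : $name = $($props.$name)"
        }
    }
}

# Winlogon Shell should be explorer.exe and nothing else
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and ($shell -ne 'explorer.exe')) { $findings += "Winlogon Shell = $shell" }

# MSConfig's own record of the disabled startup items
$startupReg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
foreach ($n in 'dc', 'dc2k5', 'Fun', 'Load', 'Run') {
    if (Test-Path "$startupReg\$n") { $findings += "startupreg entry present: $n" }
}

# Dropped files named in the post
$files = "$env:windir\Help\Other.exe", "$env:windir\inf\Other.exe",
         "$env:windir\system\Fun.exe", "$env:windir\System32\config\Win.exe",
         "$env:windir\System32\WinSit.exe", "$env:windir\dc.exe", "$env:windir\SVIQ.exe",
         "$env:windir\System32\NWB.dat", 'C:\PNga.txt', "$env:windir\wininit.ini"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Folder-lookalike copies: an .exe sitting beside a folder of the same name
foreach ($dir in Get-ChildItem -Path $scanRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue) {
    $twin = Join-Path $dir.Parent.FullName ($dir.Name + '.exe')
    if (Test-Path -LiteralPath $twin) { $findings += "folder lookalike: $twin" }
}

if ($findings) { $findings } else { 'None of the indicators from this post were found.' }
```

Run it before and after the cleanup: an empty result afterwards confirms the entries and files are gone, and any lookalike hit is a file to inspect with its Properties dialog as the post suggests.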


That’s it. I got rid of the virus. This virus creates a copy of the virus file in directories with the same name as the directory and uses a folder icon, so that users will click on it thinking it is a folder. I didn’t get any files like that, but if you do, don’t click on them; delete them immediately. If you have any doubt, right-click on the item and select Properties, then you can tell whether it is a file or a folder.

For more technical articles, news and forum discussion logon

Categories: Windows

Why can’t we create a folder by name CON?

February 21, 2008 34 comments

I’ve been asked this question many times: Why can’t we create a folder by name CON? Although it seems a wonder or magic that we can’t create a folder with that name, in reality it is not so. It has a definite reason, and in fact a folder can be created using that reserved name.

Gone are the days when computers had only CUI OSes, that is, Character User Interface Operating Systems, like MS-DOS. When I joined my first computer course nine years ago, Windows 95 was ruling. You could see Windows 98 here and there. We were in 8th standard, and working on a computer was like a dream coming true. Microsoft’s Paint Brush was the only GUI software known to us and was the greatest means of entertainment. The instructors taught us only MS-DOS commands and how to shut down the computer. Remembering such weird names as DIR, CD, MD, RD, CHKDSK, FDISK, VER, ATTRIB, REN, DEL etc. along with their syntax and usage was a great accomplishment. But I had a problem understanding this: DOS has a separate dedicated command for every action, literally every action, except… creating a file!

Yes, we used COPY CON filename to create a file named filename. Anyone can say that it is a form of the COPY command. So, why was creating a file different from all other commands? I didn’t understand it until I found out how to print using DOS, almost four years later.

DOS uses different names for the attached devices, I learnt. PRN was one such name. TYPE filename would display the contents of a file, and TYPE filename > PRN would print it instead of displaying it. Curiosity brings many hidden matters out. PRN surely meant Printer and would redirect the output to the printer instead of the console. The console (monitor) is the implicit default output device, and it can be bypassed if needed. So, how to put it explicitly? There must be some means to do that. Yes, there is! TYPE filename > CON performs exactly the same function as TYPE filename. These special names for the devices really mean something special to the operating system, and those names cannot be used as folder or file names: CON, PRN, NUL, COM1 to COM9, LPT1 to LPT9, which stand for CONsole, PRiNter, NULl, serial COMmunication ports and Line PrinTer ports.

Times have changed and the operating system can also be fooled! But still, many people think that it is not possible to create a folder by name CON. Using the network drive path syntax, these special names can also be used as folder names! Here is how:

  1. Go to the DOS prompt (command prompt)
  2. Type MD \\.\C:\CON. The folder will be created. You can check it in Windows Explorer also, but you can’t access it.
  3. To delete the folder, type RD \\.\C:\CON

In short, use the network path syntax instead of absolute path syntax.

Now on to the practical aspect of this. Why can’t we create it directly, but can using the network path syntax? The answer is simple. A computer can have only one default console, printer, null etc. So, if it is accessed from a network, theoretically the console should belong to another node in the network. Since that node may not have a device which can be referred to using the name CON, it will no longer be considered a reserved name. Hence, the folder can be created.
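
As an added example (not from the post), a PowerShell function that flags the reserved device names discussed above; AUX, which belongs to the same family, is included as well. Windows only looks at the part of the name before the first dot, so a name such as con.txt is just as reserved, which matters when a program running on Windows writes files under user-supplied names.

```powershell
# Added example: flags the reserved device names explained above (CON, PRN, NUL,
# COM1-COM9, LPT1-LPT9) plus AUX, which belongs to the same family. Windows
# looks only at the part before the first dot, so "con.txt" is as reserved as "CON".
function Test-ReservedDeviceName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $base = $Name.Split('.')[0].TrimEnd(' ')
    return [bool]($base -match '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$')
}

# Constructed sample names for the demo; the last three are NOT reserved
foreach ($n in 'CON', 'con.txt', 'LPT1.log', 'Nul', 'CONSOLE', 'COM10', 'report.txt') {
    '{0,-12} reserved: {1}' -f $n, (Test-ReservedDeviceName -Name $n)
}
```

The \\.\ prefix used in the steps above selects the Win32 device namespace, which skips the normal path parsing where these names are reserved; that is why the folder can be created there but not opened by its ordinary C:\CON path.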

The next time when someone asks the question why we can’t create a folder by name CON, say with confidence that it is not true…


When you try to add or remove a program on a computer that is running Windows XP or Windows Server 2003: “The Windows Installer service could not be accessed”

January 2, 2008 Leave a comment

When installing or uninstalling a program, you get the error message “The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.”

1. Determine the location of the Msiexec.exe file on your hard disk. To do this, follow these steps:

a. Click Start, click Run, type %windir%\system32, and then click OK.

Note: This step opens the folder where the Msiexec.exe file is located.

b. Make a note of the location of the Msiexec.exe file. The location of the Msiexec.exe file will be a combination of the value in the Address text box and the Msiexec.exe file name itself.

For example if the Address text box contains a value of C:\Windows\system32, the location of the Msiexec.exe file will be C:\Windows\system32\Msiexec.exe.

2. Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Make sure that the location of the Msiexec.exe file in Registry Editor is correct. To do this, follow these steps:

a. Click Start, click Run, type regedit in the Open text box, and then click OK.
b. Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, and then click MSIServer.
c. In the right pane, right-click ImagePath, and then click Modify.
d. In the Value data text box, type the location of the Msiexec.exe file that you determined in step 1, followed by /V, and then click OK.

For example, if the location of the Msiexec.exe file is C:\Windows\system32\Msiexec.exe, type the following text in the Value data text box:

C:\WINDOWS\System32\msiexec.exe /V
e. Click OK to close the Edit String dialog box.
f. Click the File menu, and then click Exit to close Registry Editor.

Click Start, click Run, type msiexec /regserver in the Open text box, and then click OK. If the issue still exists, see the Microsoft article.
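
As an added check (not from the original post), this PowerShell snippet reads the MSIServer ImagePath the steps above edit, compares it with the real msiexec.exe location and shows the service state, so you can see whether the registry edit is actually needed. It assumes an elevated shell.

```powershell
# Added example: checks the MSIServer ImagePath the steps above edit against the
# real msiexec.exe location and the service state. Assumes an elevated shell.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\msiserver'
$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if (-not $imagePath) { 'ImagePath is missing; set it to <path to msiexec.exe> /V as described.'; return }

# Newer systems store %systemroot% here, so expand before testing the file
$expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
$exe = ($expanded -replace '\s*/V\s*$', '').Trim('"')
"ImagePath : $imagePath"
"Binary    : $exe  exists: $(Test-Path -LiteralPath $exe)"
"Has /V    : $($imagePath.TrimEnd() -like '*/V')"
"Matches   : $($exe -eq "$env:windir\system32\msiexec.exe")"
"Service   : $((Get-Service -Name msiserver).Status)"
```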


Getting the “Open With” dialog when opening Windows drives?

December 28, 2007 Leave a comment

Recently, I had been facing this problem on all the virus-hit systems on one of my client’s networks. The problem was that I was getting the “Open With” dialog every time I double-clicked any drive in My Computer. I had to select Internet Explorer from the Open With dialog to open the drives. One of my friends came up with an idea and it worked great. The idea was to create a blank autorun.inf file in the drive having problems. And it was perfect: now I can open all my drives (after placing the blank autorun.inf in the drive) by double-clicking them.

To make a blank autorun.inf, open notepad and Save As “autorun.inf”. Place the autorun.inf in the affected drive.

Having the same problem? Did this trick solve your problem or you had a better solution? Share your experiences.

UPDATE: Please use the following DOS commands to delete the autorun.inf file:
C:\>attrib -S -H -R C:\autorun.inf
C:\>del /F C:\autorun.inf
Replace C with the letter of the drive whose autorun you want to disable.


Removing the ntde1ect.com and autorun.inf files

December 21, 2007 2 comments

There is a trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) that uses those two files. Here is how you can get rid of them:

1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager
5) Run cmd
6) Run the following command on all your drives by replacing c:\ with other drives in turn (note: if you have autorun.inf files that you think you need to backup, do so now):

del c:\autorun.* /f /a /s /q

7) Go to your Windows\System32 directory by typing cd c:\windows\system32
8) Type dir /a avp*.*
9) If you see any files named avp0.dll, avpo.exe or avp0.exe, use the following commands to delete each of them:

attrib -r -s -h avpo.exe
del avpo.exe

10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
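
As an added example serving both this post and the “Open With” post above (it is not code from either), this PowerShell script lists autorun.inf on every drive, shows the lines that tell Explorer what to run, lists any avp* files in System32, and deletes autorun.inf only when run with -Remove. Save it as a .ps1 and run it from an elevated shell.

```powershell
# Added example (not from either post): lists autorun.inf on every drive, shows
# the lines that tell Explorer what to run, and deletes the file only when the
# script is run with -Remove. Save as a .ps1 and run from an elevated shell.
param([switch]$Remove)

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $item = Get-Item -LiteralPath $inf -Force
    '{0}  attributes: {1}  size: {2} bytes' -f $inf, $item.Attributes, $item.Length
    # open= / shellexecute= under [autorun] name the program Explorer would launch
    Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|icon|label)\s*=' } |
        ForEach-Object { "    $_" }
    if ($Remove) {
        $item.Attributes = 'Normal'          # same effect as attrib -S -H -R
        Remove-Item -LiteralPath $inf -Force # same effect as del /F
        "    removed $inf"
    }
}

# This post also names avp0.dll / avpo.exe / avp0.exe in System32; list candidates
Get-ChildItem -Path "$env:windir\System32" -Filter 'avp*.*' -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A 0-byte autorun.inf is the blank placeholder from the “Open With” post; one with a nonzero size and open= or shellexecute= lines deserves a look before you delete it.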


Task Manager has been disabled by your administrator

December 21, 2007 1 comment

“Task Manager has been disabled by your administrator”

Here is the solution from the Microsoft article about enabling the Task Manager:

Enabling Task Manager from Group Policy Editor
1. Go to “Start” -> “Run”, type “Gpedit.msc” and press Enter.
2. Navigate to “User Configuration” -> “Administrative Templates” -> “System” -> “Ctrl+Alt+Del Options”
3. In the right side of the screen verify that the “Remove Task Manager” option is set to “Disabled” or “Not Configured”.
4. Close the “Gpedit.msc” MMC.
5. Go to “Start” -> “Run”, type “gpupdate /force” and press Enter.

Enabling Task Manager from Registry Editor
1. Go to “Start” -> “Run”, type “regedit” and press Enter.
Warning: Modifying your registry can cause serious problems that may require you to reinstall your operating system.
Always backup your files before doing this registry hack.

2. Navigate to the following registry keys and verify that the following settings are set to their defaults:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000
3. Reboot the computer.

For your convenience, I have created a registry file. Just download, double click it and add the info to your registry. The task manager will be enabled. Post your experiences please.

Download the registry file here.

Enabling Task Manager from the Run Menu

Abdullah mailed me this solution. Go to Start –> Run and copy and paste the following and press OK.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f


Registry Editing Has Been Disabled By Your Administrator

December 21, 2007 19 comments

Here are two ways to enable the registry editing in Windows.

1- From Group Policy Editor

Go to Run –> gpedit.msc
In the left hand menu, go to User Configuration –> Administrative Templates –> System.
Now in the right hand pane, select “Prevent access to registry editing tools”. It will probably be Not Configured or Enabled. If it’s Enabled, disable it; if it’s Not Configured, first enable it, apply the settings and then disable it. Most probably the settings are applied instantly. If not, run gpupdate from a command prompt to apply the group policies.

2- From the Run Menu

I got this tweak while surfing the internet. Go to Start –> Run, copy and paste the following into the Run box and press OK.

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

The effects are usually instant. If not then you should see the results after restarting your computer.
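
As an added example covering this post and the Task Manager post above (not code from either), this PowerShell script reads the DisableTaskMgr, DisableRegistryTools and DisableCAD values at the keys both posts name and, only when run with -Fix, writes them back to 0, which is the same change the two REG add one-liners make. Save it as a .ps1 and run it from an elevated shell, first without -Fix to see which value is set.

```powershell
# Added example: reads the policy values the two posts above reset and, with
# -Fix, writes them back to 0 (the same change as the REG add one-liners).
# Save as a .ps1; run it without -Fix first to see which value is set.
param([switch]$Fix)

$policyKeyCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyKeyLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Key = $policyKeyCU; Name = 'DisableTaskMgr' },
    @{ Key = $policyKeyCU; Name = 'DisableRegistryTools' },
    @{ Key = $policyKeyLM; Name = 'DisableTaskMgr' },
    @{ Key = $policyKeyLM; Name = 'DisableRegistryTools' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'DisableCAD' }
)

foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Key) {
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $value) { '{0}\{1}: not set (default)' -f $c.Key, $c.Name; continue }
    '{0}\{1} = {2}' -f $c.Key, $c.Name, $value
    if ($Fix -and $value -ne 0) {
        Set-ItemProperty -Path $c.Key -Name $c.Name -Value 0 -Type DWord
        '    reset to 0'
    }
}
```

A value that is set by a Group Policy Object comes back at the next policy refresh, so if it reappears after -Fix, correct the policy in gpedit.msc as in the Group Policy Editor steps rather than the registry.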
