INTRODUCTION
The name of this virus, runouce.exe, is deceptive. It closely resembles runonce.exe, a legitimate original Windows file which is the Run Once wrapper.
CAUSES
This virus is installed by a worm installer called W32.Chir (some anti-virus products call it W32.Chir@mm), which can slow down your computer. The virus can connect your computer to its remote hosts, which can cause your computer to download harmful files from the internet and to send mass mailings to e-mail addresses gathered from your computer or your e-mail contacts. This is an example of the message the virus sends:
From: @hotmail.com or iloveyou@btamail.net.cn
Subject: Hi, i am
Attachments: P.exe
If people download that attachment, their computers will also be infected. If you find this virus on your computer, disconnect your internet connection as soon as possible.
This virus also infects files with the .exe extension, which can cause the infected programs to fail to run. The more programs you have installed on your computer, the more disk space the virus fills, because the infected programs have a bigger file size. The computer may crash if it has less than 128MB of RAM or if the C:/ drive is over capacity because of those bigger file sizes.
Worse, this virus can close the anti-virus window or even disable the anti-virus, and the infected computer will not be able to install (run the setup of) an anti-virus. The virus also prevents the internet browser from opening anti-virus websites.
PROBLEM SOLVING
We will tell you how to remove this annoying virus, how to fix the damage, and how to get your infected programs back as well.
Run 'msconfig' and unmark runouce.exe, then restart your computer. Hit F8 repeatedly before the Windows loading screen appears, then start your computer in "Safe Mode".
After you log on to your computer in Safe Mode, go to Folder Options and mark "Show hidden files and folders" in Windows XP or "Show hidden files, folders, and drives" in Windows 7. You also need to mark "Show hide protected operating system files", then click the 'OK' button. If you don't know how to do that, read the article at this link:
Show Hidden Files and Folders in Windows 7 (Windows XP works in a similar way).
Afterward, you need to make sure the runouce.exe you disabled from startup is not running. Press CTRL + ALT + DEL to open Task Manager, switch to the 'Processes' tab, then look for the Image name runonce.exe or runouce.exe with the command C:/Windows/system32/runouce.exe (yes, its Image name is runonce.exe, which is an original Windows file, but the command directory says it is runouce.exe). If you can't find the runouce.exe or runonce.exe Image name, it means you have successfully disabled the virus from running at startup through msconfig. If you do find it, stop its process by clicking "End Process", then click "Yes".
If you have an anti-virus, run it now and do a full scan of every directory on your computer, with no exceptions. If you don't have one or are not able to run it, skip this step.
After the scan has finished and the anti-virus has detected and removed the virus, you need to make sure the virus is removed completely; we will tell you how to do it. If you don't have an anti-virus or are not able to run it, follow the same instructions.
Delete these files:
C:\readme.eml
C:\Inetpub\wwwroot\readme.eml
C:\Windows\System32\runouce.exe
C:\Program Files\Common Files\System\ado\readme.eml (for Windows XP)
C:\Program Files\NetMeeting\readme.em (for Windows XP)
You also need to delete readme.eml in the shared folder.
When you are done, search for and delete any installer with a size of 10 KB by using Windows Search. Then run your anti-virus again.
To fix the infected files, we recommend that you neutralize/disinfect them with Kaspersky Anti-virus. It is up to you which anti-virus you use, but some anti-virus products just delete the infected files without disinfecting them, which means you would lose the files that are infected.
To fix the registry, we suggest you use CCleaner to scan for and remove all harmful registry entries. Or you can remove runouce.exe from startup manually in Regedit (click the Start Menu, go to Run and enter 'regedit') by removing its entry under this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
To make sure nothing is left, hit CTRL + F and enter 'runouce.exe', then remove every runouce.exe entry found in the search results in Regedit.
Restart your PC and everything is back to normal. If you still have the virus there, just repeat the steps above.
Having trouble? Write a comment on this article.
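To confirm the cleanup, the three manual checks above (leftover files, the running process, the Run key) can be done in one read-only pass. This PowerShell script is an added example, not part of the original article; it deletes nothing, assumes Windows is installed on C: as in the article's paths, and its variable names are illustrative.

```powershell
# Read-only check for the Chir leftovers named in this article. Nothing is deleted.
# Assumption: Windows lives on C:, as in the article's paths.
$name = 'runouce.exe'   # the impostor; the legitimate Windows file is runonce.exe

# 1. Files the article says to delete (paths as written in the article).
$paths = @(
    'C:\readme.eml',
    'C:\Inetpub\wwwroot\readme.eml',
    'C:\Windows\System32\runouce.exe',
    'C:\Program Files\Common Files\System\ado\readme.eml',
    'C:\Program Files\NetMeeting\readme.em'
)
$files = @($paths | Where-Object { Test-Path -LiteralPath $_ })

# 2. Processes: the Image name may read runonce.exe, so match on the
#    executable path and command line instead of the name column.
$procs = @(Get-WmiObject Win32_Process | Where-Object {
    ($_.ExecutablePath -like "*\$name") -or ($_.CommandLine -like "*$name*")
})

# 3. Startup values under the Run key whose data mentions runouce.exe.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entries = @()
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        if ($data -like "*$name*") { $entries += "$valueName = $data" }
    }
}

# Report what is still present.
Write-Output "Leftover files      : $($files.Count)"
$files   | ForEach-Object { Write-Output "  $_" }
Write-Output "Matching processes  : $($procs.Count)"
$procs   | ForEach-Object { Write-Output "  PID $($_.ProcessId)  $($_.ExecutablePath)" }
Write-Output "Run key entries     : $($entries.Count)"
$entries | ForEach-Object { Write-Output "  $_" }

if ($files.Count + $procs.Count + $entries.Count -eq 0) {
    Write-Output "No runouce.exe leftovers found in the checked locations."
} else {
    Write-Output "Leftovers found: repeat the removal steps above."
}
```

Run it from an administrator PowerShell window; it does not check shared folders or files the virus has infected, so an anti-virus scan is still needed.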