1. /
  2. Security Response/
  3. W32.Funlove.4099

W32.Funlove.4099 - Removal

Risk Level 2: Low

Discovered:
November 8, 1999
Updated:
February 13, 2007 11:34:17 AM
Also Known As:
Win32.FunLove.4070 [KAV], W32/FunLove.gen [McAfee], PE_FUNLOVE.4099 [Trend], W32/Flcss [Sophos], Win32.Funlove.4099 [CA]
Type:
Virus
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

The procedure for removing the W32.FunLove.4099 virus depends on your operating system.

Windows 95/98/Me users
If you are running Windows 95/98/Me, Symantec Security Response has provided a free removal tool. You can obtain the tool and instructions for its use here.

If you prefer to remove the infection manually, see the instructions in the sections that follow.

To delete the Flcss.exe file that was placed on the hard drive by the W32.FunLove.4099 virus:
  1. Run LiveUpdate to make sure that you have the latest virus definitions.
  2. Run a full system scan. Make sure that you scan all hard drives and that NAV is set to scan all files. If NAV detects the virus and prompts you for an action, then click Quarantine.
  3. Click Start, point to Find, and click Files or Folders. The Find All Files dialog box appears.
  4. Make sure that Look in is pointing to the drive on which Windows is installed.
  5. In the Named box, type flcss.exe and then click Find Now.
  6. If the file is found, then right-click the Flcss.exe file in the results pane. Click Delete, and click Yes to confirm the deletion.
  7. Close the Find All Files dialog box.

NOTES:
  • If you continue to be reinfected with the W32.FunLove.4099 virus, you will have to restart Windows in Safe Mode to remove the virus. Please follow the steps for the version of Windows you are running:
    • Windows 95
      1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      2. Click Restart the computer, and then click Yes.
      3. When you see the "Starting Windows 95" message, press F8.
      4. Type the number for Safe Mode, and then press Enter.
      5. Run a full system scan. Make sure that you scan all hard drives and that NAV is set to scan all files.
      6. Repeat steps 3 through 7 in the previous section to find and delete the Flcss.exe file.
    • Windows 98
      1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
      2. Click Restart, and then click OK.
      3. Immediately press and hold down the Ctrl key.
      4. Type the number for Safe Mode, and then press Enter.
      5. Run a full system scan. Make sure that you scan all hard drives and that NAV is set to scan all files.
      6. Repeat steps 3 through 7 in the previous section to find and delete the Flcss.exe file.
  • If NAV detected the Flcss.exe file and placed it in the Quarantine folder, then you can either leave it there, which prevents it from being run, or delete it. To delete a file from Quarantine, please follow the steps for the version of NAV you are running:
    • NAV 5.0
      1. Start NAV, and click Quarantine.
      2. In the right pane of the Quarantine window, click the file that you want to delete and then click Delete Item.
      3. Close the Quarantine window.
    • NAV 2000
      1. Start NAV, and click Reports.
      2. Double-click "View and manage the items in Quarantine."
      3. In the right pane of the Quarantine window, click the file that you want to delete and then click Delete Item.
      4. Close the Quarantine window.
  • This virus can infect .exe files. If it infects Windows program files, such as Explorer.exe, Windows may no longer run. If this happens, then you must replace the .exe file. Please see your Windows documentation for information on how to do this.

Windows NT users
If you are using Windows NT, Symantec Security Response has provided a free removal tool. You can obtain the tool and instructions for its use here.

If the computer becomes reinfected
There have been several cases reported of computers being reinfected after following the previous procedure. In that case, you must remove the virus using the Emergency Boot Disk. Follow these steps to do this:
  1. Click Start, click Shut Down. Click Shut Down, and then click OK.
  2. Turn off the computer when prompted. You must turn off the computer to clear the memory; do not simply press the reset button. Wait at least 30 seconds.
  3. Insert the Emergency Boot Disk into drive A, and then turn on the computer.
  4. Press any key when prompted, and then follow the on-screen prompts for the Emergency Boot Disk that you are using:
    • Norton System Works Emergency Boot Disk.
      1. Select Norton AntiVirus.
      2. Look for the following line of text at bottom of the screen:

        navdx c:\ m+ /b+ /repair /cfg:a:\
      3. Replace that line with the following one, and then press Enter:

        navdx c: /doallfiles /repair
      4. Allow the process to finish, remove the disk, and then restart the computer.
    • Norton AntiVirus Emergency Boot Disk.
      1. Press Ctrl+C.
      2. Type the following, and then press Enter:

        navdx c: /doallfiles /repair
      3. Allow the process to finish, remove the disk, and then restart the computer.

NOTE: Several cases have been reported in which reinfection continued to occur because the Explorer.exe and Flcss.exe files had been added to the NAV exclusions list. To check for this, follow these steps:
  1. Start NAV, and click Options.
  2. Click Exclusions.
  3. In the list, look for files such as Explorer.exe and Flcss.exe. Any files in this list will not be scanned by NAV.
  4. Select these files if you find them, and then click Remove. (Do not remove the *.vi? entry.)
  5. Click OK, and then exit NAV.


Writeup By: Peter Szor

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver