Tuesday, August 12, 2008

VIRUS SOLUTION: MicrosoftPowerPoint.exe, Orkut Banned - Solution

Virus Details

Names:

heap41a
MicrosoftPowerPoint.exe
Orkut Banned virus
AutoHotKey

Size: around 261 KB, depending on the version

Processes commonly running:

Winlogons.exe
MsUpdate.exe

You have the virus if you see any one of the symptoms below:

  • There is a folder called Heap41a in C:\
  • You have a small green "H" icon that sits in your task-bar (the AutoHotKey tray icon)
  • Orkut is not working, and messages like "muhuhahaha orkut is banned you fool" keep appearing
  • Mozilla and Internet Explorer open with messages similar to the above
  • Folder Options is not working; hidden files are never displayed
  • A file called "MicrosoftPowerPoint.exe" has infected your pendrive
  • Autorun.inf files are created on the drives, and double-clicking a drive opens it in a new window

Virus Removal Steps:

Re-enable Task Manager and regedit access as described in the first post; otherwise run the registry entries below to get them back temporarily.
Download TuneUp Utilities and follow the standard three steps:

1. Kill Process (Use Tune-up task-manager if Task-Manager is disabled)
2. Remove from File System (You can use unlocker, if necessary)
3. Remove registry Entries (Use Tune-up Registry editor if regedit is disabled)


Technicalities:

The following .BAT code simply repeats the three steps described above.


You can either copy this code and save it as virusRemover.BAT, or download it from here.
Run it (double-click) in Safe Mode. The steps are:
  1. Restart computer
  2. Keep pressing F8
  3. Choose one of the three Safe Mode options
  4. Login to your Account
  5. Double-Click on this file
  6. Once it is done, restart back normally
______________________________________________________

@echo off
title MicrosoftPowerPoint.exe Removal
cls
echo MicrosoftPowerPoint.exe Removal
REM Step 1: kill the virus processes (/t ends child processes too, /f forces termination)
echo Killing Virus Processes...
pause
taskkill /IM "MsUpdate.exe" /t /f
taskkill /IM "WinLogons.exe" /t /f
pause
REM Step 2: delete the dropped files (/f overrides read-only, /a includes hidden and system files,
REM /q skips the "Are you sure" prompt that del shows for wildcards)
echo Deleting Virus files from file-System...
pause
del "%userprofile%\Local Settings\Temp\MSDATA" /f /a /q
del "%userprofile%\Local Settings\Temp\IXP000.TMP" /f /a /q
del "%windir%\system32\WinLogons.exe" /f /a /q
del "C:\heap41a\*.*" /f /a /q
del "D:\heap41a\*.*" /f /a /q
del "E:\heap41a\*.*" /f /a /q
del "F:\heap41a\*.*" /f /a /q
del "C:\autorun.inf" /f /a /q
del "C:\MicrosoftPowerPoint.exe" /f /a /q
del "D:\autorun.inf" /f /a /q
del "D:\MicrosoftPowerPoint.exe" /f /a /q
del "E:\autorun.inf" /f /a /q
del "E:\MicrosoftPowerPoint.exe" /f /a /q
del "F:\autorun.inf" /f /a /q
del "F:\MicrosoftPowerPoint.exe" /f /a /q
REM Step 3: revert the registry policies the virus set (writing 0 re-enables each tool)
echo Reverting Registry Entries...
echo Enabling Registry...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
echo Enabling TaskManager...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
echo Enabling Run...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRun /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /t REG_DWORD /d 0 /f
echo Enabling Control Panel...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f
echo Enabling Folder Options...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
REM Restore the "Hidden files" radio buttons in Folder Options so hidden files can be shown again
echo Enabling Hidden Files...
pause
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
REM Remove the logon autorun keys; adding each key first means the delete does not fail when the key is absent
echo Removing Autoruns...
pause
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runonce /f
REM Put the default shell back in case the virus hooked Winlogon's Shell value
echo Fixing Explorer Handles...
pause
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f
echo Finishing...
echo MicrosoftPowerPoint.exe Remover terminated successfully
pause
exit

______________________________________________________
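The batch file below is an added example, not part of the original post. It checks for the indicators listed under "Virus Details" (the processes, the Heap41a folders, MicrosoftPowerPoint.exe and autorun.inf on each drive, the disabled-tool policies, the Hidden files setting and the Winlogon shell) and reports each one it finds, so you can confirm the infection before running the remover and confirm the cleanup after the restart. It assumes tasklist, reg and find are available (Windows XP Professional and later); the file name heap41a_check.bat and the drive letters beyond F: are my additions.

```batch
@echo off
REM heap41a_check.bat - added example, not from the original post.
REM Reports which of the post's indicators are present and exits with 1 if
REM any were found, 0 if none. Run before removal and again after the reboot.
setlocal EnableDelayedExpansion
set FOUND=0

echo [Processes]
for %%P in (Winlogons.exe MsUpdate.exe) do (
    tasklist /FI "IMAGENAME eq %%P" 2>nul | find /I "%%P" >nul
    if !errorlevel! equ 0 (
        echo   RUNNING: %%P
        set FOUND=1
    )
)

echo [Files]
if exist "%windir%\system32\WinLogons.exe" (
    echo   PRESENT: %windir%\system32\WinLogons.exe
    set FOUND=1
)
REM Drive letters the remover touches plus a few extra for pendrives (assumption)
for %%D in (C D E F G H I J) do (
    if exist "%%D:\" (
        if exist "%%D:\heap41a\" (
            echo   PRESENT: %%D:\heap41a\
            set FOUND=1
        )
        if exist "%%D:\MicrosoftPowerPoint.exe" (
            echo   PRESENT: %%D:\MicrosoftPowerPoint.exe
            set FOUND=1
        )
        if exist "%%D:\autorun.inf" (
            echo   PRESENT: %%D:\autorun.inf, contents:
            type "%%D:\autorun.inf"
            set FOUND=1
        )
    )
)

echo [Registry policies]
REM A clean machine has these values absent or set to 0 (reg query prints them as 0x0)
set POL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
for %%V in ("System DisableRegistryTools" "System DisableTaskMgr" "System DisableRun" "System NoDispCPL" "Explorer DisallowRun" "Explorer NoFolderOptions") do (
    for /F "tokens=1,2" %%K in (%%V) do (
        for /F "tokens=3" %%X in ('reg query "%POL%\%%K" /v %%L 2^>nul ^| find /I "%%L"') do (
            if /I not "%%X"=="0x0" (
                echo   SET: %%K\%%L = %%X
                set FOUND=1
            )
        )
    )
)

echo [Hidden files setting]
REM SHOWALL\CheckedValue must be a DWORD 1 for "Show hidden files" to work
for /F "tokens=3" %%X in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue 2^>nul ^| find /I "CheckedValue"') do (
    if /I not "%%X"=="0x1" (
        echo   CHANGED: SHOWALL\CheckedValue = %%X
        set FOUND=1
    )
)

echo [Winlogon shell]
for /F "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2^>nul ^| find /I "Shell"') do (
    if /I not "%%B"=="Explorer.exe" (
        echo   CHANGED: Shell = %%B
        set FOUND=1
    )
)

echo.
if %FOUND%==1 (
    echo RESULT: indicators found, the machine still shows signs of the virus.
    exit /b 1
)
echo RESULT: none of the listed indicators were found.
exit /b 0
```

Run it from a command prompt (cmd.exe, not by double-clicking) so the output stays on screen. The autorun.inf contents are printed rather than interpreted so you can see which file the drive's autorun would launch; a clean drive normally has no autorun.inf at all.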
