MicrosoftPowerPoint.exe / Monitor Virus
MicrosoftPowerPoint.exe/H icon logo taskbar/ monitor/~DF450D.tmp.exe
The latest Kaspersky update does not detect this virus yet, as of 8 Nov, 2007. And I did it before, as I promised . . .
This is the new version of the old “orkut virus”, if you remember … Mu hu ha ha ha ….. but it doesn’t do anything like that now… : )
And I have got the website of the programmer who developed this virus… It’s http://sapn4.tripod.com/
But PLEASE, I request, do not go to that site, or else your computer may be seriously affected. The virus automatically starts downloading.
There’s nothing on the site but a few Google ads.
It’s quite an old virus now. But still Kaspersky doesn’t detect it. Probably no one reported it.. he he
VIRUS FILES
File Name: MicrosoftPowerPoint.exe
Icon: Folder with a small “my comp” icon within it
Type: Application
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Tuesday, June 26, 2007, 1:06:24 PM
Attributes: Read-only, Hidden+System, Archive
File Name: Winlogons.exe
Icon: Folder
Type: Winlogons
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Wednesday, October 31, 2007, 10:20:00 PM
Attributes: Read-only, Hidden+System, Archive
File Name: MsUpdate.exe
Icon: ‘H’ in green color
Type: Application
Description: AutoHotKey
Size: 230 KB (235,520 bytes)
Modified: Wednesday, June 20, 2007, 10:38:52 PM
Attributes: Archive
File version: 1.0.46.17
Internal Name: AutoHotKey
PARTIALLY DETECTED BY KASPERSKY
Trojan-Downloader.Win32.AutoIt.t -> monitor 2.6 KB
SYMPTOMS
These two hidden system files are automatically copied to your removable drives:
MicrosoftPowerPoint.exe
autorun.inf
Double Clicking of the removable drives doesn’t work
Tools>Folder Options is disabled
You are unable to see your hidden files
BEHIND THE SCREEN
DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate~1
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
runs the file
C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\IXP000.TMP\MsUpdate.exe
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer
Creates a value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
Value: Explorer
New data(Unicode null-terminated string):Winlogons
Deletes the value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: wextract_cleanup0
Data(Unicode null-terminated string):
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP"
THE VIRUS PROGRAM
<the script is of type Trojan-Downloader.Win32.AutoIt.t>
The virus has been written in AutoHotKey 1.0.46.17
xxxxxx Deleted by PiyushLabs for security reasons xxxxxx
SOLUTION
End Task
Open Run and paste the following codes one by one.
TASKKILL /f /t /fi "IMAGENAME eq svchost.exe" /fi "USERNAME ne NT AUTHORITY*"
TASKKILL /f /t /fi "IMAGENAME eq MsUpdate.exe"
TASKKILL /f /t /fi "IMAGENAME eq Winlogons.exe"
Enable CMD
Open Run and paste the following codes.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
Delete
Open Run>CMD and paste the following codes one by one.
del "%userprofile%\LOCAL SETTINGS\TEMP\MSDATA" /f /a
del "%userprofile%\Local Settings\Temp\IXP000.TMP" /f /a
del "%temp%\~DF450D.tmp.exe" /f /a
del "%windir%\system32\Winlogons.exe" /f /a
Delete the virus from the pen drives if you use any. (**** replace K with your drive name.. )
del K:\autorun.inf /a /f
del K:\MicrosoftPowerPoint.exe /a /f
Registry
Open Run>CMD and paste the following codes one by one.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /va
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe
PRECAUTIONS
Never double-click your pen drives. It spreads through removable drives. Always use folder view for navigation. And enable the view to see system files and hidden files. And delete the files in the pen drives.
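
A read-only check for the files and registry values named in this post, useful before and after the cleanup steps to see what is actually present. This is an added example, not the author's code; it assumes PowerShell 3.0 or later (for Get-CimInstance) and uses only the paths and value names listed above.

```powershell
# Read-only triage for the indicators listed in this post; it changes nothing.
# Added example (not the author's code). Paths and value names come from the post.
$findings = @()

# Files the post says are dropped on the system drive.
$paths = @(
    (Join-Path $env:windir 'system32\Winlogons.exe'),
    (Join-Path $env:TEMP   '~DF450D.tmp.exe')
)
# Files the post says are copied to the root of removable drives (DriveType 2).
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $paths += "$($disk.DeviceID)\autorun.inf"
    $paths += "$($disk.DeviceID)\MicrosoftPowerPoint.exe"
}
foreach ($p in $paths) {
    # -Force is needed because the post lists these files as Hidden+System.
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Type = 'File'; Where = $p; Detail = "$($item.Attributes)" }
    }
}

# Registry values from the post. Clean = $null means "should not exist at all".
$regChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run'; Name = 'Explorer'; Clean = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Clean = 'Explorer.exe' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCmd'; Clean = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCmd'; Clean = 0 }
)
foreach ($c in $regChecks) {
    $prop = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }   # key or value absent: nothing to report
    $value = $prop.($c.Name)
    # Report the value if it should not exist, or if it differs from the clean setting.
    if ($null -eq $c.Clean -or $value -ne $c.Clean) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$($c.Key)\$($c.Name)"; Detail = "$value" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this post were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Checking first matters because `reg delete ... RunOnce /va` removes every value under RunOnce and the second `reg delete` removes the whole policies\explorer\Run key, not only the entries this virus created.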

13 June, 2008 at 2:54 pm
DARYL
delete in safe mode, or use UnLocker software to delete
20 July, 2008 at 12:37 pm
i tried as was written in ur 2nd step to paste the following codes…. to delete MicrosoftPowerpoint virus…..
but….still…the CMD is showing some other messages…..i.e wrong volume or something like that…!!!
22 July, 2008 at 4:35 pm
ARJUN
check what drive letter u are using??
27 July, 2008 at 12:08 pm
drive ‘G’
30 July, 2008 at 7:53 pm
I typed the statements in dos…..to remove virus frm the pen drive……
i.e
”
del G:\autorun.inf /a /f
del G:\MicrosoftPowerPoint.exe /a /f
”
but still the virus is there on my pen drive…….what to do…???
I also want to copy some of my important or urgent files from it…..
9 September, 2008 at 8:05 pm
you r doing a gr8 job..!!! Keep it up..
21 October, 2008 at 5:06 pm
do u know a file called TOSbtExt? keeps on poping up