MicrosoftPowerPoint.exe / Monitor Virus

MicrosoftPowerPoint.exe/H icon logo taskbar/ monitor/~DF450D.tmp.exe

Kaspersky's latest update still does not detect this virus as of 8 Nov 2007. And I did it before, as I promised . . .

This is the new version of the old "orkut virus" if you remember … Mu hu ha ha ha ….. but it doesn't do anything like that now… : )

And I have got the website of the programmer who developed this virus… It's http://sapn4.tripod.com/

But PLEASE, I request, do not go to that site, or else your computer may be seriously affected. The virus starts downloading automatically.

There's nothing on the site but a few Google ads.

It's quite an old virus now. But Kaspersky still doesn't detect it. Probably no one reported it.. he he

VIRUS FILES

File Name: MicrosoftPowerPoint.exe
Icon: Folder with a small “my comp” icon within it
Type: Application
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Tuesday, June 26, 2007, 1:06:24 PM
Attributes: Read-only, Hidden+System, Archive

File Name: Winlogons.exe
Icon: Folder
Type: Winlogons
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Wednesday, October 31, 2007, 10:20:00 PM
Attributes: Read-only, Hidden+System, Archive

File Name: MsUpdate.exe
Icon: ‘H’ in green color
Type: Application
Description: AutoHotKey
Size: 230 KB (235,520 bytes)
Modified: Wednesday, June 20, 2007, 10:38:52 PM
Attributes: Archive
File version: 1.0.46.17
Internal Name: AutoHotKey

PARTIALLY DETECTED BY KASPERSKY

Trojan-Downloader.Win32.AutoIt.t -> monitor 2.6 KB

SYMPTOMS

These two hidden system files are automatically copied to your removable drives:
MicrosoftPowerPoint.exe
autorun.inf

Double-clicking the removable drives doesn't work (the autorun.inf runs the virus instead)
Tools > Folder Options is disabled
You are unable to see your hidden files
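The autorun.inf copied to the drive is what turns a double-click on the drive into running the worm. As an added example (not code from the post), here is a Python checker that parses an autorun.inf from a drive root and flags launch entries (open, shellexecute, shell\<verb>\command) that point at a script or executable on the drive. The sample inf contents are constructed; the post does not reproduce the real file.

```python
import re
from pathlib import Path

# Constructed sample: an autorun.inf of the kind a USB worm drops beside its
# executable so that opening the drive runs it. Illustrative only; the real
# file from this infection is not reproduced in the post.
SAMPLE_AUTORUN_INF = r"""
[autorun]
open=MicrosoftPowerPoint.exe
shellexecute=MicrosoftPowerPoint.exe
shell\open\Command=MicrosoftPowerPoint.exe
shell\explore\Command=MicrosoftPowerPoint.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# A benign autorun.inf that only sets the drive icon and label (constructed).
BENIGN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=MyDrive\n"

# Keys in [autorun] whose value is executed when the drive is opened or
# AutoPlayed; shell\<verb>\command entries hijack the context-menu verbs.
EXEC_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return the [autorun] key/value pairs with lowercased keys (INI-style)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command):
    """The program part of a command line, honouring a quoted first argument."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def executable_targets(entries):
    """(key, program) for every entry that would launch something."""
    return [(k, first_token(v)) for k, v in entries.items()
            if k in EXEC_KEYS or VERB_COMMAND_RE.match(k)]


def is_suspicious(entries):
    """True when any launch entry points at a script or executable."""
    return any(prog.lower().endswith(EXEC_EXTENSIONS)
               for _, prog in executable_targets(entries))


def scan_drive_root(root):
    """Report on the autorun.inf under <root>; None when the drive has none."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    entries = parse_autorun(inf.read_text(errors="replace"))
    targets = executable_targets(entries)
    return {
        "suspicious": is_suspicious(entries),
        "targets": targets,
        # Programs the inf names that are actually present on the drive root.
        "present": sorted({p for _, p in targets if (Path(root) / p).exists()}),
    }


if __name__ == "__main__":
    # Point this at a mounted removable drive, e.g. "K:\\" on Windows.
    print(scan_drive_root("."))
```

The check only reads the file, so it is safe to run against a drive before deciding what to delete; an inf that merely sets icon or label is reported as not suspicious.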

BEHIND THE SCREEN

DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate~1
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Runs the file
C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\IXP000.TMP\MsUpdate.exe

CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer

Creates a value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
Value: Explorer
New data (Unicode null-terminated string): Winlogons

Deletes the value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: wextract_cleanup0
Data (Unicode null-terminated string):
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP"
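The trace above is the footprint of an IExpress/wextract self-extracting package: it unpacks into an IXP000.TMP folder under Temp, registers a RunOnce value named wextract_cleanup0 to remove that folder later, runs the payload, and the payload then adds itself under policies\explorer\Run. As an added example, not part of the post, the following Python script triages log lines of that shape (operation, then a file or registry path) and flags drop locations and autostart writes. The sample trace is constructed from the lines above plus the system32 copy of Winlogons.exe that the solution section deletes.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule severity line")

# Constructed trace, modelled on the "BEHIND THE SCREEN" lines in the post.
# The system32 line is added here to cover the Winlogons.exe copy that the
# SOLUTION section deletes; it is not part of the post's own trace.
SAMPLE_TRACE = r"""
DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer
CreateFile C:\WINDOWS\system32\Winlogons.exe
"""

# Registry locations that start a program at logon. policies\explorer\Run is
# the one this sample uses; it is inspected far less often than the Run key.
AUTOSTART_RULES = [
    (r"\\CurrentVersion\\Run\\", "Run key autostart", "high"),
    (r"\\CurrentVersion\\RunOnce\\", "RunOnce autostart", "medium"),
    (r"\\policies\\explorer\\Run\\", "policies\\explorer\\Run autostart", "high"),
    (r"\\Winlogon\\Shell$", "Winlogon Shell value changed", "high"),
]

# IXP<nnn>.TMP under Temp is the staging folder wextract (IExpress) creates.
STAGING_RE = re.compile(r"\\(IXP\d{3}\.TMP)(?:\\|$)", re.IGNORECASE)


def triage(trace):
    """Return a Finding for each line that matches a drop or autostart rule."""
    findings, staging_seen = [], set()
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        op, _, path = line.partition(" ")
        lowered = path.lower()

        # Report each staging folder once, as context for the other findings.
        m = STAGING_RE.search(path)
        if m and m.group(1).upper() not in staging_seen:
            staging_seen.add(m.group(1).upper())
            findings.append(Finding("IExpress/wextract staging dir (IXP*.TMP)", "info", line))

        # Executables written where user-mode malware typically drops them.
        if op == "CreateFile" and lowered.endswith(".exe"):
            if "\\temp\\" in lowered:
                findings.append(Finding("executable dropped under Temp", "high", line))
            elif "\\system32\\" in lowered:
                findings.append(Finding("executable written to system32", "high", line))

        # Registry writes to known autostart locations.
        if op in ("CreateRegValue", "SetRegValue"):
            for pattern, rule, severity in AUTOSTART_RULES:
                if re.search(pattern, path, re.IGNORECASE):
                    findings.append(Finding(rule, severity, line))
    return findings


def severity_counts(findings):
    """Number of findings per severity, e.g. {'high': 3, 'medium': 1, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
    print(severity_counts(triage(SAMPLE_TRACE)))
```

The RunOnce cleanup entry is rated medium on purpose: on its own it is how every IExpress package tidies up, and it only becomes interesting next to the Temp drop and the policies\explorer\Run write.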

THE VIRUS PROGRAM

<the script is of type Trojan-Downloader.Win32.AutoIt.t>

The virus has been written in AutoHotKey 1.0.46.17

xxxxxx Deleted by PiyushLabs for security reasons xxxxxx

SOLUTION

End Task
Open Run and paste the following codes one by one.

TASKKILL /f /t /fi "IMAGENAME eq svchost.exe" /fi "USERNAME ne NT AUTHORITY*"
TASKKILL /f /t /fi "IMAGENAME eq MsUpdate.exe"
TASKKILL /f /t /fi "IMAGENAME eq Winlogons.exe"

Enable CMD
Open Run and paste the following codes.

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f

Delete
Open Run > CMD and paste the following codes one by one.

del "%userprofile%\Local Settings\Temp\MSDATA" /f /a
del "%userprofile%\Local Settings\Temp\IXP000.TMP" /f /a
del "%temp%\~DF450D.tmp.exe" /f /a
del "%windir%\system32\Winlogons.exe" /f /a

Delete the virus from the pen drives if you use any. (Replace K with your drive letter.)

del K:\autorun.inf /a /f
del K:\MicrosoftPowerPoint.exe /a /f

Registry
Open Run > CMD and paste the following codes one by one.

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /va

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe

PRECAUTIONS

Never double-click your pen drives; the virus spreads through removable drives. Always use the folder view for navigation, and enable the view to see system files and hidden files. And delete the files on the pen drives.

28 Responses to “MicrosoftPowerPoint.exe / Monitor Virus”

  1. piyushlabs Says:

    DARYL
    delete in safe mode, or use UnLocker software to delete

  2. Arjun kp Says:

    i tried as was written in ur 2nd step to paste the following codes…. to delete MicrosoftPowerpoint virus…..
    but….still…the CMD is showing some other messages…..i.e. wrong volume or something like that…!!!

  3. piyushlabs Says:

    ARJUN
    check what drive letter u are using??

  4. Arjun kp Says:

    drive ‘G’

  5. Arjun kp Says:

    I typed the statements in dos…..to remove virus frm the pen drive……
    i.e

    del G:\autorun.inf /a /f
    del G:\MicrosoftPowerPoint.exe /a /f


    but still the virus is there on my pen drive…….what to do…???
    I also want to copy some of my important or urgent files from it…..

  6. Arun Chandrasekhar Says:

    you r doing a gr8 job..!!! Keep it up..

  7. daryl Says:

    do u know a file called TOSbtExt? keeps on popping up

  8. perry Says:

    i got this on my friend's USB, now when i do the CMD things trying to delete it it says unknown invalid blah blah blah, but the RUN stuff worked, hopefully this got rid of it. thanks
