'MicrosoftPowerpoint.exe' virus!!!

[ankushkool]

my usb has this virus, its not removed even if i format it what sud i do???

[zyberboy]

may be the virus is running in ur compu and rewriting iteself

first download http://www.hijackthis.de/ hijackthis , scan and post the log file here

[~Phenom~]

^^true , else format removes all viruses.

[a_k_s_h_a_y]

it means ur comp is now infected with that viurs
coz once it comes to your comp from USB it copies to Comp all the drives
and then nxt time when u plug in usb drive...it copies itself into it
it copies itself every time in all the drives if its deleted......
just find out a way...start in safe mode and search it and delete it everywhere
search for it in registry and delete all entries related to it

else get an anti virus which can fix it

also dont forget to google search MicrosoftPowerpoint.exe

[ankushkool]

yes i think there is a virus on my comp as i cannot see hidden items on my comp??? how 2 remove this virus???

Quote:

Originally Posted by cyberboy_kerala

first download http://www.hijackthis.de/ hijackthis , scan and post the log file here

here is de log file

Logfile of HijackThis v1.99.1
Scan saved at 12:34:53 AM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\pc suite\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
E:\Program Files\pc suite\Nokia PC Suite 6\OneTouchAccess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\LimeWire\LimeWire.exe
E:\Program Files\GetRight\getright.exe
E:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = +
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - e:\PROGRA~1\YETISP~1\IEBUTT~1.DLL
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...tml?p=ZRfox000
O8 - Extra context menu item: Download with GetRight Pro - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - e:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E550478-9B30-4FB7-96C7-CCB4CA49EE69}: NameServer = 202.56.230.5 202.56.240.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD958065-2DD7-4596-89FD-121423D33976}: NameServer = 192.255.255.0,192.255.255.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)

************************************************** *********************************

i tried many antivirus , only 'clamWin Portable' detected de following virus(it has latest def) but it did not take any action.
K: is my USB drive


K:\MicrosoftPowerPoint.exe: Trojan.Mozban FOUND
----------- SCAN SUMMARY -----------
Known viruses: 140122
Engine version: 0.90.2
Scanned directories: 1
Scanned files: 2
Skipped non-executable files: 0
Infected files: 1

************************************************** *****************************

i even scaned de file using 'Kaspersky File Scanner' it showed de following:


microsoftpowerpoint.exe/data.rar/archive comment - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/drivelist.txt - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/Install.txt - infected by Trojan.Win32.Agent.aoe
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/pathlist.txt - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/Icon.ico - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/2.mp3 - OK

[zyberboy]

Quote:

Originally Posted by ankushkool

i even scaned de file using 'Kaspersky File Scanner' it showed de following:


microsoftpowerpoint.exe/data.rar/archive comment - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/drivelist.txt - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/Install.txt - infected by Trojan.Win32.Agent.aoe
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/pathlist.txt - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/svchost.exe - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/Icon.ico - OK
microsoftpowerpoint.exe/data.rar/MicrosoftPowerPoint/2.mp3 - OK

Your compu does't seems infected
That virus(MicrosoftPowerPoint.exe) is in the usb isn't?.Have u tried delete the virus manually?
Can u see hidden folders in ur compu,if not set it to tat option and open the USB drive by right clicking(dont double click the usb drive) the usb drive and click EXPLORE,now delete the autorun file and MicrosoftPowerPoint.exe...Does the virus reappears???

[Charan]

@ankushkool the solution is given by the author of the virus here

@cyberboy_kerala Whats the problem with you ?? Dont remember Orkut/Youtube virus writen by fennedman? you have even replied to his post

[zyberboy]

^^I know man, but chk out the hijackthis log file that ankushkool posted, heap41a virus is no where to see running.But sure his usb contains virus heap41a thats why i asked him to delete the virus manually to see what happens
Lets see ankushkool reply....

[Charan]

^^Heap41a is a directory not a virus

Quote:

After all this go to folder options uncheck hide protected files
you'll see C:\heap41a folder, delete it and you'll see microsoftpowerpoint.exe in your pen drives along with autorun.inf , delete them

[zyberboy]

I YEAH I KNOW
what i said is there is no svhost.exe running from C:\heap41a folder,and virus name is not that different from its folder
W32/AHKHeap.

[Charan]

^^ Ok I think you got a little upset. I will leave that for now, lets see what ankush has to say.

[ankushkool]

guys i couldht delete de file on my comp, it reappers. i formated my drive on my friends comp only then de virus dissappered.

[harikrishnat]

Quote:

Originally Posted by ankushkool

guys i couldht delete de file on my comp, it reappers. i formated my drive on my friends comp only then de virus dissappered.

1. Press CTRL+ALT+DEL and go to the processes tab
2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
3. Press DEL to kill these files. It will give you a warning, Press Yes
4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
5. Now open My Computer
6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
7. Delete all the files here
8. Now go to Start --> Run and type Regedit
9. Go to the menu Edit --> Find
10. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"
11. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes
12. Now close the registry editor.

Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.

and the microsoftpowerpoint.exe ll be stored in temp folder also search for the same and delete all.

to remove it in pen drive insert it into a linux machine and delete the folder.

[ankushkool]

thanx dude it worked
thanx everyone 4 helpin.... keep up de good work

[zyberboy]

^^weird ur log file did't showed svhost.exe frm heap41a
anyway can u see hidden files in ur compu?

[praka123]

else u can boot a knoppix linux livecd to access hidden "$" files to delete and clear(ntfs too).

[ankushkool]

no i still cannot see hidden files??? where can i get this knoppix live cd

[zyberboy]

^^Solution is given in the first link that charangk gave in post 7, there is a registry entry to edit.....

[digitalpbk]

Manual Removal
Since the virus automatically hides all the files, you cant easily find it.
First run msconfig, and look at the start up values to find the location of the virus.
Remove that entry by unchecking the tick mark.
Reboot the system.
Do the steps given in here

Find the location where it resides, from msconfig and delete the contents of the folder. Usually in /Documents and Settings/User/Local Settings/Temp/.

Now the system must be free of the virus.
Disable the autorun
to prevent further infections.

for more chk out...
http://digitalpbk.blogspot.com/2008/...-usb-worm.html

[Hrithan2020]

Also in order to make sure that ur usb in not infected again.Make a blank .exe file named powerpoint.exe and then make it read only.Do the same for autorun(ie readonly).This way,virus wont be copied to ur usb.