Stuck opening Mozilla with the message "I DNT HATE MOZILLA BUT USE IE OR ELSE…"? Or do you see "ORKUT IS BANNED, Orkut is banned you fool`, The administrators didn't write this program guess who did??" when you try to open Orkut, or "youtube IS BANNED,youtube is banned you fool`, The administrators didn't write this program guess who did??`r`r MUHAHAHA!!,30" when you try to open YouTube? Which virus has infected your PC?
Your PC is most likely infected by the worm "W32/AHKHeap", also known as the powerpoint.exe virus.
Virus characteristics:
This worm spreads through removable drives. It copies itself to your hard disk with the help of an autorun.inf file, which triggers AutoPlay when the removable drive is opened.
You cannot see these files because they are hidden.
The files it copies are listed here:
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) --> Media file
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) --> List of drives it tries to replicate to
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) --> Icon file
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) --> AutoHotKey script
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) --> List of drives the worm is copied to
C:\Documents and Settings\Administrator\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) --> Copy of worm
c:\heap41a\2.mp3 (56,467 bytes) --> Media file played when the alert box is displayed
c:\heap41a\drivelist.txt (72 bytes) --> List of drives to scan for
c:\heap41a\Icon.ico (318 bytes) --> Icon file
c:\heap41a\reproduce.txt (834 bytes) --> AutoHotKey script for registry manipulation
c:\heap41a\script1.txt (3,588 bytes) --> AutoHotKey script for message box creation
c:\heap41a\std.txt (439 bytes) --> AutoHotKey script for registry manipulation / running the other scripts
c:\heap41a\svchost.exe (239,104 bytes) --> Copy of worm
c:\heap41a\offspring\autorun.inf (21 bytes) --> Used to autorun the worm when the drive is accessed
You cannot see these files because they are hidden, and you still cannot see them after turning on "Show hidden files and folders" in Folder Options, because the worm disables that option.
The worm also adds this registry startup value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt"
It disables the "Show hidden files" option in Folder Options using the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
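The file paths and registry values above can be checked in one pass instead of by hand. The script below is an added example for this post, not code from the original article or from McAfee; it is written for Windows PowerShell (it uses Get-WmiObject, which is available on the XP/2003-era systems this post targets), uses $env:TEMP in place of the hard-coded Administrator profile path, and only reads: it changes nothing. Run it from an elevated prompt so it can see the process paths of every svchost.exe.

```powershell
# Added example (not from the original post): read-only check for the
# W32/AHKHeap indicators listed above. Run as Administrator.

# Dropped files named in the post. The worm marks them hidden, so -Force is
# required when looking them up. $env:TEMP replaces the post's
# "C:\Documents and Settings\Administrator\Local Settings\Temp" path.
$indicators = @(
    'C:\heap41a\svchost.exe',
    'C:\heap41a\std.txt',
    'C:\heap41a\script1.txt',
    'C:\heap41a\reproduce.txt',
    'C:\heap41a\offspring\autorun.inf',
    (Join-Path $env:TEMP 'MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe'),
    (Join-Path $env:TEMP 'MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt')
)

$hits = @()

foreach ($p in $indicators) {
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $hits += "file present: $p"
    }
}

# Startup value the post describes: HKLM\...\policies\Explorer\Run, "winlogon"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -Name winlogon -ErrorAction SilentlyContinue
if ($run -and $run.winlogon -match 'heap41a') {
    $hits += "startup value: winlogon = $($run.winlogon)"
}

# "Show hidden files" radio button forced off: CheckedValue is 0 instead of 1
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
if ($cv -and $cv.CheckedValue -eq 0) {
    $hits += 'SHOWALL\CheckedValue is 0 (hidden-file option disabled)'
}

# The genuine svchost.exe only ever runs from %SystemRoot%\System32 under
# service accounts. One running from anywhere else (the post's C:\heap41a,
# launched under the logged-on user's name) is the worm's copy.
Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and $_.ExecutablePath -notlike "$env:SystemRoot\System32\*") {
        $owner = $_.GetOwner()
        $hits += "svchost.exe PID $($_.ProcessId) from $($_.ExecutablePath) as $($owner.Domain)\$($owner.User)"
    }
}

if ($hits.Count -eq 0) { 'No W32/AHKHeap indicators found.' } else { $hits }
```

The process check is the scripted form of the "look at the User Name column" tip in the removal steps: a genuine svchost.exe is owned by SYSTEM, LOCAL SERVICE or NETWORK SERVICE and lives in System32, so path and owner together separate the worm's copy from the real service host.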
Steps to remove this virus:
First you must terminate the "svchost.exe" process in Task Manager (press CTRL+ALT+DEL). Be careful: svchost.exe is also a critical file used by Windows, and the worm has duplicated its name, so you need to check the svchost.exe processes one by one.
Tip: find the svchost.exe that was launched from your own user account. For example, if your user name is "zooltechnology", find the process whose "User Name" column shows zooltechnology.
If you accidentally terminate a genuine Windows svchost.exe process, a shutdown warning will pop up.
Don't worry, this can be fixed by opening a command prompt (START ---> Run ---> CMD) and typing "shutdown -a"; the warning will disappear.

Now you can open Mozilla again after terminating this process.
Modify the registry:
To delete the virus you must edit the registry (START ---> Run ---> Regedit) and open this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"CheckedValue" = "00000000"
Double-click CheckedValue, enter the value "1" and click OK.
You must also delete this startup value:
"winlogon"= "C:\heap41a\svchost.exe C:\heap41a\std.txt" at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Now you can show hidden files. Also make sure to uncheck "Hide protected operating system files (Recommended)" in Folder Options, because some of the worm's files carry the system attribute.
Next, delete these files:
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\2.mp3 (56,467 bytes) --> Media file
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\drivelist.txt (72 bytes) --> List of drives it tries to replicate to
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\Icon.ico (318 bytes) --> Icon file
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\Install.txt (8,743 bytes) --> AutoHotKey script
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\pathlist.txt (varies) --> List of drives the worm is copied to
C:\Documents and Settings\(yourPCname)\Local Settings\Temp\MicrosoftPowerPoint\MicrosoftPowerPoint\svchost.exe (239,104 bytes) --> Copy of worm
c:\heap41a\2.mp3 (56,467 bytes) --> Media file played when the alert box is displayed
c:\heap41a\drivelist.txt (72 bytes) --> List of drives to scan for
c:\heap41a\Icon.ico (318 bytes) --> Icon file
c:\heap41a\reproduce.txt (834 bytes) --> AutoHotKey script for registry manipulation
c:\heap41a\script1.txt (3,588 bytes) --> AutoHotKey script for message box creation
c:\heap41a\std.txt (439 bytes) --> AutoHotKey script for registry manipulation / running the other scripts
c:\heap41a\svchost.exe (239,104 bytes) --> Copy of worm
c:\heap41a\offspring\autorun.inf (21 bytes) --> Used to autorun the worm when the drive is accessed
Next, empty your Recycle Bin and restart your PC. We recommend the McAfee VirusScan Enterprise antivirus, because McAfee was the first to discover this worm.
An alternative is to modify the registry first as described above, then remove your hard disk, attach it to another PC that is not infected with this worm, and carry out all the steps above except the svchost.exe termination step.
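The whole removal procedure (stop the worm's svchost.exe, restore the hidden-file option, remove the startup value, delete the dropped files) can be scripted so nothing is missed. The script below is an added example written for this post, not the original author's procedure or a McAfee tool. It assumes Windows PowerShell run as Administrator, the paths and registry values the post lists, and $env:TEMP for the per-user Temp folder; it removes the two drop directories whole because the post lists nothing but worm files inside them. Run it with -WhatIf first to see every action it would take without changing anything.

```powershell
# Added example (not from the original post): scripted W32/AHKHeap removal.
# Usage:  .\Remove-AhkHeap.ps1 -WhatIf   (dry run)
#         .\Remove-AhkHeap.ps1           (apply)
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
# Drop directories from the post; $env:TEMP stands in for
# "C:\Documents and Settings\(yourPCname)\Local Settings\Temp".
$dropDirs = @('C:\heap41a', (Join-Path $env:TEMP 'MicrosoftPowerPoint'))

# Step 1: stop only the worm's svchost.exe. The genuine service host runs
# from %SystemRoot%\System32, so any svchost.exe elsewhere is the copy the
# post tells you to find under your own user name in Task Manager.
$procs = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notlike "$env:SystemRoot\System32\*" }
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("PID $($p.ProcessId) ($($p.ExecutablePath))", 'Stop-Process')) {
        Stop-Process -Id $p.ProcessId -Force
    }
}

# Step 2: restore "Show hidden files" (CheckedValue 0 -> 1) and remove the
# "winlogon" startup value that relaunches C:\heap41a\svchost.exe.
if ($PSCmdlet.ShouldProcess("$showAll\CheckedValue", 'Set to 1')) {
    Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
}
if ((Get-ItemProperty -Path $runKey -Name winlogon -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess("$runKey\winlogon", 'Remove-ItemProperty')) {
    Remove-ItemProperty -Path $runKey -Name winlogon
}

# Step 3: delete the dropped files. Clearing the hidden/system attributes
# first is the scripted equivalent of unticking "Hide protected operating
# system files" in Folder Options; -Force is still needed for hidden items.
foreach ($d in $dropDirs) {
    if ((Test-Path -LiteralPath $d) -and $PSCmdlet.ShouldProcess($d, 'Remove-Item -Recurse')) {
        Get-ChildItem -LiteralPath $d -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $_.Attributes = 'Normal' }
        Remove-Item -LiteralPath $d -Recurse -Force
    }
}
```

Because Step 1 filters on the executable path, a genuine svchost.exe is never stopped, and the "shutdown -a" recovery from the manual steps should not be needed; keep it in mind if you stop processes by hand instead. Empty the Recycle Bin and reboot afterwards, as the post says, and scan any removable drive that was plugged into the machine, since that is how the worm arrived.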