
Monday, December 31, 2007

How to remove Microsoft Powerpoint.exe virus or Orkut Virus

Have you seen this message on your computer?

"ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??"

Then you are infected with the above virus.
The virus, after infecting your computer, creates a folder named "heap41a" in your root drive (i.e. the C: drive), where it resides. This folder is hidden, and since the virus disables the "Show hidden files and folders" option, it is not easy to locate. The folder contains the following:
* Offspring - an empty folder.
* 2.mp3 - a laughing sound.
* Icon.ico - a blank icon file.
* reproduce.txt - codes to change registry entries.
* svchost.exe - gives all kinds of pop-ups.
* script1.txt - codes for displaying pop-ups.
* std.txt - codes to change registry entries.

It will not let you open Orkut using Internet Explorer. It will not even let you access YouTube.

This is the AHKHEAP worm.
Files: MicrosoftPowerPoint.exe (462,050 bytes), svchost.exe (239,104 bytes)
Aliases: W32/AHKHeap-A (Sophos), WORM_AHKHEAP.A (Trend Micro)

Removal Process
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

1. First, boot your computer into Safe Mode by pressing F8 while booting.
2. Then go to Search and, in the advanced options, select searching in hidden files and folders and in system files and folders.
3. In the search box, enter the keyword "heap41a".
4. You will see a folder named "heap41a" in C:\.
5. Shift+Delete that folder.
6. If you see the message that the system cannot delete the file, press Ctrl+Alt+Delete.
7. End the svchost.exe task. Make sure it is the copy running from the heap41a folder and not the legitimate Windows svchost.exe in System32, since ending the wrong one can make Windows XP restart.
8. Then try again to delete the "heap41a" folder.

Now I will tell you how to restore your registry.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

1. Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > Explorer > Run
3. In the right panel, locate and delete the entry: winlogon = "%System Root%\heap41a\svchost.exe %System Root%\heap41a\std.txt"

Deleting/Restoring Other Registry Entries

1. Still in the Registry Editor, in the left panel, double-click the following: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > Explorer > Run
2. In the right panel, locate and delete the entry: status = "present"
3. In the left panel, double-click the following: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Explorer > Advanced > Folder > Hidden > SHOWALL
4. In the right panel, locate the entry: CheckedValue = "0"
5. Right-click on the value name and choose Modify. Change the value data of this entry to: 1
6. Close Registry Editor.

Deleting the Malware Folders

1. Right-click Start, then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type: MICROSOFTPOWERPOINT
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, check if the location of the file is the following: %User Temp% (Note: %User Temp% is the current user's Temp folder, which is usually C:\Windows\Profiles\{user name}\Temp on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Temp on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
5. If yes, select the file, then press SHIFT+DELETE.
6. Again in the Named input box, type: heap41a
7. In the Look In drop-down list, select My Computer, then press Enter.
8. Once located, check if the location of the folder is the following: %System Root% (Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
9. If yes, select the folder, then press SHIFT+DELETE.

Restoring AUTORUN.INF

1. Right-click Start, then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type: AUTORUN.INF
3. In the Look In drop-down list, select a drive, then press Enter.
4. Select the file, then open it using Notepad.
5. Check if the following lines are present in the file:
   [Autorun]
   open=MicrosoftPowerPoint.exe
   shellexecute=MicrosoftPowerPoint.exe
   shell\Auto\command=MicrosoftPowerPoint.exe
6. If the lines are present, delete the file.
7. Repeat steps 3 to 6 for AUTORUN.INF files on the remaining removable drives.
8. Close Search Results.
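As an added example that is not part of the original post, the following PowerShell script checks for the indicators listed in the removal steps above (the Run policy values, the SHOWALL setting, the heap41a folder, the dropper in the Temp folder, autorun.inf entries, and an svchost.exe running from heap41a) and reports what it finds without deleting anything. Using PowerShell instead of the Search dialog and Regedit, and scanning every file-system drive, are assumptions of this example.

```powershell
# Added audit script (not from the original post). Reports AHKHeap indicators
# described above; it changes nothing. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Values the worm adds under Policies\Explorer\Run (winlogon, status)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in 'winlogon', 'status') {
        $val = $run.PSObject.Properties[$name]
        if ($val) { $findings += "Registry: $runKey\$name = '$($val.Value)'" }
    }
}

# 2. "Show hidden files" switched off by setting CheckedValue to 0
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings += 'Registry: SHOWALL\CheckedValue is 0 (hidden files suppressed)' }

# 3. The hidden heap41a folder in the system root and the dropper in the Temp folder
$heap = Join-Path $env:SystemDrive 'heap41a'
if (Test-Path $heap) {
    $findings += "Folder: $heap exists"
    Get-ChildItem -Path $heap -Force | ForEach-Object {
        $findings += "  contains $($_.Name) ($($_.Length) bytes)"
    }
}
$dropper = Join-Path $env:TEMP 'MicrosoftPowerPoint.exe'
if (Test-Path $dropper) { $findings += "File: $dropper exists" }

# 4. autorun.inf on any drive pointing at MicrosoftPowerPoint.exe (lines from the post)
$pattern = '^(open|shellexecute|shell\\Auto\\command)\s*=\s*MicrosoftPowerPoint\.exe'
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if ((Test-Path $inf) -and (Select-String -Path $inf -Pattern $pattern -Quiet)) {
        $findings += "autorun.inf: $inf references MicrosoftPowerPoint.exe"
    }
}

# 5. An svchost.exe running from heap41a rather than from System32
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like '*\heap41a\*' } |
    ForEach-Object { $findings += "Process: PID $($_.Id) running $($_.Path)" }

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No AHKHeap indicators found.' }
```

Review the reported items against the steps above before deleting anything, since the script deliberately stops at reporting.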

Now you have removed the virus files. Enjoy browsing. But before that, restore the normal "Show hidden files and folders" setting by following the registry method described above in this blog.


2 comments:

RADICALNICK said...

gr8 job man... I've got rid of da worm!!! Thanx a lot!!!

Arun Prabhakar said...

I am my antivirus now...

here

Let more people become their own antivirus, or say bye-bye to Windows.
