How to Remove Microsoft
by WinXPert
Type of file: exefile
Description:
Location: C:\WINDOWS\Microsoft\
Size: 3911179 b
MD5: 089D11B01A4C81EDEAB6C582D297D2E9
Attributes: Archive, Hidden, System, Read-Only
File Version: 1.00.0003
Company: By: Morgan Haueisen
Copyright: Copyright (c) 2003
Product Name: USA Quiz
Product Version: 1.00.0003
Original File Name: New.exe
Trademarks:
Internal Name: New
Comments:
Disables Registry Editor
Known system changes:
C:\Documents and Settings\Owner\Application Data\logs.dat
C:\Documents and Settings\Owner\Local Settings\Temp\UuU.uUu
C:\Documents and Settings\Owner\Local Settings\Temp\XxX.xXx
C:\WINDOWS\Microsoft\Microsoft.exe
C:\Documents and Settings\All Users\Application Data\TEMP
C:\WINDOWS\Microsoft
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\Implemented Categories
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}
HKLM\SOFTWARE\Licenses
HKCU\Software\nagato
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\: "&Links"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\MenuTextPUI: "@browselc.dll,-13138"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32\: "%SystemRoot%\system32\SHELL32.dll"
HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}\StubPath: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKLM\SOFTWARE\Licenses\{K7C0DB872A3F777C0}: random data
HKLM\SOFTWARE\Licenses\{I054347D90A928356}: 06 00 00 00
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System: "C:\WINDOWS\Microsoft\Microsoft.exe"
HKCU\Software\nagato\FirstExecution: "31/08/2014 -- 12:24"
HKCU\Software\nagato\NewIdentification: "nagato"
Manual Removal Instructions for Microsoft:
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Make sure you create a System Restore point before proceeding:
1. Download Kill_Microsoft.bat and copy it to your Startup folder
2. Log off and log on again. The batch file will run in an endless loop. Allow it to run for a few seconds until no more Microsoft.exe processes are being terminated.
3. Delete the following files.
del "%appdata%\logs.dat" /f
del "%Temp%\UuU.uUu" /f
del "%Temp%\XxX.xXx" /f
del "%windir%\Microsoft\Microsoft.exe" /f /a
4. Repair the system registry using the following commands.
reg delete "HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}" /f
reg delete "HKLM\SOFTWARE\Licenses" /f
reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}" /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /f
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System32" /f
reg delete "HKCU\SOFTWARE\nagato" /f
5. Delete the following folder. Clean your temp folders using TFC or CCleaner.
rd "%WINDIR%\Microsoft" /s /q
6. Update your antivirus/antimalware program and perform a full scan of the computer.
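A read-only check to run after the steps above, added here as an example (it is not WinXPert's Kill_Microsoft.bat and not part of the original report): it looks for each file, folder and registry entry listed under "Known system changes" and prints the ones still present. It also covers the HKLM ...\policies\Explorer\Run\Policies value from that list, which the step 4 commands do not reference. The label names :chkpath, :chkval and :chkkey are this example's own.

```batch
@echo off
rem Added example: read-only check for leftovers listed in this report.
rem Paths, value names and GUIDs are copied from the report; nothing is deleted.
setlocal
set "EXE=\Microsoft\Microsoft.exe"
set /a FOUND=0

rem Dropped files and folder ("if exist" also matches hidden/system items).
call :chkpath "%APPDATA%\logs.dat"
call :chkpath "%TEMP%\UuU.uUu"
call :chkpath "%TEMP%\XxX.xXx"
call :chkpath "%WINDIR%\Microsoft\Microsoft.exe"
call :chkpath "%WINDIR%\Microsoft"

rem Autostart values: flagged only when the data still points at the dropped EXE.
call :chkval "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "System32"
call :chkval "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "System"
call :chkval "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" "Policies"
call :chkval "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" "Policies"
call :chkval "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{FHC6186D-X430-3B61-3HFS-4K1554TSXEV6}" "StubPath"

rem Registry keys the report lists as created.
call :chkkey "HKLM\SOFTWARE\Classes\CLSID\{24AA3079-047E-4182-047E-4182047E4182}"
call :chkkey "HKLM\SOFTWARE\Licenses"
call :chkkey "HKCU\Software\nagato"

echo Listed artifacts still present: %FOUND%
endlocal & exit /b %FOUND%

:chkpath
if not exist "%~1" goto :eof
echo [PATH]  %~1
set /a FOUND+=1
goto :eof

:chkval
rem find's exit code is 0 only when the value data contains the EXE path.
reg query "%~1" /v "%~2" 2>nul | find /i "%EXE%" >nul
if errorlevel 1 goto :eof
echo [VALUE] %~1\%~2
set /a FOUND+=1
goto :eof

:chkkey
reg query "%~1" >nul 2>&1
if errorlevel 1 goto :eof
echo [KEY]   %~1
set /a FOUND+=1
goto :eof
```

The exit code equals the number of listed items still found, so 0 means none of them remain.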
All content ("Information") contained in this report is the
copyrighted work of WinXPert: Virus and Malware Removal.
Copyright © 2014 WinXPert. All rights reserved. All other
trademarks are the sole property of their respective owners.
The Information is provided on an "as is" basis. WinXPert
disclaims all warranties, whether express or implied, to the maximum
extent permitted by law, including the implied warranties that the
Information is merchantable, of satisfactory quality, accurate, fit for
a particular purpose or need, or non-infringing, unless such implied
warranties are legally incapable of exclusion. Further, WinXPert does
not warrant or make any representations regarding the use or the
results of the use of the Information in terms of their correctness,
accuracy, reliability, or otherwise.