Thursday, April 17, 2008

MicrosoftPowerPoint.exe Win32 USB worm manual removal

MicrosoftPowerPoint.exe

MicrosoftPowerPoint.exe is a worm that spreads from computer to computer through USB memory sticks/pen drives. It slows down all USB operations.

Manual Removal
Since the virus automatically hides all the files, you can't easily find it.
First run msconfig and look at the startup entries to find the location of the virus.
Remove that entry by unchecking its tick mark.
Reboot the system.
Then make the registry changes given below to unhide hidden files.


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer searchhidden en 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer searchsystemdirs en 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced hidden en 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced showsuperhidden en 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced superhidden en 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN CheckedValue 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN DefaultValue 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL DefaultValue 1


From the msconfig entry, find the location where the virus resides and delete the contents of that folder. It is usually in /Documents and Settings/User/Local Settings/Temp/.

Now the system must be free of the virus.
Disable autorun to prevent further infections.

To prevent the USB drive from being infected again, delete the contents of MicrosoftPowerPoint.exe on it and place a 0-byte file with the same name.

That's all
:)
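
To check the result of the steps above without changing anything, here is a read-only PowerShell audit. It is an added example, not part of the original post. It assumes the startup entry sits in one of the Run registry keys that msconfig lists, and it takes the value names from the list above.

```powershell
# Added example: read-only audit for the manual removal steps (changes nothing).
$WormName = 'MicrosoftPowerPoint.exe'                       # file name from the post
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$Folder   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
# Key/value pairs the post sets to 1 (registry value names are case-insensitive).
$Expected = @(
    @($Explorer, 'SearchHidden'), @($Explorer, 'SearchSystemDirs'),
    @("$Explorer\Advanced", 'Hidden'), @("$Explorer\Advanced", 'ShowSuperHidden'),
    @("$Explorer\Advanced", 'SuperHidden'),
    @("$Folder\NOHIDDEN", 'CheckedValue'), @("$Folder\NOHIDDEN", 'DefaultValue'),
    @("$Folder\SHOWALL", 'CheckedValue'), @("$Folder\SHOWALL", 'DefaultValue')
)

# Assumption: the startup entry is in a Run key, one of the places msconfig reads.
function Get-SuspectStartupEntry {
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -like "*$WormName*") {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $data }
            }
        }
    }
}

# Compare each Explorer visibility value with the 1 the post asks for.
function Get-ExplorerHiddenSetting {
    foreach ($e in $Expected) {
        $path, $name = $e
        $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).($name)
        [pscustomobject]@{ Path = $path; Name = $name; Current = $cur; MatchesPost = ($cur -eq 1) }
    }
}

# Look in the root of every removable drive; Length 0 means the placeholder is in place.
function Find-WormCopy {
    foreach ($d in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
        Get-ChildItem -Path "$($d.DeviceID)\" -Filter $WormName -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, Attributes, @{ n = 'IsPlaceholder'; e = { $_.Length -eq 0 } }
    }
}

Get-SuspectStartupEntry | Format-List
Get-ExplorerHiddenSetting | Format-Table Name, Current, MatchesPost -AutoSize
Find-WormCopy | Format-Table -AutoSize
```

An empty first table means no Run entry still points at the worm; a row in the last table with IsPlaceholder set to False is a copy that has not been replaced yet.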
