PowerPointView.exe

Last Updated on Thursday, 14 October 2010 01:09 Thursday, 14 October 2010 00:37

Trojan - W32.Bancos

The file name PowerPointView.exe has appeared along with other names in a virus analysis report. You can see it on this link

• Microsoft has a legitimate program with the name PowerPoint Viewer . If you are looking for this program, you can find it on this link at the Microsoft Download Center. Therefore you should not download a file named  PowerPointView.exe, as it is a Trojan virus. 
• The installer is of about 2.62 MB. It is identified as a virus Trojan Infostealer Bancos. Different Antivirus companies detect it as -
  Trojan-Banker.Win32.Banker.bave [Kaspersky Lab]
  Trojan-Banker.Win32.Banker [Ikarus]
  
  Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain Brazilian banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
• It modifies the hosts file so as to redirect or block sites. 
• It can download harmful files from the internet.
• According to Symantec
  
  "The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss." 
  
  You can read the the writeup at Symantec on this link

It creates PowerPointView.exe, libmySQL50.dll and other files on the infected computer that you need to search and delete. You should end running processes named PowerPointView.exe from Task Manager. And also remove the file's entries from windows startup.

Warning: It is possible that some legitimate software may be using the same file names as that of the virus files. You do not have to delete these files if they belong to some legitimate program installed on your computer. Use Windows Defender or SysInternals Process Explorer to differentiate between them. The information in this article is presented without making any claims regarding its usefulness or otherwise. In case of disagreement/ dispute, please send a note by adding a comment at the end of this page, or mail on support(at)comprolive.com

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

• Using system restore in windows XP
• Using system restore in windows Vista 
• Using system restore in windows7 

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

• How to boot in safe in windows XP
• How to boot in safe mode in windows Vista 
• How to boot in safe mode in windows7

View Hidden Files

 You need to enable to view hidden files and folders before searching.

• How to Enable to View Hidden Files and Folders in Windows XP
• How to Enable to View Hidden Files and Folders in Windows Vista
• How to Enable to View Hidden Files and Folders in Windows7 

 Remove Processes from Task Manager

• Press Ctrl Alt Del keys to open the Task Manager.
• Select Processes tab. You will see a list.
• Look for the names PowerPointView.exe in it.
• Select if found and press the End Process button. It will ask for your confirmation to end that process.
• Select Yes. You can end one process at a time.

You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself

• How to use Windows Defender in windows XP
• How to use Windows Defender in windows Vista
• How to use Windows Defender in windows7 

Or you can use Sysinternal's Process Explorer.

• How to use Sysinternal's Process Explorer

Removing entry from windows startup

The system configuration can be started in xp and in vista by typing msconfig in the run box/ start menu search box. In xp by clicking on Start > run . The windows startup is reversible. You can check / uncheck any entry from windows startup any number of times.

• Open system configuration window.
• Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows.
• Expand the middle column using your mouse pointer. That will show you the full path of the program.
• Locate and uncheck the boxes in front of these names "PowerPointView.exe, libmySQL50.dll" (also look for any other suspicious names)
• Press Apply , Press Close/Ok , Select "restart" at the next prompt

Repairing Hosts file

 To repair/ edit the hosts file. Login as administrator. open the following file in notepad
C:\ WINDOWS\system32\driver \etc\hosts
remove anything other than 127.0.0.1 Localhost, and save and close the file.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for PowerPointView.exe, libmySQL50.dll

(You should keep in mind that these are some of the files that this virus creates, there could be more files downloaded once the computer is infected) 

Files

c:\libmySQL50.dll
c:\PowerPointView.exe
c:\PowerPointView.txt
[file and pathname of the sample #1]

(We do not know the name or the location of sample #1, it could be in your default download location or on the desktop or in a Temp folder. The files and folders in the Temp folder can be automatically removed, if you use a freeware temp files/ registry cleaner software like CCleaner)

Folders
none

Registry Keys

Some of the registry keys  will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

You can easily remove the files in the temp folder by running CCleaner. You can set CCleaner to run automatically each time the computer starts.

Do not forget to run CCleaner > Registry menu to remove the obsolete registry entries.

more about CCleaner on this link

Free tools to repair disabled folder options, registry, Task Manager etc

Whereas you can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, Disabled System Restore etc using these free tools

• Tools for Windows XP
• Tools for Windows Vista
• Tools for Windows7 

Use the System File Checker

To repair windows system files.

• How to run System File Checker utility in windows XP
• How to run System File Checker utility in windows Vista
• How to run System File Checker utility in windows7

  Reprinted with permission from Threatexpert.com