Cleaning Facebook Virus

Written By The Ones on Friday, December 4, 2009 | 8:32 AM

A computer virus is exploiting the popularity of Facebook to attack its victims. Below are the steps for cleaning the Facebook virus W32/Obfuscated.D2!Genr and the fake antispyware "Security Tools" that accompanies it, taken from the Vaksincom article:

1. Disable System Restore for the duration of the cleaning process.
2. Disconnect the computer from the network / internet.
3. Preferably work in Safe Mode.
4. Install the "Unlocker" tool (download from FileHippo).
5. Kill the active virus processes in memory using the "Security Task Manager" tool (download from Neuber.com).

Killing the virus processes with Security Task Manager

6. Fix the registry. To speed up the registry repair, copy the script below into Notepad and save it as [repair.inf]. Then run it as follows:

a. Right-click [repair.inf]
b. Click [Install]

[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default open commands for executable file types, the Winlogon
; shell/userinit values and the IE start page that the virus hijacked.
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page, 0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit, 0, "userinit.exe"

; Remove the autostart entries and keys created by the virus.
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 47543326
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PromoReg
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, EnableProfileQuota
HKLM, SOFTWARE\AGProtect
HKLM, SOFTWARE\47543326
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network, UID
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion, Rlist
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{8FFA689D-2C2B-2B2E-D865-74C04CA4EF06}

7. Remove the files created by the virus. First make hidden files visible, then delete the following files:

C:\Documents and Settings\All Users\Application Data\47543326
C:\Documents and Settings\Elvina\Start Menu\Programs\Security Tools.lnk
C:\Documents and Settings\Elvina\Desktop\Security Tools.lnk
C:\Documents and Settings\Elvina\Application Data\wiaservg.log
C:\Documents and Settings\Elvina\Local Settings\Temp\*.tmp
C:\WINDOWS\Temp\wpv311256600826.exe
C:\WINDOWS\Temp\wpv411256806849.exe
C:\Documents and Settings\%user%\reader_s.exe
C:\Documents and Settings\%user%\Start Menu\Programs\Startup\isqsys32.exe
C:\WINDOWS\system32\reader_s.exe
C:\Windows\system32\wbem\proquota.exe
C:\windows\system32\sdra64.exe
C:\Windows\system32\lowsec (folder containing the files below)
    local.ds
    user.ds
    user.ds.lll

Note:
To remove the folder [C:\Windows\system32\lowsec] and the file [C:\windows\system32\sdra64.exe], use the "Unlocker" tool to release them from the Windows system processes (explorer.exe and svchost.exe), because the virus injects itself into [explorer.exe and svchost.exe]. Proceed as follows:

* Right-click the file [C:\windows\system32\sdra64.exe] or the folder [C:\Windows\system32\lowsec]
* Click the "Unlocker" menu entry
* In the Unlocker window, select the [Delete] action
* Click [OK]
* If an error message appears, ignore it (click OK)


8. Delete temporary files and temporary internet files using the ATF-Cleaner tool.

9. For thorough cleaning and to prevent re-infection, scan with an up-to-date antivirus. You can also clean the system with Norman Malware Cleaner or Malwarebytes Anti-Malware.
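After the nine steps above, it is worth confirming that nothing the virus changed is still in place before reconnecting the machine. The script below is an added example, not part of the Vaksincom article or its author's tooling: it re-reads the registry values that repair.inf restores, checks that the autostart entries and keys in the [del] section are gone, and checks that the files from step 7 no longer exist. It assumes an elevated Windows PowerShell session on the Windows XP-style profile layout the article uses ("Documents and Settings"), with the %user% placeholder resolved to the current user's profile; the expected values are the ones written by repair.inf, with the Winlogon Userinit check also accepting the full-path form Windows normally stores.

```powershell
# Post-cleanup verification (added example; not from the Vaksincom article).
# Prints one PASS/FAIL row per indicator and a warning if anything is still present.
# Assumptions: run elevated; Windows XP-style profile paths as listed in step 7.

$results = @()

function Add-Result([string]$check, [bool]$ok, [string]$detail) {
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    $script:results += New-Object PSObject -Property @{ Check = $check; Status = $status; Detail = $detail }
}

# 1. Values that the [UnhookRegKey] section of repair.inf restores. '(default)' is the key's
#    unnamed value. Patterns are regexes; -match is case-insensitive in PowerShell.
$mustMatch = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)';  Pattern = '^"%1" %\*$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)';  Pattern = '^"%1" %\*$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)';  Pattern = '^"%1" %\*$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)';  Pattern = '^"%1" %\*$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)';  Pattern = '^"%1" %\*$' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)';  Pattern = '^regedit\.exe "%1"$' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Pattern = '^Explorer\.exe$' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Pattern = '^(.*\\)?userinit\.exe,?$' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';             Name = 'Start Page'; Pattern = '^about:blank$' }
)
foreach ($e in $mustMatch) {
    $actual = $null
    try { $actual = (Get-ItemProperty -Path $e.Key -ErrorAction Stop).($e.Name) } catch { }
    $ok = ($null -ne $actual) -and ("$actual" -match $e.Pattern)
    Add-Result "$($e.Key) [$($e.Name)]" $ok "actual='$actual'"
}

# 2. Autostart values and keys that the [del] section removes must be absent.
$absentValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'reader_s' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = '47543326' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'PromoReg' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'reader_s' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableProfileQuota' }
)
foreach ($v in $absentValues) {
    $present = $false
    if (Test-Path $v.Key) {
        $present = $null -ne (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue)
    }
    Add-Result "$($v.Key) [$($v.Name)] absent" (-not $present) $(if ($present) { 'still present' } else { 'not found' })
}
foreach ($k in @('HKLM:\SOFTWARE\AGProtect', 'HKLM:\SOFTWARE\47543326')) {
    $present = Test-Path $k
    Add-Result "$k absent" (-not $present) $(if ($present) { 'still present' } else { 'not found' })
}

# 3. Files and folders from step 7 (XP-era layout; %user% = current profile).
$sys32 = Join-Path $env:SystemRoot 'system32'
$absentFiles = @(
    (Join-Path $sys32 'reader_s.exe'),
    (Join-Path $sys32 'sdra64.exe'),
    (Join-Path $sys32 'lowsec'),
    (Join-Path $sys32 'wbem\proquota.exe'),
    (Join-Path $env:USERPROFILE 'reader_s.exe'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\isqsys32.exe'),
    (Join-Path $env:APPDATA 'wiaservg.log'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\47543326')
)
foreach ($f in $absentFiles) {
    $present = Test-Path -LiteralPath $f
    Add-Result "file $f absent" (-not $present) $(if ($present) { 'still present' } else { 'not found' })
}

$results | Format-Table Check, Status, Detail -AutoSize
if (@($results | Where-Object { $_.Status -eq 'FAIL' }).Count -gt 0) {
    Write-Warning 'Cleanup incomplete: see the FAIL rows above before reconnecting the machine.'
}
```

Any FAIL row for the exefile/Winlogon values means the INF did not apply (or the virus restored its hooks because a process was still running), so repeat steps 5 and 6 before deleting files; a FAIL on sdra64.exe or the lowsec folder is the case the note above addresses with Unlocker.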

See also Vaksincom's earlier analyses of the Facebook virus:

* Virus Facebook: It's Fall, and Bitten Affected Dogs Appliances
* Identify Characteristics Facebook Email Virus Carrier


The author, Adang Jauhar Taufik, is an analyst at Vaksincom antivirus.
