Friday, 12 August 2011

How to remove Facebook Chat Virus “hi. how are you?” AKA KOOBFACE

Sample chat:
“hi. how are you?”
*If you reply, it will send you:*
“Wanna laugh? :)”
*If you reply again, it will send you:*
“It is you on the video ?)) want to see?)”
*If you reply again, it will send you the virus link.*

The sample website:

Will my computer get infected once I click the link?
No! Not unless you download and run some files from the link. (Currently they use the drive-by method.)

HOW TO FIX!
If your computer is infected and can’t access Facebook, please refer to Method 1.

Method 1:

Windows operating systems contain a file called ‘hosts’ that overrides DNS: any domain name listed in it resolves to the address written next to it. The worm uses this to point facebook.com at your own machine, which is why the site can no longer be reached.

  1. Open the hosts file
    1. Go to the Start menu and choose Run. Type the path of the folder that holds the hosts file into the Run dialog box:
      1. For Windows NT and Windows 2000: C:\winnt\system32\drivers\etc
      2. For Windows XP, Windows Vista or Windows 7: C:\Windows\System32\drivers\etc
    2. Click the OK button (this should open a window with several files in it).
    3. Find the file called ‘hosts’ and double-click it. If prompted, specify that you would like to choose a program to open the file with from a list of programs.
      1. Choose ‘Notepad’ from the list of available programs.
  2. Edit and save the hosts file
    1. The contents of your hosts file should look something like this:
    2. Find the line with the word facebook.com (example: “127.0.0.1 www.facebook.com”).
    3. Remove it.
    4. Close the hosts file and save it when prompted.
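As an added example (not part of the original post), here is a small Python script that does the check from Method 1 without guessing: it parses a constructed sample hosts file, drops every line that maps facebook.com or one of its subdomains to loopback or any other address, and keeps all other entries and comments untouched. The sample contents, the function names and the file path are assumptions; on a real Windows machine it must run from an Administrator prompt against C:\Windows\System32\drivers\etc\hosts and only rewrites the file when write=True.

```python
import re
from pathlib import Path

# Constructed sample hosts file, as a Koobface-style hijack would leave it:
# the Facebook names are pinned to loopback so the browser can never reach them.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.facebook.com facebook.com   # added by the worm
0.0.0.0\tlogin.facebook.com
127.0.0.1   intranet.example.test
"""

WATCHED_DOMAINS = ("facebook.com",)  # extend with other hijacked sites if needed

def is_hijacked(hostname, watched=WATCHED_DOMAINS):
    """True if hostname is a watched domain or a subdomain of one (case-insensitive)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in watched)

def clean_hosts(text, watched=WATCHED_DOMAINS):
    """Return (cleaned_text, removed_lines).

    A hosts line is '<address> <name> [<name> ...] [# comment]'. Any line that
    maps a watched domain (to loopback or anywhere else) is dropped whole; every
    other line, including comments and blank lines, is kept exactly as it was.
    """
    kept, removed = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()      # ignore trailing comments
        fields = re.split(r"\s+", entry) if entry else []
        names = fields[1:]                          # first field is the address
        if any(is_hijacked(n, watched) for n in names):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def clean_hosts_file(path, watched=WATCHED_DOMAINS, write=False):
    """Dry run by default: report hijacked lines; write=True rewrites the file."""
    p = Path(path)
    cleaned, removed = clean_hosts(p.read_text(encoding="utf-8", errors="replace"), watched)
    if write and removed:
        p.write_text(cleaned, encoding="utf-8")
    return removed

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("Removed:", removed)
    print(cleaned)
```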

Method 2:

UPDATED: Try ComboFix (http://www.combofix.org/)

1. Start Task Manager.
2. Kill these processes:
fbtre6.exe
mstre6.exe
Delete these registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
Method:
Launch the Registry Editor: press the Start button, click Run, type regedit into the Open: field and click OK.
Find the virus entry by following these steps:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run > "systray"
Before deleting, make sure the value’s data is "c:\windows\mstre6.exe" (or "C:\Windows\fbtre6.exe"); only then select it and press Delete.
Warning: DO NOT SIMPLY DELETE! Do not carelessly delete files you are not sure about; your laptop/PC may not be able to boot if you delete the wrong thing.
3. Delete these files:
C:\Windows\fbtre6.exe
C:\Windows\fmark2.dat
Still don’t understand how to use regedit?
More detailed guide:

More info:
Clean your startup entries (msconfig) and use CCleaner.
Run your virus scanner to make sure the virus has been removed from your PC.

If your account has been taken over and used to send spam, you should follow these steps immediately:

  • Reset your Facebook password. You can do this by clicking the “Forgot your password?” link on the login page or by going to the Account Settings page once logged in.
  • If you can’t reset your password because the email address you use to log in has changed, or if your account has been disabled, visit our help page.
  • Make sure you have up-to-date security software on your computer, run a scan, and remove any malicious files. If you don’t do this, and your computer is infected, your account may be taken over again. If you don’t yet have protection for your computer, you can download a complimentary six-month subscription of McAfee security software. Learn more on the Software tab.

Download:
CCleaner: http://www.piriform.com/ccleaner/download
Use this to clean up unneeded files (TEMP files, cookies, etc.).

Malwarebytes: http://www.malwarebytes.org/mbam.php
This is a great anti-malware tool; update it, then scan your PC at least once a week.

SuperAntiSpyware: http://www.superantispyware.com/download.html
This is an anti-spyware tool; run it after Malwarebytes, also once a week.

What about using anti-virus/anti-malware software to remove it?
The virus/worm is currently FUD (fully undetectable). It takes some time for the antivirus companies to update their definitions to detect it.

FYI: the person who makes this virus/worm can also produce new (FUD) variants that can’t be detected.

VirusTotal Report

File name: Flash-Player.exe
Submission date: 2011-07-21 11:10:11 (UTC)
Result: 11/43 (25.6%)
