Thursday, September 9, 2010

LOL is that you in this picture? Koobface virus removal instructions for windows XP/ME

This is the message my friend got on his facebook. Its a facebook virus. I removed it for my friend and just wanted post some details for those interested. (BTW, I know the instructions are not formatted very well).

There is a virus that commonly affects facebook users called the "Koobface". It spams links and tries to trick people in downloading their "flash player update" called ''flash_player.exe". This is the mechanism that is used to infect individuals.

Removing the virus for Windows XP (print off instructions before proceeding)
Windows XP
  1. Disable system restore- This step is essential in enabling an antivirus to fully scan your computer.
From Microsoft Help Website, to do this:
  1. Click Start, right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the System Restore tab.
  3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
  4. Click OK.
  5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
    You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

    Do you want to turn off System Restore?
    After a few moments, the System Properties dialog box closes.
 2. Restart in safe mode.
From Microsoft Help Website, to do this:
1.You should print these instructions before continuing. They will not be available after you shut your computer down in step 2.
2.Click Start and then click Shut Down.
3.In the drop-down list of the Shut Down Windows dialog box, click Restart, and then click OK.
4.As your computer restarts but before Windows launches, press F8. 
On a computer that is configured for booting to multiple operating systems, you can press F8 when the boot menu appears.
5.Use the arrow keys to highlight the appropriate safe mode option, and then press ENTER.

2. Remove start up entries.
1. Click start --> run.
2. Type in "regedit" without quotes
3. Browse through the left hand pane:


4. Delete the entry:

sysftray = "%Windows%\fbtre6.exe"

5. Close the regedit.

3. Remove the following files by using the windows search function. Press windows key +F. Input the following into the search input box.
  1. %Windows%\fmark2.dat
  2. %System Root%\5465465465463.BAT
 When these files have been located, click Shift+ delete to permanently delete.

5. Restart computer.
6. Run an antivirus of your choice. If no antivirus has been installed on the computer, use a free online virus scan. My recommendations:
  1. Panda Online Scan
  2. Trend Micro HouseCall
  3. Kapersky
  4. Symantec

Random Info That May Be Useful
McAfee As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.   This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and for the purpose of hijacking search results.  Search terms are directed to  This enables ad hijacking and click fraud.

No comments:

Post a Comment