First off I feel dumb. LOL
There is a Facebook virus going around. I got a wall post from someone that I haven't talked to in forever that said they had a picture of me. There was this strange link. I should have been smart enough to not click on it, but I did and downloaded the file. It was an exe file. -_- Well I ran Norton and it said it quarantined a URL redirect virus. However, I wasn't able to delete it from my system. Today I have been noticing that my processor is working harder...I am not sure if this has something to do with that. Anyways, what other programs should I run to double check to make sure Norton got everything? Also is there any way to delete it even if it is only quarantined in Norton?
Thanks,
Tim
-
Well, I personally don't find Norton to be a very good AV, but that's just my opinion. Have you tried scanning with anti-spyware software to see if that picks anything up?
-
Shoot...I'm surprised that NIS even let you finish downloading the EXE. Let alone have to stop it from executing.
What was the name of the EXE?
You might as well read the stickies too Tim, because there are several free AV scanners you can use.
-
AVG seems to work really great, I know it was able to catch the MSN virus whereas my Norton couldn't.
-
Yeah I know Norton isn't the greatest. My school forces me to use it. -_- I like AVG a lot more.
I am not sure what the exe was called, Greg. I promptly deleted it. lol Yeah I am reading the sticky right now.
I just wanted to see if other people have been as stupid as me and what they have done to remove it.
Tim -
I got it as well
Talked about them seeing a naughty picture of me and gave a link which was google..something
Links to a file called picture_dll.exe
(instructions are to open or run it)
As soon as I saw the exe extension, I deleted the email. I've been getting a few of these Facebook things.
Give Nod32 or Kaspersky a shot -
Tim, same with me, some random person I haven't talked to forever left a message on my wall. The spam link didn't work though...
FAIL!
-
I even tried clicking that link on johnny's wall, after he told me to (you did, ****it). Luckily, it didn't work.
-
I just noticed something interesting. There are two firefox.exe processes running. One is 101,000K in size and the other is only 2,452K in size. I think the second one is related to the virus somehow. -_-
Time to download all the antivirus and spyware programs I can and run them. LOL
Tim -
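The "two firefox.exe processes, one tiny" observation above is a useful triage signal. As an added example (not from this thread or from any of the products named in it), here is a small Python script that parses the CSV output of Windows' `tasklist /FO CSV` and flags image names that run more than once where one instance is far smaller than the largest; the sample output embedded in it is constructed, and the size thresholds are assumptions to tune.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of `tasklist /FO CSV` output (not a real capture). It mirrors
# the thread's observation: two firefox.exe processes, one of them tiny.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","28 K"
"explorer.exe","1244","Console","1","34,512 K"
"firefox.exe","4760","Console","1","101,000 K"
"firefox.exe","5120","Console","1","2,452 K"
"svchost.exe","880","Services","0","5,120 K"
"svchost.exe","932","Services","0","4,980 K"
'''


def parse_tasklist_csv(text):
    """Parse tasklist CSV rows into dicts with the memory column as an int in KB."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        mem = row["Mem Usage"].replace(",", "").rstrip(" K").strip()
        rows.append({"name": row["Image Name"].lower(),
                     "pid": int(row["PID"]),
                     "mem_kb": int(mem) if mem.isdigit() else 0})
    return rows


def find_runt_duplicates(rows, ratio=10.0, max_runt_kb=4096):
    """Return (name, pid, mem_kb, biggest_mem_kb) for every instance of a duplicated
    image name that is at most max_runt_kb and at least `ratio` times smaller than
    the largest instance. The thresholds are assumed values, not vendor guidance.
    Hits are leads, not verdicts: confirm the image path (e.g. Process Explorer)
    before touching anything, since many names (svchost.exe) legitimately repeat."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    hits = []
    for name, procs in by_name.items():
        if len(procs) < 2:
            continue
        biggest = max(p["mem_kb"] for p in procs)
        for p in procs:
            if p["mem_kb"] <= max_runt_kb and biggest >= ratio * p["mem_kb"]:
                hits.append((name, p["pid"], p["mem_kb"], biggest))
    return hits


if __name__ == "__main__":
    # Pipe real output in with: tasklist /FO CSV | python this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TASKLIST_CSV
    for name, pid, mem_kb, biggest in find_runt_duplicates(parse_tasklist_csv(data)):
        print(f"suspicious: {name} PID {pid} uses {mem_kb} K, largest copy {biggest} K")
```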
Avast would probably have caught it in time too and prevented your current problem. And I am using the free version and pretty impressed so far....
Maybe uninstall Norton (totally) and install Avast free (temporarily) just to see if it can fix the problem after a full system scan and get rid of your headache...
Just a thought
Cheers,
Theo -
Or a Nod32/Kaspersky's trial. Just to get rid of it.
-
Yeah I will probably have to do that. I ended that second firefox process and nothing appeared to happen. Seems that there is a hidden copy of firefox that was running in the background. I am going to scan first with AVG and see what happens.
Tim -
Good luck Tim...please keep us updated on your progress.
Thanks,
Theo -
TBH, seeing that three people in a two page thread have already had a run-in with this virus, maybe this should be stickied (stickyed? I suck at spellings) or something to alert other NBR Facebook users.
-
lol, you ran the .exe?
Anyways, this is an older post of mine where I got rid of a pretty annoying Trojan from Limewire:
-
If it's running extra processes (Mozilla), antivirus scans won't work all of the time. I used Norton & Avira and the one I had kept iexplore running in the background eating at my CPU processes.
Use the method I listed above. -
Funny enough it's 2 mods and a senior member...lol I don't think this needs to be stickied as there should be enough posts in this to keep the thread up somewhere near the top. People seeing Facebook and virus in the same sentence are going to panic...
-
There will be a lot of panic.
But yeah. Why did we click that link? -
Maybe another first for NBR. When crap hits the fan NBR members pull together. And try and find a solution. And help the rest out there.
FaceBook. Just imagine
Go Tim and test quickly please
Cheers,
Theo -
I wanted to see a shocking picture of myself?
(but really, I trust my anti-spyware/virus enough to click that link.)
-
Actually, I trust mine as well, so I never worry about these kinds of things. Just wanted to know what our rationale was.
-
Yea yea...but the temptation is irresistible "spelling"
Remember a lot of users know squat about anything besides Facebook. Like a drug. We are here to help. And inform.
So, we don't click on strange links. We know it is asking for trouble. But the rest of the people need education. And we are here to give it.
Cheers,
Theo -
I was just curious as well. lol
Well I ran Ad-Aware 2008 and that didn't find anything. I am running AVG right now and it found two things. Both are Trojan horses called SHeur.CAZB.
One is in C:\Windows\system32\splm\lmfunit32.dll and the other one is C:\PROGRA~1\MOZILL~1\FIREFOX.EXE (4760)
If this doesn't remove them I will try your suggestion ARom.
Tim -
Oh found some tracking cookies too...fun fun...
Tim -
You should try ending one of the processes.
-
FB is pretty tight when it comes to spam. It should be all gone in a few days. They don't want to turn FB into MySpace aka SpamSpace.
You might want to reinstall firefox, clean the registry and run the scans again. -
Well I am a little stuck right now. I ended up uninstalling firefox. Then I followed ARom's advice. I was able to find 4 registry entries that were from the trojan. They are in C:\Windows\System32\splm
It doesn't look like there are any legitimate programs in there. The splm folder was hidden and all the files within it were hidden. I was able to unhide them...but after a few seconds they automatically hide again. -_- I tried deleting them but I don't have permission to. Anyone have some ideas so I can delete this entire folder? I think the registry entries were deleted, but when I refreshed Autoruns the entries reappeared so I deleted them again. Are they really deleted if they reappear after I refresh Autoruns? Also how do I completely remove the splm folder?
Thanks for all the help...I am getting close
Tim -
If you have Vista, try changing permissions for the folder. That usually works. Just takes a few times and a few clicks in (you need to go Folder properties > Security tab > Advanced > Edit > choose a user > Edit > give yourself Full Control. You can remove control from whomever you want in the process).
-
Unfortunately it isn't allowing me to change the security settings on that folder. It says access is denied when I tried to deny permission from the Creator Owner and from TrustedInstaller. Any other ideas?
Tim -
Did you ever try running an anti-virus scan in safe mode or on boot? I suggest Avira myself. You should also try SuperAntiSpyware and/or Malwarebytes Anti-Malware. I find both of those to be far more effective than Ad-Aware.
-
See if there's a remover made specifically for this virus?
-
I am running AVG in safe mode right now. It detected the virus in the splm folder and moved it to the Virus Vault. It also detected another virus in C:\Windows\Explorer.exe <1244> called Win32/PolyCrypt and moved this to the virus vault as well.
Once I have these in the vault is there a way for me to delete them using AVG? Also is it possible for these files to reappear back in the splm folder even after they have been put in the vault?
Thanks for the continued help
Tim -
Yeah, you can delete them from the vault and it should be the last you see of them.
I have some files in the AVG Virus Vault. What next?
Most of today's viruses (Trojan horses, I-Worms, Worms, etc) create their own files which contain nothing but a body of the virus. In such cases the only way to remove the infection is to delete the infected file. When you moved the file to the AVG Virus Vault it was deleted from its original location, coded, and then saved in a non-executable file in a hidden folder. Your PC is no longer infected then.
If you are not missing any data file and your applications are running, then you can delete these vaulted files from the AVG Virus Vault program.
You can do it selectively from AVG Virus Vault program -> select files -> delete. Or you can delete all AVG Virus Vault contents in one go:
* Double-click the AVG icon on your desktop -> choose the "History" menu and select the "Virus Vault" option -> click on the "Empty Vault" button.
http://www.grisoft.com/ww.faq.num-766#faq_766 -
Social networking sites like Facebook have been malware distribution channels for years, especially due to their huge growth.
While most folks are wary of 'dodgy' sites and will be much more wary when they tiptoe in to the dark side for whatever reason, presumably 'safe' sites like Facebook are becoming more and more popular for the distribution of new viri and malware (and sometimes old ones like the Storm Worm).
Kaspersky Lab Detects New Worms Attacking MySpace and Facebook
Sophos: Facebook Malware Attack Puts Work Computers at Risk
Facebook quashes malware attack
Adding a behavioural blocker like ThreatFire (32-bit only!) to your 'arsenal' of security programs can be a good idea to prevent infection through websites like Facebook.
The free version of ThreatFire can be used in conjunction with almost all common AV programs, including Norton/NIS2008, it has a low memory usage of 8 MB (on XP) and is very easy to use.
Just don't set it to the highest protection level (5), otherwise it becomes very 'talkative'.
Security software companies like Symantec are incorporating more behavioural based blocking techniques (like its program Antibot) in upcoming versions (NIS2009) but not just yet.
Cheers. -
I see people get these all the time. Some seem really legit.
-
masterchef341 The guy from The Notebook
I stupidly clicked on that link too.
Of course, nothing happened. Thank you Unix! -
Well it's nice to see I wasn't the only one. LOL
I think I have completely removed the Trojan. I ended up using AVG to quarantine some of the infected files. I was then able to delete those quarantined files. Next I went into my C drive to see if I could still find the splm folder which contained the Trojan. The folder was still there so I thought AVG didn't work. I decided to try deleting the splm folder, and surprisingly it worked! So I quickly emptied my trash bin so I no longer have the splm folder on my laptop.
Next I downloaded NOD32 and ran the scanner and it came back clean. Then I restarted my laptop in safe mode and ran Autoruns to delete any registry entries that were left over from the splm folder. I found one and deleted it.
Finally I ran SuperAntispyware, however it found 5 tracking cookies. I was able to delete them and I checked again and found 7 this time. -_-
One of those is techtarget...which is the company that owns NBR. =O Anyways should I still be worried or do you think I got it all?
Thanks for all the help
Tim -
NBR is evil. But we knew this.
-
It's probably just from the TT advertisements.
Looks harmless... or maybe not! -
Yeah I am curious if you guys run SuperAntispyware, do you have the same techtarget file?
Tim -
This is some really good information, Baserk. Thank you. I do have a question for you, however. Since ThreatFire is only for x86, do you have any idea what I can add to my arsenal if I'm using x64? I feel really safe with KIS, but do you think I need anything else?
-
Hi Thaansa3,
You ought to feel safe with KIS, it's (among) the best money can buy.
Unfortunately there is no free alternative for ThreatFire.
PC Tools is saying a 64-bit version is coming to market but they've been saying that for a while now.
I haven't read anything about a 64-bit beta version yet, so we will have to wait a bit longer.
In the meanwhile..., heck, you've got Kaspersky!
Cheers. -
Don't forget Tim, I recently caught something through TT's advertisements too. Andrew filed a complaint with Google and we are no longer at risk for that malware.
-
Hildebrandenator Notebook Enthusiast
If I have UAC activated, and if I (hypothetically) tried to run this .exe file, will UAC ask me if I "really want to run this .exe?" And If I click no, will I still be safe from infection?
-
Browser tracking cookies aren't real malware. You don't really have to worry about them. If you don't want cookies, you can always turn them off in your web browser.
-
Yes, and because that dialog comes from a secure part of Windows Vista, you can be sure that no programs can intercept/tamper with the dialog box.
Facebook Virus
Discussion in 'Security and Anti-Virus Software' started by Tim, Aug 15, 2008.