I came across this facebook worm for the first time today… It’s seems that more and more facebook users get their account hacked and then somebody posts links to malicious sites on the walls of their friends.
Unsuspecting friends then install updates to the ‘Flash Player’ or what-have-you and BANG!
In this instance the removal seems easy enough:
- Get a list of suspicious processes (HiJackThis can help). In this instance we have:
C:windowsld15.exe
C:windowspp12.exe
And lots of files in:
C:Documents and Settings[USER]Local SettingsTemp - I got myself a Linux Live CD (ubuntu) and booted into this live version
- I started deleting the files above
- I rebooted into save mode (press f8 just after BIOS message)
- When Windoze started, I went into the registry (press WinKey + r and enter ‘regedit’) and deleted the referring keys in:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrent VersionRun
Restarted and prayed 🙂
But it seems to have worked, cause I don’t see any suspicious process in HiJackThis anymore.