Removing the Koobface Worm (WORM/Koobface.bgn)

I came across this Facebook worm for the first time today… It seems that more and more Facebook users get their account hacked, and then somebody posts links to malicious sites on the walls of their friends.

Unsuspecting friends then install updates to the ‘Flash Player’ or what-have-you and BANG!

In this instance the removal seems easy enough:

  1. Get a list of suspicious processes (HiJackThis can help). In this instance we have:
    C:\windows\ld15.exe
    C:\windows\pp12.exe
    and lots of files in:
    C:\Documents and Settings\[USER]\Local Settings\Temp
  2. I got myself a Linux Live CD (Ubuntu) and booted into this live version.
  3. I started deleting the files above.
  4. I rebooted into Safe Mode (press F8 just after the BIOS message).
  5. When Windoze started, I went into the registry (press WinKey + R and enter ‘regedit’) and deleted the keys referring to those files in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Restarted and prayed 🙂

But it seems to have worked, because I don’t see any suspicious processes in HiJackThis anymore.

Malware removal: PersonalAV

A friend of mine contacted me today with this issue:
PersonalAV – a malware programme she accidentally installed and can’t get rid of.

Here are some instructions to get rid of the programme, but I don’t know if it comes with any additional Trojans or something…

Step 1: Kill the running processes.

Go to the Task Manager:
right-click on free space in the Windows taskbar, OR:
press Ctrl + Alt + Del to get into a menu and choose the Task Manager.

End the following processes:
PersonalAv.exe
services.exe
PerAvir.exe
winlogon.exe

Step 2: Remove registry keys:

Start > Run > ‘regedit’ > Enter.
Search for the following keys and remove them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Personal Antivirus_is1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ITGRDENGINE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer “PrS”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Personal Antivirus”

Step 3: Remove the programme files:

I have written two scripts that will do this work for you. Use either the Windoze XP or the Windoze Vista one, depending on your version.

You can also manually delete them:
PersonalAv.exe
c:\Documents and Settings\All Users\Desktop\Personal Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus
c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus Home Page.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Personal Antivirus.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Personal Antivirus\Purchase License.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus
%UserProfile%\Application Data\Personal Antivirus\settings.ini
%UserProfile%\Application Data\Personal Antivirus\uill.ini
%UserProfile%\Application Data\Personal Antivirus\unins000.exe
%UserProfile%\Application Data\Personal Antivirus\Uninstall Personal Antivirus.lnk
%UserProfile%\Application Data\Personal Antivirus\db
%UserProfile%\Application Data\Personal Antivirus\db\config.cfg
%UserProfile%\Application Data\Personal Antivirus\db\Timeout.inf
%UserProfile%\Application Data\Personal Antivirus\db\Urls.inf
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\log.txt
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe
c:\Program Files\Personal Antivirus
c:\Program Files\Personal Antivirus\activate.ico
c:\Program Files\Personal Antivirus\Explorer.ico
c:\Program Files\Personal Antivirus\PerAvir.exe
c:\Program Files\Personal Antivirus\unins000.dat
c:\Program Files\Personal Antivirus\uninstall.ico
c:\Program Files\Personal Antivirus\working.log
c:\Program Files\Personal Antivirus\db
c:\Program Files\Personal Antivirus\db\DBInfo.ver
c:\Program Files\Personal Antivirus\db\ia080614.db
c:\Program Files\Personal Antivirus\db\ia080618x.db
c:\Program Files\Personal Antivirus\Languages
c:\Program Files\Personal Antivirus\Languages\IAEs.lng
c:\Program Files\Personal Antivirus\Languages\IAFr.lng
c:\Program Files\Personal Antivirus\Languages\IAGer.lng
c:\Program Files\Personal Antivirus\Languages\IAIt.lng
c:\WINDOWS\system32\log.txt
%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png
%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe
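Both posts above come down to the same two checks: autorun entries that point at the dropped executables, and the dropped files themselves. The PowerShell script below is an added example (not the author's XP/Vista scripts, which are not reproduced on this page) that audits those locations using only the names and paths listed in the two posts, and deletes what it finds only when run with -Remove; it assumes an elevated prompt and that PowerShell is installed on the machine.

```powershell
param([switch]$Remove)
# Autorun locations named in both posts: Koobface's ld15.exe / pp12.exe in the
# HKLM Run key, PersonalAV's "Personal Antivirus" value in the HKCU Run key.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$badImages   = @('ld15.exe', 'pp12.exe', 'PersonalAv.exe', 'PerAvir.exe')
$badServices = @('ITGrdEngine')          # rogue service key PersonalAV installs
# Dropped files and folders from the lists above; %UserProfile% is the current user.
$badFiles = @(
    'C:\windows\ld15.exe',
    'C:\windows\pp12.exe',
    'C:\Program Files\Personal Antivirus',
    'C:\WINDOWS\system32\log.txt',
    '%UserProfile%\Application Data\Personal Antivirus',
    '%UserProfile%\Application Data\Microsoft\Windows\winlogon.exe',
    '%UserProfile%\Local Settings\Application Data\Microsoft\Windows\services.exe',
    '%UserProfile%\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

# 1. Run-key values whose command line names one of the known droppers.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        $hit = $badImages | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }
        if ($hit) {
            Write-Host "Run entry: $key\$($p.Name) = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}
# 2. The service key PersonalAV registers (step 2 of the PersonalAV post).
foreach ($svc in $badServices) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        Write-Host "Service key: $svcKey"
        if ($Remove) { Remove-Item -Path $svcKey -Recurse }
    }
}
# 3. Dropped files. The genuine services.exe and winlogon.exe live in System32;
#    only the copies under the user profile are fakes, so System32 is left alone.
foreach ($f in $badFiles) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "File: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}
```

Run it once without -Remove (ideally from Safe Mode, as in the Koobface post) to see what is actually present, then again with -Remove; a deleted service key only stops taking effect after the next reboot.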

Good luck!

However, if you don’t want to do all this and are contemplating reinstalling Windows anyway, make the right decision and install a different OS altogether…