
Manual Removal Guide for Fraud.Facebook.Messenger



Friday
2012-07-04, 13:25
The following instructions have been created to help you to get rid of "Fraud.Facebook.Messenger" manually.
Use this guide at your own risk; dedicated removal software is usually better suited to removing malware, since it is able to look deeper into the system.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
trojan

Description:
Fraud.Facebook.Messenger is a fake messenger client for the social network Facebook. It installs itself on the computer while posing as a messenger for Facebook. It compromises the system's security and is likely to steal Facebook login credentials.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "Facebook Update" and pointing to '"<$LOCALAPPDATA>\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver'.

Installed Software List:

You can try to uninstall the products named below; for items identified by other properties, or to prevent the malware from becoming active again during uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and remove these entries.

Products that have a key or property named "{A8AF728F-2EE8-4322-96B3-656CAD1F7805}".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\CefSharp.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\CefSharp.WinForms.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\chrome.pak".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\FacebookMessenger.exe".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\icudt.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\libcef.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\locales\en-US.pak".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\Newtonsoft.Json.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\npFbDesktopPlugin.dll".
The file at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\ThirdPartyCopyrightNotices.txt".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\FacebookCrashHandler.exe".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\FacebookUpdate.exe".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\FacebookUpdateHelper.msi".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdate.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ar.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_bg.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_bn.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ca.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_cs.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_da.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_de.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_el.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_en.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_en-GB.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_es.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_es-419.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_et.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_fa.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_fi.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_fil.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_fr.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_gu.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_hi.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_hr.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_hu.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_id.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_is.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_it.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_iw.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ja.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_kn.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ko.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_lt.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_lv.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ml.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_mr.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ms.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_nl.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_no.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_or.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_pl.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_pt-BR.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_pt-PT.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ro.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ru.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_sk.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_sl.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_sr.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_sv.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ta.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_te.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_th.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_tr.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_uk.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_ur.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_vi.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_zh-CN.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0\goopdateres_zh-TW.dll".
The file at "<$LOCALAPPDATA>\Facebook\Update\FacebookUpdate.exe".
The file at "<$PROGRAMS>\Facebook\Facebook Messenger.lnk".
The file at "<$STARTUP>\Facebook Messenger.lnk".
Make sure you set your file manager to display hidden and system files. If Fraud.Facebook.Messenger uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$APPDATA>\Microsoft\Installer\{A8AF728F-2EE8-4322-96B3-656CAD1F7805}".
The directory at "<$LOCALAPPDATA>\Facebook\CrashReports".
The directory at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0\locales".
The directory at "<$LOCALAPPDATA>\Facebook\Messenger\2.1.4554.0".
The directory at "<$LOCALAPPDATA>\Facebook\Messenger".
The directory at "<$LOCALAPPDATA>\Facebook\Update\1.2.203.0".
The directory at "<$LOCALAPPDATA>\Facebook\Update\Download".
The directory at "<$LOCALAPPDATA>\Facebook\Update\Manifest\Initial".
The directory at "<$LOCALAPPDATA>\Facebook\Update\Manifest".
The directory at "<$LOCALAPPDATA>\Facebook\Update".
The directory at "<$LOCALAPPDATA>\Facebook".
The directory at "<$PROGRAMS>\Facebook".
Make sure you set your file manager to display hidden and system files. If Fraud.Facebook.Messenger uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

A key in HKEY_CLASSES_ROOT\ named "facebook.desktopplugin.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "facebook.desktopplugin", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "FacebookUpdate.OnDemandCOMClassUser.1.0", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "FacebookUpdate.OnDemandCOMClassUser", plus associated values.
Delete the registry key "{04FE3112-DB93-424D-B958-5E709395693F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{04FE3112-DB93-424D-B958-5E709395693F}" at "HKEY_CURRENT_USER\Software\Classes\CLSID\".
Delete the registry key "{132885F2-8DE9-40F2-BEAE-1B31FDBAB159}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{1FD1FE74-9E3C-4C1C-AEEB-AAB592AD770F}" at "HKEY_CURRENT_USER\Software\Classes\CLSID\".
Delete the registry key "{3B692A7D-330E-4388-A955-724500AC0BC5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5E71E4F3-E8C7-4906-9626-973E418762B6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5E71E4F3-E8C7-4906-9626-973E418762B6}" at "HKEY_CURRENT_USER\Software\Classes\CLSID\".
Delete the registry key "{649D9E01-9847-4EE9-9145-2CB4BC8298D0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{71692661-DCBA-484A-BD41-A39404532B52}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9F110A06-955A-400B-B7D5-5B22224F63D1}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{9F110A06-955A-400B-B7D5-5B22224F63D1}" at "HKEY_CURRENT_USER\Software\Classes\TypeLib\".
Delete the registry key "{B72C7377-0AA5-4F52-BDA2-85C4D1DB930E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D0843545-5E7C-4C6D-B4E2-05948F759440}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "126CA32108434D24DBA06457352FC9F2" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\".
Delete the registry key "126CA32108434D24DBA06457352FC9F2" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\".
Delete the registry key "application/x-facebook-desktop-1" at "HKEY_CLASSES_ROOT\MIME\Database\Content Type\".
Delete the registry key "application/x-facebook-desktop-1" at "HKEY_CURRENT_USER\Software\Classes\MIME\Database\Content Type\".
Delete the registry key "F827FA8A8EE22234693B56C6DAF18750" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\".
Delete the registry key "F827FA8A8EE22234693B56C6DAF18750" at "HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\".
Delete the registry key "facebook.com/fbDesktopPlugin" at "HKEY_CURRENT_USER\Software\MozillaPlugins\".
Delete the registry key "facebook.desktopplugin.1" at "HKEY_CURRENT_USER\Software\Classes\".
Delete the registry key "facebook.desktopplugin" at "HKEY_CURRENT_USER\Software\Classes\".
Delete the registry key "Facebook" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "FacebookUpdate.OnDemandCOMClassUser.1.0" at "HKEY_CURRENT_USER\Software\Classes\".
Delete the registry key "FacebookUpdate.OnDemandCOMClassUser" at "HKEY_CURRENT_USER\Software\Classes\".
If Fraud.Facebook.Messenger uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
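The following read-only audit script is an added example and not part of the original guide: it expands the <$...> placeholders used above to the current user's real folders and reports which of the listed files, folders, registry keys and the "Facebook Update" autorun entry are present, without deleting anything. It assumes the autorun entry lives in the per-user Run key (the guide names the entry but not its exact key), and it checks a representative subset of the listed artifacts rather than every localisation DLL.

```powershell
# Added example (not part of the original guide). Reports listed
# Fraud.Facebook.Messenger artifacts that exist; it deletes nothing,
# so confirm each hit before removal.
# Assumption: the "Facebook Update" autorun entry is in the per-user Run key.

$local    = $env:LOCALAPPDATA                      # <$LOCALAPPDATA>
$roaming  = $env:APPDATA                           # <$APPDATA>
$programs = [Environment]::GetFolderPath('Programs')  # <$PROGRAMS>
$startup  = [Environment]::GetFolderPath('Startup')   # <$STARTUP>

# Representative file and folder paths from the guide, placeholders expanded.
$paths = @(
    "$local\Facebook\Messenger\2.1.4554.0\FacebookMessenger.exe",
    "$local\Facebook\Messenger\2.1.4554.0\npFbDesktopPlugin.dll",
    "$local\Facebook\Update\1.2.203.0\FacebookUpdate.exe",
    "$local\Facebook\Update\FacebookUpdate.exe",
    "$roaming\Microsoft\Installer\{A8AF728F-2EE8-4322-96B3-656CAD1F7805}",
    "$programs\Facebook\Facebook Messenger.lnk",
    "$startup\Facebook Messenger.lnk",
    "$local\Facebook"
)

# Registry keys from the guide (HKEY_CLASSES_ROOT entries mirror HKCU\Software\Classes).
$regKeys = @(
    'HKCU:\Software\Classes\facebook.desktopplugin',
    'HKCU:\Software\Classes\FacebookUpdate.OnDemandCOMClassUser',
    'HKCU:\Software\Classes\CLSID\{04FE3112-DB93-424D-B958-5E709395693F}',
    'HKCU:\Software\Classes\TypeLib\{9F110A06-955A-400B-B7D5-5B22224F63D1}',
    'HKCU:\Software\Microsoft\Installer\Products\F827FA8A8EE22234693B56C6DAF18750',
    'HKCU:\Software\Facebook',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\126CA32108434D24DBA06457352FC9F2'
)

function Find-FbMessengerArtifacts {
    $hits = @()
    foreach ($p in $paths)   { if (Test-Path -LiteralPath $p) { $hits += "file/folder: $p" } }
    foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $hits += "registry:    $k" } }

    # Autorun: a value named "Facebook Update" whose data points at FacebookUpdate.exe.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $v = Get-ItemProperty -Path $run -Name 'Facebook Update' -ErrorAction SilentlyContinue
    if ($v -and $v.'Facebook Update' -match 'FacebookUpdate\.exe') {
        $hits += "autorun:     $run\Facebook Update = $($v.'Facebook Update')"
    }
    return ,$hits   # keep the array shape even for 0 or 1 hit
}

$found = Find-FbMessengerArtifacts
if ($found.Count -eq 0) { 'No listed artifacts found.' } else { $found }
```

Run it again after following the removal steps above: an empty result confirms the listed artifacts are gone, while any remaining hit points at a file or key that still needs attention (or that a rootkit may be hiding, in which case use the tools named in this section).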

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.