Update on Koobface Virus

To read this article on our new website, please go to http://tonysgeektips.com/?p=227

And you thought it was over!

As it turns out, this virus does, as I suspected, infect your system!

You may have noticed slower browsing, Google search redirects, etc. Well, you have Koobface to thank for that. When you installed that “flash_update.exe” (or equivalent, see previous post) file, it opened up a whole can of worms (pun intended) for your system.

Never fear though, I will walk you through eliminating the Koobface (and company…) virus from your system. I spent many hours today pouring over forums, my mom’s own infected system, and peering into the realm of my own knowledge (a scary place!), I was able to discover the answer.

It turns out that this isn’t the first time this virus has come up. It has made several appearances over its history, in a slightly different form every time. As you can imagine, this made it difficult for me to find relevant information!

In the end though, I was able to come up with a solution. Basically, what the virus does is install a bunch of files onto your computer. Amongst these files is a proxy (named tinyproxy). For the illiterate here, a proxy manages your connectivity to the internet…are we seeing a potential problem here?

In addition to that, it sticks a few .BAT files into your \%system%/folder (usually “windows“).

But wait, there’s more! In older strains of the virus, this would have been enough to solve the problem. But in this new strain, the “developers” (if we can even call them that, I prefer “black-hats”) got smarter. They went and created a startup service as well (named something like
Bolivar28…the number might be slightly different on yours)! This service reinstalls the virus on boot-up after you delete it! Smart, but I’m smarter.

Ok, so how do you solve the problem? I will be happy to provide the solution for only 3 easy payments of…ok, I won’t go there :P

Alright, here we go:

  • First of all, make sure you’re an administrator. If you’re not sure whether you are, go to Start -> Control Panel -> Users. Make sure your user is listed as an administrator. If your PC has only one user, or you are on the primary account, you more than likely have administrator privileges.
  • Now, set a system restore point just in case everything goes south (it could happen). Note, don’t actually do a system restore, just set a restore point.
  • Next you are going to want to configure your proxy settings. This will stop tinyproxy from managing your internet access, at least until you reboot…we’ll fix that in a minute. Here are instructions for both Internet Explorer and Firefox:

IE: From the menu select Tools -> Internet Options -> “Connections” Tab -> Lan Settings -> Uncheck “use a proxy server” or reconfigure your proxy settings if you were using one previously (not standard for home networks).

Firefox: From the menu select Tools -> Options -> Advanced Tab -> Network Tab -> Settings under “Connection” -> Select “No Proxy“, or, if you were using a proxy previously, reconfigure your settings to how you had them previously.

  • Next, we are going to start attacking the virus itself. First of all, we are going to stop it from running, and prevent it from restarting on boot-up. Here’s how to do it:

To stop tinyproxy.exe:

  1. Open up Windows Task Manager (ctrl+alt+delete)
  2. Go to the processes tab
  3. Right click on the process named “tinyproxy.exe” and select “end process
  4. Windows will yell at you, end the process anyway (when ending processes, make sure you know what you’re doing, you could accidentally end a needed one. This one, however, we need to kill)
  5. Close task manager (Click on the “x” in the upper right…ok, that was lame :P)

To stop the startup service:

  1. Open run (Window key + r …the Windows key is the one next to alt in the bottom left of the keyboard)
  2. Type msconfig
  3. Go to the “Startup” tab
  4. Find and uncheck “Bolivar28“. Again the number after “Bolivar” might be different, but everything I saw was in the “20″s (like 24, 26, 28, etc.).
  5. Click “Ok”. Again, Windows will scream at you, but that’s all right. Just make sure you select “Restart Later” (or equivalent), from the dialog. We’re not done yet!
  • Still with me? The next thing we’re going to do is delete the virus itself (yay!).

To delete the virus:

  1. Go to the program files directory (usually C://Program Files)
  2. Look for the “TinyProxy” folder.
  3. Delete it (right click, select delete). (This is why we had to stop the process earlier…otherwise you wouldn’t be able to delete the folder…and the evil therein…muahaha)
  4. I don’t know much about this, but I have also heard that there might be another directory named “ProtectService“. From what I’ve heard, you should also delete that one. I didn’t have that directory however.
  • Ok, that took out tinyproxy, but there are still a few files in your windows directory that it would be prudent to delete:
  1. Go to your Windows directory (usually “windows“)
  2. From the menu select “Tools
  3. Select “Folder Options
  4. Select the “View” tab
  5. Under “Hidden files and folders“, select “show hidden files and folders
  6. Uncheck “Hide protected operating system files“. Windows will yell at you, I know. You should set it back to normal later :p
  7. Click OK
  8. Scroll down, look for, and delete files with the following names: bolivar26.exe, bolivar28.exe, fmark2.dat, f49f4d98.dat, and kenny**.exe (didn’t have the last one, but other places said it wasn’t good…)
  • Reboot. That should do it. If, upon rebooting, you get an “error message” saying “Error installing flash update. Please contact support“, you’re not done yet! Either you have a new/different strain of the virus than I did, or you didn’t follow I all my instructions correctly.
  • Upon rebooting, you more than likely will have to fix your proxy settings again. Not sure why, but I did.

Well, there you have it. This worked for me, I hope it works for you.

Please feel free to comment with any questions.


What would an article be without a disclaimer?:

The contents of the above article is intended for informational purposes only. We do not insure the accuracy, validity, or correctness of the said article, although we do try to bring you accurate information. Modify your computer’s files at your own risk. We (the authors, contributors, administrators, and any other affiliates or dependencies of this blog, article, etc.) do not accept any responsibility for loss of identity, theft (informational or otherwise), damage (of computer hardware, software, or anything else), death, or any other damages, or otherwise badness that may arise as a result of using the information contianed in aforementioned article.
About these ads

80 Responses to Update on Koobface Virus

  1. Ray says:

    We do not accept any responsibility for … death, …or otherwise badness

    LOL that was funny! I have heard that AVG and Avast are excellent anti-virus programs.

  2. Tor Thorsen says:

    You are a scholar and a gentleman, sir! I followed these instructions and am now functioning normally again.

  3. James says:

    Thank you for posting this page. I just had a computer infected with Koobface and your information helped me kill the processes and delete the EXE files that I wouldn’t have found otherwise.

  4. Steven C says:

    Thanks for the info, but I wasn’t able to locate in the Windows Task Manager under processes tab “tinyproxy.exe”, so there was nothing to remove. I did revoe “Bolivar28″, then went on to delete the TinyProxy folder, but it said “access denied, may be in use.” So of course when I reboot, it’s back! Any help would be greatly appreciated.
    Steven

  5. That is funny Ray!

    Sounds like a pretty bad bug Jeff! Ughh…..

    We use AVG and it isn’t bad at all.

  6. Jeff says:

    @Steven C
    Are you running Vista?

    If you are, make sure you select “Show processes from all users”. Windows will yell at you, but we’re used to that by now ;)

  7. M says:

    Steven C-

    Did you try printing out the instructions, rebooting the system in safe mode, then following the cleanup instructions again?

  8. james says:

    Many Thanks Jeff,

    Thought I was never going to get rid of this having run Symantec and Adware to no avail. Your fixes have worked though :-)

  9. AJ says:

    This worked flawlessly. THANK YOU!! I found this site in about 10 seconds and had things running back to normal within 5-10 minutes. I really wasn’t in the mood to wipe the box clean and reload everything. You’re instructions were clear and I enjoyed the humor mixed in given the irritating circumstances. Thanks again.

  10. Steve says:

    Thanks for the info. I have the latest version of Mcafee and it didn’t manage to get rid of any of this. Considering how long Bolivar and Koobface have been around that’s pretty poor! I may well not renew my subscription!

  11. Jeff says:

    I agree. I have Mcafee as well, and it didn’t do a thing…even after a complete system scan!

    I believe one of the reasons Mcafee may not have picked it up is that tinyproxy is installed as an application (and a system file as well!). It may slip beneath the radar. It is still inexcusable on Mcafee’s part though.

  12. b says:

    Thanks for post. It is greatly appreciated

  13. DiveDeep says:

    Thanks you for your gratitude. I really appreciate you spending the time publishing this fix. I think it worked. But leaving the proxy settings unchecked made a difference because I changed it back before I rebooted. But unchecked afterwards and that seemed to work. Interestingly, McAfee found the worms and deleted them but it didn’t do what you said. Also, I dl the same worm onto my Mac with Leopard but it didn’t effect it. :)

    Cheers

  14. [...] you or anyone you know was infected with this, here is the fix… Update on Koobface Virus Jeff and Tony’s Geek Tips and Tutorials __________________ 2004 Silver IRL GM Stage 1 Nates 2.9 Modular Pulley Silencer/Snorkel [...]

  15. RunRiver says:

    Quick question. When I restart my windows, the System Configuration Utility pops up and wants me to select the normal start up under the general tab. After doing so, I notice that under the start up tab that the Bolivar startup item is still there and is checked off.

    I followed your instructions again and I see that the tinyproxy, bolivar, and the other couple of the fmark2 and other “f” files are not listed as I have deleted them previously.

    Should this be a concern that the Bolivar start up item is still listed under the start up tab even after I deleted it? When I do a file search, the bolivar file cannot be found. Should I reset the System Configuration Utility to have a normal start up with the bolivar tab selected….or should I keep the start up on Selective Start Up mode?

    I really appreciate your good work with helping those of us affected by this horrible worm/virus. Thanks!

  16. Jeff says:

    Hello RunRiver,

    Because you have modified your startup settings (when you unchecked Bolivar), you will now always use Selective Startup. This gives you the control over what loads on startup.

    So go in to msconfig, and make sure Bolivar is unchecked, click OK, and reboot. When the dialog comes up, select the “Don’t show this again” (or equiv.) checkbox.

  17. Hgblack says:

    THIS REALLY WORKS! THANK YOU!!!!! Finally, an answer that got rid of the virus!!!

  18. [...] Posted by TWoods450 Incase you or anyone you know was infected with this, here is the fix… Update on Koobface Virus Jeff and Tonys Geek Tips and Tutorials Thanks Twoods it helped a friend of mine who got an awful fright when their computer locked up [...]

  19. Ben says:

    This was exactly what i had been looking for all night. A clear step by step process for us computer handicapped to understand easily. This worked like a charm, THANK YOU so much.

  20. PC says:

    I had all those infected files, was able to clean it up with no problem, HOWEVER, the Internet is not working after a reboot. From the Command Prompt, i can’t use IPCONFIG or PING commands. It locks up. There’s no problem in Safe Mode. There are no proxy settings in Internet Explorer (meaning the settings are blank). WHAT ON EARTH IS THE FIX???? I’ve been at this for an untold number of hours.

    • Jeff says:

      @PC
      Thank you for posting your question. There is no need to shout, we’re all friendly here. I understand your frustration, however.

      Of course, as I do not know all the specs about your computer, internet connection, etc., there is no way I can give you a definitive answer, but I would check the following:

      1) First off, try deleting your Temporary Internet Files. From the IE menu select Tools -> Internet Options -> General tab -> Under browsing history select Delete... -> Delete the following: Temporary Internet Files, and Cookies. This may help clean up some of the residual junk that Koobface left.
      2) Ensure that the internet connection itself is working. If it is, try restarting it (the router, etc.). This will reset the ip, etc. See if another computer can access the internet through the same connection.
      3) Try running Internet Explorer in No Add-ons Mode. This will run the browser in the most basic state possible. To access it, from the start menu go: All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons). If I am not mistaken, this is the version of IE that Safe-mode uses, so that may produce results.
      3) Make sure you didn’t clear all the startup options in msconfig. There are some important things in there, some possibly related to the internet.
      4) If you have one installed, give another browser (like Firefox) a try. Its possible that IE got trashed by the virus.
      5) Take a peek at the Windows firewall, as well as any anti-virus programs you have. They may have gotten messed up somehow.

      Please post back if any of this works, or if you have more questions. We have some smart folks who contribute/visit this blog, so one of them may have other possible solutions.

      ~Jeff

  21. Scott says:

    Thanks for the info. I am a tech coordinator for a school district and this has been invaluable for our staff and students!!

  22. Gregg says:

    Thanks for the great help but I’m still having an issue or two. I followed your directions but still have an issue with being redirected to different websites (http://%5Bskip%5D/search__arbkey–1__keyword–Logistics__noskip–1.html) when googling anything.

    I also get this questionable popup, which I close. (http://%5Bskip%5D/search.php?id=20253836&token=8241935683). It states “Please take a second to help us identify click fraud” and asks me to select the word I searched.

    EDIT from Jeff: URLs edited for security

    as a recap:
    I did not have the tinyproxy.exe file riunning on TaskManager.
    I unchecked the boliver28 startup service.
    I deleted the tinyproxy folder.
    I did not have the ProtectService directory.
    I deleted a file called f49f4daa.dat
    I rebooted.

    Help! Thanks!
    Gregg

    • Jeff says:

      @Gregg

      Hi Gregg,
      Thank you for your question. The symptoms you are describing indicate the virus is still alive on your computer. There are a few things that come to mind:

      1) As you will remember from my post, make sure your proxy settings have been fixed. Instructions for that are included in the post.
      2) Double check that tinyproxy.exe is not running. Make sure you select, under the processes tab, “Show processes from all users”. If tinyproxy is running as a system process, it will not normally show.
      3) If you got an error message on bootup that said something to the effect of “Flash update install failed. Please contact support”, then the virus is back on your computer, just like you haven’t done anything.

      Please reply if this helps (or doesn’t).

      Also, just as a word of advice for my readers, please be sure to clear your temporary internet files and especially your browser cookies after resolving the problem. The virus used a browser cookie to hack your facebook account in the first place, and if it remains, it could quite possibly do more damage in the future. In addition, change any passwords you entered while the virus was on your computer (especially online banking, pay-pal, Facebook etc.), as it has been suggested elsewhere that Koobface’s real goal is ID theft.

  23. Tim Askins says:

    AWESOME! I got mine on 12/04 and this Fixed my problem first try. Thanks

  24. Gregg says:

    Jeff,
    Thanks for the quick response, Sorry for not being as thorough as I should have been in my recap. I was (am) not using a proxy server (Set to: Use automatic configuration script) . The show processes for all users button was (is) checked and tinyproxy.exe is not running. I did not get the error message at boot up either. And I cleared all my temp files, cookies, history. This thing is driving me nuts.

    I’m running XP and IE7.

    The ID theft comment is what has had me concerned from the start of this mess.

    • Jeff says:

      If you have the Firefox browser installed, try using it and see what happens (Google something). This will determine whether it is IE’s problem or something deeper.

      If you don’t have it, download it here: http://en-us.www.mozilla.com/en-US/firefox/

      Please let me know what happens. If it works (i.e., doesn’t redirect you), I have more instructions for you. If it doesn’t, I have some other points of attack we could try.

      ~Jeff

  25. Gregg says:

    Jeff,
    I really appreciate the time here. When I open Firefox, I get a message that says :
    Firefox is configured to use a proxy server that is refusing connections.

    Shouel I change my settings back to Use Proxy?

    Gregg

    • Jeff says:

      Hi Gregg,

      No. Disable proxies completely. I have instructions on doing this in my post. Also, in IE, uncheck “Automatically Detect Settings”.

      From what it sounds like you have going on right now, I would say that tinyproxy is quite possibly gone. However, go look in your program files directory again and see if the tinyproxy folder came back. If it did, delete it again. Also look back in your Windows directory for the files I mentioned in my post.

      Let me know the result (good or bad).

      Also, just as a word of advice, once all this is done, I would dump your recycle bin.

      ~Jeff

  26. Gregg says:

    Jeff,
    I’m not that familiar with Firefox and don’t quite see a ‘No Proxy” option per your instructions. Connection Settings are set to: “Manual Proxy configuration” with HTTP proxy set with an IP. Below that option (but without a radio button) there is a line that states “No Proxy for:” and the same IP is listed, preceded by “localhost,”. SOCKSv5 is also checked.
    The only other options available are:
    Direct connection to internet
    Auto detect proxy…
    Automatic proxy config. for URL

    In IE, Automatically detect settings was unchecked.
    No files have reappeared.
    I just deleted my recycle bin and will reboot now.

    How concerned should I be about security right now?
    Should I be worried about typing un/pw’s on this computer?

    • Jeff says:

      Howdy Gregg,
      Here is a screenshot of what my Firefox browser proxy settings looks like:

      Proxy settings

      From your description, it appears that the top option is not there on your system, confirm?
      Are you using Firefox 3 (you are if you downloaded it from my link)?

      Please answer the above questions and we’ll go from there.

      ~Jeff

  27. Gregg says:

    Jeff –
    Confirmed. I have v2 on my machine. I will upgrade to v3 and test.

    PS. That snapshots applet(?) is a cool tool.

    Thanks
    Gregg

  28. PJ says:

    My wife’s laptop got infected this morning. Found your great instructions and it worked. Thanks a lot.

  29. Gregg says:

    Jeff,
    All I can say right now is hmmmm. I got sidetracked from the Firefox upgrade and started surfing on IE a bit after the reboot. I tested the links that I know were causing trouble beofre and all work correctly now. My machine still seems slower than normal but not sure if that is this virus or normal rendering since my pages are are not cached anymore …or something else. The only difference from before that I can track is that I purged the recyle bin.

    Could a deleted virus file in the recycle bin be a culprit?

    • Jeff says:

      That’s great Gregg! I’m glad the problem appears to be gone.

      I was having some IE problems after clearing the virus as well, they went away after a few days, however. I wasn’t able to trace the cause.

      I don’t think that purging the recycle bin could have done anything, but you never know with computers :).

      As one last precaution, I would change any passwords that you typed while the virus was on your computer. In case the virus harvested them, its always good to be safe. I wouldn’t worry too much about it, but I would definitely reset my passwords. If you bought anything with a credit card online (on that computer) during this time, I would get cancel my credit card and get a new one, as well. I know its hassle, but ID theft is huge these days, sadly.

      Feel free to come back to this blog and post a comment if you ever have any computer problems in the future, we’re always happy to help.

      God Bless,
      ~Jeff

  30. Gregg says:

    Jeff,
    Thank you so much for the help! I’m glad I found you and your site. I will certainly bookmark it!

    Have a wonderful holiday :)
    Gregg

  31. Melissa says:

    THANK YOU!!! I am so glad I found this and really appreciate the help. After agonizing for most of the weekend, tech peeps told me 3 days and my own wiz was busy til 5:30 and needed my computer overnight…so I set out to conquer the virus myself and was not able to until your instructions. Have a terrific week and thanks for helping me get back to work!

  32. Matt says:

    Hey guys PTL for good guys like you!

    I believe we have the virus, made the mistake of clicking and trying to install the bogus exe. I started your steps, stopped the tinyproxy but don’t see “Bolivar**” in the start up list. ?? I see some other things in there that don’t look good. Like Billgatesloh.exe. I’m using Firefox and my Norton subscription just ran out recently. First, thoughts on not having the Bolivar. Second any basic suggestions or opinions on virus scan removal software and tools.

    Thanks,
    Matt

  33. Ryan says:

    Hi Jeff,

    Like you, I’m fixing up a family member’s computer. I’ve got the virus out from everywhere I could find thanks to your suggestions and others I’ve found. But like PC above, I can’t get IE or Firefox running in regular mode. In safe mode with networking they run fine :(

    Things I’ve tried:
    run IE / FireFox in reg mode – freezes
    restart in safe mode w/ networking – works
    run in regular mode with extentions off – freezes
    reset IE to remove add-ons and go back to factory defaults – freezes

    proxy server settings are off.
    If you can even point me in a new direction I’d appreciate the help,

    Thanks,
    Ryan

    • Jeff says:

      Next up, lets look at Ryan’s problem:

      Hi Ryan,
      The good news is that your internet is working at least! I have a few suggestions for you (assuming tinyproxy is gone and proxy settings are fixed):

      1) Open up command prompt (open run (windows key + r) -> type in ipconfig. See what comes up. You should see various settings. What you are looking for are numbers, such as 192.168.0.1, 255.255.255.0, as well as various other things.
      2) Once you have done that, type in ping tonysgeektips.wordpress.com. If you get an error, or nothing comes up, you have an internet connection problem. I would recommend taking a look at that. Restart your router if you’re on wireless.
      3) Reinstall Firefox, and see what happens.

      The first two instructions will see whether the problem is with the browser. If you are pinging successfully, then it is a browser problem.

      Please respond with your results. But do not post the results of your ipconfig, as that information is invaluable to hackers (MAC address, domain provider, IP address…its like a dream come true for hackers).

      ~Jeff

  34. Darby says:

    This was such a lifesaver! I have spents hours, trying to get rid of this thing! I was finally able to get everything off of my system, but could not access the Internet. You quickly answered my question, and I am now back online and (timidly) surfing! Thank you, thank you, thank you!

  35. Kim says:

    My system has been down since Friday and a wonderful friend directed me to you yesterday…thank God for friends! As I’ve worked to clear up the mess I created, I’ve followed every step of your process and ran into a little bump in the road: I’m not finding anything in the Windows directory.. once I uncheck “Hide protected operating system files” and click OK, then I see is a “Systems” folder and it’s empty…what have I done????? I’m not able to access an internet browser at all, so am having to run back and forth between computers to try to fix this mess. Any additional help you can provide will be greatly appreciated.

    • Jeff says:

      Wow, where to begin! I woke up this morning with a whole slew of comments to moderate! I will do my best to try and answer them in the order received.

      First of all, lets discuss Matt’s problem:

      Hi Matt, thanks for posting.

      First, lets talk about Bolivar. As Viruses are constantly being updated in some cases, it may change form from computer to computer. You may not have it on your computer. It may have taken a different form/name, however.
      After doing a little searching around. I found that Billgatesloh.exe is an undesirable program. Clever name. I don’t know much about it however, so I can’t give you any solid advice on that one. If I were you, I would do the following (with the standard liability disclaimer that I gave in the post):

      1) Set a system restore point.
      2) Run process explorer (download here from Microsoft: technet.microsoft.com/en-us/sysinternals/bb896653.aspx
      3) Find the Billgatesloh.exe process. See which directory its running out of. Write it down.

      Please post back with the directory it was running out of.

      As for good virus scanning programs, I run McAfee, and it works ok. It didn’t catch Koobface on the infected computer, though. Other ones that I have heard of are: AVG and Avast. I have no experience with either, but have heard that they’re good.

      ~Jeff

    • Jeff says:

      Last (for now), but not least, lets turn to Kim’s problem:

      Hi Kim, thanks for posting.

      First of all, if the windows directory was empty, you wouldn’t be starting your computer, and definitely not checking to see if there was anything in it. You must not be looking in the right place. I want you to do the following:

      1) Open run
      2) Type cmd
      3) Type cd c:\windows // this assumes that your primary drive is the “c” drive (standard for most PCs)
      4) Type DIR

      What you most likely see is a slew of files and folders. Your Windows directory isn’t empty.

      Regarding your second post, I cannot speak for the efficacy, worth, or usefulness of the scan you used. However, from what you reported, it appears that either your computer is really messed up (from more that Koobface), the scan is hyper-active, or Koobface is a lot worse than everybody is saying it is (unlikely, as surely somebody would have figured it out by now…).

      However, I’m going to give you the same advice I would normally give someone in your situation. Please note that if any of the following work, you don’t need to continue following the instructions.:

      1) Open command prompt (run -> type cmd
      2) Type ipconfig. You should see a slew of information. What you are looking for are numbers, such as 192.168.0.1, 255.255.255.0, as well as various other things.
      3) Type ping tonysgeektips.wordpress.com. It should respond successfully. If the request times out, or you get an error, the problem is probably with your internet connection. Reset your router if you are on wireless, and check to see if other computers can use the same connection.
      4) Restart the computer in safe mode (reboot, press F8 repeatedly after it begins to boot the computer. A menu will come up, select “Safe Mode”). Try to use the internet. If you can, switch back to normal mode (reboot, select normal startup if the menu reappears…no need to press F8 this time).
      5) Try running Internet Explorer in No Add-ons Mode. This will run the browser in the most basic state possible. To access it, from the start menu go: All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons). If I am not mistaken, this is the version of IE that Safe-mode uses, so that may produce results.
      6) Clear your IE Temporary internet files, and cookies. From the IE menu select Tools -> Internet Options -> General tab -> Under browsing history select Delete… -> Delete the following: Temporary Internet Files, and Cookies. This may help clean up some of the residual junk that Koobface left. Please note that you should do this weekly (at least the files).
      7) Empty your recycle bin…hey, its worth a shot ;)

      Please let me know what happens!

      ~Jeff

  36. Kim says:

    It’s me again…I was finally able to get through the entire process, but still cannot access the internet. I was advised to run a malware program and it detected 140 (yikes) infected files…BUT when the scan is complete and I click to remove the files, the computer locks up. The infected files are Trojan files (?); HKEY Registry files (?); AVRLABS (?) and more…..
    Can I be helped?!

  37. Darrin says:

    Thank you for providing the information to remove Koobface. Your instructions were easy to follow and dead on, although, I didn’t have anything relating to a “Bolivar” file. Very much appreciated!

  38. Kim says:

    I’m baaack! Okay, I got to step 2, typed ipconfig; the curser moves to the next line, flashes and that’s it…5 minutes, no change. You won’t find a much more basic person than me when it comes to computer knowledge (or lack thereof) so I can’t thank you enough for attempting to help out here…I’m feeling like you hit the nail on the head with my computer being way messed up! The other computer in the house (the one I’m using now) is running fine on the internet.
    Anything else I can do?

  39. Ryan says:

    Thanks Jeff, as soon as I get an ip address from the router (watching the progress in the taskbar) I’m not able to run ipconfig or ping out to anywhere. In safe mode the ipconfig comes up fine. I thought he might have zlog in addition to koobface, but going through the fixes for that has also gotten me nowhere. I may have to get him to start fresh.

    Thanks

    Ryan

    • Jeff says:

      Hi Ryan,
      Give safe-mode a shot, trying all the standard ipconfig, ping, IE in no add-ons mode stuff that I’ve been talking about. In addition, try pinging your router (typically 192.168.0.1). Also, double check your proxy settings again. I shooting in the dark here, as I don’t have the machine right in front of me.

      I’m not sure about “zlog” (the real name is “zlob”, if its the one I think you’re talking about), as I’ve never gotten to play around with it. I’d like the chance (not on my machine, of course :-p ), maybe I should just open up a PC repair shop…

      Anyways, back to the subject. If I were you, from what I’ve heard about your friends machine, it sounds like even if you are able to fix it, the machine may need a wipe anyway, for all you know he may have a gazillion (just love that number…) problems on it. To get zlob and Koobface is pretty sad, and shows signs of a lack of any security-consciousness (no offense to your friend, everyone starts somewhere :-) ). I wouldn’t throw the towel in just yet though…

      Let me know what happens.

      ~Jeff

  40. Cameron says:

    Many thanks, Jeff. Facebook has nothing helpful — they just say “use an AV program”. Norton includes koobface in its list of known viruses, but nevertheless fails to remove it.

    My startup list did not include anything with “bolivar”, but it did have a “FlashUpdate” or something similar, and disabling that prevented the problem from recurring on reboot.

  41. SleepyMom says:

    I am jetlagged and sleep deprived, but sent your instructions to my afflicted daughter. Worked like a charm, now I can sleep knowing her internet based business will continue. Thanks so much for your work and kindness sharing it with us!!

  42. Sandra says:

    THANK YOU THANK YOU THANK YOU!!!!

    Everything else I was able to find said “download this to fix it” – which I couldn’t do because I was on my cell phone web because *my browser was not working you morons!* How was I supposed to download a program if I couldn’t get on the internet with my computer? :P

    Anyway, my mom found these instructions for me and they were top notch!

    A few things for others:

    I have mcafee, and it seemed to have cleaned up a lot (but not all). I wasn’t able to find the tinyproxy in the processes at all, or anything relating to “bolivar” anything. However, I just kept going, and I DID find the tinyproxy folder, the fmark2.dat file and the f49f4d98.dat file and also another one called f49f4daa.dat.

    Thank you SO much, my computer is back online and all is well! THANK GOD because I run a home business which makes photo cards and this happened right smack dab in the middle of christmas card season, I was *freaking out* and my customers have been waiting while I tried to fix this (with no way for me to contact them to let them know what is going on!!)

    Thank you thank you thank you. See, people with computer knowledge like this should be using their powers for good like you do, instead of making stupid viruses that are nothing but a huge pain in the a***.

    Post edited for content

    THANKS!

  43. Gregg says:

    Jeff,
    I see you’ve been busy but I’m back. I am once again being redirected on websites using IE. I ran the same google search test on Firefox v3 and it works fine. I know you said you may have some ideas?

    Oh, and and re-did all your steps and nothing new found anywhere.

    Just when I thought it was safe to go back into the water…

  44. Gregg says:

    Jeff,
    Some new info (as I’m still at this thing). I decided to download Malwarebytes Anti-Malware and ran it with some interesting results- here is the log:
    12/10/2008 12:11:24 AM
    mbam-log-2008-12-10 (00-11-24).txt

    Scan type: Quick Scan
    Objects scanned: 63980
    Time elapsed: 9 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Not selected for removal.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Not selected for removal.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\351631\351631.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\WINDOWS\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\glanyard.APPLICATIONS\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

    I did not remove 2 of the items found as I was not sure they are harmful…any thoughts? Trojan.BHO is a bit worrysome after reading about it.

    (PS – not sure if this whole thread needs to be posted but wondering if others are still infected and don’t know it.

    Gregg

    • Jeff says:

      Hello again, Gregg. Thanks for stopping by.

      One thing I would do about the files you’re curious about is check to see when they were created. If they were created about the same time you got the virus, that may be a good hint.

      Thanks for the tip about posting the thread. I’m definitely considering it. Its amazing how much traffic this solution has generated my website, I should rename my blog to “Come and get Koobface fixed here”, or something like that. :p

      ~Jeff

  45. Dolly says:

    Jeff –

    You are the bomb! After being infected last week w/koobface, I proceeded to my local software store & purchased upon their recommendation, Kaspersky Int Securtity 2009. I had always relied on AVG, Norton, Zone Alarm, just to name a few of the freebee’s out there. Even after Kaspersky found & deleted this worm it kept coming back, just like cancer. If I hadn’t found your information here, I would have thrown this system into the street.

    I was at the end of my plug so to speak and I did not follow your directions exactly. I run Mozilla/Firefox & I did not change any proxy settings prior to doing this. I am by no means technically inclined or a computer geek, so if I can do this anyone can.

    I went directly to task mgr processes & found “tinyproxy” & ended task. NOTE: even after ending & re-checking processes it kept showing up until I found the “tinyproxy” file & deleting it. I had to end the process at least 3 times before I deleted the file. I did not have any of the other .exe files or processes that are associated w/koobface listed. My start up list did not include anything with “bolivar” or any others mentioned.

    After rebooting, I did get the server-proxy error. All I did was check off auto detect in options & connection was immediate.

    I cross my fingers, as I can finally say good riddance to koobface!

    THANK YOU!!!!!

  46. Liz Maverick says:

    Thanks. Your instructions totally worked. Much appreciated.

  47. Wayne Fusco says:

    Thanks for the info. I did everything you suggested, but I cannot delete tinyproxy. I also found a file 351631.dll which was created at the same time I downloaded the virus. I cannot delete that one either. It is located in windows/system32 in its own folder. any suggestions?

    • Jeff says:

      Hi Wayne,
      Please respond with the error message you get when you try to delete tinyproxy or the other folder.

      thanks,

      ~Jeff

  48. Rob says:

    I have a dual boot system, so my XP is infected, my Vista isn’t, using file names you posted i found em and nuked em from Vista no probs! Just have to restart XP now and do some ‘spring cleaning’ to make sure its all gone. I got rid of TinyProxy and Bolivar 29 AND Bolivar30 (is it normal to get 2 of em?)

    Will let u guys know if the dual boot ‘Nuke the virus from the other Hard Drive’ method works :P

    Also i use Panda Internet Security, which was simply shut off by the virus.

  49. Rob says:

    OK, Nuking the files from Vista worked great, back into XP, got rid of Bolivar30.exe but now my IE doesn’t work, or my BT Browser (tried it as a backup). Vista works fine though, any ideas on what’s wrong and/or how to fix it?

    The help so far on this site has been great! Nice one! If i had a Xmas card list u’d be on it!

  50. Rob says:

    oh, sorry, forgot, following your instructions i didn’t find f49f4d98.dat, but did see f49f4daa.dat. also created at the same date as fmark2.dat was fm123.dat, do these need to go also? (already deleted fmark2.dat)

  51. Candice says:

    Thank you VERY much! after spending quite a bit of fustrating time working on this your instructions worked perfectly.

  52. Mike from UK says:

    Thank you Jeff
    Iwas prompted by a Norton scan detecting koobface.
    I followed all your steps and I only found the fmark2.dat file, no bolivar exe etc but it was enough to prevent the Norton scan saying I had koobface. My AVG Security V8 hadn’t detected anything but I wonder who was right?
    Best wishes

  53. [...] a client, your great-grandma, or your dog have been infected, you might want to take a look at the fix I posted back on December 4 the last time it broke out like this. As always, the contributors here [...]

  54. Giovanne says:

    hey,

    thanks for your great site and informations.
    I’m using firefox and windows XP.
    i’ve tryied to follow all your procedings but yet i have problems with this thing! Some operations didn’t worked or were done in other ways (for finding or deleting for instance..) i think now to end it i have to locate the dll files but i don’t know how…
    hope you would have time to answer me…
    thanks you

    • Jack says:

      Hello,
      Thank you for contacting Tony’s Geek Tips.

      Before I begin providing my opinion on how you might try to fix this problem, let me mention that this post was for an older version of the virus, which, although more than likely quite similar, will probably have differences. I’m more than happy to help you, of course. That’s why we’re here.

      After reviewing the information you provided, there are a few more questions I would like to ask (most of which I covered in my post). At that point, I will offer my suggestions.

      1. What are your specific symptoms?

      2. Are there any processes running in your system that look like they may be related (e.g. boliver28.exe, tinyproxy.exe, etc.)?

      3. Are there any startup items that look like they may be related (e.g. bolvar28)?

      4. In your windows directory, as well as your windows\system32 directory, are there any .dll or .exe files that look like they have something to do with it (look in my post for examples)?

      5. Is your browser configured to use a proxy (other than normal, if you normally use one – see post for details)?

      6. Have you cleared your temporary internet files, cookies, cache, etc.?

      This information will provide useful information to aid in solving your problems. Please do not publicly post information that could personally identify you, your computer’s information, etc (I know, yada yada legal stuff…).

      Thanks,
      Jack

  55. Bert says:

    Hello Jack- I hope you can help me. About a week ago my PC-cillin quarantined a koobface virus (and a few since then). For the past week I have been getting redirected on my google searches, and have a ton of pop-ups all day long- the most annoying being an apparent free virus scan from Norton 360.

    I have unchecked use a proxy server under tools, but I do not see tinyproxy or bolvar running in my task manager or anything that looks like it except for tmproxy which I think is part of PC-cillin. I have emptied my temporary files.

    please help me! thanks for your time

  56. Jack says:

    Hi Bert,
    Sorry about the delay in responding to you. I missed your comment. Please let me know if you are still having problems and I will be happy to assist you.

    Jack

  57. Charlie says:

    Please Note: Comment edited for security.

    Hi Jack,

    I got a facebook email saying check ‘d*****.*e’ I have got several of these messages and have worked out that when you go on them, it looks like facebook but is acctually a phishing website that steals your password. They have been on my account and sent email to all of my friends saying look at d*****.*e

    Is there any chance that I could have got Koobface or anything similar in this process. Some of the other sites are:
    p***b***.*e
    d***s***.*e
    r**b***y.*e

    Thanks alot

    Charlie

  58. Jack says:

    Hi Charlie,
    Thanks for contacting Tony’s Geek Tips.

    I’ve got a friend who had this same thing happen to her. I think that this wave was simply a phishing scam, but obviously could have more to it. As far as I know, she changed her FB password and was fine. I haven’t asked her about it for a few weeks, however.

    Here is my opinion of your situation. As long as you didn’t download anything, you should be safe on the virus side. There is always the risk that something could have forced itself onto your computer however, so I suggest going through your system processes to check for anything fishy (google is your friend). Also, there might have been a browser cookie added to your browser. Also, run a good anti-virus software as well as Spybot S&D.

    It should go without saying that you need to change your Facebook password, clear everything in your browser (cookies, cache, temporary internet files, etc.), etc. The more you clean, the better. Also, I would suggest that you change all of your passwords (on a different computer perhaps?), as who knows what sort of browser cookie was put on your system.

    Please understand that what we offer on Tony’s Geek Tips is only our opinion. What you do with your computer is always your choice, and we cannot be held liable for any damages caused by following our suggestions.

    I hope that this helps!

    God Bless,
    Jack Chapa
    tonysgeektips.com
    Check us out on Twitter and Facebook!

  59. Leo says:

    Hi there,

    Not to sure if any1 will reply to this but I’m hoping for the best. I had a look at the step by step remove for the virus but I but there was one problem, I didn’t have and of the files or processes you told us to delete.

    Which you would think that mean my computer is virus free, well its not. All I can say is that I know i got it from Facebook, it was a link in a message and once I clicked it, it was to late. I didn’t download no flash player update or nothing, My computer was just infected from then on.

    That was last week, I have done 9 virus scans with different programs,( AVG, McAfee, Avlast, malwarebytes and ad-ware) and none of them find anything.

    Dose any1 know if this is a new virus or what?
    It still seems to work like a worm, cause it is using all the CPU and freezing, and once it then shuts itself down and i try to turn in on again it dosen’t BOOT like normal,something is happening i don’t know what but, and i have to kill the power and turn it on again for windows to load.

    I have no idea what to do, so any help will be great

    thanks
    Leo

    • Jack says:

      Hi Leo,
      Thanks for contacting Tony’s Geek Tips. I’d like to personally invite you to visit our brand new website, tonysgeektips.com. This is now our primary website, and is where we spend most of time monitoring and posting. I’m glad I checked this site tonight, though, and I’ll see if I have some ideas that may be able help you. For the remainder of this troubleshooting conversation, however, feel free to continue using this page.

      Before I begin, let me explain that everything that I say is only my opinion, and I (and anyone affiliated with me and/or Tony’s Geek Tips) cannot be held liable for any damages, problems, or otherwise. I will do my best to help you, however.

      Please be aware that this article is for a version of the Koobface virus that was initially discovered in December of last year. Since then, there have been other viruses that have spread via Facebook, so what I write about in this article may or may not be the type and/or version of the virus/problem that you have.

      From what you described, it definitely sounds like you have something on your computer that is slowing it down. I would strongly recommend backing up all of your data before doing anything, as in your troubleshooting efforts, or through the virus, you may lose some or all of your data. After that, the first thing that I would suggest you do in your situation is run Spybot S&D. You may have already run this, as you mentioned that you have already run a good deal of security software.

      Let me know what it turns up, or if you have already run anything like it. Also, please provide me with any other symptoms that you may have (apart from slowing and/or freezing).

      If you need to contact me directly, you may do at jack@tonysgeektips.com.

      Thanks,
      Jack

  60. angel tydon says:

    i think i got the koobface virus. i was thinkin about back up of all my files, and then reformate the computer. i don’t have much on my laptop, just few pic n few files here n there.
    i wanted to reformate my computer anyway. so does reformating would this fix my problem.

    thanks

  61. [...] Did some googling. Looks like it could possibly be the Koobface virus. Here is the link. Update on Koobface Virus Tony’s Geek Tips [...]

  62. ShortStuff3 says:

    It didn’t work. I dont have any of those – Tinyproxy/bolivar/fmark, etc.

    I may be doomed :(

    Can you help?

  63. Selina says:

    Hello,

    My computer has been infected with Koobface. However, I tried to look for tinyproxy.exe after clicking the Process tab after pressing Ctrl+Alt+Delete. Are there any other .exe to remove that are related to Koobface??

    Regards,

    Selina

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: