To read this article on our new website, please go to http://tonysgeektips.com/?p=227
And you thought it was over!
As it turns out, this virus does, as I suspected, infect your system!
You may have noticed slower browsing, Google search redirects, etc. Well, you have Koobface to thank for that. When you installed that “flash_update.exe” (or equivalent, see previous post) file, it opened up a whole can of worms (pun intended) for your system.
Never fear though, I will walk you through eliminating the Koobface (and company…) virus from your system. I spent many hours today poring over forums and my mom’s own infected system, and peering into the realm of my own knowledge (a scary place!), and I was able to discover the answer.
It turns out that this isn’t the first time this virus has come up. It has made several appearances over its history, in a slightly different form every time. As you can imagine, this made it difficult for me to find relevant information!
In the end though, I was able to come up with a solution. Basically, what the virus does is install a bunch of files onto your computer. Amongst these files is a proxy (named tinyproxy). For the illiterate here, a proxy manages your connectivity to the internet…are we seeing a potential problem here?
In addition to that, it sticks a few .BAT files into your %system% folder (usually “windows”).
But wait, there’s more! In older strains of the virus, this would have been enough to solve the problem. But in this new strain, the “developers” (if we can even call them that, I prefer “black-hats”) got smarter. They went and created a startup service as well (named something like Bolivar28…the number might be slightly different on yours)! This service reinstalls the virus on boot-up after you delete it! Smart, but I’m smarter.
Ok, so how do you solve the problem? I will be happy to provide the solution for only 3 easy payments of…ok, I won’t go there 😛
Alright, here we go:
- First of all, make sure you’re an administrator. If you’re not sure whether you are, go to Start -> Control Panel -> Users. Make sure your user is listed as an administrator. If your PC has only one user, or you are on the primary account, you more than likely have administrator privileges.
- Now, set a system restore point just in case everything goes south (it could happen). Note, don’t actually do a system restore, just set a restore point.
- Next you are going to want to configure your proxy settings. This will stop tinyproxy from managing your internet access, at least until you reboot…we’ll fix that in a minute. Here are instructions for both Internet Explorer and Firefox:
IE: From the menu select Tools -> Internet Options -> “Connections” Tab -> LAN Settings -> Uncheck “use a proxy server” or reconfigure your proxy settings if you were using one previously (not standard for home networks).
Firefox: From the menu select Tools -> Options -> Advanced Tab -> Network Tab -> Settings under “Connection” -> Select “No Proxy”, or, if you were using a proxy previously, reconfigure your settings to how you had them previously.
- Next, we are going to start attacking the virus itself. First of all, we are going to stop it from running, and prevent it from restarting on boot-up. Here’s how to do it:
To stop tinyproxy.exe:
- Open up Windows Task Manager (ctrl+alt+delete)
- Go to the processes tab
- Right click on the process named “tinyproxy.exe” and select “end process”
- Windows will yell at you, end the process anyway (when ending processes, make sure you know what you’re doing, you could accidentally end a needed one. This one, however, we need to kill)
- Close task manager (Click on the “x” in the upper right…ok, that was lame :P)
To stop the startup service:
- Open run (Windows key + r …the Windows key is the one next to alt in the bottom left of the keyboard)
- Type msconfig
- Go to the “Startup” tab
- Find and uncheck “Bolivar28”. Again the number after “Bolivar” might be different, but everything I saw was in the “20”s (like 24, 26, 28, etc.).
- Click “Ok”. Again, Windows will scream at you, but that’s all right. Just make sure you select “Restart Later” (or equivalent), from the dialog. We’re not done yet!
- Still with me? The next thing we’re going to do is delete the virus itself (yay!).
To delete the virus:
- Go to the program files directory (usually C:\Program Files)
- Look for the “TinyProxy” folder.
- Delete it (right click, select delete). (This is why we had to stop the process earlier…otherwise you wouldn’t be able to delete the folder…and the evil therein…muahaha)
- I don’t know much about this, but I have also heard that there might be another directory named “ProtectService”. From what I’ve heard, you should also delete that one. I didn’t have that directory however.
- Ok, that took out tinyproxy, but there are still a few files in your windows directory that it would be prudent to delete:
- Go to your Windows directory (usually “windows”)
- From the menu select “Tools”
- Select “Folder Options”
- Select the “View” tab
- Under “Hidden files and folders”, select “show hidden files and folders”
- Uncheck “Hide protected operating system files”. Windows will yell at you, I know. You should set it back to normal later :p
- Click OK
- Scroll down, look for, and delete files with the following names: bolivar26.exe, bolivar28.exe, fmark2.dat, f49f4d98.dat, and kenny**.exe (didn’t have the last one, but other places said it wasn’t good…)
- Reboot. That should do it. If, upon rebooting, you get an “error message” saying “Error installing flash update. Please contact support”, you’re not done yet! Either you have a new/different strain of the virus than I did, or you didn’t follow all my instructions correctly.
- Upon rebooting, you more than likely will have to fix your proxy settings again. Not sure why, but I did.
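The manual steps above check a handful of places by hand: a running process, a startup entry, two folders, a few files and the browser proxy setting. The script below is an added example, not code from the original post, that audits the same indicators in one pass so you can see at a glance what is still there after a cleanup (or after the reboot that the last step warns about). It assumes PowerShell 3.0 or later and an elevated prompt (so that every user's processes are visible, which is the same point as “Show processes from all users” in Task Manager). It only reports by default; `-Remove` is an assumed switch of this script, and every removal honours `-WhatIf`.

```powershell
# Added example, not part of the original post: a report-only audit for the
# Koobface indicators named in the post. Run from an elevated PowerShell 3.0+
# prompt. Nothing is removed unless -Remove is given, and each removal
# honours -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$findings = @()

# 1. The proxy process the post ends in Task Manager.
foreach ($proc in @(Get-Process -Name 'tinyproxy' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($proc.Name) (PID $($proc.Id)) $($proc.Path)" }
    if ($Remove -and $PSCmdlet.ShouldProcess($proc.Name, 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. Startup entries (what msconfig's Startup tab lists): the Run keys plus the
#    Startup folders. "Bolivar<nn>" is the post's name; "FlashUpdate" is the
#    variant a commenter reported in its place.
$startupPattern = '^(bolivar\d*|flashupdate)'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in @($props.PSObject.Properties.Name | Where-Object { $_ -match $startupPattern })) {
        $findings += [pscustomobject]@{ Type = 'Startup'; Item = "$key\$name = $($props.$name)" }
        if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}
foreach ($entry in @(Get-CimInstance Win32_StartupCommand -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -match $startupPattern })) {
    $findings += [pscustomobject]@{ Type = 'Startup'; Item = "$($entry.Location): $($entry.Name) -> $($entry.Command)" }
}

# 3. Dropped folders and files named in the post (kenny**.exe is a wildcard there too).
$paths = @((Join-Path $env:ProgramFiles 'TinyProxy'),
           (Join-Path $env:ProgramFiles 'ProtectService'))
$paths += @(Get-ChildItem -Path $env:SystemRoot -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(bolivar\d+\.exe|fmark2\.dat|f49f4d98\.dat|kenny.*\.exe)$' } |
            ForEach-Object { $_.FullName })
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $findings += [pscustomobject]@{ Type = 'File'; Item = $p }
    if ($Remove -and $PSCmdlet.ShouldProcess($p, 'Remove-Item')) {
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}

# 4. WinINet proxy settings, the values IE's "LAN settings" dialog edits.
#    Reported only; the post's manual steps cover resetting them.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    $findings += [pscustomobject]@{ Type = 'Proxy'; Item = "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)" }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Koobface indicators found.' }
```

Run it once before and once after a reboot: if the Startup or File rows come back, the startup entry that reinstalls the virus has not been found yet, which is exactly the case the “Error installing flash update” message signals.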
Well, there you have it. This worked for me, I hope it works for you.
Please feel free to comment with any questions.
What would an article be without a disclaimer?:
We do not accept any responsibility for … death, …or otherwise badness
LOL that was funny! I have heard that AVG and Avast are excellent anti-virus programs.
You are a scholar and a gentleman, sir! I followed these instructions and am now functioning normally again.
Thank you for posting this page. I just had a computer infected with Koobface and your information helped me kill the processes and delete the EXE files that I wouldn’t have found otherwise.
Thanks for the info, but I wasn’t able to locate in the Windows Task Manager under processes tab “tinyproxy.exe”, so there was nothing to remove. I did remove “Bolivar28”, then went on to delete the TinyProxy folder, but it said “access denied, may be in use.” So of course when I reboot, it’s back! Any help would be greatly appreciated.
Steven
That is funny Ray!
Sounds like a pretty bad bug Jeff! Ughh…..
We use AVG and it isn’t bad at all.
@Steven C
Are you running Vista?
If you are, make sure you select “Show processes from all users”. Windows will yell at you, but we’re used to that by now 😉
Steven C-
Did you try printing out the instructions, rebooting the system in safe mode, then following the cleanup instructions again?
Many Thanks Jeff,
Thought I was never going to get rid of this having run Symantec and Adware to no avail. Your fixes have worked though 🙂
This worked flawlessly. THANK YOU!! I found this site in about 10 seconds and had things running back to normal within 5-10 minutes. I really wasn’t in the mood to wipe the box clean and reload everything. Your instructions were clear and I enjoyed the humor mixed in given the irritating circumstances. Thanks again.
Thanks for the info. I have the latest version of Mcafee and it didn’t manage to get rid of any of this. Considering how long Bolivar and Koobface have been around that’s pretty poor! I may well not renew my subscription!
I agree. I have Mcafee as well, and it didn’t do a thing…even after a complete system scan!
I believe one of the reasons Mcafee may not have picked it up is that tinyproxy is installed as an application (and a system file as well!). It may slip beneath the radar. It is still inexcusable on Mcafee’s part though.
Thanks for post. It is greatly appreciated
Thank you for your gratitude. I really appreciate you spending the time publishing this fix. I think it worked. But leaving the proxy settings unchecked made a difference because I changed it back before I rebooted. But unchecked afterwards and that seemed to work. Interestingly, McAfee found the worms and deleted them but it didn’t do what you said. Also, I dl the same worm onto my Mac with Leopard but it didn’t affect it. 🙂
Cheers
Quick question. When I restart my windows, the System Configuration Utility pops up and wants me to select the normal start up under the general tab. After doing so, I notice that under the start up tab that the Bolivar startup item is still there and is checked off.
I followed your instructions again and I see that the tinyproxy, bolivar, and the other couple of the fmark2 and other “f” files are not listed as I have deleted them previously.
Should this be a concern that the Bolivar start up item is still listed under the start up tab even after I deleted it? When I do a file search, the bolivar file cannot be found. Should I reset the System Configuration Utility to have a normal start up with the bolivar tab selected….or should I keep the start up on Selective Start Up mode?
I really appreciate your good work with helping those of us affected by this horrible worm/virus. Thanks!
Hello RunRiver,
Because you have modified your startup settings (when you unchecked Bolivar), you will now always use Selective Startup. This gives you the control over what loads on startup.
So go in to msconfig, and make sure Bolivar is unchecked, click OK, and reboot. When the dialog comes up, select the “Don’t show this again” (or equiv.) checkbox.
THIS REALLY WORKS! THANK YOU!!!!! Finally, an answer that got rid of the virus!!!
This was exactly what i had been looking for all night. A clear step by step process for us computer handicapped to understand easily. This worked like a charm, THANK YOU so much.
I had all those infected files, was able to clean it up with no problem, HOWEVER, the Internet is not working after a reboot. From the Command Prompt, i can’t use IPCONFIG or PING commands. It locks up. There’s no problem in Safe Mode. There are no proxy settings in Internet Explorer (meaning the settings are blank). WHAT ON EARTH IS THE FIX???? I’ve been at this for an untold number of hours.
@PC
Thank you for posting your question. There is no need to shout, we’re all friendly here. I understand your frustration, however.
Of course, as I do not know all the specs about your computer, internet connection, etc., there is no way I can give you a definitive answer, but I would check the following:
1) First off, try deleting your Temporary Internet Files. From the IE menu select Tools -> Internet Options -> General tab -> Under browsing history select Delete... -> Delete the following: Temporary Internet Files, and Cookies. This may help clean up some of the residual junk that Koobface left.
2) Ensure that the internet connection itself is working. If it is, try restarting it (the router, etc.). This will reset the ip, etc. See if another computer can access the internet through the same connection.
3) Try running Internet Explorer in No Add-ons Mode. This will run the browser in the most basic state possible. To access it, from the start menu go: All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons). If I am not mistaken, this is the version of IE that Safe-mode uses, so that may produce results.
4) Make sure you didn’t clear all the startup options in msconfig. There are some important things in there, some possibly related to the internet.
5) If you have one installed, give another browser (like Firefox) a try. It’s possible that IE got trashed by the virus.
6) Take a peek at the Windows firewall, as well as any anti-virus programs you have. They may have gotten messed up somehow.
Please post back if any of this works, or if you have more questions. We have some smart folks who contribute/visit this blog, so one of them may have other possible solutions.
~Jeff
Thanks for the info. I am a tech coordinator for a school district and this has been invaluable for our staff and students!!
Thanks for the great help but I’m still having an issue or two. I followed your directions but still have an issue with being redirected to different websites (http://%5Bskip%5D/search__arbkey–1__keyword–Logistics__noskip–1.html) when googling anything.
I also get this questionable popup, which I close. (http://%5Bskip%5D/search.php?id=20253836&token=8241935683). It states “Please take a second to help us identify click fraud” and asks me to select the word I searched.
as a recap:
I did not have the tinyproxy.exe file running in Task Manager.
I unchecked the boliver28 startup service.
I deleted the tinyproxy folder.
I did not have the ProtectService directory.
I deleted a file called f49f4daa.dat
I rebooted.
Help! Thanks!
Gregg
@Gregg
Hi Gregg,
Thank you for your question. The symptoms you are describing indicate the virus is still alive on your computer. There are a few things that come to mind:
1) As you will remember from my post, make sure your proxy settings have been fixed. Instructions for that are included in the post.
2) Double check that tinyproxy.exe is not running. Make sure you select, under the processes tab, “Show processes from all users”. If tinyproxy is running as a system process, it will not normally show.
3) If you got an error message on bootup that said something to the effect of “Flash update install failed. Please contact support”, then the virus is back on your computer, just like you haven’t done anything.
Please reply if this helps (or doesn’t).
Also, just as a word of advice for my readers, please be sure to clear your temporary internet files and especially your browser cookies after resolving the problem. The virus used a browser cookie to hack your facebook account in the first place, and if it remains, it could quite possibly do more damage in the future. In addition, change any passwords you entered while the virus was on your computer (especially online banking, pay-pal, Facebook etc.), as it has been suggested elsewhere that Koobface’s real goal is ID theft.
AWESOME! I got mine on 12/04 and this Fixed my problem first try. Thanks
Jeff,
Thanks for the quick response, Sorry for not being as thorough as I should have been in my recap. I was (am) not using a proxy server (Set to: Use automatic configuration script) . The show processes for all users button was (is) checked and tinyproxy.exe is not running. I did not get the error message at boot up either. And I cleared all my temp files, cookies, history. This thing is driving me nuts.
I’m running XP and IE7.
The ID theft comment is what has had me concerned from the start of this mess.
If you have the Firefox browser installed, try using it and see what happens (Google something). This will determine whether it is IE’s problem or something deeper.
If you don’t have it, download it here: http://en-us.www.mozilla.com/en-US/firefox/
Please let me know what happens. If it works (i.e., doesn’t redirect you), I have more instructions for you. If it doesn’t, I have some other points of attack we could try.
~Jeff
Jeff,
I really appreciate the time here. When I open Firefox, I get a message that says :
Firefox is configured to use a proxy server that is refusing connections.
Should I change my settings back to Use Proxy?
Gregg
Hi Gregg,
No. Disable proxies completely. I have instructions on doing this in my post. Also, in IE, uncheck “Automatically Detect Settings”.
From what it sounds like you have going on right now, I would say that tinyproxy is quite possibly gone. However, go look in your program files directory again and see if the tinyproxy folder came back. If it did, delete it again. Also look back in your Windows directory for the files I mentioned in my post.
Let me know the result (good or bad).
Also, just as a word of advice, once all this is done, I would dump your recycle bin.
~Jeff
Jeff,
I’m not that familiar with Firefox and don’t quite see a ‘No Proxy” option per your instructions. Connection Settings are set to: “Manual Proxy configuration” with HTTP proxy set with an IP. Below that option (but without a radio button) there is a line that states “No Proxy for:” and the same IP is listed, preceded by “localhost,”. SOCKSv5 is also checked.
The only other options available are:
Direct connection to internet
Auto detect proxy…
Automatic proxy config. for URL
In IE, Automatically detect settings was unchecked.
No files have reappeared.
I just deleted my recycle bin and will reboot now.
How concerned should I be about security right now?
Should I be worried about typing un/pw’s on this computer?
Howdy Gregg,
Here is a screenshot of what my Firefox browser proxy settings looks like:
Proxy settings
From your description, it appears that the top option is not there on your system, confirm?
Are you using Firefox 3 (you are if you downloaded it from my link)?
Please answer the above questions and we’ll go from there.
~Jeff
Jeff –
Confirmed. I have v2 on my machine. I will upgrade to v3 and test.
PS. That snapshots applet(?) is a cool tool.
Thanks
Gregg
My wife’s laptop got infected this morning. Found your great instructions and it worked. Thanks a lot.
Jeff,
All I can say right now is hmmmm. I got sidetracked from the Firefox upgrade and started surfing on IE a bit after the reboot. I tested the links that I know were causing trouble before and all work correctly now. My machine still seems slower than normal but not sure if that is this virus or normal rendering since my pages are not cached anymore …or something else. The only difference from before that I can track is that I purged the recycle bin.
Could a deleted virus file in the recycle bin be a culprit?
That’s great Gregg! I’m glad the problem appears to be gone.
I was having some IE problems after clearing the virus as well, they went away after a few days, however. I wasn’t able to trace the cause.
I don’t think that purging the recycle bin could have done anything, but you never know with computers :).
As one last precaution, I would change any passwords that you typed while the virus was on your computer. In case the virus harvested them, its always good to be safe. I wouldn’t worry too much about it, but I would definitely reset my passwords. If you bought anything with a credit card online (on that computer) during this time, I would get cancel my credit card and get a new one, as well. I know its hassle, but ID theft is huge these days, sadly.
Feel free to come back to this blog and post a comment if you ever have any computer problems in the future, we’re always happy to help.
God Bless,
~Jeff
Jeff,
Thank you so much for the help! I’m glad I found you and your site. I will certainly bookmark it!
Have a wonderful holiday 🙂
Gregg
THANK YOU!!! I am so glad I found this and really appreciate the help. After agonizing for most of the weekend, tech peeps told me 3 days and my own wiz was busy til 5:30 and needed my computer overnight…so I set out to conquer the virus myself and was not able to until your instructions. Have a terrific week and thanks for helping me get back to work!
Hey guys PTL for good guys like you!
I believe we have the virus, made the mistake of clicking and trying to install the bogus exe. I started your steps, stopped the tinyproxy but don’t see “Bolivar**” in the start up list. ?? I see some other things in there that don’t look good. Like Billgatesloh.exe. I’m using Firefox and my Norton subscription just ran out recently. First, thoughts on not having the Bolivar. Second any basic suggestions or opinions on virus scan removal software and tools.
Thanks,
Matt
Hi Jeff,
Like you, I’m fixing up a family member’s computer. I’ve got the virus out from everywhere I could find thanks to your suggestions and others I’ve found. But like PC above, I can’t get IE or Firefox running in regular mode. In safe mode with networking they run fine 😦
Things I’ve tried:
run IE / FireFox in reg mode – freezes
restart in safe mode w/ networking – works
run in regular mode with extensions off – freezes
reset IE to remove add-ons and go back to factory defaults – freezes
proxy server settings are off.
If you can even point me in a new direction I’d appreciate the help,
Thanks,
Ryan
Next up, lets look at Ryan’s problem:
Hi Ryan,
The good news is that your internet is working at least! I have a few suggestions for you (assuming tinyproxy is gone and proxy settings are fixed):
1) Open up command prompt (open run (windows key + r) -> type in ipconfig). See what comes up. You should see various settings. What you are looking for are numbers, such as 192.168.0.1, 255.255.255.0, as well as various other things.
2) Once you have done that, type in ping tonysgeektips.wordpress.com. If you get an error, or nothing comes up, you have an internet connection problem. I would recommend taking a look at that. Restart your router if you’re on wireless.
3) Reinstall Firefox, and see what happens.
The first two instructions will see whether the problem is with the browser. If you are pinging successfully, then it is a browser problem.
Please respond with your results. But do not post the results of your ipconfig, as that information is invaluable to hackers (MAC address, domain provider, IP address…it’s like a dream come true for hackers).
~Jeff
This was such a lifesaver! I have spent hours trying to get rid of this thing! I was finally able to get everything off of my system, but could not access the Internet. You quickly answered my question, and I am now back online and (timidly) surfing! Thank you, thank you, thank you!
My system has been down since Friday and a wonderful friend directed me to you yesterday…thank God for friends! As I’ve worked to clear up the mess I created, I’ve followed every step of your process and ran into a little bump in the road: I’m not finding anything in the Windows directory.. once I uncheck “Hide protected operating system files” and click OK, then all I see is a “Systems” folder and it’s empty…what have I done????? I’m not able to access an internet browser at all, so am having to run back and forth between computers to try to fix this mess. Any additional help you can provide will be greatly appreciated.
Wow, where to begin! I woke up this morning with a whole slew of comments to moderate! I will do my best to try and answer them in the order received.
First of all, lets discuss Matt’s problem:
Hi Matt, thanks for posting.
First, let’s talk about Bolivar. As viruses are constantly being updated in some cases, it may change form from computer to computer. You may not have it on your computer. It may have taken a different form/name, however.
After doing a little searching around. I found that Billgatesloh.exe is an undesirable program. Clever name. I don’t know much about it however, so I can’t give you any solid advice on that one. If I were you, I would do the following (with the standard liability disclaimer that I gave in the post):
1) Set a system restore point.
2) Run Process Explorer (download here from Microsoft: technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
3) Find the Billgatesloh.exe process. See which directory its running out of. Write it down.
Please post back with the directory it was running out of.
As for good virus scanning programs, I run McAfee, and it works ok. It didn’t catch Koobface on the infected computer, though. Other ones that I have heard of are: AVG and Avast. I have no experience with either, but have heard that they’re good.
~Jeff
Last (for now), but not least, lets turn to Kim’s problem:
Hi Kim, thanks for posting.
First of all, if the windows directory was empty, you wouldn’t be starting your computer, and definitely not checking to see if there was anything in it. You must not be looking in the right place. I want you to do the following:
1) Open run
2) Type cmd
3) Type cd c:\windows // this assumes that your primary drive is the “c” drive (standard for most PCs)
4) Type DIR
What you most likely see is a slew of files and folders. Your Windows directory isn’t empty.
Regarding your second post, I cannot speak for the efficacy, worth, or usefulness of the scan you used. However, from what you reported, it appears that either your computer is really messed up (from more that Koobface), the scan is hyper-active, or Koobface is a lot worse than everybody is saying it is (unlikely, as surely somebody would have figured it out by now…).
However, I’m going to give you the same advice I would normally give someone in your situation. Please note that if any of the following work, you don’t need to continue following the instructions.:
1) Open command prompt (run -> type cmd)
2) Type ipconfig. You should see a slew of information. What you are looking for are numbers, such as 192.168.0.1, 255.255.255.0, as well as various other things.
3) Type ping tonysgeektips.wordpress.com. It should respond successfully. If the request times out, or you get an error, the problem is probably with your internet connection. Reset your router if you are on wireless, and check to see if other computers can use the same connection.
4) Restart the computer in safe mode (reboot, press F8 repeatedly after it begins to boot the computer. A menu will come up, select “Safe Mode”). Try to use the internet. If you can, switch back to normal mode (reboot, select normal startup if the menu reappears…no need to press F8 this time).
5) Try running Internet Explorer in No Add-ons Mode. This will run the browser in the most basic state possible. To access it, from the start menu go: All Programs -> Accessories -> System Tools -> Internet Explorer (No Add-ons). If I am not mistaken, this is the version of IE that Safe-mode uses, so that may produce results.
6) Clear your IE Temporary internet files, and cookies. From the IE menu select Tools -> Internet Options -> General tab -> Under browsing history select Delete… -> Delete the following: Temporary Internet Files, and Cookies. This may help clean up some of the residual junk that Koobface left. Please note that you should do this weekly (at least the files).
7) Empty your recycle bin…hey, it’s worth a shot 😉
Please let me know what happens!
~Jeff
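Both replies above (the one to Ryan and the one to Kim) walk through the same sequence: check ipconfig, ping a known host, and only then blame the browser. The script below is an added example, not code from the original comments, that runs that sequence as layered checks and stops at the first layer that fails, so the “connection problem” and “browser problem” cases the replies separate are told apart in one run. It assumes Windows 8 / Server 2012 or later (for `Get-NetIPConfiguration` and `Resolve-DnsName`); `$TestHost` is an assumed parameter that defaults to the host the replies ping.

```powershell
# Added example, not from the original replies: the ipconfig/ping triage as
# layered checks that stop at the first failure. Assumes Windows 8 / Server
# 2012 or later. $TestHost defaults to the host pinged in the replies.
param([string]$TestHost = 'tonysgeektips.wordpress.com')

function Test-Layer {
    param([string]$Name, [scriptblock]$Check)
    $ok = $false
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    Write-Host ('{0,-26} {1}' -f $Name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return $ok
}

# The first adapter that has a default gateway, i.e. the one ipconfig shows you.
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1

$layers = @(
    @{ Name = 'IPv4 address assigned';  Check = { $cfg -and $cfg.IPv4Address } },
    @{ Name = 'Gateway answers ping';   Check = { Test-Connection -ComputerName $cfg.IPv4DefaultGateway.NextHop -Count 1 -Quiet } },
    @{ Name = 'DNS resolves test host'; Check = { Resolve-DnsName -Name $TestHost -ErrorAction Stop } },
    @{ Name = 'Test host answers ping'; Check = { Test-Connection -ComputerName $TestHost -Count 1 -Quiet } }
)

$networkOk = $true
foreach ($layer in $layers) {
    if (-not (Test-Layer -Name $layer.Name -Check $layer.Check)) {
        $networkOk = $false
        Write-Host "Stopped at '$($layer.Name)': the connection itself is the problem (router, cable, adapter)."
        break
    }
}

if ($networkOk) {
    # Ping works, so per the replies this is a browser-side problem. The usual
    # leftover is the proxy that tinyproxy registered in WinINet.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
        Write-Host "Network is fine but WinINet still has a proxy: ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
    } else {
        Write-Host 'Network is fine and no proxy is set: look at the browser itself (No Add-ons mode, reinstall).'
    }
}
```

The order matters: a failing gateway ping with an address assigned points at the router or cable, a failing DNS step with the gateway reachable points at the connection's DNS, and a clean run through all four layers means the browser or its proxy setting is what to look at next, which is the same conclusion the replies draw from a successful ping.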
It’s me again…I was finally able to get through the entire process, but still cannot access the internet. I was advised to run a malware program and it detected 140 (yikes) infected files…BUT when the scan is complete and I click to remove the files, the computer locks up. The infected files are Trojan files (?); HKEY Registry files (?); AVRLABS (?) and more…..
Can I be helped?!
Thank you for providing the information to remove Koobface. Your instructions were easy to follow and dead on, although, I didn’t have anything relating to a “Bolivar” file. Very much appreciated!
I’m baaack! Okay, I got to step 2, typed ipconfig; the cursor moves to the next line, flashes and that’s it…5 minutes, no change. You won’t find a much more basic person than me when it comes to computer knowledge (or lack thereof) so I can’t thank you enough for attempting to help out here…I’m feeling like you hit the nail on the head with my computer being way messed up! The other computer in the house (the one I’m using now) is running fine on the internet.
Anything else I can do?
Hi Kim,
Work through the rest of the steps.
~Jeff
Thanks Jeff, as soon as I get an ip address from the router (watching the progress in the taskbar) I’m not able to run ipconfig or ping out to anywhere. In safe mode the ipconfig comes up fine. I thought he might have zlog in addition to koobface, but going through the fixes for that has also gotten me nowhere. I may have to get him to start fresh.
Thanks
Ryan
Hi Ryan,
Give safe-mode a shot, trying all the standard ipconfig, ping, IE in no add-ons mode stuff that I’ve been talking about. In addition, try pinging your router (typically 192.168.0.1). Also, double check your proxy settings again. I’m shooting in the dark here, as I don’t have the machine right in front of me.
I’m not sure about “zlog” (the real name is “zlob”, if its the one I think you’re talking about), as I’ve never gotten to play around with it. I’d like the chance (not on my machine, of course :-p ), maybe I should just open up a PC repair shop…
Anyways, back to the subject. If I were you, from what I’ve heard about your friend’s machine, it sounds like even if you are able to fix it, the machine may need a wipe anyway, for all you know he may have a gazillion (just love that number…) problems on it. To get zlob and Koobface is pretty sad, and shows signs of a lack of any security-consciousness (no offense to your friend, everyone starts somewhere 🙂 ). I wouldn’t throw the towel in just yet though…
Let me know what happens.
~Jeff
Many thanks, Jeff. Facebook has nothing helpful — they just say “use an AV program”. Norton includes koobface in its list of known viruses, but nevertheless fails to remove it.
My startup list did not include anything with “bolivar”, but it did have a “FlashUpdate” or something similar, and disabling that prevented the problem from recurring on reboot.
I am jetlagged and sleep deprived, but sent your instructions to my afflicted daughter. Worked like a charm, now I can sleep knowing her internet based business will continue. Thanks so much for your work and kindness sharing it with us!!
THANK YOU THANK YOU THANK YOU!!!!
Everything else I was able to find said “download this to fix it” – which I couldn’t do because I was on my cell phone web because *my browser was not working you morons!* How was I supposed to download a program if I couldn’t get on the internet with my computer? 😛
Anyway, my mom found these instructions for me and they were top notch!
A few things for others:
I have mcafee, and it seemed to have cleaned up a lot (but not all). I wasn’t able to find the tinyproxy in the processes at all, or anything relating to “bolivar” anything. However, I just kept going, and I DID find the tinyproxy folder, the fmark2.dat file and the f49f4d98.dat file and also another one called f49f4daa.dat.
Thank you SO much, my computer is back online and all is well! THANK GOD because I run a home business which makes photo cards and this happened right smack dab in the middle of christmas card season, I was *freaking out* and my customers have been waiting while I tried to fix this (with no way for me to contact them to let them know what is going on!!)
Thank you thank you thank you. See, people with computer knowledge like this should be using their powers for good like you do, instead of making stupid viruses that are nothing but a huge pain in the a***.
THANKS!
Jeff,
I see you’ve been busy but I’m back. I am once again being redirected on websites using IE. I ran the same google search test on Firefox v3 and it works fine. I know you said you may have some ideas?
Oh, and I re-did all your steps and nothing new found anywhere.
Just when I thought it was safe to go back into the water…
Jeff,
Some new info (as I’m still at this thing). I decided to download Malwarebytes Anti-Malware and ran it with some interesting results- here is the log:
12/10/2008 12:11:24 AM
mbam-log-2008-12-10 (00-11-24).txt
Scan type: Quick Scan
Objects scanned: 63980
Time elapsed: 9 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Not selected for removal.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Not selected for removal.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\351631\351631.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\glanyard.APPLICATIONS\results.txt (Malware.Trace) -> Quarantined and deleted successfully.
I did not remove 2 of the items found as I was not sure they are harmful…any thoughts? Trojan.BHO is a bit worrisome after reading about it.
(PS – not sure if this whole thread needs to be posted but wondering if others are still infected and don’t know it.)
Gregg
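As an added illustration (not part of the comment thread or the post's own instructions), a small Python parser for the Malwarebytes log format quoted above: it separates the detections the scan quarantined from the ones it left in place, which are exactly the two items Gregg is asking about. The sample is an excerpt of the log in the comment; the parser assumes the `<item> (<category>) -> <outcome>` line layout shown there.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes log quoted in the comment above (only the lines
# needed to show each outcome; the full log has more entries).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6a26574a-dd6d-4382-8c76-0df06c478d3a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{cf5c6a80-c938-478c-bc8b-8d7b00788154} (Rogue.Installer) -> Not selected for removal.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Not selected for removal.
Files Infected:
C:\WINDOWS\system32\351631\351631.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\bitsadmin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<category>) -> <outcome text>"
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<category>[\w.]+)\) -> (?P<outcome>.+)$")


def parse_mbam_log(text):
    """Return one dict per detected item: section, item, category, removed."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION.match(line)
        if not m or section is None:         # "(No malicious items detected)" etc.
            continue
        entries.append({
            "section": section,
            "item": m.group("item"),
            "category": m.group("category"),
            # Anything not quarantined is still present on disk or in the registry.
            "removed": m.group("outcome").endswith("Quarantined and deleted successfully."),
        })
    return entries


def pending_items(entries):
    """Detections the scan reported but did not remove: the ones to review by hand."""
    return [e for e in entries if not e["removed"]]


def count_by_category(entries):
    """How many hits per detection family, e.g. Trojan.BHO."""
    return Counter(e["category"] for e in entries)
```

For a detection left in place, the `item` field gives the exact registry path or file to inspect (creation time, publisher, what launches it) before deciding whether to remove it.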
Hello again, Gregg. Thanks for stopping by.
One thing I would do about the files you’re curious about is check to see when they were created. If they were created about the same time you got the virus, that may be a good hint.
Thanks for the tip about posting the thread. I’m definitely considering it. It’s amazing how much traffic this solution has generated for my website, I should rename my blog to “Come and get Koobface fixed here”, or something like that. :p
~Jeff
Jeff –
You are the bomb! After being infected last week w/koobface, I proceeded to my local software store & purchased upon their recommendation, Kaspersky Int Security 2009. I had always relied on AVG, Norton, Zone Alarm, just to name a few of the freebies out there. Even after Kaspersky found & deleted this worm it kept coming back, just like cancer. If I hadn’t found your information here, I would have thrown this system into the street.
I was at the end of my plug so to speak and I did not follow your directions exactly. I run Mozilla/Firefox & I did not change any proxy settings prior to doing this. I am by no means technically inclined or a computer geek, so if I can do this anyone can.
I went directly to task mgr processes & found “tinyproxy” & ended task. NOTE: even after ending & re-checking processes it kept showing up until I found the “tinyproxy” file & deleted it. I had to end the process at least 3 times before I deleted the file. I did not have any of the other .exe files or processes that are associated w/koobface listed. My start up list did not include anything with “bolivar” or any others mentioned.
After rebooting, I did get the server-proxy error. All I did was check off auto detect in options & connection was immediate.
I cross my fingers, as I can finally say good riddance to koobface!
THANK YOU!!!!!
Thanks. Your instructions totally worked. Much appreciated.
[…] a site that tells you how to fix your […]
Thanks for the info. I did everything you suggested, but I cannot delete tinyproxy. I also found a file 351631.dll which was created at the same time I downloaded the virus. I cannot delete that one either. It is located in windows/system32 in its own folder. any suggestions?
Hi Wayne,
Please respond with the error message you get when you try to delete tinyproxy or the other folder.
thanks,
~Jeff
I have a dual boot system, so my XP is infected, my Vista isn’t. Using file names you posted I found em and nuked em from Vista no probs! Just have to restart XP now and do some ‘spring cleaning’ to make sure it’s all gone. I got rid of TinyProxy and Bolivar29 AND Bolivar30 (is it normal to get 2 of em?)
Will let u guys know if the dual boot ‘Nuke the virus from the other Hard Drive’ method works 😛
Also I use Panda Internet Security, which was simply shut off by the virus.
OK, Nuking the files from Vista worked great, back into XP, got rid of Bolivar30.exe but now my IE doesn’t work, or my BT Browser (tried it as a backup). Vista works fine though, any ideas on what’s wrong and/or how to fix it?
The help so far on this site has been great! Nice one! If i had a Xmas card list u’d be on it!
Take a look at the proxy settings.
Merry Christmas,
~Jeff
Oh, sorry, forgot: following your instructions I didn’t find f49f4d98.dat, but did see f49f4daa.dat. Also created on the same date as fmark2.dat was fm123.dat, does this need to go also? (already deleted fmark2.dat)
Thank you VERY much! After spending quite a bit of frustrating time working on this, your instructions worked perfectly.
Thank you Jeff
I was prompted by a Norton scan detecting koobface.
I followed all your steps and I only found the fmark2.dat file, no bolivar exe etc but it was enough to prevent the Norton scan saying I had koobface. My AVG Security V8 hadn’t detected anything but I wonder who was right?
Best wishes
[…] a client, your great-grandma, or your dog have been infected, you might want to take a look at the fix I posted back on December 4 the last time it broke out like this. As always, the contributors here […]
hey,
thanks for your great site and information.
I’m using Firefox and Windows XP.
I’ve tried to follow all your procedures but I still have problems with this thing! Some operations didn’t work or were done in other ways (for finding or deleting for instance..). I think now to end it I have to locate the dll files but I don’t know how…
hope you would have time to answer me…
thank you
Hello,
Thank you for contacting Tony’s Geek Tips.
Before I begin providing my opinion on how you might try to fix this problem, let me mention that this post was for an older version of the virus, which, although more than likely quite similar, will probably have differences. I’m more than happy to help you, of course. That’s why we’re here.
After reviewing the information you provided, there are a few more questions I would like to ask (most of which I covered in my post). At that point, I will offer my suggestions.
1. What are your specific symptoms?
2. Are there any processes running in your system that look like they may be related (e.g. bolivar28.exe, tinyproxy.exe, etc.)?
3. Are there any startup items that look like they may be related (e.g. bolivar28)?
4. In your windows directory, as well as your windows\system32 directory, are there any .dll or .exe files that look like they have something to do with it (look in my post for examples)?
5. Is your browser configured to use a proxy (other than normal, if you normally use one – see post for details)?
6. Have you cleared your temporary internet files, cookies, cache, etc.?
This information will provide useful information to aid in solving your problems. Please do not publicly post information that could personally identify you, your computer’s information, etc (I know, yada yada legal stuff…).
Thanks,
Jack
Hello Jack- I hope you can help me. About a week ago my PC-cillin quarantined a koobface virus (and a few since then). For the past week I have been getting redirected on my google searches, and have a ton of pop-ups all day long- the most annoying being an apparent free virus scan from Norton 360.
I have unchecked “use a proxy server” under tools, but I do not see tinyproxy or bolivar running in my task manager or anything that looks like it except for tmproxy which I think is part of PC-cillin. I have emptied my temporary files.
please help me! thanks for your time
Hi Bert,
Sorry about the delay in responding to you. I missed your comment. Please let me know if you are still having problems and I will be happy to assist you.
Jack
Hi Jack,
I got a Facebook email saying check ‘d*****.*e’. I have got several of these messages and have worked out that when you go on them, it looks like Facebook but is actually a phishing website that steals your password. They have been on my account and sent email to all of my friends saying look at d*****.*e
Is there any chance that I could have got Koobface or anything similar in this process. Some of the other sites are:
p***b***.*e
d***s***.*e
r**b***y.*e
Thanks a lot
Charlie
Hi Charlie,
Thanks for contacting Tony’s Geek Tips.
I’ve got a friend who had this same thing happen to her. I think that this wave was simply a phishing scam, but obviously could have more to it. As far as I know, she changed her FB password and was fine. I haven’t asked her about it for a few weeks, however.
Here is my opinion of your situation. As long as you didn’t download anything, you should be safe on the virus side. There is always the risk that something could have forced itself onto your computer however, so I suggest going through your system processes to check for anything fishy (google is your friend). Also, there might have been a browser cookie added to your browser. Also, run a good anti-virus software as well as Spybot S&D.
It should go without saying that you need to change your Facebook password, clear everything in your browser (cookies, cache, temporary internet files, etc.), etc. The more you clean, the better. Also, I would suggest that you change all of your passwords (on a different computer perhaps?), as who knows what sort of browser cookie was put on your system.
Please understand that what we offer on Tony’s Geek Tips is only our opinion. What you do with your computer is always your choice, and we cannot be held liable for any damages caused by following our suggestions.
I hope that this helps!
God Bless,
Jack Chapa
tonysgeektips.com
Check us out on Twitter and Facebook!
Hi there,
Not too sure if anyone will reply to this but I’m hoping for the best. I had a look at the step by step removal for the virus but there was one problem: I didn’t have any of the files or processes you told us to delete.
Which you would think means my computer is virus free, well it’s not. All I can say is that I know I got it from Facebook, it was a link in a message and once I clicked it, it was too late. I didn’t download any flash player update or anything, my computer was just infected from then on.
That was last week. I have done 9 virus scans with different programs (AVG, McAfee, Avast, Malwarebytes and Ad-Aware) and none of them find anything.
Does anyone know if this is a new virus or what?
It still seems to work like a worm, because it is using all the CPU and freezing, and once it then shuts itself down and I try to turn it on again it doesn’t BOOT like normal. Something is happening, I don’t know what, and I have to kill the power and turn it on again for Windows to load.
I have no idea what to do, so any help will be great
thanks
Leo
Hi Leo,
Thanks for contacting Tony’s Geek Tips. I’d like to personally invite you to visit our brand new website, tonysgeektips.com. This is now our primary website, and is where we spend most of our time monitoring and posting. I’m glad I checked this site tonight, though, and I’ll see if I have some ideas that may be able to help you. For the remainder of this troubleshooting conversation, however, feel free to continue using this page.
Before I begin, let me explain that everything that I say is only my opinion, and I (and anyone affiliated with me and/or Tony’s Geek Tips) cannot be held liable for any damages, problems, or otherwise. I will do my best to help you, however.
Please be aware that this article is for a version of the Koobface virus that was initially discovered in December of last year. Since then, there have been other viruses that have spread via Facebook, so what I write about in this article may or may not be the type and/or version of the virus/problem that you have.
From what you described, it definitely sounds like you have something on your computer that is slowing it down. I would strongly recommend backing up all of your data before doing anything, as in your troubleshooting efforts, or through the virus, you may lose some or all of your data. After that, the first thing that I would suggest you do in your situation is run Spybot S&D. You may have already run this, as you mentioned that you have already run a good deal of security software.
Let me know what it turns up, or if you have already run anything like it. Also, please provide me with any other symptoms that you may have (apart from slowing and/or freezing).
If you need to contact me directly, you may do so at jack@tonysgeektips.com.
Thanks,
Jack
I think I got the Koobface virus. I was thinking about backing up all my files, and then reformatting the computer. I don’t have much on my laptop, just a few pics and a few files here and there.
I wanted to reformat my computer anyway. So would reformatting fix my problem?
thanks
[…] Did some googling. Looks like it could possibly be the Koobface virus. Here is the link. Update on Koobface Virus Tony’s Geek Tips […]
It didn’t work. I don’t have any of those – Tinyproxy/bolivar/fmark, etc.
I may be doomed 😦
Can you help?
Hello,
My computer has been infected with Koobface. However, I tried to look for tinyproxy.exe after clicking the Process tab after pressing Ctrl+Alt+Delete. Are there any other .exe to remove that are related to Koobface??
Regards,
Selina