To read this article on our new website, please go to http://tonysgeektips.com/?p=227
And you thought it was over!
As it turns out, this virus does, as I suspected, infect your system!
You may have noticed slower browsing, Google search redirects, etc. Well, you have Koobface to thank for that. When you installed that “flash_update.exe” (or equivalent, see previous post) file, it opened up a whole can of worms (pun intended) for your system.
Never fear though, I will walk you through eliminating the Koobface (and company…) virus from your system. I spent many hours today poring over forums, my mom’s own infected system, and the realm of my own knowledge (a scary place!), and I was able to discover the answer.
It turns out that this isn’t the first time this virus has come up. It has made several appearances over its history, in a slightly different form every time. As you can imagine, this made it difficult for me to find relevant information!
In the end though, I was able to come up with a solution. Basically, what the virus does is install a bunch of files onto your computer. Amongst these files is a proxy (named tinyproxy). For the uninitiated, a proxy manages your connectivity to the internet…are we seeing a potential problem here?
In addition to that, it sticks a few .BAT files into your %system% folder (usually “
But wait, there’s more! In older strains of the virus, this would have been enough to solve the problem. But in this new strain, the “developers” (if we can even call them that, I prefer “black-hats”) got smarter. They went and created a startup service as well (named something like Bolivar28…the number might be slightly different on yours)! This service reinstalls the virus on boot-up after you delete it! Smart, but I’m smarter.
Ok, so how do you solve the problem? I will be happy to provide the solution for only 3 easy payments of…ok, I won’t go there :P
Alright, here we go:
- First of all, make sure you’re an administrator. If you’re not sure whether you are, go to Users. Make sure your user is listed as an administrator. If your PC has only one user, or you are on the primary account, you more than likely have administrator privileges.
- Now, set a system restore point just in case everything goes south (it could happen). Note, don’t actually do a system restore, just set a restore point.
- Next you are going to want to configure your proxy settings. This will stop tinyproxy from managing your internet access, at least until you reboot…we’ll fix that in a minute. Here are instructions for both Internet Explorer and Firefox:
IE: From the menu select Internet Options -> “Connections” tab -> LAN Settings -> Uncheck “Use a proxy server”, or reconfigure your proxy settings if you were using one previously (not standard for home networks).
Firefox: From the menu select Advanced tab -> Network tab -> Settings under “Connection” -> Select “No Proxy”, or, if you were using a proxy previously, reconfigure your settings to how you had them previously.
- Next, we are going to start attacking the virus itself. First of all, we are going to stop it from running, and prevent it from restarting on boot-up. Here’s how to do it:
- Open up Windows Task Manager (
- Go to the
- Right click on the process named “tinyproxy.exe” and select “
- Windows will yell at you; end the process anyway. (When ending processes, make sure you know what you’re doing: you could accidentally end a needed one. This one, however, we need to kill.)
- Close task manager (Click on the “x” in the upper right…ok, that was lame :P)
To stop the startup service:
- run (Windows key + R…the Windows key is the one next to Alt in the bottom left of the keyboard)
- Go to the “
- Find and uncheck “Bolivar28”. Again, the number after “Bolivar” might be different, but everything I saw was in the 20s (like 24, 26, 28, etc.).
- Click “Ok”. Again, Windows will scream at you, but that’s all right. Just make sure you select “Restart Later” (or equivalent), from the dialog. We’re not done yet!
- Still with me? The next thing we’re going to do is delete the virus itself (yay!).
To delete the virus:
- Go to the program files directory (usually
- Look for the “
- Delete it (right click, select Delete). (This is why we had to stop the process earlier…otherwise you wouldn’t be able to delete the folder…and the evil therein…muahaha)
- I don’t know much about this, but I have also heard that there might be another directory named “ProtectService”. From what I’ve heard, you should also delete that one. I didn’t have that directory, however.
- Ok, that took out tinyproxy, but there are still a few files in your Windows directory that it would be prudent to delete:
- Go to your Windows directory (usually “
- From the menu select “
- Select “
- Select the “
- Under “Hidden files and folders”, select “Show hidden files and folders”
- Uncheck “Hide protected operating system files”. Windows will yell at you, I know. You should set it back to normal later :p
- Click OK
- Scroll down, look for, and delete files with the following names:
kenny**.exe (didn’t have the last one, but other places said it wasn’t good…)
- Reboot. That should do it. If, upon rebooting, you get an “error message” saying “Error installing flash update. Please contact support”, you’re not done yet! Either you have a new/different strain of the virus than I did, or you didn’t follow all my instructions correctly.
- Upon rebooting, you more than likely will have to fix your proxy settings again. Not sure why, but I did.
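If you would rather check a machine for the signs described in the steps above than click through every dialog, here is a PowerShell audit script. It is an added example, not part of the original post: it reads the per-user proxy setting that Internet Explorer uses, looks for a running tinyproxy process, lists startup entries and services whose name starts with Bolivar (the same list msconfig’s Startup tab shows), and finds kenny*.exe files in the Windows directory. The registry path and the Bolivar*/kenny* wildcard patterns are assumptions generalized from the post, and the script only reports what it finds; the one function that changes anything, Reset-UserProxy, touches only the proxy setting and supports -WhatIf so you can preview it.

```powershell
# Added example: audit a Windows machine for the Koobface indicators described in the post.
# Reports findings; deletes nothing. Reset-UserProxy changes only the per-user proxy setting
# and supports -WhatIf. The names and patterns below (tinyproxy, Bolivar<NN>, kenny*.exe) are
# assumptions taken from the post, not an authoritative signature.

function Get-UserProxySetting {
    # Internet Explorer and other WinINet-based programs read the per-user proxy from this key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable = [int]($p.ProxyEnable)
        ProxyServer = [string]($p.ProxyServer)
    }
}

function Test-KoobfaceIndicators {
    [CmdletBinding()]
    param(
        [string]$WindowsDir     = $env:SystemRoot,
        [string[]]$ProcessNames = @('tinyproxy'),
        [string]$StartupPattern = 'Bolivar*',   # assumption: Bolivar24/26/28 seen in the post
        [string]$FilePattern    = 'kenny*.exe'  # assumption: the one dropped-file name that survived
    )
    $findings = @()

    # 1. Proxy hijack: a proxy enabled in the user's settings is how tinyproxy gets into the path.
    $proxy = Get-UserProxySetting
    if ($proxy.ProxyEnable -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Proxy'; Detail = "ProxyEnable=1, ProxyServer=$($proxy.ProxyServer)" }
    }

    # 2. The proxy process itself (the one the post kills in Task Manager).
    foreach ($name in $ProcessNames) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'Process'; Detail = "$($_.ProcessName) (PID $($_.Id)) $($_.Path)" }
        }
    }

    # 3. Persistence: Run-key and startup-folder entries (what msconfig's Startup tab shows), plus services.
    Get-CimInstance -ClassName Win32_StartupCommand -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $StartupPattern -or $_.Command -like '*tinyproxy*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'Startup'; Detail = "$($_.Name): $($_.Command) [$($_.Location)]" }
        }
    Get-Service -Name $StartupPattern -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Service'; Detail = "$($_.Name) ($($_.Status))" }
    }

    # 4. Dropped files in the Windows directory; -Force includes hidden and system files,
    #    so you do not need to change the Folder Options the post walks through.
    Get-ChildItem -Path $WindowsDir -Filter $FilePattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $_.FullName }
    }

    return $findings
}

function Reset-UserProxy {
    # Equivalent of unchecking "Use a proxy server" in Internet Options; run again after the reboot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($PSCmdlet.ShouldProcess($key, 'Set ProxyEnable=0 and remove ProxyServer')) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
    }
}

# Usage: run from an administrator PowerShell so services and protected files are visible.
$results = Test-KoobfaceIndicators
if ($results.Count -eq 0) { Write-Host 'No indicators found.' } else { $results | Format-Table -AutoSize }
# Reset-UserProxy -WhatIf    # preview the change; drop -WhatIf to actually clear the proxy
```

Running this once before the cleanup gives you a list of what is on the machine, and running it again after the reboot tells you whether the startup entry came back, which is exactly the case the post warns about.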
Well, there you have it. This worked for me, I hope it works for you.
Please feel free to comment with any questions.
What would an article be without a disclaimer?: