Win32/koobface.gen-Bad Bug-Voila! Problem fixed.

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
I've got it good now. First I kept getting these anti-virus solicitations, then all my Google searches were redirected, then pages began to open at a snail's pace. Now I cannot even get on the internet although my Outlook Express still works.

After the internet would not hook up, I downloaded FireFox on a thumb drive, on another computer, then ran it on the affected one. It will not access the internet either.

I ran MS OneCare and it identified a problem but did not remedy it. Malwarebytes would always find a few things but not get to the root. TrendMicro would not run as it could not 'transfer' data. I tried various other recommendations to no avail. I finally updated Malwarebytes and it seems to have found something substantial. When I rebooted, that is when I lost the internet connection. MS blames it on my firewall which is turned off.

I went to System Restore (never really looked at it b4) it is set to maximum megabytes but only had one restore point which was yesterday. I tried that restore as I had internet yesterday, even though I was obviously afflicted. Yesterday's restore point did nothing. I then undid it.

I am now typing from my poor old overloaded PII 400.

Any help would be appreciated as I have online payments (as well as other activities) that I need to do from the affected computer.
 

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
Re: Win32/koobface.gen-Bad Bug

Thanks Bob. I downloaded the detection .exe to my external hard drive, then transferred it to the affected computer (which works in all respects, except internet) and tried to install it. I get a message which says that the .exe program is not a valid win32 application.

I would try to run it, for test purposes, on my old standby computer that I am using, but it is totally out of hard drive space.
 

jjacobs007

Lieutenant
Joined
Mar 10, 2009
Messages
1,257
Re: Win32/koobface.gen-Bad Bug

win32 sucks, don't even look at them. Norton AntiVirus should help u out.
 

Bob_VT

Moderator & Unofficial iBoats Historian
Staff member
Joined
May 19, 2001
Messages
26,066
Re: Win32/koobface.gen-Bad Bug

Well the best part of that link is the set of manual removal instructions...... it's not for a beginner and if you have a local friend who is comfortable doing a "manual" removal....it may be the best answer.
 

The_Kid

Chief Petty Officer
Joined
Apr 18, 2008
Messages
447
Re: Win32/koobface.gen-Bad Bug

Here's a shortened version of the manual removal that may get you up and running.

1 - Kill these processes with task manager:
fbtre6.exe
mstre6.exe

2 - Delete these registry values: Start, Run, type regedit.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

3 - Delete these files:
C:\Windows\fbtre6.exe
C:\Windows\fmark2.dat
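
A read-only way to check for the process names, Run-key value and files listed in the post above before killing or deleting anything. This is an added example, not part of the original post; every name and path in it is taken from that post, and the `Navigating` key is not checked because the post gives only a key with no value to compare against.

```powershell
# Added example: read-only check for the indicators named in the post above.
# It reports what it finds and changes nothing (no kill, no delete).

$procNames  = 'fbtre6', 'mstre6'     # step 1 process names, without .exe
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue   = 'systray'              # step 2 value name
$badTargets = 'c:\windows\mstre6.exe', 'c:\windows\fbtre6.exe'
$files      = 'C:\Windows\fbtre6.exe', 'C:\Windows\fmark2.dat'   # step 3

$findings = @()

# Step 1: are the named processes running?
foreach ($p in @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $findings += "Process running: $($p.Name) (PID $($p.Id))"
}

# Step 2: does the Run key hold a 'systray' value pointing at either file?
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties[$runValue]) {
    $data = ([string]$props.$runValue).Trim().Trim('"')
    if ($badTargets -contains $data) {          # -contains ignores case
        $findings += "Run value '$runValue' launches $data"
    } else {
        # Same value name, different target: shown for manual review only.
        $findings += "Run value '$runValue' exists with other data: $data"
    }
}

# Step 3: are the files on disk? -Force makes Get-Item return hidden and
# system files, which the thread notes a normal search may miss.
foreach ($f in $files) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "File present: $($item.FullName) [$($item.Attributes)]"
    }
}

if ($findings.Count -eq 0) {
    'None of the listed indicators were found.'
} else {
    $findings
}
```

On 64-bit Windows, a 32-bit program's writes to this Run key are redirected to `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run`, so point `$runKey` at that path for a second pass.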
 

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
Re: Win32/koobface.gen-Bad Bug

Don't have any of those .exe's or .dat files, TK, at least none that a search found.

Maybe the updated Malwarebytes scan got rid of them but it was after that that I lost the internet connection. As I stated, I can still use Outlook Express but IE Explorer draws a 'cannot connect' or website unavailable message.

Are there any settings I can check to remedy that? As I mentioned when I get the cannot connect message and check the connection diagnosis, it blames it on firewall settings and it is not even turned on.

Also, any idea why I would only have one Restore Date? And that date was just one day before I lost the internet. I thought Restore gave you a string of dates going back, at least, a few days.
 

tx1961whaler

Vice Admiral
Joined
May 31, 2008
Messages
5,197
Re: Win32/koobface.gen-Bad Bug

Just went through a virus problem yesterday. Problem was, AVG nor McAfee could find it. This was even with a boot CD. Whatever it was blocked any attempt to go to any security sites. Clever beast.
Luckily I run full Ghost backups M-W-F. Restored back to Friday, and was good to go! Still took hours to run scans, chkdsk, etc prior to restoring.
 

Bob_VT

Moderator & Unofficial iBoats Historian
Staff member
Joined
May 19, 2001
Messages
26,066
Re: Win32/koobface.gen-Bad Bug

> Don't have any of those .exe's or .dat files, TK, at least none that a search found.
>
> Maybe the updated Malwarebytes scan got rid of them but it was after that that I lost the internet connection. As I stated, I can still use Outlook Express but IE Explorer draws a 'cannot connect' or website unavailable message.
>
> Are there any settings I can check to remedy that? As I mentioned when I get the cannot connect message and check the connection diagnosis, it blames it on firewall settings and it is not even turned on.
>
> Also, any idea why I would only have one Restore Date? And that date was just one day before I lost the internet. I thought Restore gave you a string of dates going back, at least, a few days.

Last time I did a big repair for a friend..... most of the files were hidden and I had to re-search the system and made sure it showed hidden files. The idiots who designed these virus programs tend to be very sneaky.
 

MrBigStuff

Chief Petty Officer
Joined
Aug 7, 2004
Messages
497
Re: Win32/koobface.gen-Bad Bug

> Just went through a virus problem yesterday. Problem was, AVG nor McAfee could find it. This was even with a boot CD. Whatever it was blocked any attempt to go to any security sites. Clever beast.
> Luckily I run full Ghost backups M-W-F. Restored back to Friday, and was good to go! Still took hours to run scans, chkdsk, etc prior to restoring.

That sounds exactly like the description of Conficker.
 

v1_0

Chief Petty Officer
Joined
Aug 27, 2007
Messages
575
Re: Win32/koobface.gen-Bad Bug

Try downloading hijack this from either spywarewarrior.com or from your favorite download site. Scan the afflicted computer, transfer to your good one, then upload to the spywarewarrior forums. Usually someone will respond and walk you through the fix. They may even have some sticky post or so that walks you through it.

You could also go to sysinternals.com - there are a bunch of utilities that you can use to poke around your system. Some will allow you to see and kill processes that are running (and trace them to their executables), some will show you what starts up automatically on your system. There are delete utilities for 'in use' files (locks them from a normal delete) that delete the file on startup. There is a rootkit detector.

I haven't had the pleasure of this bug - so have no hands-on experience with it, but those are the things I would start with.

Somewhere out there, there is a "ip stack" fix that might fix your problem. It's possible that the koobface mucked up your ip stack....

-V
 

The_Kid

Chief Petty Officer
Joined
Apr 18, 2008
Messages
447
Re: Win32/koobface.gen-Bad Bug

Search may not find them if they are hidden, or in system folders. Open My Computer. Click Tools, and select Folder options. On the View tab select Show hidden files and folders and just below that un-check Hide Protected operating system files. Click OK at the warning. Do another search but make sure that under More Advanced options in search the top 3 options are checked.

You may be able to get IE running by resetting it back to the factory defaults. In IE pick Tools then Internet Options, or you can get to Internet Options through Control Panel. At the bottom of the Advanced tab is a reset button. It will remove all cookies, cache files, any add-ins like browser helper objects, and ActiveX apps.

I don't know why there is only one system restore, unless it wasn't turned on until the other day. Some repair utilities will enable it so there's a restore point prior to trying to fix problems.
 

v1_0

Chief Petty Officer
Joined
Aug 27, 2007
Messages
575
Re: Win32/koobface.gen-Bad Bug

> Just went through a virus problem yesterday. Problem was, AVG nor McAfee could find it.

The issue is that virus scans aren't *preventative*. They lag behind the virus! The lifecycle is: someone puts out a 'new' virus/malware. New is relative - most often it is just a rewrite on some existing bug. There are few people that go through the effort to find a new exploit/way of spreading/hiding the bug. Since virus scanners are signature based - that is they look for patterns (rather than behaviors) - if you change the signature of an existing virus it will not be detected.

After a while the 'new' virus is noticed and reported. The virus scanner people also drive around and try to catch viruses on their own. Once a new virus is sampled - the virus detection people reverse engineer the virus to figure out its 'signature'. They package that into the virus data file that downloads as an updated virus definition - now the virus scanner on your PC recognizes the virus.

There's the old 'shield and sword' conflict going on. Viruses are getting more complex - adding techniques to disguise their 'signatures', so the lag time between being 'discovered' and 'getting into a virus definition file' is increasing. The malware people are also actively trying to prevent updates of virus definition files, prevent downloading of 'fix' programs, etc.

-V
 

Bart Sr.

Lieutenant Commander
Joined
Jul 26, 2002
Messages
1,603
Re: Win32/koobface.gen-Bad Bug

The reason you have no other restore points is the virus overrode them so you can't fix it so easily.
 

tx1961whaler

Vice Admiral
Joined
May 31, 2008
Messages
5,197
Re: Win32/koobface.gen-Bad Bug

> That sounds exactly like the description of Conficker.

That's what I thought, too. But I have had the MS patch that Conficker A-E were exploiting since it came out. Also AVG and McAfee both claim to remove it. No luck with either one. Might be a new variant. Anyway, all is well now, since I'm paranoid about doing backups.
 

WizeOne

Commander
Joined
Mar 23, 2008
Messages
2,097
Re: Win32/koobface.gen-Bad Bug

The problem is resolved. I am online and back up to normal page load speeds. Thanks for all the suggestions and support. In the end I took TK's advice and reset IE to its defaults. That's what got me back on the internet via IE Explorer. My recently downloaded FireFox still would not hook up so I blew it out. I will try to re-install it so I have it as a standby.

In the end, I think it was running the updated Malwarebytes that got rid of the problem. It's been a trusty tool.
 

v1_0

Chief Petty Officer
Joined
Aug 27, 2007
Messages
575
Re: Win32/koobface.gen-Bad Bug

> In the end, I think it was running the updated Malwarebytes that got rid of the problem. It's been a trusty tool.

Yup, I've added this to my list of "must have's". It used to be that spybot & adaware covered it all. Now I've got the malwarebytes, rootkit detector (sysinternals.com), and hijack this in the 'standard package'.

Round that out with AVG, Comodo, and SpywareBlaster for standard scans - and the entire sysinternals package for when I feel I need to poke about.

-V
 

The_Kid

Chief Petty Officer
Joined
Apr 18, 2008
Messages
447
Re: Win32/koobface.gen-Bad Bug-Voila! Problem fixed.

WizeOne, glad you're up and running again!!!!

I support about 125 PC's and 8 servers at work, so I run into problems fairly often. The worst one I had took two full days to fix. Nothing would get rid of the Trojans. I ended up having to boot off of a USB flash drive and delete them at a DOS level.
 

dolluper

Captain
Joined
Jul 19, 2004
Messages
3,904
Re: Win32/koobface.gen-Bad Bug-Voila! Problem fixed.

Glad you fixed her ...ifin I was here sooner this would have helped.....good thing to run this scanner it leaves a report and quick link on your desktop .....so you can always run it in safe mode F8 with networking option link below
conficker will be removed with this and free ....takes 30 seconds
http://qscan.bitdefender.com/
 