
Cannot get rid of koobface

Created: 27 Jul 2009 • Updated: 21 May 2010 | 10 comments

Hello all,
I've been trying for days, to no avail, to get rid of the Koobface virus on my computer. I've run Symantec several times; sometimes it comes up clean, sometimes it finds the bugs, but never has it found what keeps downloading it back onto my computer.

I've run Symantec several times. Sometimes it finds the virus and its other processes and sometimes it doesn't. I thought I got rid of everything on my computer when I shut it down a few days ago, but when I started it up this morning it was back. I've once again run Symantec and deleted everything I could, but I think my antivirus is missing something. I believe there is a file on my computer that goes undetected and keeps re-downloading this virus. Can someone please help? Idk what to do anymore :(


Beppe

Hi,

Which one of these risks do you have?

HTTP W32 Koobface File Download
HTTP W32 Koobface Activity
W32.Koobface.B
W32.Koobface.A

Check it in your security and risk logs.

Regards,

Giuseppe

kavin

I would suggest you call support, run the ESUG load point tool, and they will help you submit some suspected files.

P_K_

Please try to follow the instructions given below:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Abhishek Pradhan

Run the Trend Micro HijackThis tool to find out which BHOs (Browser Helper Objects) are still being loaded by the threat. Once those have been identified, use the HijackThis console to remove them completely.

ESUG will only help to identify standard locations where the files are loaded, and not ALL the new places where such nasty stuff loads itself apart from the standard load points.

HTH

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

ben_cSEPticons_secured

Update the virus definition file, then run a full scan in Safe Mode.

ben_cSEPticons_secured

Also try removing your browser add-ons, and clear temp files, cookies and history from Tools > Internet Options.

Remove any unknown startup programs using msconfig: click Start, then Run, type the command MSCONFIG, and go to the Startup tab.
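The load-point hunt that Abhishek and ben_c describe (BHOs plus the standard startup locations), done from a PowerShell prompt rather than through HijackThis or msconfig, as an added example that is not part of this thread or of any Symantec tool. It assumes a Windows host with PowerShell available; the registry paths are the standard Windows autostart and Browser Helper Object locations. The script only lists entries and checks whether each BHO's DLL carries a valid Authenticode signature; it deletes nothing.

```powershell
# Added example, not from the thread: enumerate the usual Windows load points
# so the file that keeps re-downloading the worm can be located by hand.
# Assumes PowerShell on a Windows host. Read-only: nothing is removed here.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Run / RunOnce values: name -> command line launched at logon
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSChildName/... metadata PowerShell adds to the object
        if ($p.Name -notlike 'PS*') {
            Write-Host ("  {0,-30} {1}" -f $p.Name, $p.Value)
        }
    }
}

# Winlogon Shell/Userinit: a common place for malware to chain itself in
# before the desktop appears. Normal values are explorer.exe and userinit.exe.
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Host "== Winlogon Shell   : $($winlogon.Shell)"
Write-Host "== Winlogon Userinit: $($winlogon.Userinit)"

# Browser Helper Objects: each subkey name is a CLSID; the DLL path lives under
# HKCR\CLSID\<clsid>\InprocServer32. Unsigned DLLs in odd directories stand out.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    Write-Host "== $bhoKey"
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = '<no InprocServer32>'
        $status = 'n/a'
        if (Test-Path $server) {
            $dll = (Get-ItemProperty $server).'(default)'
            # Paths are often stored with %SystemRoot%-style variables
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (Test-Path $dll) {
                $status = (Get-AuthenticodeSignature $dll).Status
            }
        }
        Write-Host ("  {0}  {1}  [{2}]" -f $clsid, $dll, $status)
    }
}

# Per-user Startup folder and scheduled tasks are load points msconfig
# only partly shows; list both.
Write-Host "== Startup folder"
Get-ChildItem ([Environment]::GetFolderPath('Startup')) -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "  $($_.FullName)" }
Write-Host "== Scheduled tasks"
schtasks /query /fo LIST
```

Anything in Run/RunOnce or the BHO list that points at a randomly named file under a user's temp or profile directory, or a DLL whose signature status is not Valid, is the kind of entry worth submitting to support before deleting it. The script covers the common locations only; for a fuller picture of load points, Sysinternals Autoruns enumerates many more.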

Thomas K

@Scala, can you give us an update on your issue?

Are you finding W32.Koobface.C on your system?

See removal instructions -
http://www.symantec.com/security_response/writeup....

Thanks,
Thomas

slug64

I have exactly the same problem as Scala, but I am finding your answers a bit too technical for me. Windows told me that it is Net-Worm.Win32.Koobface.bjo?

Please help!
Rachel

Grant_Hall

Hi Rachel,

It would probably be best if you made your own thread for this. That way you are able to post screenshots, log files and things of that nature. Only the thread owner can do this, and only the thread owner can mark the answer solved. If you don't own the thread you can't give the points back to the people that helped you. But regardless, I will try to shed a little light on this.

1. Was it a Symantec product that located this virus?
The reason I ask this is because our naming convention for this virus is a little different from what you posted. It looks more like Kaspersky's, which calls them something like this: Net-Worm.Win32.Koobface.b [Kaspersky]. Personally I don't care what product you are using, I will try to help you regardless, but if it is not a Symantec product then I am afraid our answers to your questions might be confusing, considering you are not using our product. But maybe I am wrong and we switched our naming convention.

2. Second a little history on this virus
This virus is one that attacks social networking sites. Even the name itself is a switch-around of the word FACEBOOK, which becomes KOOBFACE. Currently it is making its way through Twitter. What it does is hijack your Twitter profile and use it to spread malware to your followers or friends. In reality it is relatively harmless and just malware. The most I have ever heard of it doing is posting tiny URLs on your friends' pages linking to erotic sites or illegal software, etc. Regardless, you should still get rid of this as soon as possible.

3. How to get rid of it.
Well, if you are running a Symantec product then these are the usual steps to follow. First boot your computer in Safe Mode. Usually this can be done by pressing F8 right when you start your computer up. Make sure System Restore is off and run a full system scan. It should tell you whether it was deleted or quarantined or something else. Try this and report back to let us know how it goes. If it doesn't find anything or can't get rid of it, we can suggest other options.

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

Thomas K

@slug64, try to remove it using these instructions.

http://www.symantec.com/security_response/writeup....

You may also find this KB helpful.

The 5 Steps of Virus Troubleshooting - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007011014341948

Thomas