Thursday, November 11, 2010

Exterminating the Koobface Worm


Watch out for a fresh round of the Koobface worm on Facebook. You'll get a message from someone you trust that offers a link to a youtube video. It sends you to a fake youtube site.

A popup opens saying you need the latest version of Flash Player to play the video. DO NOT CLICK ON THE FAKE FLASH PLAYER LINK.

Leave it alone and you won't get infected.  If you did click on the fake Flash Player link, you have the Koobface worm.  Here's how I cleaned it off my computer.  You can also watch a Youtube video that tells how to get rid of it.  I got it done quickly before it brutalized my system, so all I had to do was run Malwarebytes Anti-Malware software.  If you have had it for a while, watch the video for some extra steps you might need to take.

I cleaned it off my computer within hours. If it stays any time at all, it will harvest your name and some private info. If it stays long enough it will harvest your passwords and send them to the hacker.

Here's what I did. 

  1. Go to  and download the TDSS Rootkit removal tool.  It comes as a zip file.  Save it on your desktop.  Extract the file to your desktop.  Don't put the TDSS Killer program in a folder on the desktop.  Just extract it to the desktop. 
  2. Run the tool, clean and repair following the prompts and then restart the computer.
  3. Go to and download the Norman Malware Cleaner and place it on your desktop.
  4. Run Norman Malware Cleaner and clean any installed malware from your computer.  Follow the cleaning prompts and then reboot your computer.
  5. Go to 
  6. Download the Malwarebytes Anti-Malware program (it's free). 
  7. Install Anti-Malware, check for and download the latest updates and run the full scan. It will take a while. When it's done it will list the infected files. 
  8. Leave the boxes checked and click on the repair link. 
  9. Now go away for 15-20 minutes (don't mess with it). The program may appear to freeze. Just cut off the power and reboot when you come back. 
  10. Rerun the Anti-Malware software. A scan should show you free of the worm. Check the last log file and it will show what was found and deleted.
  11. First time you open your Firefox browser, don't go anywhere.  Click on Tools > Options > Advanced > Network > Settings.  Then change the settings to "No Proxy" and you should be okay. This worm hijacks the proxy settings on your computer.  If you don't do this, it will still redirect you to a bogus website and make your life miserable.
  12. The first time you open your I.E. browser, click on Tools > Internet Options > Connections > LAN settings.  Uncheck the "Proxy Server" option and check "Automatically detect settings".  I had to close I.E. the first time because it wouldn't let me select Internet Options, but the second time I opened it, I was able to fix it.  Don't know why - possibly because I hadn't used IE since I contracted the Koobface worm.  (Doesn't that sound just like something you'd pick up on a trip to a bordertown restaurant?) 
Anyway, this ought to get you back up and running and keep your system clean. 
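Steps 11 and 12 are the ones people forget, and they are easy to check without clicking through browser menus. The script below is an added example, not part of the original post or of any of the tools it names: it reads a copy of Firefox's prefs.js and a `reg export` of the WinINET "Internet Settings" key (the same values the IE LAN settings dialog edits), reports any proxy or auto-config script that is switched on, and prints the "no proxy" settings that match what the post tells you to select. The sample inputs are constructed to look like a hijacked machine; the host, port and PAC URL in them are made up for the example. It only reads; it changes nothing on its own.

```python
"""Spot a hijacked browser proxy in Firefox prefs.js and in the IE/WinINET
registry key, then show the clean "no proxy" settings.

Added example for this post; not code from the original or from any tool.
"""
import re

# Meaning of Firefox's network.proxy.type integer (Firefox's own semantics).
FIREFOX_PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC script",
                       4: "auto-detect", 5: "system"}

# user_pref("name", value);  -- one preference per line in prefs.js / user.js
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# "Name"=dword:00000001   or   "Name"="string"   -- value lines of a .reg export
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"(?:[^"\\]|\\.)*")\s*$')


def parse_prefs_js(text):
    """Return {pref_name: value} from Firefox prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def firefox_proxy_findings(prefs):
    """Proxy settings worth a second look; an empty list means 'No Proxy'."""
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:  # manual proxy: report every protocol that has a host
        for proto in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{proto}")
            if host:
                port = prefs.get(f"network.proxy.{proto}_port", "?")
                findings.append(f"Firefox manual {proto} proxy -> {host}:{port}")
    elif ptype == 2:  # PAC script: the script decides where traffic goes
        url = prefs.get("network.proxy.autoconfig_url", "?")
        findings.append(f"Firefox PAC script -> {url}")
    return findings


def parse_reg_export(text):
    """Return {value_name: value} from a `reg export` (.reg) of one key.
    Note: real reg export files are UTF-16; open them with encoding='utf-16'."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        else:
            values[name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return values


def ie_proxy_findings(values):
    """Same check for the IE/WinINET 'Internet Settings' values."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append(f"IE/WinINET proxy enabled -> {values['ProxyServer']}")
    if values.get("AutoConfigURL"):
        findings.append(f"IE/WinINET auto-config script -> {values['AutoConfigURL']}")
    return findings


def firefox_no_proxy_line():
    """The single pref that equals choosing 'No Proxy' in Firefox's dialog."""
    return 'user_pref("network.proxy.type", 0);'


def ie_no_proxy_reg():
    """A .reg fragment equal to unchecking 'Proxy Server' ('=-' deletes a value)."""
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]",
        '"ProxyEnable"=dword:00000000',
        '"ProxyServer"=-',
        '"AutoConfigURL"=-',
    ])


# Constructed sample inputs imitating a hijacked profile (values are made up).
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "https://example.com/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8085);
user_pref("network.proxy.share_proxy_settings", true);
'''
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8085"
"AutoConfigURL"="http://example.invalid/proxy.pac"
'''

if __name__ == "__main__":
    found = (firefox_proxy_findings(parse_prefs_js(SAMPLE_PREFS_JS))
             + ie_proxy_findings(parse_reg_export(SAMPLE_REG_EXPORT)))
    for f in found:
        print("FINDING:", f)
    print("\nClean Firefox setting:\n" + firefox_no_proxy_line())
    print("\nClean IE/WinINET settings:\n" + ie_no_proxy_reg())
```

To check a real machine, point `parse_prefs_js` at a copy of prefs.js from the Firefox profile folder (only edit the real file with Firefox closed, or Firefox overwrites it on exit) and `parse_reg_export` at the output of `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg`. Run it again after step 10; a finding that comes back after a clean scan and a reboot means something is still re-writing the proxy, which is exactly the case where the Bleeping Computer route below is the right next move.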


If that doesn't do it, the folks at Bleeping Computer are very knowledgeable and can talk you through a thorough cleanup. You may encounter recommendations to use a program called "Combofix" on other websites. Do not use this program without getting help from the Bleeping Computer folks. It fools around with key parts of the computer's operating system and if you don't know what you are doing, you can get really screwed up.

You'll need to set up an account on "Bleeping Computer" and post a topic for your specific problem. There is a list of preparatory steps you'll have to take to get ready and the process may take a little time to work through. It's either that or pay some computer tech several hundred bucks to wipe and rebuild your hard drive, and you still may lose data in the process.

One more note. If you try to search "Koobface Worm Removal" you will get links to a lot of sites that will actually give you the Koobface worm. Make sure you have a tool like "Web of Trust" or your anti-malware software running to warn you about untrustworthy sites. Try the above process and "Bleeping Computer" before you go stepping into that minefield. Doing a Google search to correct a "google redirect" virus that you have on your computer is asking for a trip through the looking glass.

Hackers who do this are thugs and bullies and no better than the punks who used to give them wedgies back in junior high school. I personally think we should catch them and hang them publicly in the town square -- by the back of their Fruit-of-the-Looms! Just let 'em dangle there for a while! Then we should put them all on a deserted island somewhere well north of the tropics where it gets really cold in the winter. Leave them no computers or electricity - nothing but farm tools and bags of turnip seeds.

Good luck.