Remnants of w32.Koobface.B and slow browsers/Google redirect side effect

Posted on 2008-11-04
Last Modified: 2013-12-08
I have a PC that seems to have been infected with the w32.Koobface.B virus.  Research seems to point to this coming from Facebook.  Norton Antivirus has removed it for the last 4 days in a row.  I've verified common files related to Koobface are not present, deleted cookies and temp internet files, run Ad-Aware in Safe Mode, and the following still happens:  a) Norton still finds it and states it has removed the attack, b) web browsers are much slower than normal (both Firefox and IE), and c) I still experience a Google redirect on any searches (this seems to be hit or miss, i.e. when searching on "w32.Koobface.B removal" it redirects, but when searching on "baseball" or "cnn" it does not).  I've attached the log file from HijackThis run in normal mode (not safe mode).  Any advice or assistance on how to proceed would be greatly appreciated.
Question by:Terri_Budde
    LVL 3

    Expert Comment


    The problem is that the AV does remove the viral component, but there are others that download it back. Instead of removing them by hand, I suggest that you use the programs below.

    Use SpyBot/AdAware to remove them


    Examples of components that appear in the attached log:
    c:\windows\mstre8.exe (does the Google redirect)
    C:\Program Files\tinyproxy\tinyproxy.exe

    O4 - HKLM\..\Run: [sysftray2] C:\windows\bolivar23.exe
    O4 - HKLM\..\Run: [systray] c:\windows\mstre8.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

    LVL 47

    Accepted Solution

    O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
    Also fix the above entry.
    C:\Program Files\tinyproxy <-- it's important that you delete this folder.
    If the problem persists, run Malwarebytes or ComboFix.
    Download Malwarebytes' Anti-Malware to your desktop. Check for updates before scanning.

    Download ComboFix to your Desktop, from either of these locations:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    LVL 47

    Expert Comment


    Also, in IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings
    uncheck "use a proxy server", or reconfigure the proxy server again if you set one previously.

    C:\Program Files\tinyproxy <-- you would need to delete this folder in safe mode as the service is active in normal mode.
    LVL 47

    Expert Comment


    Fixing the service in hijackthis only disables it, alternatively you can stop and delete the service using the sc command.

    Delete this service -->  "Protected Storage (ProtectedStorage) "
    there's a space after the service name before the end quote.

    Also bear in mind that "Protected Storage" is a legit service name, so the bad service you're looking for is this one (the whole line) --> "Protected Storage (ProtectedStorage) "

    Go to Start Menu > Run > type


    Press OK, then type or copy and paste these commands into the cmd window, pressing Enter after each line (including quotes):

    sc stop  "Protected Storage (ProtectedStorage) "
    sc delete "Protected Storage (ProtectedStorage) "


    DO NOT delete this one, it is legit --> ProtectedStorage
    but DELETE this one, it is bad --> Protected Storage (ProtectedStorage)
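    The two expert replies above point at three kinds of HijackThis lines: O4 autoruns launching odd executables straight from C:\windows, an R1 ProxyServer value, and an O23 service reusing a built-in display name while pointing at tinyproxy. The following is an added example, not code from the thread or from HijackThis: a small triage script that flags those same indicators over a constructed sample log (the thread's lines plus two benign lines) and builds the sc commands with the service name quoted exactly, trailing space included. The list of built-in service names and the benign "Example Vendor" entries are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: the HijackThis lines quoted in the thread, plus two benign lines for contrast.
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [sysftray2] C:\\windows\\bolivar23.exe
O4 - HKLM\\..\\Run: [systray] c:\\windows\\mstre8.exe
O4 - HKLM\\..\\Run: [Example Vendor Tray] "C:\\Program Files\\Example Vendor\\tray.exe"
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=
O23 - Service: Protected Storage (ProtectedStorage)  - Unknown owner - C:\\Program Files\\tinyproxy\\tinyproxy.exe
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\\WINDOWS\\system32\\examplesvc.exe
"""
BUILTIN_SERVICE_NAMES = {"protected storage"}   # assumed list of built-in display names worth checking
SYSTEM_ROOT = PureWindowsPath("C:/WINDOWS")
O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

def _exe_path(command):
    # Executable part of a Run value, dropping surrounding quotes and any arguments.
    command = command.strip()
    if command.startswith('"'):
        return PureWindowsPath(command[1:command.index('"', 1)])
    return PureWindowsPath(command.split(" ")[0])

def _under(path, root):
    return [p.lower() for p in path.parts[:len(root.parts)]] == [p.lower() for p in root.parts]

def triage(log_text):
    """Return (category, detail) findings for the three indicator types discussed in the thread."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            exe = _exe_path(m["cmd"])
            # Autorun launching an .exe directly from the Windows root, as with mstre8.exe / bolivar23.exe.
            if str(exe.parent).lower() == str(SYSTEM_ROOT).lower():
                findings.append(("autorun-from-windows-root", str(exe)))
        elif m := R1_RE.match(line):
            # Any proxy value at all is suspect here: the infection pointed IE at its local tinyproxy.
            if m["proxy"].strip():
                findings.append(("proxy-configured", m["proxy"].strip()))
        elif m := O23_RE.match(line):
            base = m["name"].split("(")[0].strip().lower()
            # Built-in display name whose binary lives outside %SystemRoot%; the name keeps its trailing space.
            if base in BUILTIN_SERVICE_NAMES and not _under(PureWindowsPath(m["path"]), SYSTEM_ROOT):
                findings.append(("impersonated-service", m["name"]))
    return findings

def sc_commands(service_name):
    # Quote the name exactly as found, so "Protected Storage (ProtectedStorage) " keeps its space.
    return [f'sc stop "{service_name}"', f'sc delete "{service_name}"']
```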

    Author Comment

    Unchecked "use proxy server" in IE and Firefox settings, booted in safe mode and deleted the "tinyproxy" folder from Program Files, rebooted in normal mode, entered the command prompt and stopped and deleted "Protected Storage (ProtectedStorage) " (with space).  Then ran ComboFix.  Then scanned with HijackThis again, and the lines that were in question in the responses above were no longer there, and thus, nothing to fix.  Attached are the ComboFix log as well as the 2nd scan of HijackThis.  Tested both browsers, and speed seems to have returned to normal, as well as no redirect on any searches in Google.  Thanks a lot!  Please let me know if the attached log files look alright.

    Author Closing Comment

    Thanks for all the help!
    LVL 47

    Expert Comment


    Your version of Java is very vulnerable to infections, especially Vundo infection --> j2re1.4.2_13

    I would suggest installing the later or latest version.
    Updating Java:
    Go to Start > Control Panel > Add/Remove programs.
    Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    Select and click Remove.

    Then Download and install the newest version from here:

    To uninstall ComboFix:
    Go to Start > Run and copy and paste next command in the field:

    ComboFix /u

    The procedure will delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present
    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.
    It will reset System Restore and set a new, clean Restore Point.

