Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Remnents of w32.Koobface.B and slow browsers/google redirect side effect

Posted on 2008-11-04
Medium Priority
Last Modified: 2013-12-08
I have a PC that seems to have been infected with the w32.Koobface.B virus.  Research seems to point to this coming from Facebook.  Norton Antivirus has removed it for the last 4 days in a row.  I've verified common files related to Koobface are not present, deleted cookies and temp internet files, ran Ad-Aware in Safe Mode, and the following still happens:  a) Norton still finds it and states it has removed the attack, b) web browsers are much slower than normal (both Firefox and IE), and c) I still experience a google redirect on any searches (this seems to be hit or miss - i.e. when searching on "w32.Koobface.B removal" it redirects, but when searching on "baseball" or "cnn" it does not).  I've attached the log file from HiJack This run in normal mode (not safe mode).  Any advice or assistance on how to proceed would be greatly appreciated.
Question by:Terri_Budde
  • 4
  • 2

Expert Comment

ID: 22880347

The problem is that the AV do remove the viral component, but there are other that download it back. Instead of removing them by hand I sugest that you use the down below programs

Use SpyBot/AdAware to remove them
(spyBot) http://www.safer-networking.org/en/download/
(AdAware) http://www.lavasoft.com/products/ad_aware_free.php


Examples of omponents that appear in the attached log
c:\windows\mstre8.exe (does the Google redirect)
C:\Program Files\tinyproxy\tinyproxy.exe

O4 - HKLM\..\Run: [sysftray2] C:\windows\bolivar23.exe
O4 - HKLM\..\Run: [systray] c:\windows\mstre8.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

LVL 47

Accepted Solution

rpggamergirl earned 500 total points
ID: 22880454
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
Also fix the above entry,
C:\Program Files\tinyproxy <-- it's important that you delete this folder.
If problem presists, run Malberbytes or Combofix.
Download Malwarebytes' Anti-Malware to your desktop. check for Updates before scanning.

Download ComboFix to your Desktop, from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
LVL 47

Expert Comment

ID: 22880529

Also In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings
 uncheck "use a proxy server" or reconfigure the Proxy server again IF you set previously.

C:\Program Files\tinyproxy <-- you would need to delete this folder in safe mode as the service is active in normal mode.
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

LVL 47

Expert Comment

ID: 22880829

Fixing the service in hijackthis only disables it, alternatively you can stop and delete the service using the sc command.

Delete this service -->  "Protected Storage (ProtectedStorage) "
there's a space after the service name before the end quote.

Also bear in mind that "Protected Storage" is a legit service name, so the bad service you're looking for is this one(the whole line) --> "Protected Storage (ProtectedStorage) " 

Go to Start Menu > Run > type


Press OK then type or copy and paste these commands onto the cmd screen pressing Enter after each line(including quotes):

sc stop  "Protected Storage (ProtectedStorage) "
sc delete "Protected Storage (ProtectedStorage) " 


DO NOT delete this one, it is legit --> ProtectedStorage
but DELETE this one, it is bad  --> Protected Storage (ProtectedStorage)

Author Comment

ID: 22882241
Unchecked "use proxy server" in IE and Firefox settings, booted in safe mode and deleted "tinyproxy" folder from program files, rebooted in normal mode, entered command prompt and stopped and deleted "Protected Storage (ProtectedStorage) " (with space).  Then ran ComboFix.  Then scanned with HiJack This again, and the lines that were in question in the responses above were no longer there, and thus, nothing to fix.  Attached are the ComboFix Log as well as the 2nd scan of HiJack This.  Tested both browsers, and speed seems to be returned to normal, as well as no redirect on any searches in Google.  Thanks alot!  Please let me know if the attached log files look alright.

Author Closing Comment

ID: 31513259
Thanks for all the help!
LVL 47

Expert Comment

ID: 22937244

Your version of java is very vulnerable to infections, specially vundo infection--> j2re1.4.2_13

I would suggest installing the later or latest version.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:

To uninstall combofix;
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Tt will reset system Restore and set a new, clean Restore Point.


Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I annotated my article on ransomware somewhat extensively, but I keep adding new references and wanted to put a link to the reference library.  Despite all the reference tools I have on hand, it was not easy to find a way to do this easily. I finall…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question