The Koobface worm infects computers via messages that spread through Facebook, Twitter, MySpace and other social networks. The spam messages read, for example:
Saw thhat vvideo yesterdday… How coulld you do succh a thingg?
Sweet!! Yourr ass loooks greaat on thiss video!!
WWow! Is tthat reeally you in thaat videeo?
Funny vide0 with me 🙂
HHolly sshit! Are you rreally in thiss viideo?
Hollyy shhit! You are on hiidden cameera!
The message also contains a link. Clicking it opens a site that asks the user to download an Adobe Flash update, which in reality is the Koobface worm installer. Koobface includes a bot-like component that can install other malicious programs at a later time.
Symptoms in a HijackThis Log
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld15.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp12.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy80.exe
O4 - HKLM\..\Run: [sysfbtray] c:\windows\freddy75.exe
O4 - HKLM\..\Run: [sysmstray] c:\windows\mstre24.exe
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha.dll",captcha
Use the following instructions to remove the Koobface worm (uninstall instructions).
Step 1.
Download Avenger from here and unzip it to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:
Drivers to delete:
podmenadrv
podmena
sfxdrv
sfx
fioo32
fio32
Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sysldtray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | pp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sysfbtray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sysmstray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Captcha7
Files to delete:
%WinDir%\ld16.exe
%WinDir%\ld15.exe
%WinDir%\ld14.exe
%WinDir%\pp14.exe
%WinDir%\pp13.exe
%WinDir%\pp12.exe
%WinDir%\pp11.exe
%WinDir%\pp10.exe
%WinDir%\bill107.exe
%WinDir%\bill105.exe
%WinDir%\bill104.exe
%WinDir%\bill103.exe
%WinDir%\freddy101.exe
%WinDir%\freddy100.exe
%WinDir%\freddy84.exe
%WinDir%\freddy82.exe
%WinDir%\freddy81.exe
%WinDir%\freddy80.exe
%WinDir%\freddy79.exe
%WinDir%\freddy78.exe
%WinDir%\freddy77.exe
%WinDir%\freddy76.exe
%WinDir%\freddy75.exe
%WinDir%\freddy74.exe
%WinDir%\freddy73.exe
%WinDir%\mstre26.exe
%WinDir%\mstre25.exe
%WinDir%\mstre24.exe
%WinDir%\mstre23.exe
%WinDir%\mstre22.exe
%ProgramFiles%\sfx\sfx.sys
%ProgramFiles%\podmena\podmena.sys
%ProgramFiles%\captcha.dll
%WinDir%\system32\drivers\fio32.sys
%WinDir%\system32\fio32.dll
You will be asked "Are you sure you want to execute the current script?". Click Yes. You will then be asked "First step completed — The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes.
Your PC will now be rebooted.
Step 2.
Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.
Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded you will see a window similar to the one below.
Malwarebytes Anti-Malware Window
Select Perform Quick Scan, then click Scan; it will start scanning your computer. This can take some time, so please be patient.
When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items similar to the one shown below. Note: the list of infected items may differ from what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure that everything is checked, and click Remove Selected to start the removal process. When disinfection is complete, a log will open in Notepad and you may be prompted to restart.
Note: if you need help with the instructions, post your questions in our Spyware Removal forum.
The Koobface worm creates the following files and folders:
%WinDir%\ld16.exe
%WinDir%\ld15.exe
%WinDir%\ld14.exe
%WinDir%\pp13.exe
%WinDir%\pp12.exe
%WinDir%\pp11.exe
%WinDir%\pp10.exe
%WinDir%\bill105.exe
%WinDir%\bill104.exe
%WinDir%\bill103.exe
%WinDir%\freddy100.exe
%WinDir%\freddy77.exe
%WinDir%\freddy76.exe
%WinDir%\freddy75.exe
%WinDir%\freddy74.exe
%WinDir%\freddy73.exe
%WinDir%\mstre24.exe
%WinDir%\mstre23.exe
%WinDir%\mstre22.exe
%WinDir%\system32\drivers\fio32.sys
%WinDir%\system32\fio32.dll
c:\program files\sfx\sfx.sys
c:\program files\podmena\podmena.sys
The Koobface worm creates the following registry keys and values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmstray
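The indicators above (the O4 Run-key values from the HijackThis log, the numbered droppers in %WinDir%, the captcha.dll and the podmena/sfx/fio32 drivers) can be checked for in one pass before and after cleanup. The PowerShell script below is an added example, not part of the original post or of Avenger or Malwarebytes: it only reports what it finds and deletes nothing, so it is safe to run first to see what is present and again afterwards to confirm the host is clean. It assumes an elevated PowerShell prompt. The regular expression for the dropper file names is an assumption that generalises the numbered names listed on the page (ld15, pp12, bill103, freddy80, mstre24 and so on) to any number, because the comments report newer variants such as freddy81 that the fixed lists miss.

```powershell
# Added example (not from the original post): read-only audit of a Windows host
# for the Koobface persistence artefacts listed in the guide. Reports matches,
# changes nothing. Run from an elevated PowerShell prompt.

$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues   = @('sysldtray', 'pp', 'sysfbtray', 'sysmstray', 'Captcha7')   # HijackThis O4 entries on the page
$driverNames = @('podmenadrv', 'podmena', 'sfxdrv', 'sfx', 'fioo32', 'fio32') # Avenger "Drivers to delete" names
# Assumption: generalises the page's numbered names (ld15, pp12, bill103, freddy80, mstre24) to any number
$filePattern = '^(ld|pp|bill|freddy|mstre)\d+\.exe$'
$fixedPaths  = @(
    (Join-Path $env:ProgramFiles 'captcha.dll'),
    (Join-Path $env:ProgramFiles 'sfx\sfx.sys'),
    (Join-Path $env:ProgramFiles 'podmena\podmena.sys'),
    (Join-Path $env:WinDir 'system32\drivers\fio32.sys'),
    (Join-Path $env:WinDir 'system32\fio32.dll')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key values: the autostart entries HijackThis shows as O4 lines
foreach ($name in $runValues) {
    $entry = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($entry) { $findings.Add("Run value '$name' -> $($entry.$name)") }
}

# 2. Numbered dropper executables sitting directly in %WinDir%
Get-ChildItem -Path $env:WinDir -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $filePattern } |
    ForEach-Object { $findings.Add("File $($_.FullName)") }

# 3. Components at fixed paths (captcha.dll and the kernel drivers)
foreach ($path in $fixedPaths) {
    if (Test-Path -LiteralPath $path) { $findings.Add("File $path") }
}

# 4. Driver services registered under CurrentControlSet\Services
foreach ($svc in $driverNames) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings.Add("Driver service '$svc' (ImagePath: $image)")
    }
}

# 5. Running processes whose image name matches the dropper pattern
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name + '.exe') -match $filePattern } |
    ForEach-Object { $findings.Add("Running process $($_.Name) (PID $($_.Id))") }

if ($findings.Count -eq 0) {
    Write-Output 'No Koobface indicators from the guide were found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Anything reported under 1, 3 or 4 maps directly onto a line of the Avenger script above (a Run value, a file path, or a driver name); a match under 2 with a number the script does not list is the case the comments describe, and that file name can be added to the "Files to delete:" section before running Avenger. An empty report after the reboot and the Malwarebytes scan is the practical answer to "how do I know the virus has been removed?".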
Thanks for this, but I removed the virus using McAfee Total Protection... I'm still surprised at how I was able to get fooled by this virus.
Lord this was freaking annoying. I had to do it manually. Hopefully it STAYS off now…
God bless you for this help! Allah be praised! Buddha be rubbed! After several days of absolutely annoying popups and trying to get rid of them with Microsoft downloads and McAfee, I used these instructions and so far things look fine. You might add two more lines of code to paste in %WinDir%\freddy78.exe and %WinDir%\freddy79.exe. I think the thing has mutated after the Nov. instructions posted here because mine had freddy79 in it. THANK YOU!!!!!!
I just used this, thank you, so far so good.
Bad thing is, I already have Malwarebytes installed;
when I saw I had something wrong, I scanned and it didn't pick it up. Mine was freddie81.exe.
January 23 2010
Didn't have my malware updated, got it now.
I have Koobface bill103.exe and it doesn't allow me to download anything, so I can't download Avenger from that link...
Click Start -> Run -> type regedit and hit enter.
Registry editor opens.
Navigate to the following keys by expanding the + at left of each key at left:
HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows
CurrentVersion
Run
In the right part of the window, right-click sysfbtray and select Delete. Confirm it. Close regedit.
Reboot the computer.
Try downloading Avenger once again.
Avenger pretty much removed it all, thanks.
When I run Avenger and paste then run it, it says a valid script must begin with a command directive... what am I missing here?
Chris, the script should have "Drivers to delete:" as its first line.
Thank you!
Hey great post!!!
My boss somehow downloaded this worm yesterday.
She was having popups and could not log onto websites.
I pulled up Task Manager (Vista, no SPs).
Saw that bill103.exe was running…knew something was wrong and terminated it.
That was the tip of the iceberg…as you all know.
long story short…1 day later.
I ran through the process above (it is actually a Koobface variant). I deleted all related files. However... it was still on the system and I couldn't update Malwarebytes since the worm blocked it... I downloaded Microsoft's Malicious Software Removal Tool to a thumb drive and ran it... it picked up one file that was missed by Malwarebytes (koobface.gen!), quarantined and deleted. I then added SP1 for Vista (just because it needed to be updated) and updated IE7 to 8 (I tried Mozilla but it would not work at all). I rebooted between all scans and installs. I disabled all add-ons for IE8 and cleared histories. I then opened Malwarebytes again and was able to update it. Once it was updated I rebooted. Ran the entire process above again. This worm is replicating itself into new forms now, it seems. Malwarebytes picked up 9 new threats. Q'd and deleted. Ran Microsoft's Malicious Software Removal Tool again (to be safe), no results. Ran Malwarebytes again (no results). Can't be too safe. Ipconfig'd to turn off the network connection (run cmd prompt as administrator, ipconfig /release). Opened IE8. Clicked on Advanced and reset to factory defaults. Enabled add-ons. Made sure certain security features that we need were enabled. Saved. Closed IE8. Rebooted. Opened IE8 and went to one of the sites that we need to log on to with secured info (bank info... scary to think about it...). It works.
Couple of things... Advanced SystemCare may have actually screwed the process up... I tried to see if that would clean the registry/spyware and although it did, it seemed to screw up everything but the registry entries, which were all the same. My suggestion is don't try a registry cleaner or Advanced SystemCare during the process.
I also manually checked the registry through regedit…and had to delete systray entry.
Thank you all, esp. whoever posted this!!!
It doesn't allow me to start Avenger. And the command "Click Start -> Run -> type regedit and hit enter. Registry editor opens." doesn't work. What to do?
Katarina, try renaming Avenger before running it. Use any random name (asd125, for example).
Downloaded MBAM and did the Avenger steps. Still cannot log in to websites. Help?
Mallory, open a new topic in our Spyware Removal forum. I will check your PC.
I picked up the Koobface virus from Facebook. When I try to execute the removal I get an error message that says "Error: Could not open RunOnce key to register cleanup. Aborting execution! (error 0: the operation completed successfully.)" and I never get to the point of rebooting. Also, I am using Windows 7. Is this the right procedure for removal? Please help. Thank you.
Dan, probably your computer is infected with a trojan that blocks Malwarebytes. Please open a new topic in our Spyware Removal forum. I will check your PC.
And to remove all of the virus with Malwarebytes, should you purchase it?
Ok got it removed, you guys are great, thanks so much.
I did all that but I still can't reach the Facebook website from my laptop ;s How do I know that the virus has been removed? And how can I get to Facebook again? Please help!