
Koobface facebook worm



Gobe1
08-06-2009, 10:04 AM
Hi, I have a family's PC that supposedly had this worm.
When it booted it said Windows needed to be activated, so I clicked yes and it came up that Windows was already activated, then clicked OK and it went back to login... so this kept repeating and you couldn't log in.
So I booted into safe mode and restored back to before the worm was downloaded, and then it let me log in..? (Wow, I was very surprised this worked.)
I uninstalled all programs not required, installed Avast, Malwarebytes and Trojan Remover, then rebooted (cautiously) and it logged in again. Sweet...
Then I turned off Windows restore (bad move, as I found out later), then updated Avast etc. and scanned the PC.
Avast found nothing
Trojan Remover found nothing
Malwarebytes found 12 items, 4 of which were Koobface (aha) and then required a reboot to finish removing these items.
I rebooted, which had the same "need to activate" cycle :crying

Now I had no restore point to go back to... damn

So is there a way to patch the activation cycle??

Has anyone else had to tackle this worm? What did you do to get rid of it successfully?

BTW I formatted the machine as there was nothing that needed to be saved (luckily), but I still would have liked to repair this just to say I could. :cool:

Blam
08-06-2009, 10:09 AM
So does safe mode work?

ZapperBoy10647
08-06-2009, 10:11 AM
I would suggest you put that hard drive in a clean PC and then run the programs on that drive.... External hard drive enclosures are $40 - $60 though, I'll edit my post with some links.... BTW what is it, 3.5 IDE or SATA?

Speedy Gonzales
08-06-2009, 10:12 AM
Did you select all options under utilities in TR?

Gobe1
08-06-2009, 10:12 AM
Yeah it did, so I shouldn't have been so lazy eh
I was disappointed in Avast actually, to tell the truth
Online it says you just need to have an up-to-date virus scanner and firewall and do an online scan to remove it... yeah right (new Tui ad) :thumbs:

Drives were normal 3.5 IDE. I was doing it over the weekend for gratis, so spending money on it when there was nothing to be saved would have been a waste, but I could have whacked it into my PC but didn't want to compromise my stuff (too much to lose)

ZapperBoy10647
08-06-2009, 10:14 AM
I know they're hard drives, I'm asking which one he has...
P.S. which region do you live in?!?

Gobe1
08-06-2009, 10:15 AM
Did you select all options under utilities in TR?

Nope, TR picked up nothing, another disappointment
All options, there's an "all options?", damn again

Speedy Gonzales
08-06-2009, 10:16 AM
Yup, didn't read it properly, which is why I changed my post :p

Gobe1
08-06-2009, 10:17 AM
I'm in New Plymouth

ZapperBoy10647
08-06-2009, 10:20 AM
http://www.playtech.co.nz/product.php?action=showdetail&id=6628
http://pconlineshop.co.nz.219.88.240.130.orcon.net.nz/pcshop/product_info.php?cPath=10_84&products_id=10335&RBTid=c0468fff0db8cd33342c48c19fa4336e
http://www.computerlounge.co.nz/components/componentview.asp?partid=7279

Here are a few links for HDD enclosures

Playtech + PC Online Shop you have to pay freight for, Computer Lounge you don't have to.

EDIT: Here are some more links

http://www.techmaster.co.nz/catalog/product_info.php?products_id=284
http://www.techmaster.co.nz/catalog/product_info.php?products_id=283

Gobe1
08-06-2009, 10:22 AM
I'm wondering if something like this might have helped now

http://support.microsoft.com/kb/312295

Allows a regedit to manually remove the script for activation, has anyone tried this?

Gobe1
08-06-2009, 10:24 AM
Thanks ZapperBoy, I will check them out

Edit:
Thanks everyone, I tried a search on here for Koobface and found nothing, so at least people will be able to find a little help.
If you have defeated this worm, chuck in your method for future readers..

Cheers

Blam
08-06-2009, 10:30 AM
Don't bother with enclosures. Slave it or get a USB to SATA/IDE adapter from Trade Me for around 25.

Scan with ESET Online Scanner

Blam

Speedy Gonzales
08-06-2009, 10:41 AM
You HAVE to disable System Restore with something like this. Depending on which variant it was (if there's more than one), this (http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99&tabid=3) may have helped

If it's been fixed now, I would change ALL passwords, esp. if this PC was used for online banking

Gobe1
08-06-2009, 10:51 AM
Thanks Speedy, I didn't think of the passwords, I have just let my nephew know. Cheers