How To Remove Koobface Virus

Updated on May 4, 2016

Koobface is the latest virus that has attacked the social networking phenomenon. Top social networking websites like facebook and myspace are the places where this thing has done nothing but mischief.

The virus originated in early December and is reported to have infected several computers using the facbook platform. Although such a virus has been reported earlier in myspace but this new thing is using different methods to seek into the users PC and spread malware into the computer.

What Is Koobface?

Although famous as virus, the Koobface is actually a worm. A worm is a malware that sneaks into your computer and replicates itself throughout the PC. The difference between a virus and a worm is that, virus attaches it self to the file whereas a worm actually replaces it. A worm can even send automated emails to other PC's trying to infect them using yours.

So Koobface is a worm and attacks a computer by downloading some .exe files into your computer. The main thing is to identify the threat at this point before it is too late.

Possible Koobface emails

How Koobface Infects a Computer?

Basically if you are using facebook you should watch for automated email messages that display either an insulting message or something very tempting about you. Messages like, "you look funny in this video" or "you look so stupid in this pic" can be used to persuade someone to click on the link attached, this called 'Social Engineering'. Once the user clicks on them it takes you to a video which doesn't play and they ask you to download certain codecs which can be a 'flash_player.exe' file.

If this file is downloaded, your computer becomes open to Koobface malware. It downloads a file 'tinyproxy.exe' which hijacks your PC. It can even alter search results from Google, Yahoo etc and redirect you to websites selling malicious softwares.

Koobface video snapshot
Koobface video snapshot

How To Remove Koobface Automatically?

Here I will discuss two method of removing Koobface. First lets discuss the automatic method. The facebook security page has posted about this but there is no genuine way of removing this malware. They have only asked people to change their password in order to protect user security.

The best automatic method to remove this thing is of course to get a good malware remover which can automatically detect and remove it. If you have already bought a good spyware you can find the removal instructions from the support page. But it can be removed automatically if your software is updated.

The major problem is that the Koobface worm is constantly changing itself, so make sure you have the latest version of the mlaware installed.

If you don't have a anti-malware software, you can download one here. It has been so far the best free spyware remover that I have found.

How To Remove Koobface Manually?

Although it is highly recommended that Koobface or any other parasite should be removed using an automated software but still if you want to do it manually here is the procedure but before attempting anything, make sure you backup your computer:

Using The Add\Remove Program Tool:

This is not a 100% removal method because most of the malware don't really appear in the list but if they are you can do this:

  • Go to Add\Remove utility.
  • Look up for the Koobface malware to remove and uninstall it.

But it is noted that Koobface restores it self on rebooting. So here is a better method:

By Removing Registry Files

Here are the steps:

  • Search for "koobface" in Mycomputer using find utility.
  • Note down Koobface file path somewhere.
  • Press Ctrl+Alt+Del to open 'Task Manager'
  • End the "Koobface" processes.

The following processes must be ended:

  1. %SYSTEMROOT%\bolivar28.exe
  2. che07.exe
  3. bolivar28.exe
  4. %WinDir%\system32\nScan\ekrn.exe
  5. %WinDir%\system32\nScan\ecls.exe
  6. %WinDir%\system32\splm\ncsjapi32.exe
  7. %WinDir%\bolivar28.exe
  8. C:\Windows\fbtre6.exe

Now you need to change 'Registry Files', here is what to do:

  • Type 'regedit' in Run and press Enter.
  • The Registry Editor will appear, locate the above mentioned process files and delete them.
  • Locate "Koobface" registry entries and delete them, they are as the follows:
  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir% \System32\splm\ncsjapi32.exe"
  2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
  3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir% \System32\splm\ncsjapi32.exe"
  4. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
  5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
  6. HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"
  7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"
  8. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "C:\Windows\fbtre6.exe"
  9. HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

Now you have to unregister dll file as follows:

  • Go to start and type in 'cmd' to open comman prompt.
  • First locate the following dll files using 'dir' command.
  1. %WinDir%\system32\nScan\ekrnEmon.dll
  2. %WinDir%\system32\nScan\ekrnScan.dll
  3. %WinDir%\system32\nScan\ekrnEpfw.dll
  4. %WinDir%\system32\nScan\ekrnAmon.dll
  5. %WinDir%\system32\splm\lmfunit32.dll
  6. %WinDir%\system32\splm\mcaserv32.dll
  7. %WinDir%\system32\splm\kbdsapi.dll
  • Now change the current directory using 'cd' command leave a space after 'cd' and then the path of dll file, which you have located above. Press enter after this.
  • Now unregister dll file by typing "directory path+'regsvr32/u'+dll file name". Press enter, the file will be unregistered.

I would once again recommend that you do it automatically since there is risk of damaging the computer as important files may be deleted or changed.

Questions & Answers


      0 of 8192 characters used
      Post Comment

      • profile image

        Compter Service Asheboro 20 months ago

        Thank you very much for sharing the trick.

      • profile image

        sj 20 months ago

        huh, thank you! you're a computer savior!i suddenly got this blue notice from operating care system that my computer was koobface infected, and I have no idea how to deal with the worm.. you definitely helped me!

      • profile image

        mika 6 years ago

        I have one.. I cant post status! chat and do other things in FB.., gosh! Don't know what to do!

      • profile image

        Night-Wolf 6 years ago

        It is easier just to Reformat the hard drive and be done

      • profile image

        aashka jain 6 years ago

        it has over loaded things which make me unhappy

      • profile image

        rifa 6 years ago

        thnkz for the info,,

        my pc is infected by this.. bleh.. n im backing up files.. so thank you.. i learned stuff i didn't knew :)

      • profile image

        jomarthegreat 6 years ago

        the files you have listed here may not be present on computers of other users. koobface is a worm. and a worm replaces legitimate and original files from infected computers. so naming file names may not prove to be helpful as each computer differs in content from another, files names will be replicated / replaced by the worm which in turn would give them another different filename... ad inifinitum.

      • profile image

        Anmol Mehta 6 years ago

        tell me the best anty virus name to remove koobface plz

      • profile image

        Diana 6 years ago

        I have tried every virus software in the book- it blocks them all. Downloaded Malaware on another computer -renamed it and opened it on infected computer and it stopped the scan. When I try safe mode I just get a whole bunch of!!!!!!!!

      • profile image

        Beyond  6 years ago

        People I got koobface from facebook and I got malwarebytes toke care of it pain free, I diffenetly recoment it

      • Debby Bruck profile image

        Debby Bruck 6 years ago

        This was super to let folks know about the worm. I just saw a message posted on FaceBook and started to research. Guess what?! Your hubpages came up on google search. So, great going on this hubpages. This was the message I saw:

        "Virus spreading like wildfire on Fb and My Space! It is a trojan worm called koobface. It will steal your info, invade your system and shut it down! DO NOT open the link Barack Obama Clinton Scandal! If SmartGirl15 requests you as a friend, don't accept it ;it is a virus. If somebody on your list adds her, you get the virus too! Please copy and paste to your wall. Confirmed on MSNBC and SNOPES..please share"

        I found this info: Koobface worm is distributed on social networks, usually on MySpace and Facebook. It embeds itself on victim’s profile and displays links to malicious websites. The websites promote video codec which is actually the Koobface worm. Those sources might also install the worm without notifying visitors.

        Koobface is also known as W32/Koobface, W32/Koobface.AZ, W32.Koobface and Boface. Once it gets on a machine, it checks if there are cookies of social networks. If it finds the cookies, it infects victim’s profile. If Koobface worm can’t find evidence of social networking websites, it simply erases itself.

        Koobface also loads pop-ups that look like MS Windows error messages. The pop-up contains the following text: “Error installing Codec. Please contact support.”

      • profile image

        Mini 7 years ago

        could ccleaner can remove it?

      • profile image

        Kyle 7 years ago

        I got the koobface virus and it just crashes as soon as u turn on a program so mine must b an updated version too any advice?

      • profile image

        Corey 7 years ago

        I got the koobface, and it must be an updated version, cuz it won't even let me log on to my computer. It freezes it at the load page before the login page.

      • profile image

        Mark Wolf 7 years ago

        Yes it does have the ability to infect a mac. I have one and I just noticed it infected my email program. Not fun.

        I just found a virus scanning program for mac and it found the worm.koobface and I am working on removing it. Hopefully it works. I dont know about any other files that it might of created though. The program I used was ClamXav. Good luck!

      • profile image

        hellooooooooooo 7 years ago

        thank you this is good info just incase i get it =)

      • profile image 7 years ago from bear, de, 19701

        good info. I won't miss. thanks

      • profile image

        denis 7 years ago

        Thanks for putting all those removal instructions together and sharing it with people. Good job. Denis

      • profile image

        Chris 7 years ago

        I recommend malwarebytes as well. Takes care of it really quick and painlessly.

      • profile image

        dwan98 8 years ago

        check your cookie file you should have a good one to try to remove. look for ch52 or ch62 good luck getting these gone

      • ashakhan profile image

        ashakhan 8 years ago from india


      • profile image

        Marty Luther 8 years ago

        Got a simple solution for this problem. Boot into safe mode (pressing F8 during boot) and start your computer in safemode with networking. Download malwarebytes (the free version works great)... google it.. install and run this in safemode. Will remove this stupid virus quickly and easily. Hope this helps

      • profile image

        8 years ago

        Microsoft Security Essentials is free and it catches and removes the koobface

      • profile image

        sean brown 8 years ago

        I was getting multiple porn pop up all the time....didn't know what to mcafee said the system is clean....i would have had to format my machine until i came across this site recommended by a friend who works for dell.....says they use all these tools as they are tried & tested to be clean & effective....give it a .....saved me the hassle of reformatting the system.

      • profile image

        Jordan 8 years ago

        ive tried to remove koobface manually using the registry but can anyone help me in tellin me if the automatic removal tools work because im worried if i download them it will just be another virus...?

      • profile image

        Natalie 8 years ago

        I have McAfee and i got this virus during the time it was expired, I went and tried to view a video that someone commented on, I didn't know it was sent from me until a lot of my friends told me. I updated my McAfee and ran a scan, It says it has removed this virus that's how I got it's name, but I keep getting people sayng they are sill receiving these videos from me. What can I do to fix this?

      • profile image

        jonharules 8 years ago

        My computer has been infected last week and it started dimming my monitor after every 5 minutes and if I don't enter the enter the catchpahrase phrase, it will continually dim my monitor and I can't resume working on my tasks until I enter the words.

        I sort of panicked and even worried that it has already replicated itself because until now I'm seeing unknown files that I can't access and it must have replicated itself and went to my drives c and d (my date drive which is d contains all my drivers). I'm afraid that if I will backup it, it will still contain the attributes of the worm. I also uninstalled avast! home edition because it failed to stop the worm. So I downloaded Norton, but since you said it alters the search results, I must have been directed to a rogue software. What should I do to make sure my laptop is really safe? Norton stopped it, but does it really end there?

        @ Kate: I don't think Koobface has the ability to infect Mac users

      • javanx3d profile image

        javanx3d 8 years ago from Memphis, TN

        Great article and instructions! @Dave I like your blog's recommendation as well to avoid the manual removal if you're not savvy with registry mods!



      • medarj profile image

        medarj 8 years ago

        Thank you, nice hub !!

      • profile image

        Kate  8 years ago

        What about on a Mac? because i think I've got it.. now how do I get rid of it?????

      • mdvaldosta profile image

        Joe 9 years ago from Valdosta, GA

        That looks nasty.

      • HelpingGuy profile image

        HelpingGuy 9 years ago

        Nice info. hassam.

        If any one of you don't know much about "Koobface worm", just check.

      • Trsmd profile image

        Trsmd 9 years ago from India

        this is a special virus for Facebook.. you have provided good info..