How To Remove Koobface Virus

Koobface is the latest virus that has attacked the social networking phenomenon. Top social networking websites like facebook and myspace are the places where this thing has done nothing but mischief.

The virus originated in early December and is reported to have infected several computers using the facbook platform. Although such a virus has been reported earlier in myspace but this new thing is using different methods to seek into the users PC and spread malware into the computer.

What Is Koobface?

Although famous as virus, the Koobface is actually a worm. A worm is a malware that sneaks into your computer and replicates itself throughout the PC. The difference between a virus and a worm is that, virus attaches it self to the file whereas a worm actually replaces it. A worm can even send automated emails to other PC's trying to infect them using yours.

So Koobface is a worm and attacks a computer by downloading some .exe files into your computer. The main thing is to identify the threat at this point before it is too late.

Possible Koobface emails

How Koobface Infects a Computer?

Basically if you are using facebook you should watch for automated email messages that display either an insulting message or something very tempting about you. Messages like, "you look funny in this video" or "you look so stupid in this pic" can be used to persuade someone to click on the link attached, this called 'Social Engineering'. Once the user clicks on them it takes you to a video which doesn't play and they ask you to download certain codecs which can be a 'flash_player.exe' file.

If this file is downloaded, your computer becomes open to Koobface malware. It downloads a file 'tinyproxy.exe' which hijacks your PC. It can even alter search results from Google, Yahoo etc and redirect you to websites selling malicious softwares.

Koobface video snapshot
Koobface video snapshot

How To Remove Koobface Automatically?

Here I will discuss two method of removing Koobface. First lets discuss the automatic method. The facebook security page has posted about this but there is no genuine way of removing this malware. They have only asked people to change their password in order to protect user security.

The best automatic method to remove this thing is of course to get a good malware remover which can automatically detect and remove it. If you have already bought a good spyware you can find the removal instructions from the support page. But it can be removed automatically if your software is updated.

The major problem is that the Koobface worm is constantly changing itself, so make sure you have the latest version of the mlaware installed.

If you don't have a anti-malware software, you can download one here. It has been so far the best free spyware remover that I have found.

How To Remove Koobface Manually?

Although it is highly recommended that Koobface or any other parasite should be removed using an automated software but still if you want to do it manually here is the procedure but before attempting anything, make sure you backup your computer:

Using The Add\Remove Program Tool:

This is not a 100% removal method because most of the malware don't really appear in the list but if they are you can do this:

  • Go to Add\Remove utility.
  • Look up for the Koobface malware to remove and uninstall it.

But it is noted that Koobface restores it self on rebooting. So here is a better method:

By Removing Registry Files

Here are the steps:

  • Search for "koobface" in Mycomputer using find utility.
  • Note down Koobface file path somewhere.
  • Press Ctrl+Alt+Del to open 'Task Manager'
  • End the "Koobface" processes.

The following processes must be ended:

  1. %SYSTEMROOT%\bolivar28.exe
  2. che07.exe
  3. bolivar28.exe
  4. %WinDir%\system32\nScan\ekrn.exe
  5. %WinDir%\system32\nScan\ecls.exe
  6. %WinDir%\system32\splm\ncsjapi32.exe
  7. %WinDir%\bolivar28.exe
  8. C:\Windows\fbtre6.exe

Now you need to change 'Registry Files', here is what to do:

  • Type 'regedit' in Run and press Enter.
  • The Registry Editor will appear, locate the above mentioned process files and delete them.
  • Locate "Koobface" registry entries and delete them, they are as the follows:
  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir% \System32\splm\ncsjapi32.exe"
  2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
  3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir% \System32\splm\ncsjapi32.exe"
  4. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
  5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
  6. HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"
  7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "c:\windows\mstre6.exe"
  8. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"systray" = "C:\Windows\fbtre6.exe"
  9. HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

Now you have to unregister dll file as follows:

  • Go to start and type in 'cmd' to open comman prompt.
  • First locate the following dll files using 'dir' command.
  1. %WinDir%\system32\nScan\ekrnEmon.dll
  2. %WinDir%\system32\nScan\ekrnScan.dll
  3. %WinDir%\system32\nScan\ekrnEpfw.dll
  4. %WinDir%\system32\nScan\ekrnAmon.dll
  5. %WinDir%\system32\splm\lmfunit32.dll
  6. %WinDir%\system32\splm\mcaserv32.dll
  7. %WinDir%\system32\splm\kbdsapi.dll
  • Now change the current directory using 'cd' command leave a space after 'cd' and then the path of dll file, which you have located above. Press enter after this.
  • Now unregister dll file by typing "directory path+'regsvr32/u'+dll file name". Press enter, the file will be unregistered.

I would once again recommend that you do it automatically since there is risk of damaging the computer as important files may be deleted or changed.

Comments 31 comments

Trsmd profile image

Trsmd 7 years ago from India

this is a special virus for Facebook.. you have provided good info..

HelpingGuy profile image

HelpingGuy 7 years ago

Nice info. hassam.

If any one of you don't know much about "Koobface worm", just check.

mdvaldosta profile image

mdvaldosta 7 years ago from Valdosta, GA

That looks nasty.

Kate  7 years ago

What about on a Mac? because i think I've got it.. now how do I get rid of it?????

medarj profile image

medarj 7 years ago

Thank you, nice hub !!

javanx3d profile image

javanx3d 7 years ago from Memphis, TN

Great article and instructions! @Dave I like your blog's recommendation as well to avoid the manual removal if you're not savvy with registry mods!



jonharules 7 years ago

My computer has been infected last week and it started dimming my monitor after every 5 minutes and if I don't enter the enter the catchpahrase phrase, it will continually dim my monitor and I can't resume working on my tasks until I enter the words.

I sort of panicked and even worried that it has already replicated itself because until now I'm seeing unknown files that I can't access and it must have replicated itself and went to my drives c and d (my date drive which is d contains all my drivers). I'm afraid that if I will backup it, it will still contain the attributes of the worm. I also uninstalled avast! home edition because it failed to stop the worm. So I downloaded Norton, but since you said it alters the search results, I must have been directed to a rogue software. What should I do to make sure my laptop is really safe? Norton stopped it, but does it really end there?

@ Kate: I don't think Koobface has the ability to infect Mac users

Natalie 6 years ago

I have McAfee and i got this virus during the time it was expired, I went and tried to view a video that someone commented on, I didn't know it was sent from me until a lot of my friends told me. I updated my McAfee and ran a scan, It says it has removed this virus that's how I got it's name, but I keep getting people sayng they are sill receiving these videos from me. What can I do to fix this?

Jordan 6 years ago

ive tried to remove koobface manually using the registry but can anyone help me in tellin me if the automatic removal tools work because im worried if i download them it will just be another virus...?

sean brown 6 years ago

I was getting multiple porn pop up all the time....didn't know what to mcafee said the system is clean....i would have had to format my machine until i came across this site recommended by a friend who works for dell.....says they use all these tools as they are tried & tested to be clean & effective....give it a .....saved me the hassle of reformatting the system.

6 years ago

Microsoft Security Essentials is free and it catches and removes the koobface

Marty Luther 6 years ago

Got a simple solution for this problem. Boot into safe mode (pressing F8 during boot) and start your computer in safemode with networking. Download malwarebytes (the free version works great)... google it.. install and run this in safemode. Will remove this stupid virus quickly and easily. Hope this helps

ashakhan profile image

ashakhan 6 years ago from india


dwan98 6 years ago

check your cookie file you should have a good one to try to remove. look for ch52 or ch62 good luck getting these gone

Chris 6 years ago

I recommend malwarebytes as well. Takes care of it really quick and painlessly.

denis 6 years ago

Thanks for putting all those removal instructions together and sharing it with people. Good job. Denis 6 years ago from bear, de, 19701

good info. I won't miss. thanks

hellooooooooooo 5 years ago

thank you this is good info just incase i get it =)

Mark Wolf 5 years ago

Yes it does have the ability to infect a mac. I have one and I just noticed it infected my email program. Not fun.

I just found a virus scanning program for mac and it found the worm.koobface and I am working on removing it. Hopefully it works. I dont know about any other files that it might of created though. The program I used was ClamXav. Good luck!

Corey 5 years ago

I got the koobface, and it must be an updated version, cuz it won't even let me log on to my computer. It freezes it at the load page before the login page.

Kyle 5 years ago

I got the koobface virus and it just crashes as soon as u turn on a program so mine must b an updated version too any advice?

Mini 5 years ago

could ccleaner can remove it?

Debby Bruck profile image

Debby Bruck 5 years ago

This was super to let folks know about the worm. I just saw a message posted on FaceBook and started to research. Guess what?! Your hubpages came up on google search. So, great going on this hubpages. This was the message I saw:

"Virus spreading like wildfire on Fb and My Space! It is a trojan worm called koobface. It will steal your info, invade your system and shut it down! DO NOT open the link Barack Obama Clinton Scandal! If SmartGirl15 requests you as a friend, don't accept it ;it is a virus. If somebody on your list adds her, you get the virus too! Please copy and paste to your wall. Confirmed on MSNBC and SNOPES..please share"

I found this info: Koobface worm is distributed on social networks, usually on MySpace and Facebook. It embeds itself on victim’s profile and displays links to malicious websites. The websites promote video codec which is actually the Koobface worm. Those sources might also install the worm without notifying visitors.

Koobface is also known as W32/Koobface, W32/Koobface.AZ, W32.Koobface and Boface. Once it gets on a machine, it checks if there are cookies of social networks. If it finds the cookies, it infects victim’s profile. If Koobface worm can’t find evidence of social networking websites, it simply erases itself.

Koobface also loads pop-ups that look like MS Windows error messages. The pop-up contains the following text: “Error installing Codec. Please contact support.”

Beyond  5 years ago

People I got koobface from facebook and I got malwarebytes toke care of it pain free, I diffenetly recoment it

Diana 5 years ago

I have tried every virus software in the book- it blocks them all. Downloaded Malaware on another computer -renamed it and opened it on infected computer and it stopped the scan. When I try safe mode I just get a whole bunch of!!!!!!!!

Anmol Mehta 5 years ago

tell me the best anty virus name to remove koobface plz

jomarthegreat 5 years ago

the files you have listed here may not be present on computers of other users. koobface is a worm. and a worm replaces legitimate and original files from infected computers. so naming file names may not prove to be helpful as each computer differs in content from another, files names will be replicated / replaced by the worm which in turn would give them another different filename... ad inifinitum.

rifa 5 years ago

thnkz for the info,,

my pc is infected by this.. bleh.. n im backing up files.. so thank you.. i learned stuff i didn't knew :)

aashka jain 4 years ago

it has over loaded things which make me unhappy

Night-Wolf 4 years ago

It is easier just to Reformat the hard drive and be done

mika 4 years ago

I have one.. I cant post status! chat and do other things in FB.., gosh! Don't know what to do!

    Sign in or sign up and post using a HubPages Network account.

    0 of 8192 characters used
    Post Comment

    No HTML is allowed in comments, but URLs will be hyperlinked. Comments are not for promoting your articles or other sites.

    Click to Rate This Article