Koobface is a worm that usually manifests itself on social networking websites such as Facebook and MySpace. Once a user’s Facebook or MySpace profile gets infected with Koobface, links to various websites are displayed on the profile. Anyone who clicks on these links is taken to websites that promote a fake video codec. The download appears to install the codec, but in fact it installs Koobface on the user’s computer. If Koobface does not find cookies related to social networking websites on the user’s computer, it will simply delete itself. Koobface is also known by the names Boface, W32/Koobface and W32.Koobface.
As soon as you see such links to malicious websites displayed on your Facebook or MySpace profile and you ascertain that it is due to Koobface, you should take immediate steps to remove it. In order to remove Koobface, you need to stop its processes, unregister its DLLs, delete its files and folders and remove its registry entries. Additionally, in order to make sure that the entire removal process has been properly completed it is recommended to scan the entire PC using genuine software such as Spyware Doctor with Antivirus.
Because this threat mutates all the time, you should first run a full scan using Spyware Doctor with Antivirus to pick up all the traces. From there you can either register the software and remove Koobface or you can write down the traces and manually remove it.
If you find this threat too hard to remove or you just want a pro to remove it for you then we recommend http://www.pcninja.com. This remote computer repair company can fully remove Koobface from your computer along with all other viruses and spyware.
File Removal Procedures
The first step you need to take in order to delete Koobface is to stop the following processes:
• fbtre6.exe
• mstre6.exe
• freddy35.exe
• websrvx.exe
• captcha6.exe
• kaka.exe
• bolivar28.exe
• Ld12.exe
• %WinDir%\system32\splm\ncsjapi32.exe
• %WinDir%\system32\nScan\ecls.exe
• %WinDir%\system32\nScan\ekrn.exe
• %WinDir%\validate.inf
The next step in Koobface removal is to unregister the following DLL files:
• %WinDir%\system32\nScan\ekrnAmon.dll
• %WinDir%\system32\nScan\ekrnEmon.dll
• %WinDir%\system32\nScan\ekrnEpfw.dll
• %WinDir%\system32\nScan\ekrnScan.dll
• %WinDir%\system32\splm\kbdsapi.dll
• %WinDir%\system32\splm\lmfunit32.dll
• %WinDir%\system32\splm\mcaserv32.dll
To complete file removal, delete the following files and folders:
• fbtre6.exe
• mstre6.exe
• freddy35.exe
• websrvx.exe
• captcha6.exe
• kaka.exe
• Ld12.exe
• bolivar28.exe
• %WinDir%\system32\splm\kbdsapi.dll
• %WinDir%\system32\splm\lmfunit32.dll
• %WinDir%\system32\splm\mcaserv32.dll
• %WinDir%\system32\splm\ncsjapi32.exe
• %WinDir%\system32\nScan\ecls.exe
• %WinDir%\system32\nScan\ekrn.exe
• %WinDir%\system32\nScan\ekrnAmon.dll
• %WinDir%\system32\nScan\ekrnEmon.dll
• %WinDir%\system32\nScan\ekrnEpfw.dll
• %WinDir%\system32\nScan\ekrnScan.dll
• %WinDir%\system32\nScan\em000_32.dat
• %WinDir%\system32\nScan\em001_32.dat
• %WinDir%\validate.inf
Registry Removal Procedures
After file removal has been completed, it is necessary to delete the following registry entries as well in order to completely remove Koobface:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
• HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir%\System32\splm\ncsjapi32.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir%\System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
• HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"
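The four manual steps above, written as one PowerShell script; this is an added example, not part of the original guide or of any vendor tool. It assumes an elevated prompt, takes the folder of the bare-named executables from the running process image (the page gives no folder for them), and leaves the HKEY_CURRENT_USER and HKEY_USERS entries for manual removal because the page names no user SID.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]   # run with -WhatIf first for a dry run
param()

$sys = Join-Path $env:WinDir 'system32'
# Bare names from the page; no folder is given, so it is read from the running image.
$bare = 'fbtre6', 'mstre6', 'freddy35', 'websrvx', 'captcha6', 'kaka', 'bolivar28', 'Ld12'
# Path-qualified entries are matched on the full path (a choice of this example),
# so a same-named program installed elsewhere is never touched.
$exes = 'splm\ncsjapi32.exe', 'nScan\ecls.exe', 'nScan\ekrn.exe' |
    ForEach-Object { Join-Path $sys $_ }
$dlls = 'nScan\ekrnAmon.dll', 'nScan\ekrnEmon.dll', 'nScan\ekrnEpfw.dll', 'nScan\ekrnScan.dll',
    'splm\kbdsapi.dll', 'splm\lmfunit32.dll', 'splm\mcaserv32.dll' |
    ForEach-Object { Join-Path $sys $_ }
$other = @('nScan\em000_32.dat', 'nScan\em001_32.dat' | ForEach-Object { Join-Path $sys $_ }) +
    (Join-Path $env:WinDir 'validate.inf')

# 1. Stop the processes, remembering each image path for step 3.
$found = @(Get-Process | Where-Object { $_.Name -in $bare -or ($_.Path -and $_.Path -in $exes) })
$images = @($found | Where-Object Path | ForEach-Object Path)
$found | Stop-Process -Force

# 2. Unregister the DLLs that are present on disk.
foreach ($dll in @($dlls | Where-Object { Test-Path -LiteralPath $_ })) {
    if ($PSCmdlet.ShouldProcess($dll, 'regsvr32 /u /s')) {
        Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$dll`"" -Wait
    }
}

# 3. Delete the files (Remove-Item honours -WhatIf passed to the script).
$images + $exes + $dlls + $other | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Remove-Item -LiteralPath $_ -Force }

# 4. Remove the HKLM autostart data, checking the data against the page where a value is shared.
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$systray = (Get-ItemProperty -LiteralPath "$cv\Run" -ErrorAction SilentlyContinue).systray
if ($systray -match '\\(mstre6|fbtre6)\.exe"?$') {
    Remove-ItemProperty -LiteralPath "$cv\Run" -Name systray
}
Remove-ItemProperty -LiteralPath "$cv\RunOnce" -Name '*Intelli Mouse Pro Version 2.0B*' -ErrorAction SilentlyContinue
$stub = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B'
if ((Get-ItemProperty -LiteralPath $stub -ErrorAction SilentlyContinue).StubPath -match 'ncsjapi32\.exe') {
    Remove-Item -LiteralPath $stub -Recurse
}
```

The `systray` value is removed only when its data ends in `mstre6.exe` or `fbtre6.exe`, since other software can use the same value name.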
Outside Resources:
http://en.wikipedia.org/wiki/Koobface
http://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99