How To Remove the Koobface Virus

Alex Forgue
Categories : Smb security ,Computing
Tags : Computing smb security topics phishing

Page content

Whats Is It?

Koobface is a virus that mainly attacks facebook, but has been know to attack sites like Myspace, Twitter, Friendster, Hi5, and Bebo. When the virus gets into the users computer it will start sending itself to other users form your Facbook or other social networking site account you use. After doing this, the worm will then steal credit cards, bank acocunts, and other sensitive data. If you look at koob face you’ll see facebook, koob is book backwords, and the face part is easy.

How Does It Spread?

The main question is “How does it spread?” The worm spreads itself by sending messages from the users account to all their friends. The message usually includes a subject like, “You look stupid in this vid” or “I got you a camera”. The link to the video will then bring you to a third party site and it will say you need to update to the latest Adobe Flash Player, and it will ask you to download it, most people will without thinking. Once the worm is installed its called to action.

How Do I Remove It?

The hardest part about Koobface is that it is a polymorphism worm. This means that it will keep changing itself to stay undetected. The best way to remove is use a updated malware cleaner. If you go to the following, there are scanners recommended by Facebook to scan for this worm or any other virus online. This page can be found here. If you don’t want to use a automated program that will remove it for you, even though this is highly recommended, follow these steps.

To remove it manually follow these steps:

1. Click start on the taskbar, and then click “My Computer.”

2. Hit F3 and select “All Files and Folders and search “Koobface.”

3. Copy the file path of Koobface.

4. Open “Task Manager” this can be done by eithering holding Ctrl+Alt+Del or clicking “Start” and then “Run” and type “taskmgr.exe”

5. You must disable Koobface’s process first.

6. Next you must disable the other following processes

1. %SYSTEMROOT%\bolivar28.exe

2. bolivar28.exe

3. che07.exe

4. %WinDir%\system32\nScan\ecls.exe

5. %WinDir%\system32\nScan\ekrn.exe

6. %WinDir%\system32\splm\ncsjapi32.exe

7. %WinDir%\bolivar28.exe

8. C:\Windows\fbtre6.exe

Now that this is done, it is time to go into the registry and remove this worm.

1. Click “Start” “Run” and type “Regedit”

2. Locate and delete these registry files

1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: “%WinDir% \System32\splm\ncsjapi32.exe

2. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: “%WinDir% \System32\splm\ncsjapi32.exe”

3. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: “2”

4. HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: “%WinDir% \System32\splm\ncsjapi32.exe”

5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: “%WinDir% \System32\splm\ncsjapi32.exe”

6. HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: “14\8\2008”

7. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\“systray” = “C:\Windows\fbtre6.exe”

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

9. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\“systray” = “c:\windows\mstre6.exe”

Now we must unregister these dll files in Command Prompt.

1. Click “Start”, “Run”, and type “cmd”

2. Now locate and the following dll files by typing dir and then the following:

1. %WinDir%\system32\nScan\ekrnScan.dll

2. %WinDir%\system32\nScan\ekrnEpfw.dll

3. %WinDir%\system32\nScan\ekrnEmon.dll

4. %WinDir%\system32\splm\lmfunit32.dll

5. %WinDir%\system32\splm\kbdsapi.dll

6. %WinDir%\system32\nScan\ekrnAmon.dll

7. %WinDir%\system32\splm\mcaserv32.dll

now that you have the paths for those now we can change it type “cd” then a space and type the dll path for all of those, and hit eneter and now unregister them.

Now unregister each and by using the following format “path+‘regsvr32/u’+dll name”

Thats it!, I hope you use a anti-malware software because doing this can harm your computer.