Severity scale:  

Remove Koobface (Virus Removal Guide) - 2021 update

removal by Ugnius Kiguolis - -   Also known as Boface | Type: Worms

Koobface is a multi-platform worm-type computer virus that has a lineup of various functions, including data-stealing

Koobface worm infection

Koobface is a relatively old cyber infection that targets Windows, Mac OS X, and Linux platforms.[1] Operating as a worm, this malware is capable of intercepting traffic,[2] inducing ads, stealing sensitive information, downloading secondary payloads, and many other malicious activities.

Koobface is also a worm that is capable of spreading via social media and email networks, in particular, Facebook, Twitter, Skype, Gmail Yahoo Mail, and others. As soon as the infection is populated, it checks if there are cookies of social networks[3]. If it locates them, it infects the victim’s profile[4].

If Koobface virus can’t find evidence of social networking websites, it merely erases itself and then loads pop-ups that look like MS Windows error messages. The pop-ups contain the following details: “Error installing Codec. Please contact support.” The threat is flagged by different vendors as W32/Koobface, W32/Koobface.AZ, W32.Koobface and Boface.

Questions about Koobface

Additionally, the name of this computer worm is often used by technical support scams and other phishing attempts, such as Windows Detected Koobface InfectionYour System is infected with 3 viruses, and others. If you noticed notifications that note the infection of this virus on Google Chrome or another browser, make sure you scan your device with security software as all these claims are most likely fake. Nevertheless, you will have to remove Koobface as soon as possible if the infection is real – check the bottom section to find out how.

Name Koobface
Type Worm, torjan
Platforms Windows, Mac OS X, and Linux
Infiltration Networking websites and services, such as Skype, Facebook, Twitter, etc.
Capabilities Installing additional payloads, stealing confidential data, injecting advertisements int o browsers, redirects, blocking access to certain sites, stealing license keys, modifying system files, intercepting internet traffic, etc.
Also known as W32/Koobface, W32/Koobface.AZ, W32.Koobface and Boface
Termination Use powerful anti-malware software
Recovery To restore system files to normal, scan your device with ReimageIntego

If computer user actively uses social media networks, Koobface detects particular cookies and collects victim's login information of all social media websites that he or she visits. Then it sends messages to people on the victim's friend list, asking to view a video.

This message includes a malicious hyperlink. If people click on this hyperlink, they are going to be redirected to a harmful website, which states that an update of Flash is required in order to review the content. The download links include flash_player.exe file. If the person allows installing the update, he/she gives access for an installer of Koobface. It means that this .exe file is going to silently download and install Koobface infection files.

Koobface hacking worm[5] allows the cyber-criminals to track and record sensitive data about the victim, for example, it can see what passwords do you enter on particular websites, what are your logins and it can even find out credit card info and banking information! Be aware because it can lead to a financial loss. In addition to that, this malicious worm can display vague ads convincing you to install fake anti-virus programs. Do not install any software promoted by Koobface virus hoax – most likely you will infect your computer even more.

Koobface wormKoobface worm is a sophisticated cyber infection that can spread via networks and inflict major financial damage to victims

For Koobface removal, you should employ reputable security software and terminate all the malicious files from your computer. Additionally, to recover from virus damage, make sure you scan your computer with ReimageIntego – it can fix all the infected system files and make the machine operate normally again.

Beware of tech support scammers who claim that your computer has been infected with KoobFace malware. Technical support scammers make victims install a malicious program that displays pop-up messages via the user's default web browser, stating that the system has been compromised.

Such malicious programs can display a lock screen and prevent the user from accessing the PC or pose as a phony Windows Update. All of these deceptive programs are designed to showcase the technical support number that the user supposedly needs to call in order to get help from “certified technicians.” If your computer is telling you that the system is infected with Koobface, and urges you to contact the tech support team, better scan the system for malware. We also strongly recommend reading this article – Tech Support Scam virus.

Distribution of the Koobface

Koobface is usually spread via social engineering. It means that it is spread via social media messages. If your friend has sent you a link that looks suspicious (looks unfamiliar and contains a lot of random symbols), you should double-ask your friend if he/she really sent that. Such spam usually includes such and similar lines:

  • “I saw your silly face in that movie, check it!”;
  • “Why do you look so stupid? xD See yourself”;
  • “You look just awesome in this new movie”;
  • “My friend caught you on hidden cam.”

If you can remember clicking any of these messages, make sure that you double check your computer for Koobface malware. Also, you should scan your computer with the powerful anti-spyware if you have been tricked into downloading a fake version of Flash Player, which was disguised as “flash_player.exe”.

Koobface scamCrooks are often using Koorface's name in order scam users and make them install bogus software or pay for fake tech support services

Otherwise, Koobface can try to overtake your HTTP traffic, steal your personal information and infect your PC system with additional malware. If you think that you are infected, please, scan your computer with ReimageIntego. You can find more about removal below.

The gang behind Koobface malware shows off their earnings online

While the majority of cyber criminals tend to stay underground and not brag about the money[6] they earn in illegal ways, criminals behind virus behave in an entirely different way. According to research, cyber criminals who have created Koobface project have earned thousands of US dollars daily – up to $10,000 a day.

These criminals were so proud of themselves and loved money so much so that they all have set their phones to deliver a message telling how much money has been earned in the previous 24 hours every morning. Bad actors have also been spotted swaggering on social media and posting pictures next to money piles and Porsches.

Do not let scammers take advantage of you and protect your computer in advance to avoid malware attack. Please, do not click on suspicious-looking links while browsing social media websites and do not open links sent by your friends that point to a video that has nothing to do with you. 

Koobface prevention tips:

  1. Do not browse unreliable websites. If you have opened a website which asks to update your Flash Player, and you know that it was possible to open other videos before, you should know that the site is suspicious. Close it immediately.
  2. If you have at least the smallest suspicion that your friend did not send the suspicious message with a hyperlink, ask him or her twice.
  3. Keep an anti-malware program on your computer to prevent infectious computer threats; we recommend ReimageIntego.

Koobface elimination guide

You can check if you have this infection by opening the Task Manager and looking for such processes: freddy79.exe, fbtre6.exe, mstre6.exe, ld08.exe, Ld12.exe. You must remove this malicious threat from your computer and stop the spread of it. You can perform Koobface removal manually, and we have provided the instructions on how to do it below this article.

Nonetheless, we strongly advise you to remove Koobface worm automatically by employing a reputable security tool, such as SpyHunter 5Combo Cleaner or Malwarebytes. After termination, perform a scan with ReimageIntego to fix virus damage and change your social media/banking passwords to ensure that the cyber-criminals will not use them again.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Koobface, follow these steps:

Remove Koobface using Safe Mode with Networking

Start your computer in Safe Mode with Networking and then run a strong malware removal tool to fetch all components of Koobface Trojan. Do not try to remove this dangerous virus manually, please – this way, you can delete only part of malicious components and leaveremains on the system, which would keep the computer vulnerable to further virus attacks. Mac users should use Mac-compatible anti-malware software, for example, Webroot.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Koobface

    Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Koobface removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Koobface using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Koobface. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Koobface removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Koobface and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

Removal guides in other languages

  1. Guest says:
    July 27th, 2009 at 2:07 pm

    I also had to remove a file “freddy51” from the C drive as well.

  2. rodi says:
    July 27th, 2009 at 11:07 pm

    Thanks, although this file has other anmes as well. Previously it was freddy46, freddy49. Now, it's freddy51. Later it could be freddy52, freddy53 and etc.

  3. Guest says:
    August 17th, 2009 at 6:08 pm

    Removed Koobface using AVG, but still can Not connect to the Net using Internet Explorer even after changing the LAN Settings to automaic detect settings from Use a Proxy server. Please help

  4. Guest says:
    September 17th, 2009 at 5:09 pm

    yah it's freddy64 now

  5. Guest says:
    December 30th, 2009 at 10:12 am

    it's freddy79. i was able to manually stop the processes, found the registry entries and deleted them but “freddy79” remains in C:Windows. If anyone has suggestions on getting it deleted, please post. It will no longer let you delete the file.

  6. rodi says:
    December 31st, 2009 at 12:12 am

    Thank you, we added freddy79 to the list too. Just download an automatic removal tool and run a system scan. I'm afraid that manual removal won't work for you.

  7. Guest says:
    January 5th, 2010 at 11:01 am

    i hate this stupid virus

  8. Guest says:
    January 28th, 2010 at 4:01 am

    I just cleaned this from a friend's laptop last night. It was up to freddy81.

  9. Guest says:
    March 16th, 2010 at 5:03 am

    im finding bills now, is that bad?

  10. Guest says:
    March 21st, 2010 at 10:03 am

    I don't find the fbtre6.exe, I find fbtre19.exe. Should I remove it?

  11. Guest says:
    March 24th, 2010 at 5:03 pm

    Found it on mine as bill104.exe? Or is that another one?

  12. Guest says:
    April 3rd, 2010 at 5:04 am

    Found as bill 106.exe

  13. Guest says:
    April 6th, 2010 at 2:04 pm

    Koobface is nasty. It blocked me from many Internet sites by preventing DNS translation. I couldn't update my antivirus program (Avast). Ultimately I was able to rid myself of this beastie by running Microsoft's Malicious Software Removal tool (MRT.exe).

  14. Guest says:
    April 10th, 2010 at 4:04 pm

    dies this affect mac users also? if so, how do i manually remove it on a mac? thanks

  15. callum-MS-FB says:
    May 4th, 2010 at 1:05 am

    ok just get avg or norton or a good anti virus and it will detect it and remove it

  16. Guest says:
    June 11th, 2010 at 4:06 pm

    Avira (free) gets rid of Koobface

  17. Guest says:
    July 29th, 2010 at 5:07 pm

    uhh, i found a bill something, but deleted it as soon as i found it (i run in safemode so i know what processz arnt suppose to be there) but i cant find it anywhere on my laptop, any help on where bill105 would be in the registry?

  18. Akio says:
    August 23rd, 2011 at 9:08 am

    hey guys after i infected with koobface my Google Chrome cant login facebook and any google related sites. Is it also koobfaces effect??

  19. counterstrike says:
    November 10th, 2015 at 10:49 am

    Yeah it can! Try to retrieve your account by answering the security questions or send the password reset link to your e-mail. BUT FIRSTLY REMOVE KOOBFACE!!! otherwise this worm will see your new passowrds as well

  20. Saleem says:
    November 19th, 2011 at 10:56 am

    Avira gets rid of koobface.

  21. boka choda says:
    July 6th, 2012 at 6:42 pm

    koob face amar computer chude deache

  22. alicia says:
    November 10th, 2015 at 10:47 am

    SpyHunter worked very well, thank you!!!!! This malicious threat is gone for good, god damn it! need to change my passwords now

  23. RoyBiggie says:
    November 10th, 2015 at 10:50 am

    manual removal instructions aint gonna work that well, it is better to remove it automatically ;] you should get anti-malware app, dude

  24. George Kinal says:
    December 15th, 2015 at 11:47 pm

    Great. Article says koobface can infect Macs BUT it says bloody well NOTHING at all about how to do so.

  25. Freddie says:
    February 22nd, 2016 at 8:45 pm

    What about other computers on the same network

  26. Freddie says:
    February 22nd, 2016 at 8:51 pm

    What about other computers on the same network

  27. Allison says:
    April 27th, 2016 at 6:02 pm

    Free scan yes, remove the virus, need to pay, I cant afford it. So unless you can afford to buy something, i wouldnt get this.

Your opinion regarding Koobface