Danger level 9
Type: Worms
Common infection symptoms:
  • Installs itself without permissions
  • Connects to the internet without permission
  • Shows commercial adverts
  • Slow internet connection
  • Annoying pop-ups
  • Slow Computer
Other mutations known as:

Trojan.Proxy.Koobface

Brace yourself for a break-down of one of the more dangerous PC parasites available on the World Wide Web, namely: Trojan.Proxy.Koobface.

Trojan.Proxy.Koobface, also referred to as Win32/Koobface or Worm.Koobface, is a form of malicious software, a worm to be exact, which may perform all sorts of dubious actions on an infiltrated system, compromising the victim's privacy and causing major disruption to the system in question.

Technically speaking, Trojan.Proxy.Koobface is regarded by experts as a computer worm variant that tends to replicate itself through PC networks and contaminates all their poorly protected nodes.

Once embedded within a computer system, Trojan.Proxy.Koobface will integrate itself in the compromised system and in doing so may result in some of the processes being compromised.

Some of the corrupt activities Trojan.Proxy.Koobface may perform are as follows:

• Trojan.Proxy.Koobface may steal personal data (including financial credentials like credit card details)
• Trojan.Proxy.Koobface may trigger misleading alerts
• Trojan.Proxy.Koobface may issue fake scanners
• Trojan.Proxy.Koobface may send weird messages to Facebook or MySpace contacts

To recap, Trojan.Proxy.Koobface is a computer worm that was ultimately designed to gather sensitive information from the victim’s computer system, such as credit card numbers, personal identity information, etc.

This dubious infection tends to target the users of social networking websites, for example Facebook and MySpace. Trojan.Proxy.Koobface spreads by delivering Facebook messages to people who are 'friends' of the infected user.

The messages contain innocuous subject headers the likes of: "Paris Hilton Tosses Dwarf on the Street", "LOL", and "My friend catched [sic] you on hidden cam".

Upon receipt, the message will redirect the recipients to a third-party website, unaffiliated with the social networking website, where they are then prompted to download what is purported to be an update of the Adobe Flash player.

Should the unsuspecting user choose to download the file, they will in effect only be ensuring the infiltration and ultimate infection of their computer with Trojan.Proxy.Koobface.

Once integrated within a computer system, Trojan.Proxy.Koobface then commandeers their surfing activities and directs users to contaminated websites (all of which are obviously in close association with Trojan.Proxy.Koobface) when they attempt to access search engines from Google, Yahoo, MSN and Live.com.

Trojan.Proxy.Koobface works by adding links to social networking profiles, while posing as a video codec. Once a user clicks a link and installs the “video codec,” they are actually downloading Trojan.Proxy.Koobface.

Trojan.Proxy.Koobface launches and searches your PC for social networking site cookies, and uses these cookies to modify your profiles with Koobface links.

Have you noticed?

* Slow computer performance: It just takes one parasite like Trojan.Proxy.Koobface to slow your computer dramatically. If your PC takes longer than usual to reboot, or if your Internet connection is unusually slow, you may be infected with Trojan.Proxy.Koobface.

* New desktop shortcuts or switched homepage: Badware like Trojan.Proxy.Koobface may change your Internet settings to redirect your homepage to another site. Badware can even add desktop shortcuts to your PC.

* Annoying pop-ups: Badware can bombard your computer with popup ads, even when you’re not online. Through these pop-ups, you may be tricked into downloading more spyware.

If you are experiencing these key symptoms, you may be infected with Trojan.Proxy.Koobface, and removal should be implemented ASAP!

You may find that manual removal is the best way to rid a PC of this threat; however, you need to be sure you know your way around the registry of a computer system before attempting a manual removal process.

In order to manually remove this parasite, you should follow the following steps:

• Kill processes:
fbtre6.exe
mstre6.exe

• Delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "c:\windows\mstre6.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating

• Delete the following files:
C:\Windows\fbtre6.exe
C:\Windows\fmark2.dat
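
The manual steps above can be preceded by a read-only check. The PowerShell below is an added example, not part of the original page: it reports the listed processes, HKLM Run-key entries and files without stopping or deleting anything. The "review" heuristic for other autorun executables sitting directly in the Windows folder is an assumption added here, not an indicator from the page.

```powershell
# Added example (not from the original page): read-only triage, nothing is deleted or stopped.
# Indicator names below are the ones this page lists; other variants use other names.
$procNames = 'fbtre6', 'mstre6'
$files     = 'C:\Windows\fbtre6.exe', 'C:\Windows\mstre6.exe', 'C:\Windows\fmark2.dat'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$known     = '\\(fbtre6|mstre6)\.exe'                 # file names taken from the page
# Heuristic (assumption): an autorun .exe placed directly in the Windows folder deserves review.
$winRoot   = '^"?' + [regex]::Escape($env:windir) + '\\[^\\"]+\.exe'

$findings = @()

# 1. Running processes with the listed names
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($p.Name) (PID $($p.Id))"; Detail = $p.Path }
}

# 2. Every value under the HKLM Run key, not only "systray"
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match $known)       { $type = 'RunValue (listed name)' }
        elseif ($data -match $winRoot) { $type = 'RunValue (review)' }
        else                           { continue }
        $findings += [pscustomobject]@{ Type = $type; Item = $name; Detail = $data }
    }
}

# 3. Files on disk; hash them so the sample can be identified before removal
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = "SHA256 $hash" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'None of the listed indicators were found.' }
```

Run it from an elevated PowerShell prompt so process paths are visible; the 'RunValue (review)' rows are leads to examine, not confirmed infections.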

Should you feel you are not tech savvy enough to manually remove this parasite, the best way to ensure your system is safe, and in order to avoid any unneeded risks of damage to your computer system, is to make use of a reliable and legitimate anti-spyware application, to remove Trojan.Proxy.Koobface and all its components from the infected computer system.


How to manually remove Trojan.Proxy.Koobface

Files associated with Trojan.Proxy.Koobface infection:


Trojan.Proxy.Koobface DLL's to remove:

imod3.dll
ibodu.dll
IcnOvrly.dll
rlls.dll

Trojan.Proxy.Koobface processes to kill:


Remove Trojan.Proxy.Koobface registry entries:


Comments

  1. wilf Jun 27, 2009

    I have a virus called owner.exe. I have downloaded the program that was suggested

    Download Trojan.Proxy.Koobface infection scanner *

    It did not even find the virus, so I will remove the version I downloaded

    cheers

  2. Alan B. Barley Sep 3, 2010

    Good detailed explanation, however removal instructions are out of date. You should mention that the creators of this virus/worm are constantly making changes to avoid detection & removal. PC users should look for most current removal info before making registry changes.
