how do I remove this malware?

Comments

  • tweeter
    tweeter Posts: 3,958 Forumite
    Part of the Furniture
    I've found the folks on here are up to fixing most malware exploits.
    Peel back your baby's eyelid to find no nationality or religious identity mark there. Peer at your baby's eyes for them to reflect back just people-throw away your flags and religious symbols...
  • spaceboy
    spaceboy Posts: 1,933 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    I'm not sure exactly what caused it. I usually use Firefox with Adblock, and yesterday I decided to try Chrome. I tried downloading it but it wouldn't install (unknown installer error), so I downloaded it from somewhere else (here: http://pack.google.com/intl/en-gb/pack_installer.html ). I went to the Netphoria messageboards and saw lots of adverts for the first time (as I usually have Adblock) and I think it happened around that time, I'm not precisely sure.
  • spaceboy
    spaceboy Posts: 1,933 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Will it have stolen any passwords already or will MSE have stopped it?
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    You might have to run combofix but only under supervision from a qualified helper.
  • closed
    closed Posts: 10,886 Forumite
    where is it finding them, system restore area? Scan in safe mode.
  • spaceboy
    spaceboy Posts: 1,933 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    closed wrote: »
    where is it finding them, system restore area? Scan in safe mode.

    I'm not scanning in safe mode, should I stop and start again in safe mode?
  • closed
    closed Posts: 10,886 Forumite
    Where are the infections - full path and filenames?

    If they are resident (i.e. running), then a safe mode scan may prevent them from running.
  • 23n1th
    23n1th Posts: 1,523 Forumite
    Hopefully not, but as you say MSE keeps finding it again, so it sounds like there's something on there that's hiding from the security software and re-downloading those infections. Rootkits are nasty and you'll need an expert to get rid of one for good.

    Donnie is right though, it is possible for a rootkit to survive a format and clean install.
  • spaceboy
    spaceboy Posts: 1,933 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Malwarebytes' Anti-Malware 1.46
    https://www.malwarebytes.org

    Database version: 4658

    Windows 6.1.7600
    Internet Explorer 9.0.7930.16406

    20/09/2010 21:59:10
    mbam-log-2010-09-20 (21-59-10).txt

    Scan type: Full scan (C:\|D:\|F:\|H:\|I:\|J:\|)
    Objects scanned: 286385
    Time elapsed: 42 minute(s), 38 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 2
    Registry Keys Infected: 2
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 5
    Files Infected: 18

    Memory Processes Infected:
    C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> No action taken.

    Memory Modules Infected:
    C:\Users\bert5\AppData\Local\oricohotuce.dll (Trojan.Hiloti) -> No action taken.
    C:\Users\bert5\AppData\Local\KBDInine.dll (Trojan.Hiloti.Gen) -> No action taken.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ybewiq (Trojan.Hiloti) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erupolalocup (Trojan.Hiloti.Gen) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{1aff904b-5a58-7969-3a1e-e98650b6088d} (Spyware.Zbot) -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Program Files\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> No action taken.

    Files Infected:
    C:\Users\bert5\AppData\Local\oricohotuce.dll (Trojan.Hiloti) -> No action taken.
    C:\Users\bert5\AppData\Local\KBDInine.dll (Trojan.Hiloti.Gen) -> No action taken.
    C:\Users\bert5\AppData\Roaming\Cukoys\ugvi.exe (Spyware.Zbot) -> No action taken.
    C:\Users\bert5\AppData\Local\Mozilla\Firefox\Profiles\qsetuup7.default\Cache\0D1036A2d01 (Rogue.Installer) -> No action taken.
    C:\Users\bert5\AppData\Local\Temp\QZKMduzBhb.exe (Trojan.Hiloti.Gen) -> No action taken.
    C:\Users\bert5\AppData\Local\Temp\7zS3DFA.tmp\MSIStart.exe (Rogue.SpywareStop) -> No action taken.
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot\Log\2010 Sep 20 - 08_42_52 PM_012.log (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\bert5\AppData\Roaming\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Program Files\MalwareRemovalBot\DataBase.ref (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.url (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Program Files\MalwareRemovalBot\vistaCPtasks.xml (Rogue.MalwareRemovalBot) -> No action taken.
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MalwareRemovalBot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> No action taken.
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MalwareRemovalBot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\Public\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> No action taken.
    C:\Users\bert5\AppData\Local\Temp\0.8086159129933578.exe (Trojan.Dropper) -> No action taken.
    C:\Windows\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> No action taken.
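One way to answer closed's questions (where the infections are, which are resident, and whether anything was actually removed) straight from a log like the one above, as an added example that is not part of the original post or of Malwarebytes' own tooling: the script below parses the "<Section> Infected:" blocks of an MBAM 1.x log and flags the entries that are running in memory or sit in an autostart location. The sample input is an excerpt of the log spaceboy posted; the list of autostart locations in `PERSISTENCE_MARKERS`, and the function names `parse_mbam_log`, `triage` and `report`, are my own choices, not anything from the thread.

```python
"""Triage a Malwarebytes Anti-Malware 1.x scan log.

Added example, not the poster's or Malwarebytes' code. It relies on the
"<Section> Infected:" headers and "<location> (<Detection>) -> <action>" line
format visible in the posted log; SAMPLE_LOG is an excerpt of that log.
"""
import re
from collections import Counter

# One detection line: <location> (<Detection.Name>) -> <action taken>
DETECTION_RE = re.compile(r"^(?P<loc>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)

# Autostart locations (assumption: a case-insensitive substring test on the
# detection's location is enough to recognise these common ones).
PERSISTENCE_MARKERS = (
    "\\currentversion\\run\\",      # HKLM/HKCU ...\CurrentVersion\Run values
    "\\currentversion\\runonce\\",
    "\\windows\\tasks\\",           # legacy Task Scheduler .job files
    "\\programs\\startup\\",        # Start Menu Startup folders
)

def parse_mbam_log(text):
    """Map each 'X Infected' section to a list of (location, detection, action)."""
    parsed, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A section header is "<name>:" alone; the summary block uses "<name>: <count>"
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            parsed.setdefault(section, [])
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            parsed[section].append((m["loc"], m["name"], m["action"]))
    return parsed

def triage(parsed):
    """Where are they, are they running, do they autostart, was anything removed?"""
    items = [(sec, loc, name, act)
             for sec in SECTIONS for loc, name, act in parsed.get(sec, [])]
    return {
        "total": len(items),
        "untreated": sum(1 for *_, act in items if act == "No action taken."),
        # Memory sections are code running right now; a safe-mode scan stops it loading
        "resident": [loc for sec, loc, _, _ in items if sec.startswith("Memory")],
        # Autostart entries re-launch the dropped files on every boot or logon
        "persistence": [(loc, name) for _, loc, name, _ in items
                        if any(mk in loc.lower() for mk in PERSISTENCE_MARKERS)],
        "families": Counter(name for _, _, name, _ in items),
    }

def report(summary):
    """Plain-text summary suitable for pasting back into a reply."""
    out = [f"{summary['total']} detections, {summary['untreated']} untreated",
           "Running in memory now:", *(f"  {p}" for p in summary["resident"]),
           "Autostart entries (remove these or the files come straight back):",
           *(f"  {p}  [{n}]" for p, n in summary["persistence"]),
           "Detections: " + ", ".join(f"{n} x{c}" for n, c in summary["families"].most_common())]
    return "\n".join(out)

# Excerpt of the log posted in the thread (raw string: Windows paths contain backslashes).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Scan type: Full scan (C:\|D:\|F:\|H:\|I:\|J:\|)

Memory Processes Infected:
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe (Rogue.MalwareRemovalBot) -> No action taken.

Memory Modules Infected:
C:\Users\bert5\AppData\Local\oricohotuce.dll (Trojan.Hiloti) -> No action taken.
C:\Users\bert5\AppData\Local\KBDInine.dll (Trojan.Hiloti.Gen) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ybewiq (Trojan.Hiloti) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\erupolalocup (Trojan.Hiloti.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{1aff904b-5a58-7969-3a1e-e98650b6088d} (Spyware.Zbot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Users\bert5\AppData\Local\oricohotuce.dll (Trojan.Hiloti) -> No action taken.
C:\Users\bert5\AppData\Roaming\Cukoys\ugvi.exe (Spyware.Zbot) -> No action taken.
C:\Users\bert5\AppData\Local\Temp\0.8086159129933578.exe (Trojan.Dropper) -> No action taken.
C:\Windows\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> No action taken.
"""

if __name__ == "__main__":
    print(report(triage(parse_mbam_log(SAMPLE_LOG))))
```

Run it as-is to see the excerpt triaged, or replace `SAMPLE_LOG` with the contents of your own mbam-log file. Every line of the posted log ends in "No action taken.", so that run only detected; the three values under ...\CurrentVersion\Run and the .job file in C:\Windows\Tasks are the entries that relaunch the dropped files after a reboot, and they are what a removal run has to take out along with the files themselves.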
  • 23n1th
    23n1th Posts: 1,523 Forumite
    OK, update MBAM, scan again and remove these things this time.
This discussion has been closed.