malwarebot

[kempvonreg]

Had malwarebot on my system, and have now cleared it with malwarebytes software. Avast did not alert me about this rogue malware. Please advise.

[DavidR]

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

If you still have a copy of the file:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

[bob3160]

Had malwarebot on my system, and have now cleared it with malwarebytes software. Avast did not alert me about this rogue malware. Please advise.

No single program is ever going to catch everything. This is just one of the reasons why many of us on this forum advocated using
layered protection.
In your case, Malwarebytes did it's job. Many times it will be avast!.
Just remember that the attack is always written before the cure.
The only way to protect yourself totally from internet attacks is to never use the internet.  :'(

[kempvonreg]

Hallo Thank you for your reply- I am a new user.

Tha malwarebot was uninstalled. ATF cleaner was run and malwarebytes was installed, and run.Which found and cleared 40 items! So nothing remains of the rogue programme to forward . Apologies.

[Mr.Agent]

If you feel that some malware left you can do a boot time scan with Avast! and another scan with your other scanner

Mr.Agent

[DavidR]

Hallo Thank you for your reply- I am a new user.

Tha malwarebot was uninstalled. ATF cleaner was run and malwarebytes was installed, and run.Which found and cleared 40 items! So nothing remains of the rogue programme to forward . Apologies.

Whilst there may be no remnants of the rogue, what would remain is the MBAM log which gives details of the detections, file names, locations and importantly malware name. When you open MBAM click on the Logs tab.

[kempvonreg]

MBAM file contents: hope this is okay? many thanks

Malwarebytes' Anti-Malware 1.36
Database version: 2099
Windows 5.1.2600 Service Pack 3

09/05/2009 17:17:22
mbam-log-2009-05-09 (17-17-22).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 107410
Time elapsed: 19 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 32
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39 (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39 (Rogue.MalwareRemovalBot) -> Files: 648 -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\112.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\124.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\132.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\138.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\143.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\145.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\146.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\147.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\149.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\151.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\152.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\153.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\154.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\181.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\182.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\183.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\189.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\193.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\194.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\323.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\326.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\328.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\332.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\334.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\335.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Quarantine\30-04-2009-19-14-39\336.qit (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Config.Msi\1548ce0.rbf (Rogue.SpyCleaner) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Log\2009 May 09 - 10_36_36 AM_203.log (Rogue.MalwareRemovalBot) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\MalwareRemovalBot\Log\2009 May 09 - 10_44_27 AM_843.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

[DavidR]

So did someone install this thinking that it was a legitimate MalwareRemovalBot tool/application as it is strange for it to be found in the Administrator area ?

Edit: See http://www.mywot.com/en/scorecard/malwareremovalbot.com as that gives you a good idea that this is a scam/rogue.

[kempvonreg]

yes - the program was installed under the mistaken impression it was genuine *Malwarebytes Anti-Malware*; MalwareBot has gone to some trouble to emulate MBAM right down to a spoof imitation icon. It is a con trick - money was also paid for this spoof software / malware ~ hopefully money may be recouped at some stage

[DavidR]

Yes, there are very many such scams and you really have to be careful and do your research before paying out any money. My concern would be how I paid for it as if they are the scum I think they are I would be concerned with fraudulent use of the details given.

So I think you should contact your credit card or other payment agency and report this and have them monitor activity on the card, etc. You should change any associated passwords.