This article is intended to help users remove the CoreBot malware from their systems. CoreBot was first analyzed by IBM Security X-Force researchers.
CoreBot is a relatively new addition to the malware scene and an extremely dangerous one. It is essentially a data stealer that borrows techniques from rootkits to hide itself. IBM has published an extensive analysis of its properties, which I will try to summarize below.
Modus operandi of CoreBot
When your PC is infected, CoreBot injects itself into the svchost.exe process, which is vital to the functioning of Windows. From there it loads its secondary modules into whatever locations it believes hold valuable data; your web browser's files are a prime target. CoreBot can harvest all kinds of log-in credentials, including email passwords, financial data and online-banking log-ins. The stolen data is sent back to the malware's operator through the botnet's command-and-control infrastructure, which is built to hide the operator's location and can be shut down if it is detected. The channel works in both directions: IBM observed commands being sent back to the bot. Both the core and the secondary modules can be modified and updated by the operator, and because CoreBot effectively has full control of the infected system, it can install updates to itself or fetch entirely new malware on demand.
Methods of infection
According to IBM, CoreBot targets both home computers and corporate machines. It typically arrives with the help of other software, a "dropper", which is itself malware (a Trojan or some form of adware) that installs CoreBot on the machine. Another common route is email: once a victim's mailbox credentials have been stolen, the malware uses the compromised mailbox to mail itself to every contact in it. The message is very often a bogus work-related email with a generic description and an attached executable file that contains the malware.
Once it is properly set up, CoreBot has nearly unlimited access to your files; it can collect all kinds of data from your hard drive and send it back, as data dumps, to whoever deployed the malware. It is even more dangerous when the infected computer is part of a network, since the malware can spread to the other machines on it. IBM also reports extended capabilities, including replacing .dll files and downloading and installing additional, even more dangerous malware such as ransomware on its own. We strongly advise you to copy your most valuable data (documents, not programs) to offline media such as DVDs or flash drives until the malware is removed, and to scan that media before using it on another machine. Also change the passwords for all important online accounts (online banking, PayPal and so on) immediately, and do it from a device you know is clean: anything you type on the infected machine can be captured.
Preventing infection by malware like CoreBot in the future
The safest advice is to install a reputable anti-malware program and use it to scan every file before you open it. Beyond that, refrain from downloading files from unsafe locations: torrent sites, file-sharing and online-storage links, warez and all other kinds of shady sites. Keep in mind that malware almost always arrives as an executable file, so never download and run such a file that you received by email, even if you know the sender: an infected mailbox can spread the malware on its own without the owner realizing what is happening. Turning on the display of file extensions in Explorer helps here, since an attachment named "invoice.pdf.exe" otherwise shows up as "invoice.pdf".
Remove CoreBot Malware
Our first step here is a reboot in Safe Mode. If you already know how to do it, just skip this and proceed to Step 2. If you do not know how to do it, continue reading:
For Windows 98, XP, Millennium and 7 users:
Restart your computer. To be sure you don't miss the moment, press F8 repeatedly as soon as the PC starts booting. In the menu that appears, choose Safe Mode with Networking.
Proceed to Step 2.
For Windows 8 and 8.1 users:
Click the Start button, then Control Panel —> System and Security —> Administrative Tools —> System Configuration.
On the Boot tab, check the Safe boot option (select Network underneath it if you want network access in Safe Mode) and click OK. Click Restart in the pop-up that appears. Remember to uncheck Safe boot again once you are done, or the PC will keep booting into Safe Mode.
Proceed to Step 2.
For Windows 10 Users:
- Open the Start menu.
- Click the power button icon in the right corner of the new Start menu to show the power options menu.
- Press and hold down the SHIFT key on the keyboard and click the Restart option while still holding down the SHIFT key.
Windows 10 will perform the reboot. Next do the following:
Click the Troubleshoot icon, then Advanced options —> Startup Settings. Click Restart.
After the reboot, press 5 or F5 to select Enable Safe Mode with Networking (the fifth option).
Continue with Step 2.
Hold the Windows key and press R, then open the hosts file by pasting the following into the Run box and clicking OK: notepad %windir%\System32\drivers\etc\hosts
Notepad will open the file; don't change anything yet. A clean hosts file on a modern Windows system contains only comment lines (starting with #); a "127.0.0.1 localhost" line and a "::1 localhost" line may be present, commented out or not. The hosts file does not show who is connected to your PC, but malware often adds lines to it: an external IP in front of a website's name (your bank's, for example) silently redirects that site to the attacker, and 127.0.0.1 or 0.0.0.0 in front of an antivirus update server makes it unreachable.
If there are extra lines with strange IPs below "localhost", you may be compromised, and it is best to ask us in the comments for directions.
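The hosts-file check described above can be done by script instead of by eye. The following PowerShell is an added example, not code from the original article or from IBM's analysis: it parses hosts-file lines, ignores comments and the plain localhost mapping, and reports every other entry as either a block or a redirect. The sample lines embedded in it are constructed (the bank and antivirus domains and the 203.0.113.7 address are made up); the function names Test-HostsLines and Test-HostsFile are this example's own.

```powershell
# Added example, not from the original article or from IBM's analysis.
# Parses hosts-file lines and reports every mapping that is not the plain
# localhost entry. Constructed sample lines are embedded so it runs offline;
# the addresses and domain names in them are made up.

function Test-HostsLines {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $findings = @()
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        # Drop trailing comments, then skip blank and comment-only lines
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }

        $fields = @($line -split '\s+')
        $ip     = $fields[0]
        $names  = @($fields | Select-Object -Skip 1)
        if ($names.Count -eq 0) { continue }   # malformed line, nothing is mapped

        # The only mapping a stock hosts file may carry is loopback -> localhost
        $isLoopback    = $ip -in @('127.0.0.1', '::1')
        $onlyLocalhost = @($names | Where-Object { $_ -ne 'localhost' }).Count -eq 0
        if ($isLoopback -and $onlyLocalhost) { continue }

        # Loopback or 0.0.0.0 in front of a real domain makes it unreachable
        # (typical for antivirus update servers); any other address redirects it.
        $kind = if ($isLoopback -or $ip -eq '0.0.0.0') { 'block' } else { 'redirect' }
        $findings += [pscustomobject]@{
            Line  = $lineNo
            IP    = $ip
            Hosts = ($names -join ', ')
            Kind  = $kind
        }
    }
    return $findings
}

function Test-HostsFile {
    # Reads the live hosts file; reading it needs no elevation
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Test-HostsLines -Lines @(Get-Content -LiteralPath $Path)
}

# Constructed sample: the first five lines mirror a stock Windows hosts file,
# the last three are the kind of additions malware makes.
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '# localhost name resolution is handled within DNS itself.',
    '#	127.0.0.1       localhost',
    '#	::1             localhost',
    '',
    '203.0.113.7     www.examplebank.com      # redirect to attacker-controlled host',
    '0.0.0.0         update.example-av.net',
    '127.0.0.1       liveupdate.example-av.net'
)

Test-HostsLines -Lines $sample | Format-Table -AutoSize
Test-HostsFile                  | Format-Table -AutoSize   # same check on this machine
```

Against the constructed sample the function flags the last three lines: the bank domain as a redirect and the two update servers as blocks. Against a clean machine it returns nothing. A finding is a lead, not proof; some hosts-file entries are put there deliberately by ad blockers or administrators, so check what each one points at before removing it.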
Now hold the Windows key and press R again, type %temp% in the box and hit Enter. Delete everything in that directory. A file that refuses to delete because it is in use is worth noting: few legitimate programs hold temp files open in Safe Mode.
Open Task Manager (Ctrl+Shift+Esc) and look through the Processes tab for anything you do not recognize, especially processes with no description or running from unusual locations. Right-click each suspicious process separately and select Open File Location, then end the process once the folder is open. To make sure you don't delete a program you mistook for malware, copy the folders somewhere safe first (without running anything in them), then delete the directories you were sent to. There is a good chance CoreBot is hiding somewhere in here. Remember that CoreBot's core is injected into the legitimate svchost.exe (see above), so don't expect a process named CoreBot; look for the dropper and the secondary modules instead.
A BIG WARNING HERE! READ THIS BEFORE PROCEEDING!
This is perhaps the most important and difficult step, so be extremely careful. A big mistake here can damage your PC significantly. If you are not comfortable with it, we advise you to use a reputable anti-malware scanner instead. Keep in mind that accounts linked to your credit cards or other important information may already be exposed to the malware.
Take a look at the following things:
Type msconfig in the search field and hit Enter; a new window will open.
Go to the Startup tab and uncheck anything that has "Unknown" as its Manufacturer. (On Windows 8 and later the Startup tab sends you to Task Manager's Startup tab, which lists the same entries with a Publisher column.) An unknown manufacturer is a hint, not proof: legitimate programs sometimes appear this way too, so write down what you disable in case you need to re-enable it.
Type regedit in the Windows search field and press Enter. Before deleting anything, make a backup with File > Export so you can restore the registry if you remove the wrong key.
Once inside, press Ctrl and F together and search for the file and folder names you found in the previous step (the malware will not register itself under the name "CoreBot"). Right-click and delete any entries you find with a similar name. If you can't find them this way, look in these locations and delete the entries manually:
- HKEY_CURRENT_USER\Software\<random name>
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\<random name>
The standard autostart keys, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and the same path under HKEY_LOCAL_MACHINE, are also worth checking for values that point at the files you found.
If none of this helps you find the CoreBot malware, you need to resort to a professional scanner. This is malware that was created to steal credentials and credit card data, and the people who built it spent a lot of resources making it as dangerous as possible.
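The process and startup checks in the steps above can be scripted so that nothing is overlooked. The following PowerShell is an added example, not the article's or IBM's code: it lists the common autostart locations (Run and RunOnce keys for the current user and the machine, plus the Startup folders) and the running processes, and flags any executable that is unsigned, missing, or located in a user-writable directory, with an extra check on svchost.exe look-alikes. It assumes Windows 7 or later with PowerShell 3 or newer (for Get-CimInstance and the -in operator), run from an elevated prompt; the function names and the list of user-writable directories are this example's own choices.

```powershell
# Added example, not from the original article. Lists autostart entries and
# running processes and flags leads: unsigned binaries, dangling entries, files
# in user-writable directories, and svchost.exe instances that don't look genuine.
# Run from an elevated PowerShell prompt so HKLM values and all processes are readable.
# Everything reported is a lead to investigate, not a verdict.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Locations any user can write to; a binary that autostarts from here deserves a look
$userWritable = @(@($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) | Where-Object { $_ })

function Get-ExePath {
    # Pull the executable out of a Run value such as: "C:\Path\app.exe" /silent
    param([string] $Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Get-PathVerdict {
    param([string] $Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if ($p -notmatch '[\\/]') {
        # Bare name (e.g. rundll32.exe): resolve it through PATH the way the loader would
        $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $p = $cmd.Path }
    }
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { return 'MISSING (dangling entry)' }
    if ([IO.Path]::GetExtension($p) -ieq '.lnk') {
        # Startup-folder shortcuts: judge the target, not the .lnk file itself
        $target = (New-Object -ComObject WScript.Shell).CreateShortcut($p).TargetPath
        if ($target) { return Get-PathVerdict $target }
    }
    $flags = @()
    $sig = Get-AuthenticodeSignature -LiteralPath $p
    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    foreach ($d in $userWritable) {
        if ($p.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'user-writable dir'; break }
    }
    if ($flags.Count -eq 0) { return 'ok' }
    return ($flags -join '; ')
}

function Get-AutostartEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # added by the provider, not registry values
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $meta) { continue }
            $cmd = [string]$prop.Value
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $cmd; Verdict = Get-PathVerdict (Get-ExePath $cmd) }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName; Verdict = Get-PathVerdict $f.FullName }
        }
    }
}

function Get-SuspiciousProcesses {
    $sys32 = "$env:SystemRoot\System32\"
    $all = Get-CimInstance Win32_Process
    foreach ($p in $all) {
        if (-not $p.ExecutablePath) { continue }      # kernel/idle processes, or access denied
        $flags = @()
        if ($p.Name -ieq 'svchost.exe') {
            # Genuine svchost.exe lives in System32 and is started by services.exe. Code
            # injected into a genuine svchost (what CoreBot does) passes both checks, so
            # this only catches look-alike binaries; a memory scan is needed for the rest.
            if (-not $p.ExecutablePath.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'svchost outside System32' }
            $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
            if (-not $parent -or $parent.Name -ine 'services.exe') { $flags += 'svchost parent is not services.exe' }
        }
        $v = Get-PathVerdict $p.ExecutablePath
        if ($v -ne 'ok') { $flags += $v }
        if ($flags.Count) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; Flags = ($flags -join '; ') }
        }
    }
}

Get-AutostartEntries    | Format-Table -AutoSize -Wrap
Get-SuspiciousProcesses | Format-Table -AutoSize -Wrap
```

Read the output the same way you would read the msconfig and Task Manager lists: a "signature: NotSigned" entry from a user-writable directory is the profile of a dropper or a module it left behind, while a signed binary under Program Files that merely lacks a manufacturer name is usually fine. Use the Source and Path columns to find the registry value or file to remove, and export the key before deleting it, as described above.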