
Backdoor.SpyNet.M & Trojan.PWS & Winbooter/svchost.exe **Malwarebytes Protection DISABLED by ATTACKER**



I woke up this afternoon to find that my little brother took advantage of an overnight game download I had going on and decided to do things of his own on my computer. I know my infection is not from the game, 'cause I've downloaded that very game multiple times before, A.V.A from ijji's Web site is SAFE. So that's not it... whatever my little brother did has killed my system. I have WAY too much on this PC to wipe it clean.

I'm a paying user [i have e-mail with receipt if you need], and I update the databases at least once or twice a day. At the time of this post, I am working with database version 4470.

When I boot my PC, I see a quick flash of a command prompt type thing that I've never seen before when booting, followed by another one... which I am betting money are the malware. They execute BEFORE Malwarebytes can boot, and even with a full scan and removal [7 times], they keep popping up.

I keep getting these hits on the full scans:

09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE

12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE

Removing them does NOTHING, as they just seem to replicate. ***NOTE THE "ALLOW" on the first one*** Now, I have 9 files in quarantine, instead of 3.

2 identical registry keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Current Version\Run\hkcu (Data: C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe)

2 identical folders:

C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr

5 files, 4 of which are identical:

C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe (four of these)

C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe

Only difference I see is the capitals, but whatever.

Also, here is the protection log for yesterday:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00:36:15 IssenGoesW7 MESSAGE Protection started successfully

00:36:19 IssenGoesW7 MESSAGE IP Protection started successfully

04:51:59 IssenGoesW7 MESSAGE Protection started successfully

04:52:03 IssenGoesW7 MESSAGE IP Protection started successfully

05:18:20 IssenGoesW7 IP-BLOCK 93.190.140.147

05:23:32 IssenGoesW7 IP-BLOCK 64.120.141.98

05:24:06 IssenGoesW7 MESSAGE IP Protection stopped

05:24:58 IssenGoesW7 MESSAGE Database updated successfully

15:52:21 IssenGoesW7 MESSAGE Protection started successfully

15:52:24 IssenGoesW7 MESSAGE IP Protection started successfully

16:04:36 IssenGoesW7 IP-BLOCK 94.96.111.39

16:07:40 IssenGoesW7 IP-BLOCK 121.11.255.13

16:07:56 IssenGoesW7 IP-BLOCK 94.96.93.14

16:08:36 IssenGoesW7 IP-BLOCK 89.28.81.135

16:17:26 IssenGoesW7 IP-BLOCK 121.10.120.182

16:22:22 IssenGoesW7 IP-BLOCK 89.28.52.42

16:22:22 IssenGoesW7 IP-BLOCK 60.172.213.238

16:43:07 IssenGoesW7 IP-BLOCK 188.65.50.87

16:53:25 IssenGoesW7 IP-BLOCK 89.28.69.116

16:54:05 IssenGoesW7 IP-BLOCK 121.13.72.70

16:54:21 IssenGoesW7 IP-BLOCK 188.130.177.3

18:53:23 IssenGoesW7 MESSAGE Protection started successfully

18:53:26 IssenGoesW7 MESSAGE IP Protection started successfully

18:54:54 IssenGoesW7 IP-BLOCK 94.96.25.192

18:56:22 IssenGoesW7 IP-BLOCK 89.28.6.89

19:08:33 IssenGoesW7 IP-BLOCK 94.96.129.200

19:08:57 IssenGoesW7 IP-BLOCK 58.241.100.225

21:45:47 IssenGoesW7 MESSAGE Protection started successfully

21:45:51 IssenGoesW7 MESSAGE IP Protection started successfully

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:00 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:00 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:41 IssenGoesW7 IP-BLOCK 213.174.136.83

21:52:49 IssenGoesW7 IP-BLOCK 213.174.136.83

21:52:49 IssenGoesW7 IP-BLOCK 213.174.136.83

23:08:47 IssenGoesW7 IP-BLOCK 58.240.246.13

23:22:41 IssenGoesW7 IP-BLOCK 58.240.246.1

23:22:57 IssenGoesW7 IP-BLOCK 58.240.246.1

23:26:11 IssenGoesW7 IP-BLOCK 89.28.8.132

23:26:19 IssenGoesW7 IP-BLOCK 122.224.5.157

23:38:32 IssenGoesW7 IP-BLOCK 95.211.10.3

23:39:44 IssenGoesW7 IP-BLOCK 222.70.147.26

23:40:17 IssenGoesW7 IP-BLOCK 58.240.246.5

23:40:41 IssenGoesW7 IP-BLOCK 83.128.101.204

23:40:41 IssenGoesW7 IP-BLOCK 94.96.158.238

23:45:29 IssenGoesW7 IP-BLOCK 58.240.246.1

23:45:37 IssenGoesW7 IP-BLOCK 58.240.246.1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the protection log for today:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00:09:59 IssenGoesW7 MESSAGE Protection started successfully

00:10:02 IssenGoesW7 MESSAGE IP Protection started successfully

00:10:10 IssenGoesW7 IP-BLOCK 218.8.40.177

03:09:03 IssenGoesW7 MESSAGE Protection started successfully

03:09:07 IssenGoesW7 MESSAGE IP Protection started successfully

03:10:17 IssenGoesW7 MESSAGE IP Protection stopped

03:10:19 IssenGoesW7 MESSAGE Database updated successfully

03:10:20 IssenGoesW7 MESSAGE IP Protection started successfully

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

07:30:47 IssenGoesW7 IP-BLOCK 62.213.100.140

07:51:45 IssenGoesW7 IP-BLOCK 95.211.10.225

07:51:53 IssenGoesW7 IP-BLOCK 95.211.10.225

07:52:09 IssenGoesW7 IP-BLOCK 66.150.14.67

08:13:35 IssenGoesW7 IP-BLOCK 66.7.179.198

08:41:13 IssenGoesW7 MESSAGE Protection started successfully

08:41:17 IssenGoesW7 MESSAGE IP Protection started successfully

09:01:11 IssenGoesW7 IP-BLOCK 89.28.74.174

09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW

09:01:20 IssenGoesW7 IP-BLOCK 62.45.251.25

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 208.111.34.38

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS DENY

09:10:48 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Local\Temp\Rar$EX13.123\Hide My Ip.EXE Trojan.VBInject QUARANTINE

09:12:47 IssenGoesW7 IP-BLOCK 94.96.100.159

09:45:52 IssenGoesW7 IP-BLOCK 89.28.62.85

09:47:04 IssenGoesW7 IP-BLOCK 62.45.120.204

10:14:27 IssenGoesW7 IP-BLOCK 222.65.134.62

10:14:35 IssenGoesW7 IP-BLOCK 121.11.50.104

10:55:07 IssenGoesW7 IP-BLOCK 64.111.217.35

11:15:04 IssenGoesW7 ERROR IsValidLicenseKey failed with error code 13

11:15:04 IssenGoesW7 MESSAGE Protection stopped

11:20:40 IssenGoesW7 MESSAGE Protection started successfully

11:20:44 IssenGoesW7 MESSAGE IP Protection started successfully

11:26:21 IssenGoesW7 MESSAGE Protection started successfully

11:26:24 IssenGoesW7 MESSAGE IP Protection started successfully

11:33:45 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE

11:41:01 IssenGoesW7 IP-BLOCK 208.91.207.10

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:44:23 IssenGoesW7 IP-BLOCK 209.62.9.34

11:44:23 IssenGoesW7 IP-BLOCK 209.62.9.34

11:44:31 IssenGoesW7 IP-BLOCK 209.62.9.34

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.229

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.233

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.230

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.234

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 88.208.33.94

11:52:35 IssenGoesW7 IP-BLOCK 88.208.33.94

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

12:03:16 IssenGoesW7 MESSAGE Protection started successfully

12:03:19 IssenGoesW7 MESSAGE IP Protection started successfully

12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE

12:08:40 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M DENY

12:32:04 IssenGoesW7 MESSAGE Protection started successfully

12:32:07 IssenGoesW7 MESSAGE IP Protection started successfully

12:40:06 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE

12:40:11 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:17 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:22 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:27 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:32 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:37 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:42 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:47 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:52 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:57 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:02 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:08 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:13 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:44:14 IssenGoesW7 MESSAGE Protection started successfully

12:44:18 IssenGoesW7 MESSAGE IP Protection started successfully

12:45:03 IssenGoesW7 MESSAGE IP Protection stopped

12:45:06 IssenGoesW7 MESSAGE Database updated successfully

12:45:07 IssenGoesW7 MESSAGE IP Protection started successfully

13:00:25 IssenGoesW7 MESSAGE IP Protection stopped

13:00:25 IssenGoesW7 MESSAGE IP Protection started successfully

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you notice at 11:15:04, my module protection was magically disabled and I scrambled frantically to my e-mail and re-entered the key, and it was fine from there... but how can it DISABLE Malwarebytes?! Another thing that scares me is that they seem to be either attached to or trying to mimic svchost.exe and msconfig... I don't know much about this stuff, but that CAN'T be good.

Please help me...

[sorry for previously posting this in the wrong section... I think?]


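As an added triage example (not code from the original post, and not a Malwarebytes tool), the following Python script parses the protection-log format shown above and flags the four things a responder would want pulled out of it: a detection the user ALLOWed, a file that is denied again and again within seconds (it is being re-dropped by something still running, so deleting the file alone will not end the infection), a window during which protection was stopped, and system-binary names such as svchost.exe and msconfig.exe running from AppData, where the genuine files never live. The line layout (time, host, kind, details) is inferred from the posted lines rather than taken from vendor documentation; the embedded sample is an excerpt of the log in the post; the function names and the 3-hits-in-60-seconds threshold are this example's own assumptions.

```python
"""Triage a Malwarebytes-style protection log for signs that the malware is
winning: ALLOWed detections, detect/DENY loops, protection gaps and
system-binary names running from user-writable directories.

Added example for this thread; line format inferred from the posted log,
function names and thresholds are assumptions of this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Excerpt of the protection log posted above (raw string: paths hold backslashes).
SAMPLE_LOG = r"""
08:41:13 IssenGoesW7 MESSAGE Protection started successfully
08:41:17 IssenGoesW7 MESSAGE IP Protection started successfully
09:01:11 IssenGoesW7 IP-BLOCK 89.28.74.174
09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW
09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE
09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS DENY
09:10:48 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Local\Temp\Rar$EX13.123\Hide My Ip.EXE Trojan.VBInject QUARANTINE
11:15:04 IssenGoesW7 ERROR IsValidLicenseKey failed with error code 13
11:15:04 IssenGoesW7 MESSAGE Protection stopped
11:20:40 IssenGoesW7 MESSAGE Protection started successfully
11:20:44 IssenGoesW7 MESSAGE IP Protection started successfully
11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175
11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175
11:44:23 IssenGoesW7 IP-BLOCK 209.62.9.34
12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE
12:08:40 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M DENY
12:40:06 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE
12:40:11 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY
12:40:17 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY
12:40:22 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY
12:40:27 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY
"""

# Names of genuine Windows binaries that malware borrows; the real ones live
# under the Windows system directory, never under a user's AppData.
SYSTEM_NAMES = {"svchost.exe", "msconfig.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def parse_line(line):
    """Split one log line into a record; None for blank or unparseable lines."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    rec = {"time": datetime.strptime(parts[0], "%H:%M:%S"), "host": parts[1],
           "kind": parts[2], "detail": parts[3] if len(parts) == 4 else ""}
    if rec["kind"] == "DETECTION":
        # The path may contain spaces ("Hide My Ip.EXE"); the threat family and
        # the action are always the last two whitespace-separated tokens.
        rec["path"], rec["family"], rec["action"] = rec["detail"].rsplit(None, 2)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def allowed_detections(records):
    """Detections that were ALLOWed: the backdoor was seen and let run anyway."""
    return [r["path"] for r in records if r["kind"] == "DETECTION" and r["action"] == "ALLOW"]


def redrop_loops(records, min_hits=3, window=timedelta(seconds=60)):
    """Paths DENYed at least min_hits times inside `window`: the file is being
    re-created by something still running, so file removal alone is not enough."""
    by_path = defaultdict(list)
    for r in records:
        if r["kind"] == "DETECTION" and r["action"] == "DENY":
            by_path[r["path"].lower()].append(r["time"])  # NTFS paths are case-insensitive
    loops = {}
    for path, times in by_path.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                loops[path] = len(times)
                break
    return loops


def protection_gaps(records):
    """(stopped_at, restarted_at) pairs for the main protection module."""
    gaps, stopped = [], None
    for r in records:
        if r["kind"] != "MESSAGE":
            continue
        if r["detail"] == "Protection stopped":
            stopped = r["time"]
        elif r["detail"] == "Protection started successfully" and stopped is not None:
            gaps.append((stopped.strftime("%H:%M:%S"), r["time"].strftime("%H:%M:%S")))
            stopped = None
    return gaps


def license_errors(records):
    return [r["detail"] for r in records if r["kind"] == "ERROR" and "License" in r["detail"]]


def masquerading(records):
    """Detected files that borrow a system-binary name but sit under AppData."""
    hits = set()
    for r in records:
        if r["kind"] != "DETECTION":
            continue
        name = r["path"].rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and "\\appdata\\" in r["path"].lower():
            hits.add(r["path"])
    return sorted(hits)


def top_blocked_ips(records, n=3):
    return Counter(r["detail"] for r in records if r["kind"] == "IP-BLOCK").most_common(n)


def triage(text):
    recs = parse_log(text)
    return {"allowed": allowed_detections(recs), "redrop_loops": redrop_loops(recs),
            "protection_gaps": protection_gaps(recs), "license_errors": license_errors(recs),
            "masquerading": masquerading(recs), "top_blocked_ips": top_blocked_ips(recs)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the script reports the ALLOWed Winbooterr\svchost.exe, a five-hit DENY loop on that same path (the upper- and mixed-case spellings collapse to one file once lowercased, which is why the "two identical folders" in the post are really one), the 11:15:04 to 11:20:40 gap that follows the license error, and three AppData paths wearing system-binary names. Those are the facts to hand to whoever does the cleanup: the persistence is live and outside the file that keeps getting quarantined.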

Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • 3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
