Backdoor.SpyNet.M & Trojan.PWS & Winbooter/svchost.exe **Malwarebytes Protection DISABLED by ATTACKER**


I woke up this afternoon to find that my little brother took advantage of an overnight game download I had going on and decided to do things of his own on my computer. I know my infection is not from the game, 'cause I've downloaded that very game multiple times before, A.V.A from ijji's Web site is SAFE. So that's not it... whatever my little brother did has killed my system. I have WAY too much on this PC to wipe it clean.

I'm a paying user [i have e-mail with receipt if you need], and I update the databases at least once or twice a day. At the time of this post, I am working with database version 4470.

When I boot my PC, I see a quick flash of a command prompt type thing that I've never seen before when booting, followed by another one... which I am betting money are the malware. They execute BEFORE Malwarebytes can boot, and even with a full scan and removal [7 times], they keep popping up.

I keep getting these hits on the full scans:

09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE

12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE

Removing them does NOTHING, as they just seem to replicate. ***NOTE THE "ALLOW" on the first one*** Now, I have 9 files in quarantine, instead of 3.

2 identical registry keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Current Version\Run\hkcu (Data: C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe)

2 identical folders:

C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr

5 files, 4 of which are identical:

C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe (four of these)

C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe

Only difference I see is the capitals, but whatever.

Also, here is the protection log for yesterday:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00:36:15 IssenGoesW7 MESSAGE Protection started successfully

00:36:19 IssenGoesW7 MESSAGE IP Protection started successfully

04:51:59 IssenGoesW7 MESSAGE Protection started successfully

04:52:03 IssenGoesW7 MESSAGE IP Protection started successfully

05:18:20 IssenGoesW7 IP-BLOCK 93.190.140.147

05:23:32 IssenGoesW7 IP-BLOCK 64.120.141.98

05:24:06 IssenGoesW7 MESSAGE IP Protection stopped

05:24:58 IssenGoesW7 MESSAGE Database updated successfully

15:52:21 IssenGoesW7 MESSAGE Protection started successfully

15:52:24 IssenGoesW7 MESSAGE IP Protection started successfully

16:04:36 IssenGoesW7 IP-BLOCK 94.96.111.39

16:07:40 IssenGoesW7 IP-BLOCK 121.11.255.13

16:07:56 IssenGoesW7 IP-BLOCK 94.96.93.14

16:08:36 IssenGoesW7 IP-BLOCK 89.28.81.135

16:17:26 IssenGoesW7 IP-BLOCK 121.10.120.182

16:22:22 IssenGoesW7 IP-BLOCK 89.28.52.42

16:22:22 IssenGoesW7 IP-BLOCK 60.172.213.238

16:43:07 IssenGoesW7 IP-BLOCK 188.65.50.87

16:53:25 IssenGoesW7 IP-BLOCK 89.28.69.116

16:54:05 IssenGoesW7 IP-BLOCK 121.13.72.70

16:54:21 IssenGoesW7 IP-BLOCK 188.130.177.3

18:53:23 IssenGoesW7 MESSAGE Protection started successfully

18:53:26 IssenGoesW7 MESSAGE IP Protection started successfully

18:54:54 IssenGoesW7 IP-BLOCK 94.96.25.192

18:56:22 IssenGoesW7 IP-BLOCK 89.28.6.89

19:08:33 IssenGoesW7 IP-BLOCK 94.96.129.200

19:08:57 IssenGoesW7 IP-BLOCK 58.241.100.225

21:45:47 IssenGoesW7 MESSAGE Protection started successfully

21:45:51 IssenGoesW7 MESSAGE IP Protection started successfully

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:51:36 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:00 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:00 IssenGoesW7 IP-BLOCK 209.62.9.34

21:52:41 IssenGoesW7 IP-BLOCK 213.174.136.83

21:52:49 IssenGoesW7 IP-BLOCK 213.174.136.83

21:52:49 IssenGoesW7 IP-BLOCK 213.174.136.83

23:08:47 IssenGoesW7 IP-BLOCK 58.240.246.13

23:22:41 IssenGoesW7 IP-BLOCK 58.240.246.1

23:22:57 IssenGoesW7 IP-BLOCK 58.240.246.1

23:26:11 IssenGoesW7 IP-BLOCK 89.28.8.132

23:26:19 IssenGoesW7 IP-BLOCK 122.224.5.157

23:38:32 IssenGoesW7 IP-BLOCK 95.211.10.3

23:39:44 IssenGoesW7 IP-BLOCK 222.70.147.26

23:40:17 IssenGoesW7 IP-BLOCK 58.240.246.5

23:40:41 IssenGoesW7 IP-BLOCK 83.128.101.204

23:40:41 IssenGoesW7 IP-BLOCK 94.96.158.238

23:45:29 IssenGoesW7 IP-BLOCK 58.240.246.1

23:45:37 IssenGoesW7 IP-BLOCK 58.240.246.1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's the protection log for today:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00:09:59 IssenGoesW7 MESSAGE Protection started successfully

00:10:02 IssenGoesW7 MESSAGE IP Protection started successfully

00:10:10 IssenGoesW7 IP-BLOCK 218.8.40.177

03:09:03 IssenGoesW7 MESSAGE Protection started successfully

03:09:07 IssenGoesW7 MESSAGE IP Protection started successfully

03:10:17 IssenGoesW7 MESSAGE IP Protection stopped

03:10:19 IssenGoesW7 MESSAGE Database updated successfully

03:10:20 IssenGoesW7 MESSAGE IP Protection started successfully

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

06:51:21 IssenGoesW7 IP-BLOCK 66.235.126.51

07:30:47 IssenGoesW7 IP-BLOCK 62.213.100.140

07:51:45 IssenGoesW7 IP-BLOCK 95.211.10.225

07:51:53 IssenGoesW7 IP-BLOCK 95.211.10.225

07:52:09 IssenGoesW7 IP-BLOCK 66.150.14.67

08:13:35 IssenGoesW7 IP-BLOCK 66.7.179.198

08:41:13 IssenGoesW7 MESSAGE Protection started successfully

08:41:17 IssenGoesW7 MESSAGE IP Protection started successfully

09:01:11 IssenGoesW7 IP-BLOCK 89.28.74.174

09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW

09:01:20 IssenGoesW7 IP-BLOCK 62.45.251.25

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 77.78.240.154

09:02:49 IssenGoesW7 IP-BLOCK 208.111.34.38

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE

09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS DENY

09:10:48 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Local\Temp\Rar$EX13.123\Hide My Ip.EXE Trojan.VBInject QUARANTINE

09:12:47 IssenGoesW7 IP-BLOCK 94.96.100.159

09:45:52 IssenGoesW7 IP-BLOCK 89.28.62.85

09:47:04 IssenGoesW7 IP-BLOCK 62.45.120.204

10:14:27 IssenGoesW7 IP-BLOCK 222.65.134.62

10:14:35 IssenGoesW7 IP-BLOCK 121.11.50.104

10:55:07 IssenGoesW7 IP-BLOCK 64.111.217.35

11:15:04 IssenGoesW7 ERROR IsValidLicenseKey failed with error code 13

11:15:04 IssenGoesW7 MESSAGE Protection stopped

11:20:40 IssenGoesW7 MESSAGE Protection started successfully

11:20:44 IssenGoesW7 MESSAGE IP Protection started successfully

11:26:21 IssenGoesW7 MESSAGE Protection started successfully

11:26:24 IssenGoesW7 MESSAGE IP Protection started successfully

11:33:45 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE

11:41:01 IssenGoesW7 IP-BLOCK 208.91.207.10

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175

11:44:23 IssenGoesW7 IP-BLOCK 209.62.9.34

11:44:23 IssenGoesW7 IP-BLOCK 209.62.9.34

11:44:31 IssenGoesW7 IP-BLOCK 209.62.9.34

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.231

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.232

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.229

11:52:34 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.233

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.228

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.230

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.234

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.227

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

11:52:35 IssenGoesW7 IP-BLOCK 88.208.33.94

11:52:35 IssenGoesW7 IP-BLOCK 88.208.33.94

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.226

11:52:35 IssenGoesW7 IP-BLOCK 213.174.149.225

12:03:16 IssenGoesW7 MESSAGE Protection started successfully

12:03:19 IssenGoesW7 MESSAGE IP Protection started successfully

12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE

12:08:40 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M DENY

12:32:04 IssenGoesW7 MESSAGE Protection started successfully

12:32:07 IssenGoesW7 MESSAGE IP Protection started successfully

12:40:06 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE

12:40:11 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:17 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:22 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:27 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:32 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:37 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:42 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:47 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:52 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:40:57 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:02 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:08 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:41:13 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY

12:44:14 IssenGoesW7 MESSAGE Protection started successfully

12:44:18 IssenGoesW7 MESSAGE IP Protection started successfully

12:45:03 IssenGoesW7 MESSAGE IP Protection stopped

12:45:06 IssenGoesW7 MESSAGE Database updated successfully

12:45:07 IssenGoesW7 MESSAGE IP Protection started successfully

13:00:25 IssenGoesW7 MESSAGE IP Protection stopped

13:00:25 IssenGoesW7 MESSAGE IP Protection started successfully

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you notice at 11:15:04, my module protection was magically disabled and I scrambled frantically to my e-mail and re-entered the key, and it was fine from there... but how can it DISABLE Malwarebytes?! Another thing that scares me is that they seem to be either attached to or trying to mimic svchost.exe and msconfig... I don't know much about this stuff, but that CAN'T be good.

Please help me...

post-50158-1282671526_thumb.png
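The protection log above carries the three signals a responder would pull out of it: a DETECTION whose action is ALLOW (the sample was let through), well-known system binary names (svchost.exe, msconfig.exe) living under the user's roaming profile rather than under \Windows, and the same path being detected again and again after quarantine, which is what a Run-key persistence entry re-spawning the file looks like. The triage script below is an added example, not code from the original post or from Malwarebytes; it assumes the line layout inferred from the quoted log (`HH:MM:SS user EVENT details`, with a DETECTION ending in threat name and ALLOW/QUARANTINE/DENY) and uses a hand-picked list of system binary names as its masquerading heuristic. The sample lines are constructed from entries quoted in the post plus one benign System32 line for contrast.

```python
"""Triage helper for Malwarebytes-style protection log lines.

Added example; not part of the forum post or of Malwarebytes' own tooling.
Assumed log format (inferred from the lines quoted in the thread):
    HH:MM:SS <user> <EVENT> <details...>
EVENT is MESSAGE, IP-BLOCK, DETECTION or ERROR. A DETECTION line ends with
the threat name and the action taken (ALLOW / QUARANTINE / DENY).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Legitimate Windows binary names that malware commonly borrows.
# Assumption for this example: one of these running outside \Windows\
# deserves a second look.
SYSTEM_BINARY_NAMES = {"svchost.exe", "msconfig.exe", "explorer.exe",
                       "lsass.exe", "csrss.exe", "winlogon.exe"}

LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(MESSAGE|IP-BLOCK|DETECTION|ERROR)\s+(.*)$")
# Path may contain spaces, so it is matched non-greedily up to the threat/action tail.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<action>ALLOW|QUARANTINE|DENY)$")

# Constructed sample: lines taken from the post, plus one benign line for contrast.
SAMPLE_LOG = r"""
09:01:11 IssenGoesW7 IP-BLOCK 89.28.74.174
09:01:12 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M ALLOW
09:08:16 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\msconfig.exe Trojan.PWS QUARANTINE
09:10:48 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Local\Temp\Rar$EX13.123\Hide My Ip.EXE Trojan.VBInject QUARANTINE
11:15:04 IssenGoesW7 ERROR IsValidLicenseKey failed with error code 13
11:15:04 IssenGoesW7 MESSAGE Protection stopped
11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175
11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175
11:41:01 IssenGoesW7 IP-BLOCK 213.174.142.175
12:08:33 IssenGoesW7 DETECTION C:\Users\ISSENGOESW7\AppData\Roaming\WINBOOTERR\svchost.exe Backdoor.SpyNet.M QUARANTINE
12:40:06 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M QUARANTINE
12:40:11 IssenGoesW7 DETECTION C:\Users\IssenGoesW7\AppData\Roaming\Winbooterr\svchost.exe Backdoor.SpyNet.M DENY
12:44:14 IssenGoesW7 MESSAGE Protection started successfully
""".strip().splitlines()


@dataclass
class Triage:
    allowed_detections: list = field(default_factory=list)   # (time, path, threat)
    masquerading_paths: set = field(default_factory=set)     # lower-cased paths
    repeat_counts: Counter = field(default_factory=Counter)  # lower-cased path -> hits
    protection_gaps: list = field(default_factory=list)      # (time, event, text)
    blocked_ips: Counter = field(default_factory=Counter)


def parse_line(line):
    """Split one log line into its fields, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, event, rest = m.groups()
    return {"time": ts, "user": user, "event": event, "rest": rest}


def is_masquerading(path):
    """True when a well-known system binary name sits outside the Windows directory."""
    low = path.lower().replace("/", "\\")
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and "\\windows\\" not in low


def triage(lines):
    t = Triage()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ev, rest = rec["event"], rec["rest"].strip()
        if ev == "IP-BLOCK":
            t.blocked_ips[rest] += 1
        elif ev == "DETECTION":
            d = DETECTION_RE.match(rest)
            if not d:
                continue
            path, threat, action = d.group("path"), d.group("threat"), d.group("action")
            key = path.lower()  # NTFS is case-insensitive: Winbooterr and WINBOOTERR are one file
            t.repeat_counts[key] += 1
            if action == "ALLOW":
                t.allowed_detections.append((rec["time"], path, threat))
            if is_masquerading(path):
                t.masquerading_paths.add(key)
        elif ev == "ERROR" or (ev == "MESSAGE" and rest == "Protection stopped"):
            t.protection_gaps.append((rec["time"], ev, rest))
    return t


def recreated_paths(t, threshold=2):
    """Paths detected at least `threshold` times: removal is not sticking."""
    return sorted(p for p, n in t.repeat_counts.items() if n >= threshold)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("allowed detections:", result.allowed_detections)
    print("system names outside \\Windows:", sorted(result.masquerading_paths))
    print("re-created after removal:", recreated_paths(result))
    print("protection gaps:", result.protection_gaps)
    print("top blocked IPs:", result.blocked_ips.most_common(3))
```

Run against the sample, the script reports one ALLOW detection, two borrowed system names under AppData\Roaming, the Winbooterr svchost.exe path hit four times (the sign that something, here the HKCU Run value quoted in the post, keeps re-launching it), and the licence error followed by "Protection stopped" as the gap in coverage. The casing variants of the path collapse to a single entry, which is why the poster's "five files, four identical" are really one file seen under two spellings.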


Hi and Welcome -

As we do not work on Malware removal or diagnostics in the general forums please follow these directions -

Please print out, read and follow What do I do now?, skipping any steps you are unable to complete.

The next step is to post a New Topic Here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post - Please allow at least 48 hours for a reply as the experts can get busy at times -

Also add a brief note to the experts as to your problems -

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or via This Link

Always use the ADD REPLY Tab at the bottom of the page when you reply -

Thank You - ;)
