About to lose my business - can't remove this exploit. Thanks for looking.

cantgetrid-of-IT

New Member
Thread author
Jun 22, 2015
5
aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-06-22 08:00:13
-----------------------------
08:00:13.618 OS Version: Windows x64 6.1.7601 Service Pack 1
08:00:13.618 Number of processors: 4 586 0x2505
08:00:13.618 ComputerName: xxxx-PC UserName: xxxx
08:00:16.740 Initialize success
08:00:16.756 VM: initialized successfully
08:00:16.756 VM: Intel CPU BiosDisabled
08:00:20.205 AVAST engine download error: 0
08:00:27.553 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:00:27.553 Disk 0 Vendor: TOSHIBA_THNSNF128GCSS FSLAN102 Size: 122104MB BusType: 11
08:00:27.568 Disk 0 MBR read successfully
08:00:27.568 Disk 0 MBR scan
08:00:27.568 Disk 0 Windows 7 default MBR code
08:00:27.568 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
08:00:27.584 Disk 0 default boot code
08:00:27.584 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 122002 MB offset 206848
08:00:27.600 Disk 0 scanning C:\Windows\system32\drivers
08:00:28.489 Service scanning
08:00:31.796 Modules scanning
08:00:32.295 Disk 0 trace - called modules:
08:00:32.295 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
08:00:32.295 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007d2b060]
08:00:32.311 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8007a161f0]
08:00:32.311 Disk 0 statistics 87355/0/0 @ 59.57 MB/s
08:00:32.311 Scan finished successfully
08:00:58.864 Disk 0 MBR has been saved successfully to "C:\Users\xxxx\Documents\MBR.dat"
08:00:58.864 The log file has been saved successfully to "C:\Users\xxxx\Documents\aswMBR.txt"

> HitmanPro.Alert

HitmanPro 3.7.9.242
www.hitmanpro.com

   Computer name . . . . : xxxx-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : xxxx-PC\xxxx
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2015-06-22 08:18:22
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 45s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 9

   Objects scanned . . . : 865,088
   Files scanned . . . . : 10,299
   Remnants scanned  . . : 95,423 files / 759,366 keys

Cookies _____________________________________________________________________

   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.stickyadstv.com
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:microsoftsto.112.2o7.net
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:network.realmedia.com
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\xxxx\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com

> GMER

GMER 2.1.19357 - http://www.gmer.net
3rd party scan 2015-06-22 10:08:38
Windows 6.1.7601 Service Pack 1 x64
Running: fpu3jp22.exe


---- Services - GMER 2.1 ----

Service C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Emsisoft Protection Service/Emsisoft Ltd SIGNED)(2015-06-22 14:49:54) [AUTO] a2AntiMalware
Service C:\Windows\system32\DRIVERS\epp64.sys (Emsisoft Anti-Malware Platform Protection/Emsisoft GmbH SIGNED)(2015-06-22 14:49:58) [SYSTEM] epp64
Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2015-06-22 14:27:09) [AUTO] gupdate
Service C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2015-06-22 14:27:09) [MANUAL] gupdatem
Service C:\Windows\system32\drivers\hmpalert.sys (HitmanPro.Alert Support Driver/SurfRight B.V. SIGNED)(2015-06-22 15:16:35) [MANUAL] hmpalert
Service C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe (HitmanPro.Alert/SurfRight B.V. SIGNED)(2015-06-22 15:16:35) [AUTO] hmpalertsvc
Service C:\Windows\system32\drivers\hmpnet.sys (HitmanPro.Alert TDI Driver/SurfRight B.V. SIGNED)(2015-06-22 15:16:35) [MANUAL] hmpnet
Service C:\ProgramData\MobileBrServ\mbbservice.exe(2015-06-22 07:59:23) [AUTO] Servicio HILINK
Service C:\Program Files (x86)\SpyShelter Firewall\SpyShelter.sys (SpyShelter Driver/SpyShelter SIGNED)(2015-06-22 15:21:51) [SYSTEM] Spyshelter
Service C:\Program Files (x86)\SpyShelter Firewall\SpyshelterWFP.sys (SpyShelter Firewall Driver/SpyShelter SIGNED)(2015-06-22 15:21:53) [AUTO] SpyshelterFw
Service C:\Program Files (x86)\SpyShelter Firewall\SpyshelterKb.sys (SpyShelter Additional Driver/SpyShelter SIGNED)(2015-06-22 15:21:53) [SYSTEM] SpyshelterKb
Service C:\Program Files (x86)\SpyShelter Firewall\SpyShelterSrv.exe (SpyShelter Service/Datpol)(2015-06-22 15:21:53) [AUTO] SpyShelterSrv

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\a2AntiMalware@ImagePath C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Emsisoft Protection Service/Emsisoft Ltd SIGNED)(2015-06-22 14:49:54)
Reg HKLM\SYSTEM\CurrentControlSet\services\epp64@ImagePath C:\Windows\system32\DRIVERS\epp64.sys (Emsisoft Anti-Malware Platform Protection/Emsisoft GmbH SIGNED)(2015-06-22 14:49:58)
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\HitmanPro.Alert@EventMessageFile C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe (HitmanPro.Alert/SurfRight B.V. SIGNED)(2015-06-22 15:16:35)
Reg HKLM\SYSTEM\CurrentControlSet\services\gupdate@ImagePath C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SYSTEM\CurrentControlSet\services\hmpalert@ImagePath C:\Windows\system32\drivers\hmpalert.sys (HitmanPro.Alert Support Driver/SurfRight B.V. SIGNED)(2015-06-22 15:16:35)
Reg HKLM\SYSTEM\CurrentControlSet\services\hmpalertsvc@ImagePath C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe (HitmanPro.Alert/SurfRight B.V. SIGNED)(2015-06-22 15:16:35)
Reg HKLM\SYSTEM\CurrentControlSet\services\hmpnet@ImagePath C:\Windows\system32\drivers\hmpnet.sys (HitmanPro.Alert TDI Driver/SurfRight B.V. SIGNED)(2015-06-22 15:16:35)
Reg HKLM\SYSTEM\CurrentControlSet\services\Servicio HILINK@ImagePath C:\ProgramData\MobileBrServ\mbbservice.exe(2015-06-22 07:59:23)
Reg HKLM\SYSTEM\CurrentControlSet\services\Spyshelter@ImagePath C:\Program Files (x86)\SpyShelter Firewall\SpyShelter.sys (SpyShelter Driver/SpyShelter SIGNED)(2015-06-22 15:21:51)
Reg HKLM\SYSTEM\CurrentControlSet\services\SpyshelterFw@ImagePath C:\Program Files (x86)\SpyShelter Firewall\SpyshelterWFP.sys (SpyShelter Firewall Driver/SpyShelter SIGNED)(2015-06-22 15:21:53)
Reg HKLM\SYSTEM\CurrentControlSet\services\SpyshelterKb@ImagePath C:\Program Files (x86)\SpyShelter Firewall\SpyshelterKb.sys (SpyShelter Additional Driver/SpyShelter SIGNED)(2015-06-22 15:21:53)
Reg HKLM\SYSTEM\CurrentControlSet\services\SpyShelterSrv@ImagePath C:\Program Files (x86)\SpyShelter Firewall\SpyShelterSrv.exe (SpyShelter Service/Datpol)(2015-06-22 15:21:53)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe@ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2015-06-22 14:31:11)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HitmanPro.Alert@DisplayIcon C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe (HitmanPro.Alert/SurfRight B.V. SIGNED)(2015-06-22 15:16:35)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyshelterInternetSecurity_is1@UninstallString C:\Program Files (x86)\SpyShelter Firewall\unins000.exe(2015-06-22 15:21:51)
Reg HKLM\SOFTWARE\Classes\asquared.Scanner.Settings\shell\open\command@ C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\A2START.EXE (Emsisoft Security Center/Emsisoft Ltd SIGNED)(2015-06-22 14:49:54)
Reg HKLM\SOFTWARE\Classes\ChromeHTML\shell\open\command@ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2015-06-22 14:31:11)
Reg HKLM\SOFTWARE\Classes\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32@ C:\Program Files (x86)\Google\Update\1.3.26.9\psmachine_64.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\CLSID\{030D32F7-BF26-40a2-AB44-A34E78908701}\InProcServer32@ C:\Windows\system32\SpyShelterShellExt.dll (SpyShelter Context Menu Dll/Datpol SIGNED)(2015-06-22 15:21:53)
Reg HKLM\SOFTWARE\Classes\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\psmachine_64.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\CLSID\{E3F21FC7-6D65-48E7-B62B-E9ED8200C764}\InProcServer32@ C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL (Emsisoft shell context menu library/Emsisoft GmbH SIGNED)(2015-06-22 14:49:55)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{003EB908-0B86-44F8-86F0-B19A7022449C}\InprocHandler32@ C:\Program Files (x86)\Google\Update\1.3.26.9\psmachine.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{030D32F7-BF26-40a2-AB44-A34E78908701}\InProcServer32@ C:\Windows\system32\SpyShelterShellExt.dll (SpyShelter Context Menu Dll/Datpol SIGNED)(2015-06-22 15:21:53)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32@ C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.124\delegate_execute.exe (Google Chrome/Google Inc. SIGNED)(2015-06-22 14:31:11)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5E688170-BDC7-48AA-A339-5F74CFDBDC9C}\InProcServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\psmachine.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\psmachine.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateBroker.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{AB77609F-2178-4E6F-9C4B-44AC179D937A}\InProcServer32@ C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\A2CONTMENU.DLL (Emsisoft shell context menu library/Emsisoft GmbH SIGNED)(2015-06-22 14:49:55)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}@LocalizedString C:\Program Files (x86)\Google\Update\1.3.26.9\goopdate.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32@ C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Update/Google Inc. SIGNED)(2015-06-22 14:27:09)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@GoogleChromeAutoLaunch_1BD54B6120616C16E1978A704AAC9073 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Chrome/Google Inc. SIGNED)(2015-06-22 14:31:11)

---- EOF - GMER 2.1 ----
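Added example, not part of the original post or of any of the tools quoted in it: a small Python triage helper that parses the `Service` lines of a GMER log like the one above and flags the entries a reviewer would look at first. GMER annotates each image with `(Description/Publisher SIGNED)` when the Authenticode signature verifies; the script trusts that annotation rather than re-checking signatures itself, and treats two things as reasons to look closer: no `SIGNED` marker, and an image path under a user-writable directory such as `C:\ProgramData`. The sample lines are copied from the GMER output in the post; the directory list, the reason strings and the `ServiceEntry` field names are this example's own choices. A flag is a prompt for manual review (look up the publisher, hash the file, check when it appeared), not a malware verdict: the `Servicio HILINK` entry, for instance, is flagged only because GMER printed no signature information for it and its image sits in `C:\ProgramData`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample "Service" lines copied from the GMER log in the post above.  Two of
# them are the ones a reviewer looks at first: one has no "(Description/
# Publisher SIGNED)" annotation at all, the other names a publisher but no SIGNED.
SAMPLE_GMER = r"""
---- Services - GMER 2.1 ----

Service C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe (Emsisoft Protection Service/Emsisoft Ltd SIGNED)(2015-06-22 14:49:54) [AUTO] a2AntiMalware
Service C:\Windows\system32\DRIVERS\epp64.sys (Emsisoft Anti-Malware Platform Protection/Emsisoft GmbH SIGNED)(2015-06-22 14:49:58) [SYSTEM] epp64
Service C:\Windows\system32\drivers\hmpalert.sys (HitmanPro.Alert Support Driver/SurfRight B.V. SIGNED)(2015-06-22 15:16:35) [MANUAL] hmpalert
Service C:\ProgramData\MobileBrServ\mbbservice.exe(2015-06-22 07:59:23) [AUTO] Servicio HILINK
Service C:\Program Files (x86)\SpyShelter Firewall\SpyShelterSrv.exe (SpyShelter Service/Datpol)(2015-06-22 15:21:53) [AUTO] SpyShelterSrv
"""

# One GMER service line: image path, optional "(info)" block, GMER's own
# timestamp in parentheses, start type in brackets, then the service name.
# The path is matched lazily so that "(x86)" inside it is not taken for info.
SERVICE_RE = re.compile(
    r"^Service (?P<path>.+?)"
    r"(?: \((?P<info>[^)]*)\))?"
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
    r" \[(?P<start>[A-Z]+)\] (?P<name>.+)$"
)

# Directories a normal user can write to; a service image here is unusual
# for system software.  This list is the example's own choice, not GMER's.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class ServiceEntry:
    name: str
    path: str
    start: str            # AUTO / MANUAL / SYSTEM / BOOT as printed by GMER
    timestamp: str
    info: Optional[str]   # "Description/Publisher [SIGNED]" text, None if absent
    signed: bool          # True only if GMER appended SIGNED to the info block


def parse_gmer_services(log_text: str) -> List[ServiceEntry]:
    """Extract every 'Service ...' line from a GMER log into ServiceEntry records."""
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue            # headers, blank lines, Registry section, etc.
        info = m.group("info")
        entries.append(ServiceEntry(
            name=m.group("name"),
            path=m.group("path"),
            start=m.group("start"),
            timestamp=m.group("ts"),
            info=info,
            signed=info is not None and info.rstrip().endswith("SIGNED"),
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for every entry worth a manual look."""
    findings = []
    for e in entries:
        reasons = []
        if not e.signed:
            reasons.append("no Authenticode signature reported by GMER")
        if any(marker in e.path.lower() for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == "__main__":
    parsed = parse_gmer_services(SAMPLE_GMER)
    print(f"{len(parsed)} services parsed")
    for name, reasons in triage(parsed):
        entry = next(e for e in parsed if e.name == name)
        print(f"REVIEW {name!r} [{entry.start}] {entry.path}")
        for r in reasons:
            print(f"    - {r}")
```

Run it directly to print the report, or import it and pass a complete GMER log to `parse_gmer_services`; only lines beginning with `Service ` are parsed, so the Registry section is ignored. Because the script trusts GMER's `SIGNED` annotation, an attacker-controlled log or a signed-but-malicious driver would not be caught by it; it is a first pass over the log, not a replacement for checking the files themselves.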
 

cantgetrid-of-IT

New Member
Thread author
Jun 22, 2015
5
Another symptom - I have MMC set up to disable all remote actions.
I get a hidden remote connection icon showing up in many folders that wasn't there before and then shows up.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,

  • We won't provide help for work/business/company computers. This forum is run by volunteers that spend their time free of charge trying to help people. We're not here to help someone earn money. If you're earning a living via an infected PC or making a profit by fixing someone's PC, then you should hire someone to fix your issue.
 

cantgetrid-of-IT

New Member
Thread author
Jun 22, 2015
5
I am by no means a security expert, nor an admin or anything similar. I am not sure what gave you the idea that I was.
Please reconsider.
 
