Windows Server 2012 R2. Malwarebytes cleaned off a ransomware attack and others. It also identified the malware Trojan.Agent.MNR in C:\windows\MSCORSWV.EXE. It says it cleans it, but after a reboot the file, a process, and a process module are found again. If I boot to Safe Mode and scan, they are not found. The NICs are teamed; no network connection is available in Safe Mode with Networking.
I did a server OS restore to the day before the ransomware attack. I reinstalled Malwarebytes: no ransomware found, but 11 items cleaned. BUT the Trojan is still there. It cleans, and it comes back unless I am in Safe Mode.
Log after OS restore:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 5/10/19
Scan Time: 1:26 PM
Log File: 2a5c0efc-7351-11e9-baa3-0cc47a2b86ee.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free
-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404611
Threats Detected: 11
Threats Quarantined: 10
Time Elapsed: 2 min, 1 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498
Module: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 9
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Removal Failed, [2696], [142279],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX0\MSCL.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX1\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX2\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX3\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX4\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX5\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX6\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX7\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
Log after reboot:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 5/10/19
Scan Time: 1:37 PM
Log File: acd42abc-7352-11e9-8e2e-0cc47a2b86ee.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free
-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404620
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 2 min, 7 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498
Module: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 1
Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
Log in Safe Mode:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 5/10/19
Scan Time: 2:10 PM
Log File: 3654f287-7357-11e9-8b80-000000000000.json
-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.10498
License: Free
-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: OHAVER\_ohcadmin
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404120
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 1 min, 36 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
Thank you,
Arvis Holland
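Added example, not part of the original post and not Malwarebytes' or the poster's code. The three logs show the same pattern: MSCORSWV.EXE is quarantined, returns after a normal boot as a file, a process and a loaded module, and is absent in Safe Mode. All three scans also ran with Rootkits: Disabled and reported WMI: 0 from signature matching only. The script below enumerates the autostart locations that do not fire in Safe Mode (scheduled tasks, most services, WMI permanent event subscriptions) plus the Run keys, and records the running process and its parent, so the mechanism that re-drops the file can be found and removed rather than the file alone. It assumes an elevated PowerShell session on the affected 2012 R2 host; the search patterns are taken from the file names in the logs (MSCORSWV, MSUPDATE, MSCL.EXE, RARSFX) and are an assumption that the dropper references them by name.

```powershell
# Added example (not from the original post): find what re-creates C:\WINDOWS\MSCORSWV.EXE.
# Patterns come from the file names in the Malwarebytes logs; that the persistence
# mechanism references them by name is an assumption. Run elevated on the affected host.
$patterns = 'MSCORSWV', 'MSUPDATE', 'MSCL\.EXE', 'RARSFX'
$regex    = ($patterns -join '|')
$hits     = [System.Collections.Generic.List[object]]::new()

function Add-Hit($Kind, $Name, $Detail, $State = '') {
    $hits.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail; State = $State })
}

# 0. Record facts about the file itself so it can be compared across reboots
#    (an unsigned binary directly under C:\Windows with a fresh creation time is the tell).
$target = 'C:\Windows\MSCORSWV.EXE'
if (Test-Path $target) {
    $f   = Get-Item $target -Force
    $sig = Get-AuthenticodeSignature $f.FullName
    $sha = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    Add-Hit 'File' $f.FullName "size=$($f.Length) created=$($f.CreationTime) sig=$($sig.Status) sha256=$sha"
}

# 1. Services whose image path or arguments reference the dropper
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $regex } | ForEach-Object {
    Add-Hit 'Service' $_.Name $_.PathName $_.State
}

# 2. Scheduled tasks (Task Scheduler does not run in Safe Mode, which fits the symptom)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $regex) {
            Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd $task.State
        }
    }
}

# 3. Run / RunOnce keys for the machine and every loaded user hive
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem Registry::HKEY_USERS |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty $k
    foreach ($prop in ($p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -match $regex) { Add-Hit 'RunKey' "$k\$($prop.Name)" $prop.Value }
    }
}

# 4. WMI permanent event subscriptions: they survive reboots and a wipe of the file,
#    and the scanner's "WMI: 0" only covers consumers its signatures already know.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLineTemplate -match $regex } |
    ForEach-Object { Add-Hit 'WMIConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.ScriptText -match $regex } |
    ForEach-Object { Add-Hit 'WMIConsumer' $_.Name $_.ScriptText }

# 5. The live process and its parent: the parent is usually the re-dropper itself.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -match $regex -or $_.CommandLine -match $regex } |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        Add-Hit 'Process' "$($_.Name) (PID $($_.ProcessId))" `
            "parent=$($parent.Name) (PID $($_.ParentProcessId)) cmd=$($_.CommandLine)"
    }

$hits | Format-Table -AutoSize -Wrap
```

Run it once in a normal boot while the file is present and once more after quarantining, and compare the two outputs: the entry that survives the quarantine (a task, service, Run value or WMI consumer) is the persistence to remove first, after which the file should stay gone across reboots. Because the quarantine in the logs succeeded for the file but the host is a restored image from the day before the ransomware, any hit found here also marks how far back the intrusion predates the restore point.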