Arvis

  1. Suddenly started getting notices about id.remoteutilities.com
  2. Found the source - two services:

     Service Name: TrkWk
     Display Name: Distributed Link Tracking
     Description: ÔÚ¼ÆËã»úÄÚ NTFS ÎļþÖ®¼ä±£³ÖÁ´½Ó»òÔÚÍøÂçÓòÖеļÆËã»úÖ®¼ä±£³ÖÁ´½Ó¡£
     Path to executable: C:\WINDOWS\SysWOW64\srvany.exe

     Service Name: bmadmin
     Display Name: Logical Disk Manager Service
     Description: ÅäÖÃÓ²ÅÌÇý¶¯Æ÷ºÍ¾í¡£´Ë·þÎñֻΪÅäÖô¦ÀíÔËÐУ¬È»ºóÖÕÖ¹¡£
     Path to executable: C:\Program Files (x86)\Common Files\inetinfo.exe
  3. Windows Server 2012 R2. Malwarebytes cleaned off a Ransomware attack & others. It also identified Malware Trojan.Agent.MNR on C:\windows\MSCORSWV.EXE. It says it cleans it, but after reboot the file, a Process, and a Process Module are found again. If I boot to SAFE mode and scan, they are not found. The NICs are teamed. No network connection available in Safe Mode with networking.

     I did a server OS restore to the day before the RANSOMWARE attack. Reinstalled Malwarebytes - no ransomware found, but 11 items cleaned. BUT, the Trojan is still there. Cleans, comes back unless in safe mode.

     Log after OS restore:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 5/10/19
     Scan Time: 1:26 PM
     Log File: 2a5c0efc-7351-11e9-baa3-0cc47a2b86ee.json

     -Software Information-
     Version: 3.7.1.2839
     Components Version: 1.0.586
     Update Package Version: 1.0.10498
     License: Free

     -System Information-
     OS: Windows Server 2012 R2
     CPU: x64
     File System: NTFS
     User: OHAVER\_ohcadmin

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 404611
     Threats Detected: 11
     Threats Quarantined: 10
     Time Elapsed: 2 min, 1 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 1
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

     Module: 1
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)

     File: 9
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Removal Failed, [2696], [142279],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX0\MSCL.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX1\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX2\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX3\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX4\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX5\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX6\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498
     PUP.Optional.BitCoinMiner, C:\WINDOWS\TEMP\RARSFX7\MSUPDATE.EXE, Quarantined, [1144], [357716],1.0.10498

     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)

     (end)

     Log After reboot:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 5/10/19
     Scan Time: 1:37 PM
     Log File: acd42abc-7352-11e9-8e2e-0cc47a2b86ee.json

     -Software Information-
     Version: 3.7.1.2839
     Components Version: 1.0.586
     Update Package Version: 1.0.10498
     License: Free

     -System Information-
     OS: Windows Server 2012 R2
     CPU: x64
     File System: NTFS
     User: OHAVER\_ohcadmin

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 404620
     Threats Detected: 3
     Threats Quarantined: 3
     Time Elapsed: 2 min, 7 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 1
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

     Module: 1
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)

     File: 1
     Trojan.Agent.MNR, C:\WINDOWS\MSCORSWV.EXE, Quarantined, [2696], [142279],1.0.10498

     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)

     (end)

     Log in Safe Mode:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 5/10/19
     Scan Time: 2:10 PM
     Log File: 3654f287-7357-11e9-8b80-000000000000.json

     -Software Information-
     Version: 3.7.1.2839
     Components Version: 1.0.586
     Update Package Version: 1.0.10498
     License: Free

     -System Information-
     OS: Windows Server 2012 R2
     CPU: x64
     File System: NTFS
     User: OHAVER\_ohcadmin

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 404120
     Threats Detected: 0
     Threats Quarantined: 0
     Time Elapsed: 1 min, 36 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0 (No malicious items detected)
     Module: 0 (No malicious items detected)
     Registry Key: 0 (No malicious items detected)
     Registry Value: 0 (No malicious items detected)
     Registry Data: 0 (No malicious items detected)
     Data Stream: 0 (No malicious items detected)
     Folder: 0 (No malicious items detected)
     File: 0 (No malicious items detected)
     Physical Sector: 0 (No malicious items detected)
     WMI: 0 (No malicious items detected)

     (end)

     Thank you, Arvis Holland