MSERT tool leaves infection (PShellCobStager)

Question

Hello, during the scan MSERT displaying that it has found infected files on Windows Server 2016.

When the scan is complete it states that no malware/virus were found. But while working in Windows, Windows Defender reports an infection (trojan PShellCobStager a.k.a. Win32/PShellPublicStager.A). Subsequently, running a Full scan in Windows Defender does not find any infection.

Based on answer on https://answers.microsoft.com/en-us/protect/forum/all/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3 I understand that the scanner found possible malware fragments, communicated with MAPS, but does not solve it as malware.

This is contrary to what Windows Defender constantly reports.

How to remove this infection?

Kind regards,
Lukas

Answer 1

This is likely the result of a persistent WMI attack.

Download Autoruns (https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns), and fire it up. Click the WMI tab, and check for something in there. It would look like an SQL query that would return a result if more than 300 seconds had passed since the last time the event fired. The command that it fires on the machine I found it on used Powershell to grab some trash off of Pastebin and execute it. Anywho, right-click > Delete. Scan your machine for any files that might be left over (if you're anything like me, you may have a crypto miner in your System32\config\systemprofile folder), and enjoy the sweet silence from Windows Defender.

Answer 2

Hi there,

There is no need to run MSERT in normal conditions unless you have any malware attack. To quote

The "Files Infected" count displayed on the Microsoft Safety Scanner, scan in progress screen, or any of their other security products for that matter, is actually just a preliminary status indicating that there are items that may contain malware. In many cases, these specific items have been found in the past to be related to malware, but they are all really just small fragments that have matched signatures but aren't yet truly confirmed as the specific malware that might include them.

You can also try the Windows Malicious Software Removal Tool (MSRT), and see what is the result here.

Windows Malicious Software Removal Tool 32-bit
https://www.microsoft.com/en-us/download/details.aspx?id=16

---

--If the reply is helpful, please Upvote and Accept it as an answer --

Answer 3

I have the same issue. Server 2016, fully updated, server was found to have Monero mining running on it (C:\Windows\System32\systemprofile) which I cleaned out.
I ran the MSERT tool and it did not find anything, yet, Defender reports these errors. Ill try the MSRT before trying Eset, BitDefender, Bullguard AV's

Answer 4

2 Limitless Technology: Hi, MSRT was included with Windows Updates and also found nothing.
However, I downloaded the latest version (x64 required for the system) and ran it with the / F switch, but again no result.
Regards, Lukas

Answer 5

Same with me, Im trying to find whats making the detected item reappear every 5 min, I rebooted as well after running the MSRT x64, I havent found any tasks in scheduler, nothing in registry startup, no services.
Installed ESET av, doing a full scan now.