MSERT tool leaves infection (PShellCobStager)

lukval 41 Reputation points
2022-01-31T09:39:24.31+00:00

Hello, during the scan MSERT displays that it has found infected files on Windows Server 2016.

When the scan is complete it states that no malware/virus was found. But while working in Windows, Windows Defender reports an infection (trojan PShellCobStager a.k.a. Win32/PShellPublicStager.A). Subsequently, running a Full scan in Windows Defender does not find any infection.

Based on the answer at https://answers.microsoft.com/en-us/protect/forum/all/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3 I understand that the scanner found possible malware fragments and communicated with MAPS, but does not resolve it as malware.

This is contrary to what Windows Defender constantly reports.


How to remove this infection?

Kind regards,
Lukas


8 answers

  1. Chris Sappington 6 Reputation points
    2022-05-19T22:52:14.4+00:00

    This is likely the result of a persistent WMI attack.

    Download Autoruns (https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns), and fire it up. Click the WMI tab, and check for something in there. It would look like an SQL query that would return a result if more than 300 seconds had passed since the last time the event fired. The command that it fires on the machine I found it on used PowerShell to grab some trash off of Pastebin and execute it. Anywho, right-click > Delete. Scan your machine for any files that might be left over (if you're anything like me, you may have a crypto miner in your System32\config\systemprofile folder), and enjoy the sweet silence from Windows Defender.

    1 person found this answer helpful.
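
The WMI check described in the answer above, as an added example that is not part of this thread or of Autoruns: a PowerShell triage script that lists every permanent event subscription in root\subscription (the same objects the Autoruns WMI tab shows), joins each filter to its consumer through the binding, pulls the poll interval out of the WQL query, and flags consumer payloads that reference PowerShell or Pastebin. The indicator list and the function names are my assumptions, chosen from what the answer describes, not from any product.

```powershell
# Added example, not from the thread: triage and cleanup of WMI permanent event
# subscriptions, the persistence that Autoruns shows on its WMI tab. Run in an
# elevated PowerShell session on the affected host. Nothing is removed unless
# Remove-WmiSubscription is called explicitly.

$script:SubscriptionNamespace = 'root\subscription'

# Regexes for content commonly seen in malicious consumers. This list is an
# assumption built from the thread's description (PowerShell fetching a payload
# from Pastebin), not a complete signature set; extend it for your environment.
$script:SuspiciousPatterns = @(
    'powershell', 'pastebin\.com', 'downloadstring', '\biex\b',
    'invoke-expression', '\s-enc', 'frombase64string'
)

# Reference properties come back as CimInstance objects under the CIM cmdlets,
# but as '__EventFilter.Name="..."' strings under the legacy WMI cmdlets; handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return $ref.Name
}

function Get-WmiSubscriptionReport {
    $ns = $script:SubscriptionNamespace
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate,
        # ActiveScriptEventConsumer carries ScriptText.
        $payload = ''
        if ($c) {
            if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
            elseif ($c.ScriptText)      { $payload = $c.ScriptText }
        }
        $consumerClass = if ($c) { $c.CimClass.CimClassName } else { '(missing)' }
        $query         = if ($f) { $f.Query } else { '(missing)' }

        # Timer-style filters poll on "WITHIN <seconds>"; the answer describes one
        # that fires once more than 300 seconds have passed, so surface the interval.
        $pollSeconds = $null
        if ($f -and $f.Query -match 'WITHIN\s+(\d+)') { $pollSeconds = [int]$Matches[1] }

        $hits = @($script:SuspiciousPatterns | Where-Object { $payload -match $_ })

        [pscustomobject]@{
            FilterName    = $filterName
            ConsumerName  = $consumerName
            ConsumerClass = $consumerClass
            Query         = $query
            PollSeconds   = $pollSeconds
            Payload       = $payload
            Suspicious    = ($hits.Count -gt 0)
            Indicators    = ($hits -join ', ')
        }
    }
}

# Equivalent of Autoruns' right-click > Delete on a WMI entry: drop the binding,
# then the consumer and the filter it joined, so the event stops firing.
function Remove-WmiSubscription {
    param([Parameter(Mandatory)][string]$FilterName)
    $ns = $script:SubscriptionNamespace
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } |
        ForEach-Object {
            $consumerName = Get-RefName $_.Consumer
            Remove-CimInstance -InputObject $_
            Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                Where-Object { $_.Name -eq $consumerName } | Remove-CimInstance
        }
    Get-CimInstance -Namespace $ns -ClassName __EventFilter |
        Where-Object { $_.Name -eq $FilterName } | Remove-CimInstance
}

# Usage: review everything first, then remove only entries you have confirmed.
Get-WmiSubscriptionReport | Format-List
# Remove-WmiSubscription -FilterName '<FilterName from the report>'
```

A subscription like this is why Defender keeps reporting the same detection at a fixed interval while a full scan finds nothing on disk: the consumer re-creates the PowerShell stager in memory each time the filter fires, and neither MSERT nor MSRT inspects the WMI repository. On Windows Server 2016 the Microsoft-Windows-WMI-Activity/Operational log also records the registration of a permanent consumer as event ID 5861, which is a useful place to confirm when the entry was created and to alert on new ones after cleanup.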

  2. Limitless Technology 39,331 Reputation points
    2022-02-01T09:27:41.077+00:00

    Hi there,

    There is no need to run MSERT in normal conditions unless you have any malware attack. To quote

    The "Files Infected" count displayed on the Microsoft Safety Scanner, scan in progress screen, or any of their other security products for that matter, is actually just a preliminary status indicating that there are items that may contain malware. In many cases, these specific items have been found in the past to be related to malware, but they are all really just small fragments that have matched signatures but aren't yet truly confirmed as the specific malware that might include them.

    You can also try the Windows Malicious Software Removal Tool (MSRT), and see what is the result here.

    Windows Malicious Software Removal Tool 32-bit
    https://www.microsoft.com/en-us/download/details.aspx?id=16


    --If the reply is helpful, please Upvote and Accept it as an answer --


  3. David Bruce 1 Reputation point
    2022-02-02T05:20:19.733+00:00

    I have the same issue. Server 2016, fully updated, server was found to have Monero mining running on it (C:\Windows\System32\systemprofile) which I cleaned out.
    I ran the MSERT tool and it did not find anything, yet Defender reports these errors. I'll try the MSRT before trying ESET, BitDefender, Bullguard AVs.


  4. lukval 41 Reputation points
    2022-02-02T10:35:40.623+00:00

    To Limitless Technology: Hi, MSRT was included with Windows Updates and also found nothing.
    However, I downloaded the latest version (x64 required for the system) and ran it with the /F switch, but again no result.
    Regards, Lukas


  5. David Bruce 1 Reputation point
    2022-02-02T12:16:34.57+00:00

    Same with me, I'm trying to find what's making the detected item reappear every 5 min. I rebooted as well after running the MSRT x64; I haven't found any tasks in the scheduler, nothing in registry startup, no services.
    Installed ESET AV, doing a full scan now.
