Antivirus
serega_ba, 2020-04-21 00:23:21

Virus on Windows Server 2012. How do I remove it?

The server is running ESET File Security. It catches network activity, i.e. the server is spamming some IPs.
How do I recover from the infection?
KVRT also detects the rogue exe files and deletes them, but they reappear.

The logs are:
2020/04/16 9:36:32;HTTP filter;file;178.20.208.37/server.exe;Win32/Farfli.CEN trojan;connection terminated;NT SERVICE\MSSQLSERVER;An event occurred while the following application tried to access the Internet: C:\Windows\System32\cscript.exe (4147B73B1224BF0D778D57B0D1391C6EE043FCFE).;72912F8B315C033A643DEAEEA62A519F3D2D328C;2020/04/07 9:23:33
2020/04/17 4:43:54;HTTP filter;file;178.20.208.37/server.exe;Win32/Farfli.CEN trojan;connection terminated;NT SERVICE\MSSQLSERVER;An event occurred while the following application tried to access the Internet: C:\Windows\System32\cscript.exe (4147B73B1224BF0D778D57B0D1391C6EE043FCFE).;72912F8B315C033A643DEAEEA62A519F3D2D328C;2020/04/07 9:23:33
2020/04/17 18:45:31;HTTP filter;file;178.20.208.37/server.exe;Win32/Farfli.CEN trojan;connection terminated;NT SERVICE\MSSQLSERVER;An event occurred while the following application tried to access the Internet: C:\Windows\System32\cscript.exe (4147B73B1224BF0D778D57B0D1391C6EE043FCFE).;72912F8B315C033A643DEAEEA62A519F3D2D328C;2020/04/07 9:23:33
2020/04/20 21:28:04;HTTP filter;file;178.20.208.37/server.exe;Win32/Farfli.CEN trojan;connection terminated;NT SERVICE\MSSQLSERVER;An event occurred while the following application tried to access the Internet: C:\Windows\System32\cscript.exe (4147B73B1224BF0D778D57B0D1391C6EE043FCFE).;72912F8B315C033A643DEAEEA62A519F3D2D328C;2020/04/07 9:23:33


3 answers
xmoonlight, 2020-04-21

Replace cscript.exe with a simple program of your own that writes out, to a text file, which process started it, with what arguments, and under which user.
And then follow it from there.
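A less invasive way to get the same answer (who is launching cscript.exe under the MSSQLSERVER service account, and from where) is to read the audit trail and the usual SQL Server persistence points instead of swapping out a system binary. This is an added example and not code from anyone in the thread; it assumes you run it elevated on the affected server, that the SQL instance is the local default one, and that process-creation auditing (event 4688) is enabled, with the command-line field present only on builds that log it.

```powershell
# Added example, not from the thread: find what launches cscript.exe under the SQL Server
# service account (as in the ESET log above) without replacing system binaries.
# Assumptions: run elevated on the affected server; local default instance ("Server=.");
# 4688 process-creation auditing is on. Older Server 2012 builds lack the command-line field.

# 1. Process-creation events for cscript.exe: which account started it, the creator PID and,
#    where the build logs it, the command line (the script path is what you are after).
$since = (Get-Date).AddDays(-14)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\cscript.exe' } |
    ForEach-Object {
        $p  = $_.Properties
        $cl = if ($p.Count -gt 8) { $p[8].Value } else { '(command-line auditing not enabled)' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $p[1].Value      # SubjectUserName, e.g. MSSQLSERVER
            CreatorPid  = $p[7].Value      # id of the process that spawned cscript.exe
            CommandLine = $cl
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks whose action runs cscript/wscript (a common place for a dropped .vbs to hide).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'cscript|wscript' } |
        ForEach-Object { [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = "$($_.Execute) $($_.Arguments)" } }
}

# 3. Inside SQL Server: Agent job steps, startup procedures and the xp_cmdshell setting, the places
#    from which a process running as NT SERVICE\MSSQLSERVER is normally told to spawn cscript.exe.
$sql = @"
SELECT j.name AS job, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j JOIN msdb.dbo.sysjobsteps AS s ON j.job_id = s.job_id
WHERE s.command LIKE '%cscript%' OR s.command LIKE '%wscript%' OR s.command LIKE '%xp_cmdshell%';
SELECT name AS startup_procedure FROM master.sys.procedures WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
"@
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Integrated Security=True;'
$conn.Open()
$cmd = $conn.CreateCommand(); $cmd.CommandText = $sql
$reader = $cmd.ExecuteReader()
do {
    while ($reader.Read()) {
        (0..($reader.FieldCount - 1) | ForEach-Object { "$($reader.GetName($_))=$($reader.GetValue($_))" }) -join '  '
    }
} while ($reader.NextResult())
$conn.Close()
```

Whatever job, task or startup procedure turns up is the thing to disable before deleting the dropped files, otherwise they come back exactly as described in the question.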

klepiku, 2020-04-21

Try SFC /scannow
and tidy up the startup entries.

Drno, 2020-04-21

Check the startup entries.
Run Dr.Web CureIt, see what it finds, and manually delete those virus files.
Clean the virus out of the AppData folder (more likely Temp).
