Virtual Machines with random appearance of malware

Amora R Jelo

Good day folks, and thank you to those who may be able to assist.


We have two Windows Physical Hosts: 1 x Windows Server 2012R2, and 1 x Windows Server 2008R2 (yes, I know, old).


The Windows Server 2012R2 has two virtual machines – one for AD and file share, the second is used for Exchange.


All servers and workstations use WebRoot for anti-virus.  All workstations on site are Windows 10, with one exception (the user had dallied for a long time on upgrading).


About 10 days ago, that one non-Windows 10 machine, which still runs Windows 7, was accidentally left exposed on the RDP port to the Internet.  The user returned to find “SYSMAIN” logged in remotely.


This machine was immediately turned off, and removed from the network.


We performed an immediate scan of all physical and virtual servers, and did remove a malware application agentNNNN.exe (this was flagged in WebRoot).  From there, systems were rebooted and rescanned, all clean.


We obviously kept a close eye on things.


Exactly 7 days later, on the main AD server, Webroot found an infection.  I will be honest and say I cannot recall the name of the file it found, but I was able to link it to a Crypto Locker malware variant.


We scanned all servers (physical and virtual) again, and they came back clean after removing the file Webroot had located.


We suspected a time-bomb, so wanted to dig further into where this may be hidden, and make sure we neutralised it.


We downloaded and ran the Sophos Anti Rootkit tool, and it came back clean.


We downloaded and ran the MalWare Bytes Anti Rootkit tool, and it came back clean.


We performed a DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALTH, then SCANHEALTH, then RESTOREHEALTH, then SFC /SCANNOW.  No errors or corruptions were detected.


We sat back and monitored again.


Today (11 days after initial issue), the Exchange and Active Directory virtual machines both logged a suspicious event:

* Event Time: 26 Jun 2021 13:04:18
* Source: MsiInstaller
* Event Log: Application
* Type: Error
* Event ID: 11310
* Event User: <DOMAIN>\Administrator
* Product: fakemsi — Error 1310. Error writing to file: C:\Users\Administrator\AppData\Local\fakemsi\foo.txt.  System error 0.  Verify that you have access to that directory.

A quick check revealed this to be something potentially nefarious, so we again did a complete scan using Webroot, Sophos, MalWareBytes and the DISM/SFC from above.


The 2008R2 server repaired some files with the SFC /SCANNOW (it can’t run DISM; it’s not a tool for Server 2008, apparently).  I have the CBS.LOG from this.


All came back clean again.


I’m looking to try and get to the bottom of this – sure, at the moment, Webroot is catching these issues when they pop up – but they have to be coming from somewhere, and I’d love it if an expert or two could step in and assist with this please!


Many thanks in advance  :)
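One way to chase the MsiInstaller event across all four machines at once, added here as an example and not part of the original post: pull every Windows Installer event from the Application log on each server, flag the ones for a product nobody deployed (here matched on "fakemsi" or Event ID 11310), and for each hit list the interactive and RDP logons (Security 4624, logon types 2 and 10) in the hour before it, which tells you which account and source address was active when the installer ran. The server names are placeholders, and the script assumes remote event log access is allowed (Remote Event Log Management firewall rule) and that it runs as a domain admin.

```powershell
# Added example; server names below are placeholders, not the poster's real hostnames.
$servers = @('AD-VM', 'EXCH-VM', 'HOST-2012R2', 'HOST-2008R2')
$since   = (Get-Date).AddDays(-14)

$msiEvents = foreach ($s in $servers) {
    try {
        Get-WinEvent -ComputerName $s -ErrorAction Stop -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MsiInstaller'
            StartTime    = $since
        } | ForEach-Object {
            # Installer messages carry the product as "Product: <name> -- <text>"
            $product = if ($_.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Computer = $s
                Time     = $_.TimeCreated
                Id       = $_.Id
                User     = $_.UserId
                Product  = $product
            }
        }
    } catch { Write-Warning "$s : $($_.Exception.Message)" }
}

# Installer activity for a product the team never deployed is what to chase
$suspect = $msiEvents | Where-Object { $_.Product -match 'fakemsi' -or $_.Id -eq 11310 }
$suspect | Sort-Object Time | Format-Table -AutoSize

# For each hit, who logged on (console = type 2, RDP = type 10) in the preceding hour?
# 4624 property indices: 5 TargetUserName, 6 TargetDomainName, 8 LogonType, 18 IpAddress
foreach ($hit in $suspect) {
    Get-WinEvent -ComputerName $hit.Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = $hit.Time.AddHours(-1)
        EndTime   = $hit.Time
    } | Where-Object { $_.Properties[8].Value -in 2, 10 } | ForEach-Object {
        [pscustomobject]@{
            Computer  = $hit.Computer
            LogonTime = $_.TimeCreated
            LogonType = $_.Properties[8].Value
            Account   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIP  = $_.Properties[18].Value
        }
    } | Format-Table -AutoSize
}
```

Because the failing write was under the Administrator profile on two machines at the same time, a shared credential or a scheduled task is the usual explanation, so the logon correlation is the first thing to check before rescanning again.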
