Hit with ransomware cleared, trojan-like activity remains.

A customer of mine with a Windows 2016 Server got a ransomware infection this Monday. Turned out to be the Xorist. I got the Emsisoft decrypter tool and ran it with success and then decrypted all the files on the server.

With that part done, scanned the machine with Webroot (installed, don't know how it didn't detect this), Windows Defender, Sophos second opinion, TDSSKiller, SUPERAntiSpyware and Malwarebytes. A trojan was found in a zip file that was in a profile that was created by an external source.

I went through all my usual programs to look for anything further (Process Explorer, TCPView, netstat, etc.), but when it got to Process Monitor I narrowed a lot of network traffic coming from the lsass.exe process, and it was going to random IPs (gamertalk.com.br).

[Screenshot: snapshot of the Process Monitor]

I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.

I took away the server's DNS settings as well as the gateway setting and this continued to flow in Process Monitor.

Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?

Thank you.

James Bunch, Systems Engineer

A couple of notes that may be helpful.

1. In your Malwarebytes, did you do a quick scan or custom scan? Always run a custom scan if you know or think something is up and elect to include rootkit scanning when selecting the partition/drives to scan. Increases time to complete but helps with detection.

2. Use CCleaner by Piriform. Run a cleaner for registry, check the programs to see if anything weird shows up in installed. Also check with the scheduled tasks to see if anything looks weird. Typically a string of numbers and letters not legible is no bueno. Can also check web browsers for extensions/add-ins that are bad juju.

3. If you are not certain about the traffic use the all powerful Wireshark program. Free and amazing to track traffic to ports and files that show the traffic. It's a great tool to have and use for a lot of reasons other than hunting a problem.

Jason Ivey, Level 3 Tech

I ran a full scan from Malwarebytes.  I am not sure if rootkit detection was on, will rescan.

I am not familiar enough with Wireshark, but I have heard of its power, just never got enough time to sit down and learn how to use it.

I'll get back to you on the rootkit scan.

James Bunch, Systems Engineer

The rootkit scan is a great way to find underlying stuff that has the normal facades. CCleaner combo with this scan typically cures my ailments on client devices.

Wireshark is super simple to pick up and use (a little tough to master). But you can isolate a port specifically and trace that network traffic back to the file using it or even the remote machine on the LAN and then down to the file. It's most definitely a great tool to start using in your situation. Good luck!

Exec Consultant
Distinguished Expert 2019

Better to rebuild the machine that was infected. Manual cleaning is not assuring.

Isolate the machine. Change the login credentials for the administrators. You may want to check the mapped drives and see if the ransomware notes are in existence.

You can try sending the trojan zip to VirusTotal to see whether any other AV detects it, and also see the other artefacts it creates, which may be more than the callback. https://www.virustotal.com

You should also check the firewall and Internet gateway for a traffic surge from this server and block any outgoing calls.

Jason Ivey, Level 3 Tech

It's the best logical answer to not risk trying to clean. The trojan was detected by 1/2 of the scanners at VirusTotal and most identified the gen.trojan.
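
As an added example (not part of the original thread or written by any of its participants): one way to cross-check what Process Monitor shows is to join saved `netstat -ano` output with `tasklist /fo csv /nh` output and list the TCP peers owned by lsass.exe that lie outside the local ranges. The sample output, its PIDs and addresses are constructed, and the function names and the "internal" range list are assumptions of this sketch.

```python
import csv
import ipaddress

# Constructed `netstat -ano` output; 203.0.113.x/198.51.100.x stand in for Internet hosts.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49880     203.0.113.45:443       ESTABLISHED     612
  TCP    192.168.1.10:49881     198.51.100.7:8080      SYN_SENT        612
  TCP    192.168.1.10:49890     192.168.1.5:389        ESTABLISHED     612
  TCP    [::1]:49900            [::1]:5985             ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    612
"""
# Constructed `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''"System","4","Services","0","140 K"
"lsass.exe","612","Services","0","14,208 K"
'''
# Assumption: loopback, link-local and private ranges count as "internal".
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def pid_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` text."""
    rows = csv.reader(tasklist_csv.splitlines())
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def scope(ip):
    hit = any(ip.version == n.version and ip in n for n in INTERNAL)
    return "internal" if hit else "external"

def connections(netstat_text, names):
    """Return (image, pid, remote_ip, remote_port, state, scope) per TCP peer."""
    out = []
    for f in map(str.split, netstat_text.splitlines()):
        if len(f) != 5 or f[0] != "TCP":
            continue  # header lines and UDP rows (no state, no peer)
        host, _, port = f[2].rpartition(":")
        ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not ip.is_unspecified:  # skip LISTENING rows (0.0.0.0:0, [::]:0)
            pid = int(f[4])
            out.append((names.get(pid, "?"), pid, str(ip), int(port), f[3], scope(ip)))
    return out

def external_by_image(netstat_text, tasklist_csv, image="lsass.exe"):
    """Connections owned by `image` whose peer is outside the INTERNAL ranges."""
    conns = connections(netstat_text, pid_names(tasklist_csv))
    return [c for c in conns if c[0].lower() == image and c[5] == "external"]
```

Rows that come back as external with the gateway removed can only be connection attempts (for example `SYN_SENT`), which separates traffic that is actually leaving the network from attempts that never complete.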