Exchange 2016 with Trojan:MSIL/Chopper.AC!MTB – Virus, Trojan, Spyware, and Malware Removal Help – BleepingComputer

Howdy,

Since a couple of days ago, I have noticed that we have had outgoing mails with suspicious hyperlinks in them, on completely different accounts.
 
After some evaluation, I found that I have a backdoor on my server, MSIL/Chopper.AC!MTB.
 
What I’ve carried out until now:
 
> Updated the EX with the final safety updates available (CU22);
> Ran the MSERT system; it says that it cleaned the backdoors, however, truthfully, I do not trust it;
> After MSERT we ran Trend Micro and Malwarebytes; nothing detected;
> Looked at AD for a pretend HealthMailbox inside the Clients OU > discovered and deleted;
> Looked at C:\ProgramData for suspicious information > detected some unusual information, deleted; but I do not know if there are extra.

 

After cleansing the server, after every week, we run MSERT and MSERT found this backdoor.

I want some assistance to evaluate the FRST64 scan to see if there’s extra I can do to wash this mess.
And, some extra ideas if there are any.

Thanks in advance!

Maik

Source: https://www.bleepingcomputer.com/forums/t/763059/exchange-2016-with-trojanmsilchopperacmtb/
