joeardouin

Members
  • Posts

    8
  • Joined

  • Last visited

About joeardouin

  • Rank
    Newbie

Profile Information

  • Location
    Turkey

Recent Profile Visitors

44 profile views
  1. Hello again, Thanks to James we are almost sure the problem is my SQL Server. The password is kind of easy, I guess, so they easily brute-forced it and added their own procedures that download a trojan. So in the beginning I closed the SQL ports from the internet, then removed unnecessary procedures, also disabled settings which should be off by default, and also reset the SQL and Windows passwords. In my situation blocking public IPs will be difficult, but I will try. Thanks for all
  2. Hello again, I blocked PowerShell with group policy and I think it works, but I wanted to deep dive into it, so I disabled the group policy and enabled PowerShell again. And voila... ESS blocked EDX again. Then I checked the Event Viewer and I think I found something interesting. In the picture below, there are 8-10 attempts to log in as sa. Then it starts to change configuration options... Finally something is happening to master.dbo (I couldn't understand)
  3. Hello itman, Thanks for your attention. I created the HIPS rule right now, so I am waiting. Thank you very much
  4. Hello Marcos, Thanks for your help. The threat repeats without any schedule. ESS keeps blocking the script but still cannot detect the source of the script. Anyway, thank you again
  5. Hello Marcos, Thanks for your attention. 1 - Couldn't find it, probably deleted. 2 - Attached. 3 - Attached efsw_logs.zip Bootlog.rar
  6. Please help to clean this trojan, thank you! efsw_logs.zip