Formentera

Cannot remove Win32/Korplug.BX Trojan

4 posts in this topic

No matter how many times I scan, the trojan always re-appears. The antivirus always says that the trojan has been removed, but every single day, it reappears. Is there a way to permanently remove it?

I have attached a log file.

Thank you

a.txt


Posted (edited)

Appears this malware has a .dll component that has to be manually removed. Trend Micro has an article on how to remove it here you can try: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_plugx.ztbf-b . If the .dll cannot be found per instructions given, then this new variant is doing something else and you need to contact Eset tech support for resolution help.

Your Eset log indicates the malware is being discovered in memory at boot time. Appears it has created a "bogus" service that is automatically being started at boot time using svchost.exe. So removal of that service also has to be addressed.

Edited by itman


Posted (edited)

Another thing you can do is run Eset's most aggressive AV scan to see if it will remove the malware.

Below is a screen shot of what you need to run.

  1. Select "Advanced Scans."
  2. Select the following; memory, boot sector, and the drive your OS is installed on.
  3. Click on the wheel symbol to display additional options. Change "Scan Profile" to In-depth.
  4. Click on the "Scan as Administrator" button to run the scan.

This scan will take some time to run so be aware of that.

[Attached screenshot: Eset_Scan.png]

Edited by itman


Collect logs with ELC and "Threat detection" selected from the menu, upload the archive to a safe location and pm me a download link. I assume it's a fileless threat that is present in the registry only.

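The two points raised above, a bogus service auto-started at boot through svchost.exe and a threat that may live only in the registry, can both be triaged with a quick inventory of svchost-hosted services. The script below is an added example for that check, not something posted in the thread or shipped by ESET; it assumes an elevated PowerShell prompt and only uses built-in cmdlets and the standard Services registry layout.

```powershell
# Added example (not from the thread): list svchost-hosted services and the DLL each one loads,
# flagging auto-start entries whose DLL is missing from disk (persistence that exists only in the
# registry), is unsigned, or sits outside the Windows directory. Run from an elevated prompt.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$windir  = $env:WINDIR

$findings = foreach ($svc in Get-ChildItem -Path $svcRoot) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    # Only services whose host process is svchost.exe are of interest here
    if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

    # The DLL that svchost loads for this service is recorded under Parameters\ServiceDll
    $paramsKey = "$($svc.PSPath)\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # Expand %SystemRoot%-style variables so the path can be checked on disk
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    $exists  = Test-Path -LiteralPath $dllPath
    $signed  = $false
    if ($exists) {
        $signed = (Get-AuthenticodeSignature -FilePath $dllPath).Status -eq 'Valid'
    }

    [PSCustomObject]@{
        Service    = $svc.PSChildName
        Start      = $props.Start        # 2 = automatic start at boot
        ServiceDll = $dllPath
        OnDisk     = $exists
        Signed     = $signed
        InWinDir   = $dllPath.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Auto-start services whose DLL is missing, unsigned, or outside the Windows directory
$findings |
    Where-Object { $_.Start -eq 2 -and (-not $_.OnDisk -or -not $_.Signed -or -not $_.InWinDir) } |
    Format-Table -AutoSize
```

Anything this lists is a candidate to compare against the ELC/ESET log rather than something to delete on sight; a service entry with no DLL on disk is the registry-only pattern Marcos describes.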
