Restart Problem

[Rahul Nambiar 0]

Hello. Please can anyone help me . My eset anitivirus is asking me to restart the computer again and again. After i Restart my computer it still asks me to restart it. It says " a restart is required to complete the cleaning process. Save all your open documents and restart your computer for all changes to take effect. Restart computer?  -Restart now or Restart Later"

 

the scan log after full scan.. :-

Log
Scan Log
Version of detection engine: 20314 (20191108)
Date: 08-11-2019  Time: 15:45:36
Scanned disks, folders and files: Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;E:\Boot sectors/UEFI;C:\;D:\;E:\
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » C:\ProgramData\winnmgr\svcnetwk.exe - is OK
C:\Users\Admin\AppData\Local\Dropbox\Dropbox.exe.log - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\QuitReports\00f31322-e2b5-4fbe-a45c-3a6bdfd9579d.dbt - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\logs\1\1-fd1a-5dc53c3e.tmp - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Session - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Tabs - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCacheLock.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Roaming\Adobe\CoreSync\GUDE\gude-2019-11-08.log - unable to open [4]
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Rough.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Seat Beige.spsm - error reading archive
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Weathered.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leatherette Damaged.spsm - error reading archive
C:\Users\Admin\NTUSER.DAT - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG1 - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG2 - unable to open [4]
C:\Users\Public\Documents\Wondershare\video-converter-ultimate-desktop_full4295.exe.~P2S » INNO » setup.data - unsupported option
C:\Windows\Temp\is-9GBI1.tmp\LighteningPlayerInstall.exe » NSIS » libvlc.dll - archive damaged - the file could not be extracted.
C:\Windows\Temp\is-9GBI1.tmp\ethyuaia_003.exe » INNO - a variant of Win32/TrojanDownloader.Agent.EBX trojan - cleaned by deleting [1]
C:\hiberfil.sys - unable to open [4]
C:\pagefile.sys - unable to open [4]
C:\swapfile.sys - unable to open [4]
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » AirDroid.exe » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » Android.dll » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\uTorrent (1).exe » ZIP »  - archive damaged
E:\download(laptop)\uTorrent.exe » ZIP »  - archive damaged
Number of scanned objects: 518141
Number of detections: 3
Number of cleaned objects: 3
Time of completion: 16:50:55  Total scanning time: 3919 sec (01:05:19)
 

 

 

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;
 

 

please help

[Marcos 5,189]

You have a rootkit in your system that hides away from the OS and other applications, including AVs.

Please provide:
- Logs collected with ESET Log Collector
- a Procmon boot log (https://support.eset.com/kb6308/)

 

[Rahul Nambiar 0]

Logfile.rar

Edited November 8, 2019 by Rahul Nambiar

[Marcos 5,189]

The Procmon log is not from a boot. Please refer to the section https://support.eset.com/kb6308/#boot logs

Also upload logs collected with ESET Log Collector please.

[Rahul Nambiar 0]

sorry cant send any files because it says you can only upload file of size upto 100mb.

[Marcos 5,189]

You can upload it to a file sharing service, e.g. wetransfer.com and drop me a message with a download link.

[Marcos 5,189]

Looks like logging to the Procmon boot log was stopped before the malware was detected, correct? You should stop logging after the detection, otherwise the malicious file won't be logged.

[Rahul Nambiar 0]

how am i going to know which is the malware ? how am going to regonize one ?

 

[Rahul Nambiar 0]

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;

 

is this trojan downloader a problem for me ? 

 

[Marcos 5,189]

ESET should display an alert some time after the reboot which is the sign that you can stop logging and save the Procmon boot log. Provide fresh ELC logs then as well so that I can check the PID of the righ svchost process.

[Rahul Nambiar 0]

only the fresh eset log u need right not the bootlog ?

[Marcos 5,189]

Both the Procmon boot log and ELC logs.

[Rahul Nambiar 0]

https://we.tl/t-DozXUvL4XM

 

this is the latest i got as per instructions.

Please help me some how.

[Rahul Nambiar 0]

can you give me any solution ??

[Marcos 5,189]

1, Boot from a clean medium (e.g. a Sysrescue USB or CD).
2, Move the file C:\Windows\System32\Ms94668F2AApp.dll to c:\eset for instance.
3, Start Windows in normal mode.
4, Send the file Ms94668F2AApp.dll  to samples[at]eset.com.
5, After confirming the receipt, you can delete the file.