Rahul Nambiar, posted November 8, 2019:

Hello. Please, can anyone help me? My ESET antivirus is asking me to restart the computer again and again. After I restart my computer it still asks me to restart. It says: "A restart is required to complete the cleaning process. Save all your open documents and restart your computer for all changes to take effect. Restart computer? - Restart now or Restart later." The scan log after the full scan:

Scan Log
Version of detection engine: 20314 (20191108)
Date: 08-11-2019 Time: 15:45:36
Scanned disks, folders and files: Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;E:\Boot sectors/UEFI;C:\;D:\;E:\
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » C:\ProgramData\winnmgr\svcnetwk.exe - is OK
C:\Users\Admin\AppData\Local\Dropbox\Dropbox.exe.log - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\QuitReports\00f31322-e2b5-4fbe-a45c-3a6bdfd9579d.dbt - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\logs\1\1-fd1a-5dc53c3e.tmp - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Session - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Tabs - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCacheLock.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Roaming\Adobe\CoreSync\GUDE\gude-2019-11-08.log - unable to open [4]
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Rough.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Seat Beige.spsm - error reading archive
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Weathered.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leatherette Damaged.spsm - error reading archive
C:\Users\Admin\NTUSER.DAT - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG1 - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG2 - unable to open [4]
C:\Users\Public\Documents\Wondershare\video-converter-ultimate-desktop_full4295.exe.~P2S » INNO » setup.data - unsupported option
C:\Windows\Temp\is-9GBI1.tmp\LighteningPlayerInstall.exe » NSIS » libvlc.dll - archive damaged - the file could not be extracted.
C:\Windows\Temp\is-9GBI1.tmp\ethyuaia_003.exe » INNO - a variant of Win32/TrojanDownloader.Agent.EBX trojan - cleaned by deleting [1]
C:\hiberfil.sys - unable to open [4]
C:\pagefile.sys - unable to open [4]
C:\swapfile.sys - unable to open [4]
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » AirDroid.exe » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » Android.dll » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\uTorrent (1).exe » ZIP » - archive damaged
E:\download(laptop)\uTorrent.exe » ZIP » - archive damaged
Number of scanned objects: 518141
Number of detections: 3
Number of cleaned objects: 3
Time of completion: 16:50:55
Total scanning time: 3919 sec (01:05:19)

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;
Please help.
Marcos (ESET Administrator), posted November 8, 2019:

You have a rootkit in your system that hides away from the OS and other applications, including AVs. Please provide:
- logs collected with ESET Log Collector
- a Procmon boot log (https://support.eset.com/kb6308/)
Rahul Nambiar, posted November 8, 2019 (edited):

Logfile.rar (attachment)
Marcos (ESET Administrator), posted November 8, 2019:

The Procmon log is not from a boot. Please refer to the section https://support.eset.com/kb6308/#boot logs. Also upload logs collected with ESET Log Collector, please.
Rahul Nambiar, posted November 8, 2019:

Sorry, I can't send any files because it says you can only upload files of size up to 100 MB.
Marcos (ESET Administrator), posted November 8, 2019:

You can upload it to a file sharing service, e.g. wetransfer.com, and drop me a message with a download link.
Marcos (ESET Administrator), posted November 8, 2019:

Looks like logging to the Procmon boot log was stopped before the malware was detected, correct? You should stop logging after the detection, otherwise the malicious file won't be logged.
Rahul Nambiar, posted November 8, 2019:

How am I going to know which is the malware? How am I going to recognize one?
Rahul Nambiar, posted November 8, 2019:

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;

Is this trojan downloader a problem for me?
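An added example, not from the thread or from ESET, that parses the semicolon-separated detection records of the kind posted above and flags the pattern seen in this thread: a detection whose cleaning was deferred to the next restart and which shows up again after the reboot, meaning the cleaning did not stick. The two embedded records are copied from the post above; the field names come from the header line.

```python
import csv
from collections import defaultdict
from io import StringIO

# Detection records in the semicolon-separated layout ESET writes to its
# detection log (the two data rows are copied from the post above).
SAMPLE_LOG = """\
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;
"""


def parse_detections(text):
    """Parse the detection table into a list of dicts keyed by header name."""
    reader = csv.DictReader(StringIO(text), delimiter=";")
    return [row for row in reader if row.get("Time")]


def find_recurring_deferred_cleanings(rows):
    """Group records whose action was deferred to the next restart by
    (object, detection) and keep only groups seen more than once: the same
    detection coming back after a reboot means the cleaning was undone,
    typically by a persistence mechanism that recreates the object."""
    groups = defaultdict(list)
    for row in rows:
        if "after the next restart" in row["Action"]:
            groups[(row["Object"], row["Detection"])].append(row)
    return {key: hits for key, hits in groups.items() if len(hits) > 1}


def summarize(recurring):
    """One summary per recurring detection: occurrences, time span and the
    distinct hashes recorded, which is what a vendor asks for in a report."""
    out = []
    for (obj, detection), hits in sorted(recurring.items()):
        out.append({
            "object": obj,
            "detection": detection,
            "count": len(hits),
            "first": hits[0]["Time"],
            "last": hits[-1]["Time"],
            "hashes": sorted({h["Hash"] for h in hits}),
        })
    return out


if __name__ == "__main__":
    for entry in summarize(find_recurring_deferred_cleanings(parse_detections(SAMPLE_LOG))):
        print(f"{entry['detection']} in {entry['object']} came back "
              f"{entry['count']} times ({entry['first']} .. {entry['last']})")
```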
Marcos (ESET Administrator), posted November 8, 2019:

ESET should display an alert some time after the reboot, which is the sign that you can stop logging and save the Procmon boot log. Provide fresh ELC logs then as well so that I can check the PID of the right svchost process.
Rahul Nambiar, posted November 8, 2019:

Only the fresh ESET log you need, right? Not the boot log?
Marcos (ESET Administrator), posted November 8, 2019:

Both the Procmon boot log and ELC logs.
Rahul Nambiar, posted November 8, 2019:

https://we.tl/t-DozXUvL4XM This is the latest I got as per the instructions. Please help me somehow.
Rahul Nambiar, posted November 8, 2019:

Can you give me any solution?
Marcos (ESET Administrator), posted November 8, 2019:

1. Boot from a clean medium (e.g. a SysRescue USB or CD).
2. Move the file C:\Windows\System32\Ms94668F2AApp.dll to C:\eset, for instance.
3. Start Windows in normal mode.
4. Send the file Ms94668F2AApp.dll to samples[at]eset.com.
5. After confirming the receipt, you can delete the file.