Hello. Please can anyone help me. My ESET antivirus is asking me to restart the computer again and again. After I restart my computer it still asks me to restart it. It says "A restart is required to complete the cleaning process. Save all your open documents and restart your computer for all changes to take effect. Restart computer? - Restart now or Restart Later".

The scan log after a full scan:

Scan Log
Version of detection engine: 20314 (20191108)
Date: 08-11-2019  Time: 15:45:36
Scanned disks, folders and files: Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;E:\Boot sectors/UEFI;C:\;D:\;E:\
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » C:\ProgramData\winnmgr\svcnetwk.exe - is OK
C:\Users\Admin\AppData\Local\Dropbox\Dropbox.exe.log - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\QuitReports\00f31322-e2b5-4fbe-a45c-3a6bdfd9579d.dbt - unable to open [4]
C:\Users\Admin\AppData\Local\Dropbox\logs\1\1-fd1a-5dc53c3e.tmp - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Session - unable to open [4]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Current Tabs - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCacheLock.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\GameBarElevatedFT_Alias.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\MicrosoftEdge.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\python3.exe - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\InputApp_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG1 - unable to open [4]
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\Settings\settings.dat.LOG2 - unable to open [4]
C:\Users\Admin\AppData\Roaming\Adobe\CoreSync\GUDE\gude-2019-11-08.log - unable to open [4]
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Rough.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\Substance_Painter-2019.2.2-3345-msvc14-x64-standard-full.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Seat Beige.spsm - error reading archive
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leather Weathered.spsm - decompression could not complete (possible reasons: insufficient free memory or disk space, or a problem with temp folders)
C:\Users\Admin\Downloads\_Getintopc.com_Allegorithmic_Substance_Painter_2019.1.0.3020\Allegorithmic_Substance_Painter_2019.1.0.3020\Setup.exe » INNO » {app}\resources\shelf\allegorithmic\smart-materials\Leather\Leatherette Damaged.spsm - error reading archive
C:\Users\Admin\NTUSER.DAT - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG1 - unable to open [4]
C:\Users\Admin\ntuser.dat.LOG2 - unable to open [4]
C:\Users\Public\Documents\Wondershare\video-converter-ultimate-desktop_full4295.exe.~P2S » INNO » setup.data - unsupported option
C:\Windows\Temp\is-9GBI1.tmp\LighteningPlayerInstall.exe » NSIS » libvlc.dll - archive damaged - the file could not be extracted.
C:\Windows\Temp\is-9GBI1.tmp\ethyuaia_003.exe » INNO - a variant of Win32/TrojanDownloader.Agent.EBX trojan - cleaned by deleting [1]
C:\hiberfil.sys - unable to open [4]
C:\pagefile.sys - unable to open [4]
C:\swapfile.sys - unable to open [4]
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » AirDroid.exe » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\AirDroid_Desktop_Client_3.5.4.0.exe » NSIS » Android.dll » DOTNETREACTOR - cannot perform the operation
E:\download(laptop)\uTorrent (1).exe » ZIP »  - archive damaged
E:\download(laptop)\uTorrent.exe » ZIP »  - archive damaged
Number of scanned objects: 518141
Number of detections: 3
Number of cleaned objects: 3
Time of completion: 16:50:55  Total scanning time: 3919 sec (01:05:19)
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;

Please help.
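The two logs in the post above are worth reading together: the scan log says what was cleaned outright versus what is still "cleaned (after the next restart)", and the detection export carries a SHA-1 for each event. The following is an added example, not ESET code and not from the original post: a small Python triage script that parses both formats (the sample input is copied from the logs above, shortened to the lines that matter), separates deleted objects from reboot-pending ones, and flags an object that keeps showing up with a different hash on every scan, which is the pattern the thread is about. The "reinfecting" heuristic is the example's own reading of the logs, not an ESET rule.

```python
import csv
import io
import re
from dataclasses import dataclass

# Sample lines copied from the scan log posted above. The long run of
# "unable to open [4]" lines is represented by a single one.
SCAN_LOG = """\
Operating memory » svchost.exe(7556) - a variant of Win32/TrojanDownloader.Delf.BTT trojan - cleaned (after the next restart) - contained infected files [2]
Operating memory » C:\\ProgramData\\winnmgr\\svcnetwk.exe - is OK
C:\\Users\\Admin\\NTUSER.DAT - unable to open [4]
C:\\Windows\\Temp\\is-9GBI1.tmp\\LighteningPlayerInstall.exe » NSIS » libvlc.dll - archive damaged - the file could not be extracted.
C:\\Windows\\Temp\\is-9GBI1.tmp\\ethyuaia_003.exe » INNO - a variant of Win32/TrojanDownloader.Agent.EBX trojan - cleaned by deleting [1]
"""

# Sample rows copied from the detections export posted above.
DETECTIONS_CSV = """\
Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;
"""

# ESET threat names carry a platform/family prefix such as "Win32/...";
# scanner status text ("unable to open", "archive damaged") never does.
THREAT_NAME = re.compile(r"\b[A-Za-z0-9]+/[A-Za-z0-9_.]+")


@dataclass
class Detection:
    obj: str
    threat: str
    action: str
    reboot_pending: bool
    in_memory: bool


def parse_scan_log(text):
    """Return one Detection per scan-log line that names a threat."""
    found = []
    for line in text.splitlines():
        parts = line.split(" - ")
        # Detection lines are "<object> - <threat> - <action>"; anything with
        # fewer parts, or whose second part is not a threat name, is status noise.
        if len(parts) < 3 or not THREAT_NAME.search(parts[1]):
            continue
        obj, threat, action = parts[0], parts[1], " - ".join(parts[2:])
        found.append(Detection(
            obj=obj, threat=threat, action=action,
            reboot_pending="after the next restart" in action,
            in_memory=obj.startswith("Operating memory"),
        ))
    return found


def parse_detections_csv(text):
    """Map each detected object to the set of SHA-1 hashes ESET recorded for it."""
    hashes = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        h = row["Hash"].strip().upper()
        if re.fullmatch(r"[0-9A-F]{40}", h):       # ignore rows without a hash
            hashes.setdefault(row["Object"], set()).add(h)
    return hashes


def triage(scan_log, detections_csv):
    dets = parse_scan_log(scan_log)
    hashes = parse_detections_csv(detections_csv)
    return {
        "deleted": [d.obj for d in dets if not d.reboot_pending],
        "reboot_pending": [d.obj for d in dets if d.reboot_pending],
        "hashes": hashes,
        # Heuristic: the same object reported with two different hashes across
        # scans means each scan saw fresh content, i.e. something on disk keeps
        # re-creating the in-memory detection; that is where to look next.
        "reinfecting": sorted(o for o, hs in hashes.items() if len(hs) > 1),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_LOG, DETECTIONS_CSV).items():
        print(f"{key}: {value}")
```

On the logs above this prints the Temp-folder installer under "deleted", the svchost.exe(7556) memory detection under "reboot_pending", and the same svchost object under "reinfecting" because the two export rows carry different hashes. That is the justification for the administrator's later request for a Procmon boot log: the scanner is cleaning what it finds in memory, but the file that loads it has not been identified yet.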

  • Administrators

Looks like logging to the Procmon boot log was stopped before the malware was detected, correct? You should stop logging after the detection, otherwise the malicious file won't be logged.


Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
08-11-2019 15:30:47;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;F955E8360E2644582CA2848B8915914D23613924;
08-11-2019 17:52:15;Startup scanner;file;Operating memory » svchost.exe(7556);a variant of Win32/TrojanDownloader.Delf.BTT trojan;cleaned (after the next restart) - contained infected files;;;C4A5C4B39E126A8637C4518A08EC66C08E3AE9A9;

Is this trojan downloader a problem for me?
  • Administrators

ESET should display an alert some time after the reboot, which is the sign that you can stop logging and save the Procmon boot log. Provide fresh ELC logs then as well so that I can check the PID of the right svchost process.

  • Administrators

1. Boot from a clean medium (e.g. a Sysrescue USB or CD).
2. Move the file C:\Windows\System32\Ms94668F2AApp.dll to c:\eset for instance.
3. Start Windows in normal mode.
4. Send the file Ms94668F2AApp.dll to samples[at]eset.com.
5. After confirming the receipt, you can delete the file.
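Step 2 above is done from the rescue medium, not from the running Windows, because the DLL is loaded into svchost while Windows is up, so an in-place deletion does not stick and the scanner keeps reporting "cleaned (after the next restart)". The following is an added example, not ESET's procedure and not from the administrator's post: a Python script to run from the rescue environment that moves the named DLL out of System32 into the c:\eset folder the administrator suggested, hashes it before and after the move, and writes a small manifest next to it so the hash and original path are on record when the sample is sent. The mount point /mnt/windows is an assumption (wherever the rescue medium mounts the Windows volume); only the file name Ms94668F2AApp.dll and the c:\eset destination come from the thread. The `demo()` function builds a constructed fake Windows tree in a temporary directory so the script can be exercised offline without the real file.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical mount point for the offline Windows volume (rescue-medium side).
MOUNT_ROOT = "/mnt/windows"
# File named by the administrator, relative to the root of the Windows volume.
SUSPECT = "Windows/System32/Ms94668F2AApp.dll"
# Destination folder; this is C:\eset once Windows is booted again.
QUARANTINE = "eset"


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(mount_root, rel_path, quarantine_dir=QUARANTINE):
    """Move mount_root/rel_path into mount_root/quarantine_dir and return a manifest.

    The move is a rename within the same volume, so the bytes are untouched;
    the before/after hash check makes that explicit in the record.
    """
    root = Path(mount_root)
    src = root / rel_path
    if not src.is_file():
        raise FileNotFoundError(f"{src} is not a regular file")
    qdir = root / quarantine_dir
    qdir.mkdir(parents=True, exist_ok=True)
    dst = qdir / src.name
    if dst.exists():
        raise FileExistsError(f"{dst} already exists; refusing to overwrite")

    size = src.stat().st_size
    before = sha256_of(src)
    shutil.move(str(src), str(dst))
    after = sha256_of(dst)
    if after != before:
        raise RuntimeError("hash changed during move; do not trust this copy")

    manifest = {
        "original_path": "C:\\" + rel_path.replace("/", "\\"),
        "quarantined_as": str(dst),
        "size": size,
        "sha256": after,
        "moved_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    (qdir / (src.name + ".json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Exercise quarantine() on a constructed fake mount in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="fake-win-"))
    fake = root / SUSPECT
    fake.parent.mkdir(parents=True)
    fake.write_bytes(b"MZ" + b"\x00" * 62)      # constructed stand-in, not the real DLL
    manifest = quarantine(root, SUSPECT)
    moved_away = not fake.exists()
    in_quarantine = (root / QUARANTINE / "Ms94668F2AApp.dll").is_file()
    return manifest, moved_away, in_quarantine


if __name__ == "__main__":
    # Real use from the rescue medium would be: quarantine(MOUNT_ROOT, SUSPECT)
    m, moved_away, in_quarantine = demo()
    print(json.dumps(m, indent=2))
    print("source removed:", moved_away, "| copy present:", in_quarantine)
```

When the file is later sent to ESET (step 4), the manifest's SHA-256 and original path are the two details worth including, and the hash lets you confirm after step 5 that what you delete is what you submitted. If `quarantine()` raises `FileExistsError`, a copy is already in c:\eset from an earlier attempt; check that one's manifest rather than overwriting it.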
