jackraymund

Win32/TrojanDownloader.Delf.BTT


Hello,

I got a problem with a virus called Win32/TrojanDownloader.Delf.BTT. This virus removed my antivirus and did some damage on the server.

Tried to scan with ESET and microsoft safety scanner.

Could you help me with it?

2020-01-14 08:57:27;Skaner przy uruchamianiu;plik;Pamięć operacyjna » svchost.exe(784);odmiana zagrożenia Win32/TrojanDownloader.Delf.BTT koń trojański;wyleczony (po następnym uruchomieniu) - zawierał zainfekowane pliki;;;B815C519FC024547A19FBA7184B9921F1739AEBB;

Boot log is in the attachment (just change the zip extension to 7z).


Regards,

Michał

Downloads.zip

Edited by jackraymund


You have a rootkit there. Either boot from a clean medium (e.g. ESET SysRescue) and run a full disk scan, or do the following:

- start Windows in safe mode
- move C:\Windows\System32\Ms96FB23EEApp.dll to another folder, e.g. to c:\eset
- start Windows in normal mode
- run a full disk scan.
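An added example, not code from the thread or from ESET, of how the "move the file aside and rescan" step above can be done from an elevated PowerShell prompt in safe mode, with a check for whether the file is visible to this session and whether its SHA1 matches the hash ESET logged. The DLL path and the C:\eset folder are the ones named in the reply; the SHA1 is the value ESET reported for that DLL later in the thread.

```powershell
# Added example (not from the thread): check a path that a rootkit may hide,
# compare its SHA1 with the hash ESET logged, and move it aside for a rescan.
# Run from an elevated PowerShell prompt in safe mode.
# Assumptions: path and quarantine folder are the ones named in the reply;
# the SHA1 is the value ESET reported for the DLL later in the thread.
$Target     = 'C:\Windows\System32\Ms96FB23EEApp.dll'
$Quarantine = 'C:\eset'
$KnownSha1  = 'B0E1752744684C8E97CD3B72D5F21DFC0E15DA28'

# 1. Visibility through several APIs: a rootkit that filters directory
#    enumeration can hide a file from a listing while a direct open still works.
$inListing = [bool](Get-ChildItem -Path (Split-Path $Target) -Force -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -eq (Split-Path $Target -Leaf) })
$testPath  = Test-Path -LiteralPath $Target
$ioExists  = [System.IO.File]::Exists($Target)
"Directory listing: $inListing  Test-Path: $testPath  File.Exists: $ioExists"

if (-not ($testPath -or $ioExists)) {
    "Not visible from this session; retry from safe mode or a clean boot medium (e.g. ESET SysRescue)."
    return
}

# 2. Hash the file and compare with what the scanner logged.
$sha1 = (Get-FileHash -LiteralPath $Target -Algorithm SHA1).Hash
"SHA1: $sha1  matches ESET log: $($sha1 -eq $KnownSha1)"

# 3. Move it out of System32 so it is not loaded at the next boot, then rescan.
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
Move-Item -LiteralPath $Target -Destination $Quarantine -Force
"Moved to $Quarantine; reboot normally and run a full disk scan."
```

If the file is visible in safe mode but not in normal mode, that difference is itself the indicator the reply describes: the hiding component is not loaded in safe mode. A mismatch between the computed SHA1 and the logged one only means the file on disk differs from the sample ESET hashed, not that it is clean; the full scan after the reboot is still the deciding step.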


I can't turn off this server right now to run a full scan with SysRescue.

I would prefer to do it the second way, but:

I don't have this file in C:\System32 (in normal mode). Or will this file appear in safe mode?

Tried to show file systems in Explorer and tried with a PS command:

PS C:\Windows\System32> ls | findstr Ms96


As I wrote, it's a rootkit so you and other apps / AVs won't normally see it. You should see it in safe mode.


So, I moved the file to another folder; when I checked it in Explorer (in normal mode), ESET removed it.

Godzina;Skaner;Typ obiektu;Obiekt;Wykrycie;Czynność;Użytkownik;Informacje;Skrót;Pierwsze wystąpienie
2020-01-14 13:43:57;Ochrona systemu plików w czasie rzeczywistym;plik;D:\eset\Ms96FB23EEApp.dll;odmiana zagrożenia Win32/Packed.VMProtect.ABD koń trojański;wyleczony przez usunięcie;xxx;Zdarzenie wystąpiło podczas próby uzyskania dostępu do pliku przez aplikację: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B0E1752744684C8E97CD3B72D5F21DFC0E15DA28;2020-01-02 10:50:28


Scanning is in progress....


Scanning didn't detect anything. After the reboot everything works and ESET doesn't detect anything. Thanks :)
