I got a problem with a virus called Win32/TrojanDownloader.Delf.BTT. This virus removed my antivirus and did some damage on the server.

Tried to scan with ESET and Microsoft Safety Scanner.

Could you help me with it?

2020-01-14 08:57:27;Skaner przy uruchamianiu;plik;Pamięć operacyjna » svchost.exe(784);odmiana zagrożenia Win32/TrojanDownloader.Delf.BTT koń trojański;wyleczony (po następnym uruchomieniu) - zawierał zainfekowane pliki;;;B815C519FC024547A19FBA7184B9921F1739AEBB;


Bootlog is in the attachment (just change the zip extension to 7z)





Edited by jackraymund
  • Administrators

You have a rootkit there. Either boot from a clean medium (e.g. ESET SysRescue) and run a full disk scan, or do the following:

- start Windows in safe mode
- move C:\Windows\System32\Ms96FB23EEApp.dll to another folder, e.g. to c:\eset
- start Windows in normal mode
- run a full disk scan.



I can't turn off this server right now to run a full scan on SysRescue.

I would prefer to do it the second way, but:

I don't have this file in C:\System32 (in normal mode). Or will this file appear in safe mode?

Tried to show file systems in Explorer and tried with a PS script:

PS C:\Windows\System32> ls | findstr Ms96


So, I moved the file to another folder; when I checked it in Explorer (in normal mode), ESET removed it.

Godzina;Skaner;Typ obiektu;Obiekt;Wykrycie;Czynność;Użytkownik;Informacje;Skrót;Pierwsze wystąpienie
2020-01-14 13:43:57;Ochrona systemu plików w czasie rzeczywistym;plik;D:\eset\Ms96FB23EEApp.dll;odmiana zagrożenia Win32/Packed.VMProtect.ABD koń trojański;wyleczony przez usunięcie;xxx;Zdarzenie wystąpiło podczas próby uzyskania dostępu do pliku przez aplikację: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B0E1752744684C8E97CD3B72D5F21DFC0E15DA28;2020-01-02 10:50:28


Scanning is in progress....
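
A triage sketch for the semicolon-separated detection log rows posted in this thread, added here as an example (not code from ESET or from any poster): it parses the rows and flags detections whose cleaning is deferred until the next restart. The English field names and status labels are this example's own, and the only action phrases it recognises are the two that appear in the posted rows.

```python
import csv
import io
import re

# Column order from the header row posted in the thread; the English keys
# are this example's own mapping of the Polish column names.
FIELDS = ["time", "scanner", "object_type", "object", "detection",
          "action", "user", "info", "hash", "first_seen"]

# Action phrases seen in the thread's rows; any other wording maps to "unknown".
ACTIONS = [("po następnym uruchomieniu", "pending_reboot"),
           ("przez usunięcie", "deleted")]

# The two detection rows exactly as posted in the thread.
SAMPLE = r"""
2020-01-14 08:57:27;Skaner przy uruchamianiu;plik;Pamięć operacyjna » svchost.exe(784);odmiana zagrożenia Win32/TrojanDownloader.Delf.BTT koń trojański;wyleczony (po następnym uruchomieniu) - zawierał zainfekowane pliki;;;B815C519FC024547A19FBA7184B9921F1739AEBB;
2020-01-14 13:43:57;Ochrona systemu plików w czasie rzeczywistym;plik;D:\eset\Ms96FB23EEApp.dll;odmiana zagrożenia Win32/Packed.VMProtect.ABD koń trojański;wyleczony przez usunięcie;xxx;Zdarzenie wystąpiło podczas próby uzyskania dostępu do pliku przez aplikację: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B0E1752744684C8E97CD3B72D5F21DFC0E15DA28;2020-01-02 10:50:28
"""


def parse_log(text):
    """Return one dict per detection row, skipping blank lines and the header."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for rec in reader:
        if not rec or rec[0] == "Godzina":
            continue
        rec = (rec + [""] * len(FIELDS))[:len(FIELDS)]  # tolerate short or long rows
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        m = re.search(r"\b[A-Za-z0-9]+/[\w.]+", row["detection"])
        row["threat"] = m.group(0) if m else row["detection"]
        row["status"] = next((s for k, s in ACTIONS if k in row["action"]), "unknown")
        rows.append(row)
    return rows


def needs_follow_up(rows):
    """Rows not yet remediated: cleaning deferred to a restart, or action not recognised."""
    return [r for r in rows if r["status"] != "deleted"]


if __name__ == "__main__":
    for r in parse_log(SAMPLE):
        print(r["time"], r["threat"], r["status"], r["object"], r["hash"], sep=" | ")
```

On the posted rows, the in-memory svchost.exe detection comes back as `pending_reboot`, while the moved DLL is `deleted`.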

