jackraymund 0 Posted January 14, 2020 (edited)

Hello, I got a problem with a virus called Win32/TrojanDownloader.Delf.BTT. This virus removed my antivirus and did some damage on the server. Tried to scan with ESET and Microsoft Safety Scanner. Could you help me with it?

2020-01-14 08:57:27;Skaner przy uruchamianiu;plik;Pamięć operacyjna » svchost.exe(784);odmiana zagrożenia Win32/TrojanDownloader.Delf.BTT koń trojański;wyleczony (po następnym uruchomieniu) - zawierał zainfekowane pliki;;;B815C519FC024547A19FBA7184B9921F1739AEBB;

Bootlog is in the attachment (just change the zip extension to 7z).

Regards, Michał

Downloads.zip
Administrators Marcos 5,467 Posted January 14, 2020

You have a rootkit there. Either boot from a clean medium (e.g. ESET SysRescue) and run a full disk scan, or do the following:
- start Windows in safe mode
- move C:\Windows\System32\Ms96FB23EEApp.dll to another folder, e.g. to c:\eset
- start Windows in normal mode
- run a full disk scan.
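The safe-mode move step from the post above, as an added PowerShell example that is not part of the thread or ESET's own tooling; it assumes the file path and c:\eset quarantine folder Marcos names, uses the SHA1 that ESET later reports for this file in the thread, and relies on the SAFEBOOT_OPTION environment variable Windows sets in safe mode.

```powershell
# Added example (not from the thread): carry out the safe-mode move step.
# Run from an elevated PowerShell. Paths come from the post above; the
# expected SHA1 is the one ESET later reported for this file in the thread.
$Target     = 'C:\Windows\System32\Ms96FB23EEApp.dll'
$Quarantine = 'C:\eset'
$KnownSha1  = 'B0E1752744684C8E97CD3B72D5F21DFC0E15DA28'

# A rootkit can hide the file from a normally booted system, so refuse to
# continue unless Windows was started in safe mode. Windows sets
# SAFEBOOT_OPTION to MINIMAL or NETWORK for safe-mode boots.
if (-not $env:SAFEBOOT_OPTION) {
    Write-Warning 'Not in safe mode; reboot into safe mode first.'
    return
}

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Warning "$Target not found even in safe mode; it may already be gone."
    return
}

# Hash before moving so the quarantined copy can be tied back to the
# detection log; a mismatch means this is not the file ESET flagged.
$sha1 = (Get-FileHash -LiteralPath $Target -Algorithm SHA1).Hash
if ($sha1 -ne $KnownSha1) {
    Write-Warning "SHA1 $sha1 differs from the thread's $KnownSha1; inspect before assuming it is the same file."
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$dest = Join-Path $Quarantine (Split-Path -Leaf $Target)
Move-Item -LiteralPath $Target -Destination $dest -Force

# Keep a small record beside the quarantined file for the follow-up scan.
"$(Get-Date -Format s);$Target;$dest;SHA1=$sha1" |
    Out-File -FilePath (Join-Path $Quarantine 'moved.log') -Append -Encoding utf8
Write-Output "Moved $Target to $dest (SHA1 $sha1). Reboot normally and run a full disk scan."
```

Once the file is in c:\eset, real-time protection will flag it on access (as happens later in the thread), which is the expected outcome rather than a problem.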
jackraymund 0 Posted January 14, 2020 Author

I can't turn off this server right now to run a full scan on SysRescue. I would prefer to do it the second way, but I don't have this file in C:\System32 (in normal mode). Or will this file appear in safe mode? Tried to show file systems in Explorer and tried with a PS script:

PS C:\Windows\System32> ls | findstr Ms96
Administrators Marcos 5,467 Posted January 14, 2020

As I wrote, it's a rootkit, so you and other apps / AVs won't normally see it. You should see it in safe mode.
jackraymund 0 Posted January 14, 2020 Author

So, I moved the file to another folder; when I checked it in Explorer (in normal mode) ESET removed it.

Godzina;Skaner;Typ obiektu;Obiekt;Wykrycie;Czynność;Użytkownik;Informacje;Skrót;Pierwsze wystąpienie
2020-01-14 13:43:57;Ochrona systemu plików w czasie rzeczywistym;plik;D:\eset\Ms96FB23EEApp.dll;odmiana zagrożenia Win32/Packed.VMProtect.ABD koń trojański;wyleczony przez usunięcie;xxx;Zdarzenie wystąpiło podczas próby uzyskania dostępu do pliku przez aplikację: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;B0E1752744684C8E97CD3B72D5F21DFC0E15DA28;2020-01-02 10:50:28

Scanning is in progress....
jackraymund 0 Posted January 14, 2020 Author

Scanning doesn't detect anything. After reboot everything works and ESET doesn't detect anything. Thanks