Jump to content

TROJAN detected and restart required to clean


Recommended Posts

One of our servers with EFSW installed popup with a message that TROJAN detected and restart required to clean. After restart same error pop is encountered even when a policy from the management console '' maximum security '' is integrated to the AV (i.e in-depth scan and strict cleaning )

Please have a look at it and your earliest response is much appreciated 

Attached is log for the servers 

efsw_logs_6.zip

Link to post
Share on other sites
  • Administrators

Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scanner of the operating memory?

If so, please provide a Procmon boot log. After a reboot stop logging only after the threat has been detected. With the Procmon log please provide also fresh ELC logs. Also provide logs from Gmer.

I'd also recommend:
- Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
- Temporarily disconnecting the machine from network to find out if the threat is detected even if the machine is isolated.

Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.

Link to post
Share on other sites

There's another thread on this rootkit Trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/

OP got rid of it by moving the file in Win safe mode to another directory. He then rebooted and ran an Eset context scan on that file which deleted it and moved it to quarantine folder. The file can then be submitted to Eset from the quarantine folder.

Link to post
Share on other sites
5 minutes ago, itman said:

There's another thread on this rootkit Trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/

OP got rid of it by moving the file to another directory. He then ran an Eset context scan on that file which deleted it and moved it to quarantine folder. The file can then be submitted to Eset from the quarantine folder.

Thank you for the response i will do as suggested 

Link to post
Share on other sites
Just now, mayowa said:

Thank you for the response i will do as suggested 

See my edited post. File move needs to be done in safe move. File won't show in normal Win mode.

Link to post
Share on other sites

Also in the referenced posting, the Eset log entry showed svchost.exe:

Quote

2020-01-14 08: 57: 27; Scanner on startup; file; Operating memory »svchost.exe (784); threat version Win32 / TrojanDownloader.Delf.BTT Trojan horse; disinfected (after next startup) - contained infected files; ;; B815C519FC024547A19FBA7184B9921F1739AEBB

Do not move that file! As noted in that posting, the rootkit was actually a .dll file.

Link to post
Share on other sites
On 6/10/2020 at 3:58 PM, Marcos said:

Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scanner of the operating memory?

If so, please provide a Procmon boot log. After a reboot stop logging only after the threat has been detected. With the Procmon log please provide also fresh ESET Log Collector logs. Also provide logs from Gmer.

I'd also recommend:
- Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
- Temporarily disconnecting the machine from network to find out if the threat is detected even if the machine is isolated.

Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.

Hello Marcos ,

Please follow the link below for the procmon log & ESET Log Collector log

ftp://ftp.nod.sk/support/EKOHOTELS/

Awaiting your swift response 

Link to post
Share on other sites
7 minutes ago, mayowa said:

Hello Marcos ,

Please follow the link below for the procmon log & ESET Log Collector log

ftp://ftp.nod.sk/support/EKOHOTELS/

Awaiting your swift response 

We also noticed this in their malware notification alert 

NEW NOTIFICATION

Malicious file Win32/Delf.TXX was detected on computer eko-itmgrsvr.ekohotels.com

Threat type: trojan
Threat name: Win32/Delf.TXX
Computer name: eko-itmgrsvr.ekohotels.com
Logged user:
Time of occurrence: 6/11/20, 8:36:27 AM UTC
Scanner: Startup scanner
Action performed: cleaned

But notification alert kept on coming after the action performed to be cleaned 

Link to post
Share on other sites
6 minutes ago, Marcos said:

Please provide a Gmer log as well.

i will revert as requested as soon as possible 

Link to post
Share on other sites
  • Administrators

In safe mode move the file C:\Windows\System32\Ms546B0CB6App.dll to a new folder, e.g. c:\esetvir. If the file is not accessible in safe mode, boot from a live cd, e.g. SysRescue and move the file.

Afterwards run a full disk scan. If the dll is not detected, please upload it here.

Link to post
Share on other sites
  • Administrators

Also we would like to ask you to generate a complete memory dump at the point when the malware is still running and is detected in memory.

Link to post
Share on other sites
3 hours ago, mayowa said:

Hello Marcos,

 

Please follow the link below as requested 

ftp://ftp.nod.sk/support/Gmerlog & Dumps/

Fine below link for log retrieved from the second server 

The files includes log for GMER, PROCESS MONITOR (BOOT LOG) and screen shots for the below. Also attached a screen shot of event log details which shows before restarting of server! However it does not create memory dump file!
Thanks,

ftp://ftp.nod.sk/support/EKHotels/

 

Anticipating your response as always \

 

Thank you and warm regards 

Link to post
Share on other sites

I will also add that Win32/Delf detections almost universally are associated with malware installing a malcious Win service. Also, a characteristic of rootkits. The key to eliminating this rootkit is to identify the malicious service and remove it.

Link to post
Share on other sites
  • Administrators
1 hour ago, mayowa said:

Kindly follow the link below 

ftp://ftp.nod.sk/support/EKHotels/

Looks like a kernel dump only:

Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

The size of memory.dmp is 207 MB but I assume that more RAM is installed on the machine.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...