mayowa, posted June 10, 2020

One of our servers with EFSW installed popped up a message that a TROJAN was detected and a restart was required to clean it. After the restart the same error pop-up is encountered, even when a policy from the management console, "maximum security" (i.e. in-depth scan and strict cleaning), is integrated with the AV.

Please have a look at it; your earliest response is much appreciated.

Attached are the logs for the servers: efsw_logs_6.zip
Marcos (Administrators), posted June 10, 2020

Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scan of the operating memory? If so, please provide a Procmon boot log. After a reboot, stop logging only after the threat has been detected. With the Procmon log please also provide fresh ELC (ESET Log Collector) logs. Also provide logs from Gmer.

I'd also recommend:
- Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
- Temporarily disconnecting the machine from the network to find out if the threat is detected even if the machine is isolated.

Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.
itman, posted June 10, 2020 (edited)

There's another thread on this rootkit trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/

The OP got rid of it by moving the file, in Windows safe mode, to another directory. He then rebooted and ran an ESET context scan on that file, which deleted it and moved it to the quarantine folder. The file can then be submitted to ESET from the quarantine folder.

Edited June 10, 2020 by itman
mayowa (author), posted June 10, 2020

5 minutes ago, itman said:
> There's another thread on this rootkit trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/
> The OP got rid of it by moving the file to another directory. He then ran an ESET context scan on that file, which deleted it and moved it to the quarantine folder. The file can then be submitted to ESET from the quarantine folder.

Thank you for the response. I will do as suggested.
itman, posted June 10, 2020

Just now, mayowa said:
> Thank you for the response. I will do as suggested.

See my edited post. The file move needs to be done in safe mode. The file won't show in normal Windows mode.
itman, posted June 10, 2020

Also, in the referenced posting, the ESET log entry showed svchost.exe:

> 2020-01-14 08:57:27;Scanner on startup;file;Operating memory » svchost.exe (784);threat version Win32/TrojanDownloader.Delf.BTT trojan horse;disinfected (after next startup) - contained infected files;;;B815C519FC024547A19FBA7184B9921F1739AEBB

Do not move that file! As noted in that posting, the rootkit was actually a .dll file.
mayowa (author), posted June 13, 2020

On 6/10/2020 at 3:58 PM, Marcos said:
> Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scan of the operating memory? If so, please provide a Procmon boot log. After a reboot, stop logging only after the threat has been detected. With the Procmon log please also provide fresh ESET Log Collector logs. Also provide logs from Gmer.
> I'd also recommend:
> - Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
> - Temporarily disconnecting the machine from the network to find out if the threat is detected even if the machine is isolated.
> Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.

Hello Marcos,

Please follow the link below for the Procmon log & ESET Log Collector log: ftp://ftp.nod.sk/support/EKOHOTELS/

Awaiting your swift response.
Marcos (Administrators), posted June 13, 2020

Please provide a Gmer log as well.
mayowa (author), posted June 13, 2020

7 minutes ago, mayowa said:
> Hello Marcos,
> Please follow the link below for the Procmon log & ESET Log Collector log: ftp://ftp.nod.sk/support/EKOHOTELS/
> Awaiting your swift response.

We also noticed this in their malware notification alert:

NEW NOTIFICATION
Malicious file Win32/Delf.TXX was detected on computer eko-itmgrsvr.ekohotels.com
Threat type: trojan
Threat name: Win32/Delf.TXX
Computer name: eko-itmgrsvr.ekohotels.com
Logged user:
Time of occurrence: 6/11/20, 8:36:27 AM UTC
Scanner: Startup scanner
Action performed: cleaned

But the notification alert kept coming after the action performed was reported as cleaned.
mayowa (author), posted June 13, 2020

6 minutes ago, Marcos said:
> Please provide a Gmer log as well.

I will revert as requested as soon as possible.
Marcos (Administrators), posted June 13, 2020

In safe mode, move the file C:\Windows\System32\Ms546B0CB6App.dll to a new folder, e.g. c:\esetvir. If the file is not accessible in safe mode, boot from a live CD, e.g. SysRescue, and move the file. Afterwards run a full disk scan. If the dll is not detected, please upload it here.
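The move described in the post above, as an added example that is not ESET's tooling and not part of the original thread. It records the file's hashes and metadata before touching it (the thread asks that nothing be deleted without keeping a copy), moves the DLL into the holding folder, and verifies the moved copy. The default paths are the ones named in the thread; the function name, the JSON sidecar and the failure handling are this example's own assumptions. It is meant to run from an elevated PowerShell prompt in safe mode; if the file is not visible from that session, it reports so instead of guessing, which is the cue for the live-CD route.

```powershell
# Added example (not ESET's code): preserve evidence about a suspect DLL, then
# move it out of System32 as the thread recommends. Run elevated, in safe mode.

function Move-SuspectFile {
    param(
        [Parameter(Mandatory)] [string] $Path,     # e.g. C:\Windows\System32\Ms546B0CB6App.dll (named in the thread)
        [string] $Destination = 'C:\esetvir'       # holding folder suggested in the thread
    )

    # A rootkit can hide a file from the normal file API. Test-Path returning
    # $false while ESET keeps detecting the file is itself a finding: use a
    # live CD (e.g. SysRescue) instead of this function.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Moved = $false; Reason = 'not visible from this session' }
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # Record what we are about to touch before touching it. SHA1 is the hash
    # ESET writes in its detection log; SHA256 is what most sandboxes want.
    $item   = Get-Item -LiteralPath $Path -Force       # -Force also returns Hidden/System files
    $sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    $record = [ordered]@{
        Path       = $item.FullName
        Size       = $item.Length
        Attributes = $item.Attributes.ToString()
        CreatedUtc = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        SHA1       = $sha1
        SHA256     = $sha256
        Signature  = $sig.Status.ToString()
        Signer     = $signer
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $record | ConvertTo-Json | Set-Content -Path (Join-Path $Destination "$($item.Name).$stamp.json")

    $target = Join-Path $Destination $item.Name
    try {
        Move-Item -LiteralPath $Path -Destination $target -Force -ErrorAction Stop
    } catch {
        # Typical causes: the DLL is still loaded in a process, or a filter
        # driver blocks the rename. Either way, fall back to the live CD.
        return [pscustomobject]@{ Path = $Path; Moved = $false; Reason = $_.Exception.Message }
    }

    # Make sure the copy we now hold is byte-identical to what ESET flagged.
    $after  = (Get-FileHash -LiteralPath $target -Algorithm SHA1).Hash
    $ok     = ($after -eq $sha1)
    $reason = "moved to $target, SHA1 $sha1"
    if (-not $ok) { $reason = 'hash mismatch after move' }
    [pscustomobject]@{ Path = $Path; Moved = $ok; Reason = $reason }
}

# Usage, with the path named in the thread:
# Move-SuspectFile -Path 'C:\Windows\System32\Ms546B0CB6App.dll'
```

The JSON sidecar next to the moved file is what you hand over with the sample; the SHA1 in it can be matched against the hash column of the ESET detection log. Run the full disk scan the post asks for only after the move has reported Moved = True.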
Marcos (Administrators), posted June 15, 2020

Also, we would like to ask you to generate a complete memory dump at the point when the malware is still running and is detected in memory.
mayowa (author), posted June 15, 2020

2 hours ago, Marcos said:
> Also, we would like to ask you to generate a complete memory dump at the point when the malware is still running and is detected in memory.

Hello Marcos,

Please follow the link below as requested: ftp://ftp.nod.sk/support/Gmerlog & Dumps/
mayowa (author), posted June 15, 2020 (edited)

3 hours ago, mayowa said:
> Hello Marcos,
> Please follow the link below as requested: ftp://ftp.nod.sk/support/Gmerlog & Dumps/

Find below the link for the logs retrieved from the second server. The files include logs for GMER and Process Monitor (boot log) and screenshots of the below. Also attached is a screenshot of the event log details, which shows what happened before the server restarted! However, it does not create a memory dump file!

Thanks,
ftp://ftp.nod.sk/support/EKHotels/

Anticipating your response as always.

Thank you and warm regards

Edited June 15, 2020 by mayowa
itman, posted June 15, 2020

I will also add that Win32/Delf detections are almost universally associated with malware installing a malicious Windows service. That is also a characteristic of rootkits. The key to eliminating this rootkit is to identify the malicious service and remove it.
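A way to do the "identify the malicious service" step from the post above, and to connect it with the earlier observations that the detection fires on svchost.exe while the actual payload is a DLL: this is an added example, not ESET's or itman's code, and not from the original thread. It walks the Services registry hive, resolves each service's ImagePath, and for shared services also resolves the Parameters\ServiceDll that svchost.exe loads, then flags anything that would start on its own and is either not Microsoft-signed or not even visible on disk. The function names and the filtering thresholds are this example's assumptions; the registry values and cmdlets are the standard ones. Run it from an elevated prompt.

```powershell
# Added example (not ESET's or itman's code): list every service and driver with
# the binary that really carries its code, including the ServiceDll loaded by
# svchost.exe for shared services, and flag what is not demonstrably Microsoft's.

function Resolve-ServicePath {
    # Turn an ImagePath / ServiceDll value into a plain file path.
    param([string] $Raw)
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p -match '^"([^"]+)"') {                                # "C:\x y\svc.exe" -k netsvcs
        $p = $Matches[1]
    } elseif ($p -match '^(\S+\.(exe|dll|sys))') {              # C:\x\svc.exe -k netsvcs
        $p = $Matches[1]
    } else {                                                     # unquoted path with spaces
        $tokens = $p -split ' '
        for ($i = 1; $i -le $tokens.Count; $i++) {
            $cand = $tokens[0..($i - 1)] -join ' '
            if (Test-Path -LiteralPath $cand -PathType Leaf) { $p = $cand; break }
        }
    }
    $p = $p -replace '^\\\?\?\\', ''                             # \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot            # \SystemRoot\system32\drivers\x.sys
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }   # bare system32\...
    return $p
}

function Get-ServiceBinary {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }      # not a service/driver entry
        $binary = Resolve-ServicePath $svc.ImagePath
        $hosted = $false
        # Shared services run inside svchost.exe; their code is the ServiceDll
        # under Parameters, which is where a DLL-based rootkit would sit.
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if ($params -and $params.ServiceDll) {
            $binary = Resolve-ServicePath $params.ServiceDll
            $hosted = $true
        }
        $exists = Test-Path -LiteralPath $binary
        $status = 'Missing'; $signer = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $binary
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $svc.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type      = $svc.Type       # 1/2 kernel/fs driver, 0x10 own process, 0x20 shared process
            Hosted    = $hosted
            Binary    = $binary
            Exists    = $exists
            Signature = $status
            Signer    = $signer
        }
    }
}

function Find-SuspiciousService {
    # Anything that starts on its own (boot/system/auto) and is not Microsoft-signed.
    Get-ServiceBinary |
        Where-Object { $_.Start -le 2 } |
        Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
        Sort-Object Exists, Signature, Service
}

# Usage:
# Find-SuspiciousService | Format-Table Service, Start, Hosted, Exists, Signature, Binary -AutoSize
# Get-ServiceBinary | Where-Object Binary -like '*Ms546B0CB6App.dll'   # the DLL named in this thread
```

Two caveats a practitioner should keep in mind. On older hosts (Windows 7 / Server 2008 R2) many system files are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so compare the list against a clean machine of the same build before acting on it. And a rootkit that hooks registry enumeration can hide its own service key from this script, so an empty result is not a clean bill of health; that is exactly why the thread also asks for an offline SysRescue scan and a Gmer log.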
Marcos (Administrators), posted June 15, 2020

Please provide a complete memory dump. It should be bigger than just 200 MB.
mayowa (author), posted June 15, 2020

1 hour ago, Marcos said:
> Please provide a complete memory dump. It should be bigger than just 200 MB.

Kindly follow the link below: ftp://ftp.nod.sk/support/EKHotels/
Marcos (Administrators), posted June 15, 2020

1 hour ago, mayowa said:
> Kindly follow the link below: ftp://ftp.nod.sk/support/EKHotels/

Looks like a kernel dump only:

> Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

The size of memory.dmp is 207 MB, but I assume that more RAM is installed on the machine.
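The reason a 207 MB memory.dmp turned up is visible in the post above: the server was configured for a kernel (summary) dump, which omits user address space. What ESET asked for is a complete dump taken while the malware is resident. The following is an added example, not ESET's guidance and not part of the thread, showing how to check the dump configuration and switch it to a complete dump from an elevated PowerShell prompt. The registry values are the documented CrashControl and keyboard-driver settings; the function names and the reporting layout are this example's assumptions. Both changes need a reboot to take effect.

```powershell
# Added example (not ESET's tooling): report whether this server will write a
# complete memory dump, and switch it over if not. Run elevated; reboot afterwards.

$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $cc  = Get-ItemProperty -Path $CrashControl
    $ram = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    # Win32_PageFileSetting returns nothing when the pagefile is fully system-managed.
    $pf  = Get-CimInstance -ClassName Win32_PageFileSetting |
           Where-Object { $_.Name -like "$env:SystemDrive*" }
    $kind = switch ($cc.CrashDumpEnabled) {
        0 { 'None' } 1 { 'Complete' } 2 { 'Kernel' } 3 { 'Small' } 7 { 'Automatic' }
        default { "Unknown($($cc.CrashDumpEnabled))" }
    }
    $pfMax = $null
    if ($pf) { $pfMax = $pf.MaximumSize }     # 0 = system managed
    [pscustomobject]@{
        DumpType          = $kind
        DumpFile          = $cc.DumpFile
        DedicatedDumpFile = $cc.DedicatedDumpFile   # alternative to a RAM-sized pagefile
        PhysicalMemoryMB  = [math]::Round($ram / 1MB)
        # A complete dump needs a pagefile on the system drive of at least RAM
        # size plus about 1 MB, or a DedicatedDumpFile of that size.
        SystemPagefileMB  = $pfMax
        CompleteDumpSet   = ($cc.CrashDumpEnabled -eq 1)
    }
}

function Set-CompleteMemoryDump {
    param([string] $DumpFile = '%SystemRoot%\MEMORY.DMP')
    # 1 = complete memory dump: all physical memory, kernel and user space.
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name DumpFile -Value $DumpFile -Type ExpandString
    # Let an operator crash the box on demand while the infection is active,
    # which is the moment ESET asked for: after reboot, hold right Ctrl and press
    # Scroll Lock twice. kbdhid covers USB keyboards, i8042prt PS/2 ones; on a VM
    # the hypervisor's NMI injection is the usual alternative.
    foreach ($kbd in 'kbdhid', 'i8042prt') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$kbd\Parameters"
        if (Test-Path -Path $k) {
            Set-ItemProperty -Path $k -Name CrashOnCtrlScroll -Value 1 -Type DWord
        }
    }
    Get-CrashDumpConfig
}

# Usage:
# Get-CrashDumpConfig          # expect DumpType = Kernel on a box that produced a 207 MB summary dump
# Set-CompleteMemoryDump       # then reboot; wait for the startup-scanner detection; trigger the crash
```

After the reboot, the resulting MEMORY.DMP should be roughly the size of installed RAM, which is the "bigger than just 200 MB" the post is looking for. Make sure the system drive has that much free space before triggering the crash, and check Get-CrashDumpConfig once more after the reboot so you are not repeating the kernel-only dump.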