
TROJAN detected and restart required to clean



One of our servers with EFSW installed popped up a message that a TROJAN was detected and a restart is required to clean. After the restart the same error popup is encountered, even when a "maximum security" policy from the management console is integrated into the AV (i.e. in-depth scan and strict cleaning).

Please have a look at it; your earliest response is much appreciated.

Attached is the log for the servers:

efsw_logs_6.zip


  • Administrators

Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scanner of the operating memory?

If so, please provide a Procmon boot log. After a reboot stop logging only after the threat has been detected. With the Procmon log please provide also fresh ELC logs. Also provide logs from Gmer.

I'd also recommend:
- Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
- Temporarily disconnecting the machine from network to find out if the threat is detected even if the machine is isolated.

Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.


There's another thread on this rootkit Trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/

OP got rid of it by moving the file in Win safe mode to another directory. He then rebooted and ran an Eset context scan on that file which deleted it and moved it to quarantine folder. The file can then be submitted to Eset from the quarantine folder.

Edited by itman

5 minutes ago, itman said:

There's another thread on this rootkit Trojan here: https://forum.eset.com/topic/22184-win32trojandownloaderdelfbtt/

OP got rid of it by moving the file to another directory. He then ran an Eset context scan on that file which deleted it and moved it to quarantine folder. The file can then be submitted to Eset from the quarantine folder.

Thank you for the response, I will do as suggested.


Just now, mayowa said:

Thank you for the response, I will do as suggested.

See my edited post. The file move needs to be done in safe mode. The file won't show in normal Win mode.


Also in the referenced posting, the Eset log entry showed svchost.exe:

Quote

2020-01-14 08:57:27; Scanner on startup; file; Operating memory » svchost.exe (784); threat version Win32/TrojanDownloader.Delf.BTT Trojan horse; disinfected (after next startup) - contained infected files; ;; B815C519FC024547A19FBA7184B9921F1739AEBB

Do not move that file! As noted in that posting, the rootkit was actually a .dll file.


On 6/10/2020 at 3:58 PM, Marcos said:

Is the trojan detected immediately after a computer restart, e.g. when you run an on-demand scanner of the operating memory?

If so, please provide a Procmon boot log. After a reboot stop logging only after the threat has been detected. With the Procmon log please provide also fresh ESET Log Collector logs. Also provide logs from Gmer.

I'd also recommend:
- Running a scan with ESET SysRescue to rule out the possibility that a rootkit is hiding malicious files. Delf.BTT seems to be rootkit-related.
- Temporarily disconnecting the machine from network to find out if the threat is detected even if the machine is isolated.

Please do not delete any suspicious files without keeping a copy. We'll need them for perusal.

Hello Marcos,

Please follow the link below for the procmon log & ESET Log Collector log

ftp://ftp.nod.sk/support/EKOHOTELS/

Awaiting your swift response.


7 minutes ago, mayowa said:

Hello Marcos,

Please follow the link below for the procmon log & ESET Log Collector log

ftp://ftp.nod.sk/support/EKOHOTELS/

Awaiting your swift response.

We also noticed this in their malware notification alert:

NEW NOTIFICATION

Malicious file Win32/Delf.TXX was detected on computer eko-itmgrsvr.ekohotels.com

Threat type: trojan
Threat name: Win32/Delf.TXX
Computer name: eko-itmgrsvr.ekohotels.com
Logged user:
Time of occurrence: 6/11/20, 8:36:27 AM UTC
Scanner: Startup scanner
Action performed: cleaned

But the notification alert kept coming even though the action performed was "cleaned".


6 minutes ago, Marcos said:

Please provide a Gmer log as well.

I will revert as requested as soon as possible.


  • Administrators

In safe mode move the file C:\Windows\System32\Ms546B0CB6App.dll to a new folder, e.g. c:\esetvir. If the file is not accessible in safe mode, boot from a live cd, e.g. SysRescue and move the file.

Afterwards run a full disk scan. If the dll is not detected, please upload it here.

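The move Marcos describes, written out as an added PowerShell example (this is not code from the thread or from ESET). It uses the path and target folder given in the post above; the safe-mode check, the manifest file name and the -Force switch are this example's own assumptions. The point of the extra steps is Marcos's earlier request: hash and describe the file before anything touches it, so a copy's identity is on record even if a later scan deletes it.

```powershell
# Added example (not from the thread): record evidence about the flagged DLL, then
# move it out of System32 as Marcos described. Run elevated, from safe mode.
# The target and quarantine paths are the ones named in the thread; the
# safe-mode check, manifest name and -Force switch are assumptions of this example.
param(
    [string]$Target     = 'C:\Windows\System32\Ms546B0CB6App.dll',
    [string]$Quarantine = 'C:\esetvir',
    [switch]$Force
)

function Test-SafeMode {
    # SAFEBOOT_OPTION is only set when Windows boots into safe mode ("Minimal" or
    # "Network"); Win32_ComputerSystem.BootupState reports the same fact via WMI.
    $opt   = $env:SAFEBOOT_OPTION
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    return ($opt -in 'Minimal', 'Network') -or ($state -like 'Fail-safe*')
}

if (-not (Test-SafeMode) -and -not $Force) {
    throw "Not in safe mode; a rootkit can hide the file in a normal boot. Reboot into safe mode or pass -Force."
}

if (-not (Test-Path -LiteralPath $Target)) {
    throw "$Target is not visible. Boot from a live CD such as SysRescue and move it from there instead."
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# Record what we are about to touch before anything changes: hash, size, timestamps, signature.
$item = Get-Item -LiteralPath $Target -Force
$hash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $Target
[pscustomobject]@{
    Path      = $Target
    SHA256    = $hash
    Size      = $item.Length
    Created   = $item.CreationTimeUtc
    Modified  = $item.LastWriteTimeUtc
    SigStatus = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    MovedAt   = (Get-Date).ToUniversalTime()
} | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $Quarantine 'manifest.json')

# Move (not delete) the original; the full disk scan afterwards can still quarantine it,
# and the quarantine copy is what gets submitted to ESET.
$dest = Join-Path $Quarantine $item.Name
Move-Item -LiteralPath $Target -Destination $dest -Force

# Verify the moved file is byte-identical to what was hashed and that System32 no longer has it.
$after = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
if ($after -ne $hash) { throw "Hash mismatch after move: $hash vs $after" }
if (Test-Path -LiteralPath $Target) { throw "$Target is still present; something restored it." }
Write-Output "Moved $Target -> $dest (SHA256 $hash). Now run a full disk scan."
```

If the file is not visible even in safe mode, the script stops before touching anything; that is the case where the live-CD route in the post above applies, and the manifest can be produced from the offline copy instead.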

  • Administrators

Also we would like to ask you to generate a complete memory dump at the point when the malware is still running and is detected in memory.


3 hours ago, mayowa said:

Hello Marcos,

Please follow the link below as requested:

ftp://ftp.nod.sk/support/Gmerlog & Dumps/

Find below the link for the log retrieved from the second server.

The files include the log for GMER, PROCESS MONITOR (BOOT LOG) and screenshots for the below. Also attached is a screenshot of the event log details from before the restart of the server! However, it does not create a memory dump file!
Thanks,

ftp://ftp.nod.sk/support/EKHotels/

Anticipating your response as always.

Thank you and warm regards

Edited by mayowa

I will also add that Win32/Delf detections almost universally are associated with malware installing a malicious Win service. Also, a characteristic of rootkits. The key to eliminating this rootkit is to identify the malicious service and remove it.

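A way to do the service hunt itman describes, as an added PowerShell example (not code from the thread). It walks every registered service, resolves the binary that actually runs (for svchost-hosted services that is the ServiceDll under the Parameters key, which is why an svchost.exe process showing up in the detection does not mean svchost.exe is the sample) and flags unsigned, non-Microsoft, recently created, missing or oddly located binaries. The 14-day threshold and the flagging rules are this example's assumptions; the output is a triage list to read by hand, not an automatic removal.

```powershell
# Added example (not from the thread): list services whose backing binary looks
# like what a Delf-style dropper registers. Run elevated. The 14-day window and
# the "suspicious" criteria are assumptions chosen for illustration.
function Get-ServiceBinaryPath {
    param([string]$ServiceName)
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { return $null }
    $image = [Environment]::ExpandEnvironmentVariables($image)
    # svchost-hosted services: the real code is the ServiceDll under Parameters,
    # so report that DLL rather than svchost.exe itself.
    if ($image -match 'svchost\.exe') {
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    # Strip quotes and arguments: "C:\path\to\bin.exe" -arg  ->  C:\path\to\bin.exe
    if ($image -match '^"([^"]+)"')            { return $Matches[1] }
    if ($image -match '^(.+?\.(exe|sys|dll))') { return $Matches[1] }
    return $image
}

function Get-SuspiciousService {
    param([int]$RecentDays = 14)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $windir = $env:SystemRoot
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = Get-ServiceBinaryPath -ServiceName $svc.Name
        if (-not $path) { continue }
        $reasons = @()
        if (-not (Test-Path -LiteralPath $path)) {
            # Registered but not visible from a normal boot: exactly what a rootkit does.
            $reasons += 'binary not visible'
        } else {
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $item = Get-Item -LiteralPath $path -Force
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
            if ($item.CreationTime -gt $cutoff) { $reasons += "created $($item.CreationTime)" }
        }
        if ($path -notlike "$windir\*" -and $path -notlike "${env:ProgramFiles}\*") {
            $reasons += 'unusual location'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Path      = $path
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Review the list by hand; legitimate third-party services will appear too.
# Only then stop and disable the offender before moving its file, e.g.:
#   Stop-Service -Name <name>; Set-Service -Name <name> -StartupType Disabled
Get-SuspiciousService | Sort-Object Name | Format-Table -AutoSize
```

A service whose binary is reported as "not visible" from a normal boot is the one to re-check from safe mode or a live CD, since that is the hiding behaviour discussed earlier in the thread.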

  • Administrators
1 hour ago, mayowa said:

Kindly follow the link below.

ftp://ftp.nod.sk/support/EKHotels/

Looks like a kernel dump only:

Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

The size of memory.dmp is 207 MB but I assume that more RAM is installed on the machine.

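Marcos asked earlier for a complete memory dump taken while the malware is still running, and the upload turned out to be a kernel summary dump, which omits user address space. The following is an added PowerShell example (not from the thread or from ESET) that switches the server to a complete dump and checks the prerequisites. The CrashControl values are documented Windows settings; the pagefile rule of thumb and the -EnableKeyboardCrash switch are this example's assumptions.

```powershell
# Added example (not from the thread): configure a complete memory dump so the
# next dump includes user-mode memory (the svchost process the detection named).
# CrashDumpEnabled: 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
# The pagefile check and the keyboard-crash option are assumptions of this example.
param([switch]$EnableKeyboardCrash)

$crash = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-DumpConfig {
    $cc    = Get-ItemProperty -Path $crash
    $ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    # Rule of thumb: a complete dump needs a pagefile on the system drive at least
    # the size of RAM plus a small header; 0 for MaximumSize means system-managed.
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting |
          Where-Object { $_.Name -like "$env:SystemDrive*" }
    [pscustomobject]@{
        CrashDumpEnabled = $cc.CrashDumpEnabled
        DumpFile         = $cc.DumpFile
        RamGB            = $ramGB
        PagefileMaxMB    = if ($pf) { $pf.MaximumSize } else { $null }
        PagefileOK       = [bool]($pf -and ($pf.MaximumSize -eq 0 -or $pf.MaximumSize -ge ($ramGB * 1024 + 1)))
    }
}

$before = Get-DumpConfig
Write-Output "Before: CrashDumpEnabled=$($before.CrashDumpEnabled) (2 = kernel dump, which lacks user address space)"

# 1 = complete memory dump; AlwaysKeepMemoryDump stops Windows deleting it when disk space is low.
Set-ItemProperty -Path $crash -Name CrashDumpEnabled     -Value 1 -Type DWord
Set-ItemProperty -Path $crash -Name AlwaysKeepMemoryDump -Value 1 -Type DWord

if ($EnableKeyboardCrash) {
    # Lets you force the dump at the moment the threat is resident:
    # hold the right CTRL key and press SCROLL LOCK twice.
    foreach ($drv in 'kbdhid', 'i8042prt') {   # USB and PS/2 keyboard drivers
        $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters"
        if (Test-Path -Path $p) { Set-ItemProperty -Path $p -Name CrashOnCtrlScroll -Value 1 -Type DWord }
    }
}

$after = Get-DumpConfig
if (-not $after.PagefileOK) {
    Write-Warning "Pagefile on $env:SystemDrive is smaller than RAM ($($after.RamGB) GB); a complete dump would be truncated."
}
Write-Output "After: CrashDumpEnabled=$($after.CrashDumpEnabled). Reboot for the change to take effect."
```

After the reboot, wait for the startup scanner to raise the detection again, then trigger the crash; the resulting memory.dmp should be roughly the size of installed RAM rather than the 207 MB seen above, and the first line of its header will read "Full Dump" instead of "Kernel Summary Dump".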
