Solved NetBT.sys - Backdoor.tidserv!inf

[Citinautic]

HI,
I;ve been reading all the posts related to this Virus, and I did the part of Karspensky revomal and I've got the TDSSKiller log that I'm posting it, it has 2 viruses that I already know I have, the NetBT.sys detected by AVG and the ggsltt.sys(?!) detected by mbam (that I ran once) even thou it says it was removed it keeps coming back, I did the sys restore thing but still, and due the NetBt is a system driver I didn't know how to clean this up (even thou I restore the good one this keeps coming back)

Well, this is the log of TDSSKiller ...

PS, Thanks in advance.

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

 

[Citinautic]

Done ! here are the attachments

Hi, thanks for the welcome!

I followed the instructions and I got these logs, in the 6th step of GMER I've got a BSOD, I'm including the after-event logs (BSOD, I lost the other one), I made sure I didn't have any antivirus active, I have AVG and in every step I turn it off.

The OS is W Vista HE SP2, and the laptop is a Inspiron 1525, Intel DualCore 1.73Mhz, 2 GB RAM

 

[Broni]

You have some McAfee leftovers.
Please, run McAfee Consumer Product Removal Tool: http://www.softpedia.com/get/Tweak/Uninstallers/McAfee-Consumer-Product-Removal-Tool.shtml

=========================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

===========================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

 

[Citinautic]

MBRcheck Results

Hi Broni,

I'm sorry for the delay, I needed to go out of town, now I'm back,,,:wave:

Here is the MBR results after the leftover removal, and the viewpoint removal.
now I'm waiting for instructions ...

 

[Broni]

MBRCheck log looks good

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE1. If Combofix asks you to install Recovery Console, please allow it.
   NOTE 2. If Combofix asks you to update the program, always do so.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Citinautic]

Okay Broni, ComboFix Results

HI Broni again,

I did the ComboFix, it took a little longer, I was trying to read the log and I noticed that the viewpoint (or part of) is shown there even thou I unistalled, also the windows defender, but there's no entry for uninstalling (I have the AVG and is not recommended to have it installed) the only traces of it is in the updates. There is a PixArt thing that I coundn't find anywhere in the PC but here (looks like is for camara pics).Still the ggsltt.sys driver is there (I google it and in the only place it appears is in this post!) this one was marked as a rootkit by mbam. Another one is the bkpkjtmx.sys, this is the first time I saw it.

Anyway, I'm just trying to understand what's going on but you're the man!

Citinautic

 

[Broni]

We'll deal with those leftovers, either through Combofix, or couple of next scans...

You can't really uninstall Windows Defender as MS made it as a part of Windows.
All you can do is to disable it: http://www.mydigitallife.info/2008/...move-and-uninstall-windows-defender-in-vista/


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\ggsltt1.sys
c:\windows\system32\drivers\fileinfo - Copy.sys
c:\windows\system32\config\systemprofile\AppData\Local\Jfuwipokidupap.dat
c:\windows\system32\drivers\bkpkjtmx.sys
c:\windows\system32\DRIVERS\PFC027.SYS


Folder::
c:\programdata\Viewpoint
c:\windows\PixArt

Driver::
bkpkjtmx
PAC207
ggsltt
ggsltt1


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PAC207_Monitor"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xmoxfttunewfiit]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ggsltt]

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[Citinautic]

ComboFic Resutls 2

Hi Broni,

I did the ComboFix and this is the result, the program displayed a msg saying that it uploaded the results for further analysis.

Here's the result:

 

[Broni]

There are still some baddies...

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\zapglnma.sys


Driver::
zapglnma


Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ggsltt]

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[Citinautic]

Combo Fix results 3

HI Broni,

Me again, here I'm attaching the results of the new Combo Fix script.
and thanks a lot for taking your time to see all this, I really appreciate it

Citinautic

 

[Broni]

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\ggsltt1.sys
c:\windows\system32\drivers\ggsltt.sys

Folder::
c:\windows\system32\config\systemprofile\AppData\Local\igishcfif


Driver::
ggsltt

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ggsltt]

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[Citinautic]

Re-scrubbed by Combofix 3

Hi Broni,

I ran the Combofix again with the scrip of the previous post you sent.me.

Here are the results:

Looks like the ggsltt is gone!

Let me know what you see, and thanks again Broni

 

[Broni]

It was a stubborn SOB, but it seems to be gone

How is computer doing?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[Citinautic]

Ooops, we talk too soon, it came back!

Hi Broni,

I did the OTL but after 20 secs. aprox. the AVG poped-up a warning about the ggsltt virus!, holy cow!, there must be a program that triggers this up, or maybe from the cache, I don't know, but it keeps coming back.

I'm sending the results of OTL, and also I'm attaching the AVG result of the virus scan (even thou it says ti was removed, it is not) so you can take a look of what's going on.

and, master, I'm waiting for instructions.

 

[Broni]

Update Malwarebytes, run it, post its log.
Re-run TDSSKiller, post fresh log.

 

[Citinautic]

Workaround

Hi Broni,

While I was waiting you response I re-did some of the previous steps to remove it, and it removed perfectly, but after some minutes it was back again.

So, I did a workaround that can keeping it from coming back, so I did the following::darth:

Once that I noticed that the object ggsltt was gone, I placed a dummy file with the same name, I blocked this by changing the attributes (Hide & Read Only) so the malicious file cannot replace or somehow it "thinks" it sits still there, and it worked fine.

I've been rebooting, surfing, open and close some application and then I re-scan the subdirectory and there's no trace of this virus anymore,

This is not the cleanest way to remove it, I know, but it worked as you can see it in the logs.

I know that still somewhere there is a service/program that from time to time, will spit that malware out back again, but with this, I think it won't bother for a while.

So, still I'm sending you the logs, and I'd like to know your advice, and now without the malware on the way could be easier to find the source. don't you think?

And you know something? the PC now is working great! fast as new.

Please let me know what you think.

 

[Broni]

"Dummy" method is not bad, but I'd like to know, what's going on here.

We'll run couple more scans....

Please download Sophos Anti-rootkit & save it to your desktop.

IMPORTANT!

• Disconnect from the Internet or physically unplug you Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  
  • Running processes
  • Windows Registry
  • Local Hard Drives
  
  
• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  
  
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\

 

[Citinautic]

Done, looks clean

Hi Broni,

I appreciate your help,
I shut down the resident shields from AVG and the TuneUp service (there's no other way to stop it), after that I ran the first and 2nd scan.

In the second scan only appears 1 item, and it's from AVG that is the AV that I have installed, looks like is in the quarantine folder, but besides that, nothing!, and as I told you, the Laptop is running like a champ!. like brand new.

I agree that the dummy file is an easy-way-out workaround but dangerous. (it could be re-infected because the source might be still around).:suspiciou

Do you have any other suggestion?

 

[Broni]

OK then....

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

==========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

=======================================================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• Click Start
• IMPORTANT! UN-check Remove found threats
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• NOTE. If Eset won't find any threats, it won't produce any log.

 

[Citinautic]

Well, here are the results

Hi Broni,

I just finished to run all these programs and here are the results,

EBET found a Virus but it was in a quarantine file of Dr Web, I did a scan once trying to clean this up and it put it there, so EBET found it.

This machine looks more clean than my soul, you did a great job, I don't know but I don't see any trace of the ggsltt rootkit, or any other one.:monkey:

Just in case, I'm going to delete all the traces of the quarantine files so we can be safer and the scans could be more accurate.

Let me know what do you think, what else we can do about it

And thanks again for the time you've been spending for this evil ware:evil:

 

[Broni]

Good
Delete manually:
C:\Users\Paola\DoctorWeb\Quarantine\35c4af05-7665e840
Empty recycle bin.

=======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how is your computer doing.

 

[Citinautic]

A big thanks!

Well Broni,

Thanks a lot for your advices and your time,

All these tools and reviews you did makes me confident you did a good work,

This PC belongs to a teenager, so I'm going to talk to her, because this is the second time we clean this PC. the first time wan't too hard to fix it.

I appreciate all your help and time, and one day, I'm going to treat you for a dinner. when I go to California, I used to go there, I lived in San Francisco for a year almost.

Well, I hope later you can show me where I can learn to use these tools. so I can serve also as support.

Anyway "see later, alligator" :wave:

 

[Broni]

You're very welcome

This PC belongs to a teenager, so I'm going to talk to her, because this is the second time we clean this PC

Lashes work pretty good too....hehehehe

See ya in CA

Good luck and stay safe