I started getting IE popups from RedOrbit. Those stopped and now I'm getting the "clicking" sound IE makes randomly. When I opened Yahoo Mesenger I started getting sound clips playing in the background.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4365
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
7/29/2010 12:25:47 PM
mbam-log-2010-07-29 (12-25-47).txt
Scan type: Full scan (C:\|)
Objects scanned: 293196
Time elapsed: 10 hour(s), 27 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-30 08:40:34
Windows 5.1.2600 Service Pack 2
Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys
---- Devices - GMER 1.0.15 ----
Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice A fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 08:45:55
Windows 5.1.2600 Service Pack 2
Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys
---- System - GMER 1.0.15 ----
SSDT 8A09DA10 ZwAlertResumeThread
SSDT 8A09DAF0 ZwAlertThread
SSDT 8A1A1BB8 ZwAllocateVirtualMemory
SSDT 8A1B9E90 ZwAssignProcessToJobObject
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB5DBD534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5DB7782]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6604130]
SSDT 8A20DDC0 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB5DBDCC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB5DD0EB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB5DD12A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB5DDA916]
SSDT 8A1B9CB0 ZwCreateSymbolicLinkObject
SSDT 8A20A2F8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB5DBDDF6]
SSDT 8A1B9F70 ZwDebugActiveProcess
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB5DB8398]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB66043B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6604910]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB5DCFDF0]
SSDT 8A25CBC0 ZwFreeVirtualMemory
SSDT 8A20DEB0 ZwImpersonateAnonymousToken
SSDT 8A20DF90 ZwImpersonateThread
SSDT 8A11F6C8 ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB5DD893C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB5DD8B44]
SSDT 8A25CAE0 ZwMapViewOfSection
SSDT 8A20DCE0 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB5DB7FAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB5DD31CE]
SSDT 8A01B1F8 ZwOpenProcessToken
SSDT 8A20DB20 ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB5DD2DF8]
SSDT 8A1B9DA0 ZwProtectVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB5DD98D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB5DD9208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB5DBD0F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB5DDA2A4]
SSDT 8A26E1F0 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB5DBD7DC]
SSDT 8A21A868 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB5DB875C]
SSDT 8A1EBAE0 ZwSetInformationProcess
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB5DD9E12]
SSDT 8A20D9D8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6604B60]
SSDT 8A20DC00 ZwSuspendProcess
SSDT 8A09DBD0 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB5DD1F0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB5DD1C86]
SSDT 8A21A788 ZwTerminateThread
SSDT 8A1EBBD0 ZwUnmapViewOfSection
SSDT 8A1A1AE8 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464
---- EOF - GMER 1.0.15 ----
Originally, my research led me to download Bootkit Remover. remover.exe produced this:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
Boot sector MD5 is: 2191ee473479383cb93df8a212a49962
Size Device Name MBR Status
--------------------------------------------
38 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Done;
Press any key to quit...
I then did as the demostration showed and created a fix.bat file containing
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
The result was:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
CreateFile() ERROR 121
ERROR: Can't open physical disk device.
Done;
Press any key to quit...
I'm not sure where to go from here and any help would be greatly appreciated.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4365
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
7/29/2010 12:25:47 PM
mbam-log-2010-07-29 (12-25-47).txt
Scan type: Full scan (C:\|)
Objects scanned: 293196
Time elapsed: 10 hour(s), 27 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-30 08:40:34
Windows 5.1.2600 Service Pack 2
Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys
---- Devices - GMER 1.0.15 ----
Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice A fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 08:45:55
Windows 5.1.2600 Service Pack 2
Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys
---- System - GMER 1.0.15 ----
SSDT 8A09DA10 ZwAlertResumeThread
SSDT 8A09DAF0 ZwAlertThread
SSDT 8A1A1BB8 ZwAllocateVirtualMemory
SSDT 8A1B9E90 ZwAssignProcessToJobObject
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB5DBD534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5DB7782]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6604130]
SSDT 8A20DDC0 ZwCreateMutant
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB5DBDCC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB5DD0EB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB5DD12A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB5DDA916]
SSDT 8A1B9CB0 ZwCreateSymbolicLinkObject
SSDT 8A20A2F8 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB5DBDDF6]
SSDT 8A1B9F70 ZwDebugActiveProcess
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB5DB8398]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB66043B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6604910]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB5DCFDF0]
SSDT 8A25CBC0 ZwFreeVirtualMemory
SSDT 8A20DEB0 ZwImpersonateAnonymousToken
SSDT 8A20DF90 ZwImpersonateThread
SSDT 8A11F6C8 ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB5DD893C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB5DD8B44]
SSDT 8A25CAE0 ZwMapViewOfSection
SSDT 8A20DCE0 ZwOpenEvent
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB5DB7FAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB5DD31CE]
SSDT 8A01B1F8 ZwOpenProcessToken
SSDT 8A20DB20 ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB5DD2DF8]
SSDT 8A1B9DA0 ZwProtectVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB5DD98D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB5DD9208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB5DBD0F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB5DDA2A4]
SSDT 8A26E1F0 ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB5DBD7DC]
SSDT 8A21A868 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB5DB875C]
SSDT 8A1EBAE0 ZwSetInformationProcess
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB5DD9E12]
SSDT 8A20D9D8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6604B60]
SSDT 8A20DC00 ZwSuspendProcess
SSDT 8A09DBD0 ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB5DD1F0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB5DD1C86]
SSDT 8A21A788 ZwTerminateThread
SSDT 8A1EBBD0 ZwUnmapViewOfSection
SSDT 8A1A1AE8 ZwWriteVirtualMemory
---- Devices - GMER 1.0.15 ----
Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464
---- EOF - GMER 1.0.15 ----
Originally, my research led me to download Bootkit Remover. remover.exe produced this:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
Boot sector MD5 is: 2191ee473479383cb93df8a212a49962
Size Device Name MBR Status
--------------------------------------------
38 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
Done;
Press any key to quit...
I then did as the demostration showed and created a fix.bat file containing
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
The result was:
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com
Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
CreateFile() ERROR 121
ERROR: Can't open physical disk device.
Done;
Press any key to quit...
I'm not sure where to go from here and any help would be greatly appreciated.