TechSpot

IE explorer popups, sound clips playing

By Matt5
Aug 12, 2010
  1. I started getting IE popups from RedOrbit. Those stopped and now I'm getting the "clicking" sound IE makes randomly. When I opened Yahoo Messenger I started getting sound clips playing in the background.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4365

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    7/29/2010 12:25:47 PM
    mbam-log-2010-07-29 (12-25-47).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 293196
    Time elapsed: 10 hour(s), 27 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-30 08:40:34
    Windows 5.1.2600 Service Pack 2
    Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys


    ---- Devices - GMER 1.0.15 ----

    Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice A fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464

    ---- EOF - GMER 1.0.15 ----


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-30 08:45:55
    Windows 5.1.2600 Service Pack 2
    Running: gt6b0xo3.exe; Driver: C:\DOCUME~1\Thomas\LOCALS~1\Temp\kwliifog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A09DA10 ZwAlertResumeThread
    SSDT 8A09DAF0 ZwAlertThread
    SSDT 8A1A1BB8 ZwAllocateVirtualMemory
    SSDT 8A1B9E90 ZwAssignProcessToJobObject
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB5DBD534]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5DB7782]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6604130]
    SSDT 8A20DDC0 ZwCreateMutant
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB5DBDCC0]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB5DD0EB4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB5DD12A2]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB5DDA916]
    SSDT 8A1B9CB0 ZwCreateSymbolicLinkObject
    SSDT 8A20A2F8 ZwCreateThread
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB5DBDDF6]
    SSDT 8A1B9F70 ZwDebugActiveProcess
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB5DB8398]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB66043B0]
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB6604910]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB5DCFDF0]
    SSDT 8A25CBC0 ZwFreeVirtualMemory
    SSDT 8A20DEB0 ZwImpersonateAnonymousToken
    SSDT 8A20DF90 ZwImpersonateThread
    SSDT 8A11F6C8 ZwLoadDriver
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB5DD893C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB5DD8B44]
    SSDT 8A25CAE0 ZwMapViewOfSection
    SSDT 8A20DCE0 ZwOpenEvent
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB5DB7FAA]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB5DD31CE]
    SSDT 8A01B1F8 ZwOpenProcessToken
    SSDT 8A20DB20 ZwOpenSection
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB5DD2DF8]
    SSDT 8A1B9DA0 ZwProtectVirtualMemory
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB5DD98D2]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB5DD9208]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB5DBD0F4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB5DDA2A4]
    SSDT 8A26E1F0 ZwResumeThread
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB5DBD7DC]
    SSDT 8A21A868 ZwSetContextThread
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB5DB875C]
    SSDT 8A1EBAE0 ZwSetInformationProcess
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB5DD9E12]
    SSDT 8A20D9D8 ZwSetSystemInformation
    SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB6604B60]
    SSDT 8A20DC00 ZwSuspendProcess
    SSDT 8A09DBD0 ZwSuspendThread
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB5DD1F0A]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB5DD1C86]
    SSDT 8A21A788 ZwTerminateThread
    SSDT 8A1EBBD0 ZwUnmapViewOfSection
    SSDT 8A1A1AE8 ZwWriteVirtualMemory

    ---- Devices - GMER 1.0.15 ----

    Device A Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device A Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    ---- Processes - GMER 1.0.15 ----

    Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464

    ---- EOF - GMER 1.0.15 ----



    Originally, my research led me to download Bootkit Remover. remover.exe produced this:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`01f60800
    Boot sector MD5 is: 2191ee473479383cb93df8a212a49962

    Size Device Name MBR Status
    --------------------------------------------
    38 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...

    I then did as the demonstration showed and created a fix.bat file containing

    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT

    The result was:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

    CreateFile() ERROR 121
    ERROR: Can't open physical disk device.

    Done;
    Press any key to quit...

    I'm not sure where to go from here and any help would be greatly appreciated.
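One way to triage GMER output of the kind posted above, as an added example that is not part of this thread (my code, not GMER's or TechSpot's): it sorts SSDT hooks into those owned by the security products the log shows installed (ZoneAlarm and Symantec, an assumed whitelist to adjust per host), hooks from any other module, hooks GMER could not attribute to a module at all, and hidden processes. The sample lines follow the shape of the posted log; the `placeholder.sys` entry is a constructed placeholder, not a real driver.

```python
import re
from collections import Counter

# Vendors whose kernel hooks are expected on this box, judging by the products
# in the posted log. Assumption: edit this set for the host being examined.
EXPECTED_VENDORS = {"Check Point Software Technologies LTD", "Symantec Corporation"}

# Constructed sample in the shape of GMER's SSDT and Processes sections.
# The placeholder.sys line is a constructed placeholder, not a real driver.
SAMPLE_LOG = r"""
SSDT 8A09DA10 ZwAlertResumeThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5DB7782]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB6604130]
SSDT 8A20DDC0 ZwCreateMutant
SSDT \SystemRoot\System32\drivers\placeholder.sys (constructed placeholder/Unverified Vendor) ZwOpenProcess [0xB5000000]
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 3464
"""

# Hook resolved to a module: "SSDT <module> (<description>/<vendor>) <Zw func> [0x<addr>]"
HOOK_WITH_MODULE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^/]*)/(?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# Hook GMER could only report as a raw kernel address: "SSDT <8 hex digits> <Zw func>"
HOOK_UNATTRIBUTED = re.compile(r"^SSDT\s+[0-9A-Fa-f]{8}\s+(?P<func>Zw\w+)$")
# Process GMER found by cross-view but not in the normal process list
HIDDEN_PROCESS = re.compile(r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<pid>\d+)$")


def triage(log_text):
    """Classify GMER SSDT/process lines; returns a dict of findings by category."""
    result = {"expected": Counter(), "review": [], "unattributed": [], "hidden": []}
    for line in log_text.splitlines():
        line = line.strip()
        if (m := HOOK_WITH_MODULE.match(line)):
            module = m["module"].rsplit("\\", 1)[-1]  # basename of the NT path
            if m["vendor"] in EXPECTED_VENDORS:
                result["expected"][module] += 1
            else:
                result["review"].append((module, m["vendor"], m["func"]))
        elif (m := HOOK_UNATTRIBUTED.match(line)):
            result["unattributed"].append(m["func"])
        elif (m := HIDDEN_PROCESS.match(line)):
            result["hidden"].append((m["path"], int(m["pid"])))
    return result


def summarize(log_text):
    """Render the triage as one analyst-readable line per finding."""
    r = triage(log_text)
    lines = [f"{n} SSDT hook(s) from expected module {mod}" for mod, n in sorted(r["expected"].items())]
    lines += [f"REVIEW: {func} hooked by {mod} ({vendor})" for mod, vendor, func in r["review"]]
    lines += [f"REVIEW: {func} hooked at an address GMER could not attribute to a module" for func in r["unattributed"]]
    lines += [f"ALERT: hidden process {path} (pid {pid})" for path, pid in r["hidden"]]
    return lines
```

Unattributed hooks are not proof of infection on their own (some security products hook from memory they allocate at runtime), but a hidden process is the finding a helper would act on first.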
     
  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344
