Rootkit; 3 PCs; Possible IAT Modification; S-1-5- in Registry as User

Likely Rootkit doing IAT modification.  Still there after a clean CD install to Win XP SP1. Then SP2 and 3 from a CD burned by an unaffected PC!
Infection State: WinXP SP3; current MS Updates; current Mcafee security suite.
It started while browsing - using Google search.  McAfee reported a Trojan.
But it did not stop it.  Redirected sites, false AV scans.  It slowly strangled the machine.
The USB drive attached to it was moved to a second PC, and infected it as well.
I charged my Razr phone using an infected PC and then moved it to a second laptop to charge,
and the third PC got infected. So three PCs are trashed.
The worst symptoms (web redirection, disabling hardware, blocking anti-malware sites)
disappeared after a format and reinstall from the recovery partition.
I have scanned using almost every tool available.  MRT reported it as Alureon.
I formatted the C: drive and did more than one install from the recovery partition.
The mild symptoms reappeared almost immediately.
The mild symptoms are:
Hidden and System "desktop.ini" files created frequently in Documents and Settings folders.
Delete them and they reappear.  Same with Index.dat files in D&S folders.  Iconcache appears in
one D&S folder as does GDIFonts.dat.  It also appears to modify Explorer to not show all files: GMER
shows a + next to folder. When you get to it, it is empty and the + disappears.
Regedit is unable to see settings that GMER reports in Red.
"Users" have been added to the registry, beginning with S-1-5-.
And Windows/Prefetch shows a lot of executables (through the ".EXE") that do not appear anywhere on the drive.
Gmer MBR reports clean.  MRT is clean, as is RootkitRevealer, Gmer (other than Registry entries, that I cannot see using Regedit).
DrWeb (both AV and CureIt), AVG Rootkit, MBAM, and a few more.  But, I do not trust these much if the rootkit can hide from them.
After the Gmer registry problems that cannot be seen in Regedit, the only tool that reports a possible problem is
Rootkit Unhooker:

Rootkit Unhooker reports possible IAT modification as follows:

ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]

I have exhausted my humble abilities and considerable patience.
Any help is greatly appreciated.
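As an added example (not part of the question, and not code from Rootkit Unhooker), the following Python script parses hook-report lines in the format quoted above and applies a simple triage rule: which module owns the memory each hook lands in, and is that module one that hooks as part of normal Windows operation. The line format is inferred only from the lines quoted here, and the table of known hooking modules is this example's own assumption. shimeng.dll is the Windows application-compatibility shim engine, which redirects GetProcAddress through the IAT when compatibility shims are applied, so an IAT entry pointing into it is classed "expected, verify the on-disk file" rather than "suspicious"; an in-kernel inline patch is classed "review" because a report line alone cannot say whether the patch is benign.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The Rootkit Unhooker lines quoted in the question, used as the sample input.
# The line format handled below is inferred from these lines only.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]
"""

LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<process>.+?)-->)?"          # user-mode lines start with [pid]process-->
    r"(?P<chain>.+?), Type: (?P<kind>.+?) "                # importer chain (or image+offset), hook type
    r"(?P<address>0x[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"  # address the hook points to, owning module
)

# Modules known to install IAT hooks during normal Windows operation.
# This table is the example's own assumption, not something Rootkit Unhooker ships.
KNOWN_HOOKERS = {
    "shimeng.dll": "Windows application-compatibility shim engine",
}


@dataclass
class Hook:
    pid: Optional[int]
    process: Optional[str]
    chain: str      # e.g. "advapi32.dll-->kernel32.dll-->GetProcAddress"
    kind: str       # "IAT modification" or "Inline - RelativeJump"
    address: int
    owner: str      # module that owns the memory the hook lands in
    verdict: str    # "expected", "review" or "suspicious"
    reason: str


def assess(kind, chain, owner):
    """Triage rule: who owns the code the hook lands in, and is that module expected to hook?"""
    hooked_image = chain.split("-->")[0].split("+")[0]
    if kind.startswith("Inline") and owner.lower() == hooked_image.lower():
        return "review", ("inline patch inside %s itself; compare the bytes at the reported offset "
                          "against a known-clean copy of the same file version" % hooked_image)
    if kind == "IAT modification" and owner.lower() in KNOWN_HOOKERS:
        return "expected", ("%s is the %s; confirm the on-disk file is the signed Microsoft copy"
                            % (owner, KNOWN_HOOKERS[owner.lower()]))
    return "suspicious", "%s owned by %s, which is not a module known to hook" % (kind, owner)


def parse_line(line):
    """One report line -> Hook, or None if the line is not in the recognised format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict, reason = assess(m["kind"], m["chain"], m["owner"])
    return Hook(
        pid=int(m["pid"]) if m["pid"] else None,
        process=m["process"],
        chain=m["chain"],
        kind=m["kind"],
        address=int(m["address"], 16),
        owner=m["owner"],
        verdict=verdict,
        reason=reason,
    )


def triage(report):
    """Parse every recognised line of a report into Hook records, skipping anything else."""
    return [h for h in (parse_line(line) for line in report.splitlines()) if h is not None]


def summarize(hooks):
    """Counts per verdict and per owning module, plus which imports were redirected."""
    return {
        "by_verdict": dict(Counter(h.verdict for h in hooks)),
        "by_owner": dict(Counter(h.owner for h in hooks)),
        "hooked_imports": sorted({h.chain.split("-->")[-1] for h in hooks if h.kind == "IAT modification"}),
    }


if __name__ == "__main__":
    hooks = triage(SAMPLE_REPORT)
    for h in hooks:
        print("%-10s %-22s %s  <- %s" % (h.verdict, h.kind, h.chain, h.reason))
    print(summarize(hooks))
```

Run against the quoted report, all seven user-mode entries are GetProcAddress imports of explorer.exe (PID 2036) redirected into shimeng.dll, and the one kernel entry is an inline jump inside ntkrnlpa.exe. The useful defender follow-up on either class is the same: hash the on-disk shimeng.dll and ntkrnlpa.exe and compare them against copies from a known-clean machine with the same service pack and update level.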
GregPaulAuthor Commented:
Case closed.  Repartitioned, reformatted and reinstalled desktop PC.  Restored two laptops from Recovery Partition.
A lot of work, but all seems normal.
Thanks for your time and advice!
Sounds like your USB devices are carrying it. After you remove it from them, turn off the Autorun feature on the machines to stop it reloading the code.

If you are doing clean installs, do them while disconnected from the network, and install AV first before connecting them to the LAN, and turn file sharing off. Then do all your updates etc.

Also, Malwarebytes in Safe Mode tends to fix most things for me.
GregPaulAuthor Commented:
This thing is hooked much deeper than normal.
It will not let me post to this site from an infected PC.  This is being typed on an uninfected PC.
And, yes, it does move via Autorun and USB devices.
After a primary partition removal, recreation, format and a reinstall from the recovery partition (which was not removed or reformatted), with no network connection, IT IS STILL THERE.  It creates a RECYCLER directory in the root, and allegedly code-injects common windows executables.
MalwareBytes in Safe Mode says it is clean.
mccracky Commented:
Can't you install "clean" from a CD?  It might have infected the recovery partition.  If you have an install CD, format the whole disk (including the recovery partition) and install.
GregPaulAuthor Commented:
Well... that is the very last resort as I do not have recovery CDs, only the recovery partition.  Two of the PCs are Lenovo Thinkpads, and they are supposed to allow the creation of recovery CDs, but that option does not appear on my restored (from partition) system.

I was hoping to find the root cause, and kill it without completely wiping the entire drive.
Run these on one of those affected machines and post their logs: TDSSKiller and HitmanPro.

Run ComboFix and post the log here.

> Tools may need to be downloaded on another machine and transferred via a removable device (burn them to a CD if applicable and copy to the desktop).

> If they still don't run, redownload them but rename them prior to saving them.
GregPaulAuthor Commented:
Thanks Optoma!
I ran all three in Safe Mode with Networking.
I cannot "submit" from the infected PC, so emailed logs to one that is not.
All three are attached.  Not sure TDSS did the full run - only scanned 160 objects.
GregPaulAuthor Commented:
Sorry about that TDSS Log...
This one is complete.
Hi. Not much showing up.
It's better to run the scans in normal mode these days when applicable.
Can you run just TDSSKiller and HitmanPro in normal mode.

Also check this file at VirusTotal.

GregPaulAuthor Commented:
Thanks again for your help.
Ran TDSS and  HitManPro in Normal Mode.
Attached are logs.  At airport.
Won't be back on until Friday.
GregPaulAuthor Commented:
Sorry, here is the HitManPro log from a Normal Mode scan.
I went to the site you recommended and searched for that file, both with and without the C:\windows
prefix and did not get any hits.
Sudeep Sharma, Technical Designer, Commented:
Hi GregPaul,

I believe Optoma means to upload the file to and see if they report the name of the virus/rootkit or anything else.
Also check this file at virus total


GregPaulAuthor Commented:
I have looked at the executable is-3UKAE.exe, and due to the logs created at exactly the same time (attached) it appears to be MBAM, or it could be faked by the malware to look that way, or neuter MBAM.
I did upload the executable to
They have seen it before and here is what they said:
File name: is-PRCJQ.exe
Submission date: 2010-09-16 03:48:08 (UTC)
Current status: finished
Result: 0 /43 (0.0%)

Hi. I'm not sure what could be on those machines as the logs come back clean.
For the flash drive(s), run Flash Disinfector.

As mentioned above, try a clean install on one of them and see how it behaves.
GregPaulAuthor Commented:
I did download Flash Disinfector.  One of the scan tools indicated that there was a worm in its exe?
No big deal, as the USB drive and all PCs are infected at the moment.
I am still trying to identify this thing that has possessed all three PCs.
When the September version of MRT runs, it ends clean (no infections found), but the log indicates:
"WARNING: Security Policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015."
Other symptoms: At boot it creates and locks a file called (variably) flaD.tmp in the TEMP directory.  488,389 bytes.
A PASSWD.LOG file in Windows\Debug (0 bytes and blank when examined with Notepad) is created, refreshed at boot.  It will not allow me to get to the site via IE (now version 8).
Cannot check flaD.tmp with Virus Total either via upload or email because it is locked.
Tried to check running process executables at VirusTotal: explorer.exe, winlogon.exe, csrss.exe, smss.exe.  None could be accessed, uploaded or sent.  The files on the hard drive are clean.  The files in use may be injected versions?
I am going to keep trying to find the root cause.
Any ideas?
Flash Disinfector is flagged by some AVs as bad. Only a false positive, ignore the warning!

Can you reach any AV sites or MS updates?
GregPaulAuthor Commented:
Thanks Optoma.
Yes, I am getting MS Updates when in Normal Mode.
I just removed the McAfee suite, ran their special uninstaller (MCPR.exe), and downloaded and attempted an install of the AVG Suite in Safe Mode.
Followed their instructions for Safe Mode install and got install error: "Error: MSVC Redistributables installation failed. Installation of AVG can not continue."
Have posted tech support question with AVG within last 30 minutes.
GregPaulAuthor Commented:
Ok... getting more interesting.
Still in safe mode.
Figured out that AVG needs the C++ code base from Microsoft.
Downloaded vcredist_x86.exe from MS.
Start install... then an Installer window pops up with: "The system administrator has set policies to prevent this installation."  OK is the only response.
The installer process is running as "Owner" (my profile), which is an administrator.
There are domain entries and group policies in the registry... added by malware.
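Two posts in this thread point at the registry: the question mentions "Users" added under S-1-5-, and this post mentions domain entries added by malware. As an added example (not part of the thread), the Python below shows the check an analyst would run on the subkeys of HKEY_USERS: parse each SID, recognise the well-known ones, derive the local machine SID from the built-in Administrator account (RID 500), and flag any account SID whose S-1-5-21 prefix belongs to a different machine or domain. The subkey list is constructed for the example; the `_Classes` suffix handling assumes the per-user Classes hive is listed under HKEY_USERS that way. The same classification applies to the subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

```python
import re

# Well-known SIDs that Windows fixes on every installation (the subset this example recognises).
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# RIDs every machine SID issues to its built-in accounts; locally created accounts start at 1000.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")

# Constructed HKEY_USERS subkey list: system hives, two accounts from the local machine
# (Administrator and a normal user plus its Classes hive), and one account from elsewhere.
SAMPLE_HKU = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1004",
    "S-1-5-21-1111111111-2222222222-3333333333-1004_Classes",
    "S-1-5-21-987654321-876543210-765432109-1001",
]


def parse_sid(text):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities]); None if not a SID."""
    m = SID_RE.match(text)
    if not m:
        return None
    return int(m["authority"]), [int(s) for s in m["subs"].split("-")[1:]]


def strip_classes(key):
    # Assumption: the per-user Classes hive appears as '<SID>_Classes' beside the user hive.
    return key[:-len("_Classes")] if key.endswith("_Classes") else key


def account_domain(sid_text):
    """Return the S-1-5-21-<A>-<B>-<C> issuer prefix of an account SID, or None."""
    parsed = parse_sid(sid_text)
    if parsed is None:
        return None
    authority, subs = parsed
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    return None


def infer_machine_sid(hku_subkeys):
    """The local machine SID is the issuer prefix of the RID-500 (built-in Administrator) account."""
    for key in hku_subkeys:
        sid = strip_classes(key)
        domain = account_domain(sid)
        if domain and parse_sid(sid)[1][-1] == 500:
            return domain
    return None


def classify(key, machine_sid):
    sid = strip_classes(key)
    parsed = parse_sid(sid)
    if parsed is None:
        return "not a SID (hive such as .DEFAULT)"
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    domain = account_domain(sid)
    if domain is None:
        return "unrecognised SID layout; review"
    rid = parsed[1][-1]
    if machine_sid is None or domain != machine_sid:
        return "FOREIGN account: issued by another machine or domain (%s), RID %d" % (domain, rid)
    if rid in BUILTIN_RIDS:
        return "local " + BUILTIN_RIDS[rid]
    if rid >= 1000:
        return "local user/group account, RID %d" % rid
    return "local account with reserved RID %d; review" % rid


def triage_hku(hku_subkeys, machine_sid=None):
    """Classify every HKEY_USERS subkey; the machine SID is inferred when not supplied."""
    machine_sid = machine_sid or infer_machine_sid(hku_subkeys)
    return [(key, classify(key, machine_sid)) for key in hku_subkeys]


if __name__ == "__main__":
    for key, verdict in triage_hku(SAMPLE_HKU):
        print("%-55s %s" % (key, verdict))
```

On a standalone (non-domain) machine every account SID should share the one S-1-5-21 prefix derived from the Administrator account; a profile or loaded hive under a different prefix is worth explaining, either as a domain account that once logged on or as something that should not be there.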
It's fine to delete if you want, but the author's final post of his "solution" was basically what I suggested in post 3693871.
Following an 'Objection' by mccracky to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed by accepting the author's solution and awarding points to an Expert's comment.

At this point I am going to re-start the auto-close procedure.
Thank you,
Community Support Moderator