Rootkit; 3 PCs; Possible IAT Modification; S-1-5- in Registry as User

Posted on 2010-09-16
Last Modified: 2013-11-22
Likely Rootkit doing IAT modification.  Still there after a clean CD install to Win XP SP1. Then SP2 and 3 from a CD burned by an unaffected PC!
Infection State: WinXP SP3; current MS Updates; current Mcafee security suite.
It started while browsing - using Google search.  McAfee reported a Trojan.
But it did not stop it.  Redirected sites, false AV scans.  It slowly strangled the machine.
The USB drive attached to it was moved to a second PC, and infected it as well.
I charged my Razr phone using an infected PC and then moved it to a second laptop to charge,
the third PC got infected. So three PCs are trashed.
The worst symptoms (web redirection, disabling hardware, blocking anti-malware sites)
disappeared after a format and reinstall from the recovery partition.
I have scanned using almost every tool available.  MRT reported it as Alureon.
I formatted the C: drive and did more than one install from the recovery partition.
The mild symptoms reappeared almost immediately.
The mild symptoms are:
Hidden and System "desktop.ini" files created frequently in Documents and Setting folders.
Delete them and they reappear.  Same with Index.dat files in D&S folders.  Iconcache appears in
one D&S folder as does GDIFonts.dat.  It also appears to modify Explorer to not show all files: GMER
shows a + next to folder. When you get to it, it is empty and the + disappears.
Regedit is unable to see settings that GMER reports in Red.
"Users" have been added to the registry, beginning with S-1-5-.
And Windows/Prefetch shows a lot of executables (through the ".EXE") that do not appear anywhere on the drive.
Gmer MBR reports clean.  MRT is clean, as is RootkitRevealer, Gmer (other than Registry entries, that I cannot see using Regedit).
DrWeb (both AV and CureIt), AVG Rootkit, MBAM, and a few more.  But, I do not trust these much if the rootkit can hide from them.
After the Gmer registry problems that cannot be seen in Regedit, the only tool that reports a possible problem is
Rootkit Unhooker:

Rootkit Unhooker reports possible IAT modification as follows:

ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]

I have exhausted my humble abilities and considerable patience.
Any help is greatly appreciated.
Question by:GregPaul
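Added example, not code from this thread or from Rootkit Unhooker: a Python parser that turns report lines like those above into fields (process, importer, exporter, hooked function, target address, module owning the target) and counts hooks per owning module, which is the first split a triage needs, since shimeng.dll is the Windows application-compatibility shim engine and legitimately patches GetProcAddress imports in processes it shims. Field names are my own choice; the sample lines are copied from the report quoted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Rootkit Unhooker lines quoted in the question.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]
"""

# "[pid]proc-->importer-->exporter-->Func, Type: IAT modification 0xADDR [module owning ADDR]"
IAT_RE = re.compile(r"^\[(\d+)\](\S+), Type: IAT modification (0x[0-9A-Fa-f]+) \[([^\]]+)\]$")
# "module+0xOFFSET, Type: Inline - JumpKind 0xADDR [module owning ADDR]"
INLINE_RE = re.compile(r"^(\S+)\+(0x[0-9A-Fa-f]+), Type: Inline - (\w+) (0x[0-9A-Fa-f]+) \[([^\]]+)\]$")


def parse_line(line):
    """Return a dict for one report line, or None for lines in neither format."""
    line = line.strip()
    m = IAT_RE.match(line)
    if m:
        pid, chain, addr, owner = m.groups()
        parts = chain.split("-->")
        # Chain ends with "exporter-->Function"; the importer is the module before
        # the exporter, which is the process image itself for three-part chains.
        return {"kind": "iat", "pid": int(pid), "process": parts[0],
                "importer": parts[-3], "exporter": parts[-2], "function": parts[-1],
                "target": int(addr, 16), "owner": owner}
    m = INLINE_RE.match(line)
    if m:
        module, offset, jump, addr, owner = m.groups()
        return {"kind": "inline", "module": module, "offset": int(offset, 16),
                "jump": jump, "target": int(addr, 16), "owner": owner}
    return None


def parse_report(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(records):
    """Hooks per module owning the target, with the symbols touched: a report whose
    user-mode entries all resolve into one module is one file to verify on disk,
    not seven separate findings."""
    counts = Counter(r["owner"] for r in records)
    symbols = {}
    for r in records:
        symbols.setdefault(r["owner"], set()).add(r.get("function", r.get("module")))
    return {o: {"count": n, "symbols": sorted(symbols[o])} for o, n in counts.items()}
```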
LVL 20

Expert Comment

ID: 33692333
Sounds like your USB devices are carrying it - after you remove it from them, turn off the autorun feature on the machines to stop it reloading the code.

If you are doing clean installs - do them while disconnected from the network, and install AV first before connecting them to the lan, and turn file sharing off - then do all your updates etc.

also - malwarebytes in safe mode tends to fix most things for me

Author Comment

ID: 33692693
This thing is hooked much deeper than normal.
It will not let me post to this site from an infected PC.  This is being typed on an uninfected PC.
And, yes, it does move via Autorun and USB devices.
After a primary partition removal, recreation, format and a reinstall from the recovery partition (which was not removed or reformatted), with no network connection, IT IS STILL THERE.  It creates a RECYCLER directory in the root, and allegedly code-injects common windows executables.
MalwareBytes in Safe Mode says it is clean.
LVL 12

Assisted Solution

mccracky earned 500 total points
ID: 33693871
Can't you install "clean" from a CD?  it might have infected the recovery partition.  If you have an install CD, format the whole disk (including the recovery partition) and install.

Author Comment

ID: 33694034
Well...that is the very last resort as I do not have recovery CD's - only the recovery partition.  Two of the PCs are Lenovo Thinkpads, and they are supposed to allow the creation of recovery CDs, but that option does not appear on my restored (from partition) system.

I was hoping to find the root cause, and kill it without completely wiping the entire drive.
LVL 22

Expert Comment

ID: 33694572
Run these on one of those affected machines and post their logs :)
TdssKiller and Hitmanpro.

Run Combofix and post log here

>Tools may be required to be downloaded on another machine and transferred via removable device (burn them to a CD if applicable and copy to desktop)

>If they still don't run, redownload them but rename them prior to saving them

Author Comment

ID: 33695072
Thanks Optoma!
I ran all three in Safe Mode with Networking.
I cannot "submit" from the infected PC, so emailed logs to one that is not.
All three are attached.  Not sure TDSS did the full run - only scanned 160 objects.

Author Comment

ID: 33695335
Sorry about that TDSS Log...
This one is complete.
LVL 22

Expert Comment

ID: 33696105
Hi. Not much showing up.
Its better to run the scans in normal mode these days when applicable.
Can you run just TdssKiller and Hitmanpro in normal mode.

Also check this file at virus total


Author Comment

ID: 33696633
Thanks again for your help.
Ran TDSS and  HitManPro in Normal Mode.
Attached are logs.  At airport.  
Won't be back on until Friday.

Author Comment

ID: 33696667
Sorry, here is the HitManPro log from a Normal Mode scan.
I went to the site you recommended and searched for that file, both with and without the C:\windows
prefix and did not get any hits.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33697411
Hi GregPaul,

I believe Optoma means to upload the file to and see if they report the name of virus/ rootkit or anything else.
Also check this file at virus total



Author Comment

ID: 33703406
I have looked at the executable is-3UKAE.exe, and due to the logs created at exactly the same time (attached) it appears to be MBAM, or it could be faked by the malware to look that way, or neuter MBAM.
I did upload the executable to
They have seen it before and here is what they said:
File name: is-PRCJQ.exe
Submission date: 2010-09-16 03:48:08 (UTC)
Current status: finished
Result: 0 /43 (0.0%)

LVL 22

Expert Comment

ID: 33704253
Hi. I'm not sure as what could be on those machines as the logs come back clean.
The flash drive/s, run Flash Disinfector

As mentioned above, try a clean install on one of them and see how it behaves.

Author Comment

ID: 33731987
I did download flash disinfector.  One of the scan tools indicated that there was a worm in its exe?
No big deal, as the USB drive and all PCs are infected at the moment.
I am still trying to identify this thing that has possessed all three PCs.
When the September version of MRT runs, it ends clean (no infections found), but the log indicates:
"WARNING: Security Policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015."
Other symptoms: At boot it creates and locks a file called (variably) flaD.tmp in the TEMP directory.  488,389 bytes.
A PASSWD.LOG file in Windows\Debug (0 bytes and blank when examined with Notepad) is created, refreshed at boot.  It will not allow me to get to the site via IE (now version 8).
Cannot check flaD.tmp with Virus Total either via upload or email because it is locked.
Tried to check running process executables at VirusTotal: explorer.exe, winlogon.exe, csrss.exe, smss.exe.  None could be accessed, uploaded or sent.  The files on the hard drive are clean.  The files in use may be injected versions?
I am going to keep trying to find the root cause.
Any ideas?
LVL 22

Expert Comment

ID: 33732434
FlashDisinfector is flagged by some AVs as bad. Only a false positive, ignore the warning!

Can you reach any AV sites or MS updates?

Author Comment

ID: 33732756
Thanks Optoma.
Yes, I am getting MS Updates when in Normal Mode.  
I just removed McAfee suite, and ran their special uninstaller(mpcr.exe) and downloaded and attempted install of AVG Suite in Safe mode.
Followed their instructions for Safe Mode install and got install error: "Error: MSVC Redistributables installation failed. Installation of AVG can not continue."
Have posted tech support question with AVG within last 30 minutes.

Author Comment

ID: 33732815
Ok... getting more interesting.
Still in safe mode.
Figured out that AVP needs C+ code base from Microsoft.
Download vcredist_x86.exe from MS.
Start install... then an Installer window pops up with: "The system administrator has set policies to prevent this installation."  OK is the only response.
Installer process is running as "Owner" (my profile) which is an administrator.
There are domain entries and group policies in the registry... added by malware.

Accepted Solution

GregPaul earned 0 total points
ID: 33765119
Case closed.  Repartitioned, reformatted and reinstalled desktop PC.  Restored two laptops from Recovery Partition.
A lot of work, but all seems normal.
Thanks for your time and advice!
LVL 12

Expert Comment

ID: 34174039
It's fine to delete if you want, but the author's final post of his "solution" was basically what I suggested in post 3693871.

Expert Comment

ID: 34203754
Following an 'Objection' by mccracky (at to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed by accepting the author's solution and awarding points to an Expert's comment.

At this point I am going to re-start the auto-close procedure.
Thank you,
Community Support Moderator
