Solved

Rootkit; 3 PCs; Possible IAT Modification; S-1-5- in Registry as User

Posted on 2010-09-16
637 Views
Last Modified: 2013-11-22
Likely rootkit doing IAT modification. Still there after a clean CD install to Win XP SP1, then SP2 and 3 from a CD burned by an unaffected PC!
Infection state: WinXP SP3; current MS updates; current McAfee security suite.
It started while browsing - using Google search. McAfee reported a Trojan.
But it did not stop it. Redirected sites, false AV scans. It slowly strangled the machine.
The USB drive attached to it was moved to a second PC, and infected it as well.
I charged my Razr phone using an infected PC and then moved it to a second laptop to charge,
and the third PC got infected. So three PCs are trashed.
The worst symptoms (web redirection, disabling hardware, blocking anti-malware sites)
disappeared after a format and reinstall from the recovery partition.
I have scanned using almost every tool available. MRT reported it as Alureon.
I formatted the C: drive and did more than one install from the recovery partition.
The mild symptoms reappeared almost immediately.
The mild symptoms are:
Hidden and System "desktop.ini" files created frequently in Documents and Settings folders.
Delete them and they reappear. Same with Index.dat files in D&S folders. Iconcache appears in
one D&S folder as does GDIFonts.dat. It also appears to modify Explorer to not show all files: GMER
shows a + next to a folder. When you get to it, it is empty and the + disappears.
Regedit is unable to see settings that GMER reports in red.
"Users" have been added to the registry, beginning with S-1-5-.
And Windows/Prefetch shows a lot of executables (through the ".EXE") that do not appear anywhere on the drive.
GMER MBR reports clean. MRT is clean, as is RootkitRevealer, GMER (other than registry entries that I cannot see using Regedit),
DrWeb (both AV and CureIt), AVG Rootkit, MBAM, and a few more. But I do not trust these much if the rootkit can hide from them.
Apart from the GMER registry entries that cannot be seen in Regedit, the only tool that reports a possible problem is
Rootkit Unhooker:

Rootkit Unhooker reports possible IAT modification as follows:
==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks

ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]

I have exhausted my humble abilities and considerable patience.
Any help is greatly appreciated.
Question by:GregPaul
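Hook lists like the Rootkit Unhooker output in the question can be triaged mechanically: parse each reported hook, record which module now owns the import or the patched code, and flag only hooks by modules you cannot account for. The Python below is an added example, not the tool's or the poster's code; the KNOWN_HOOKERS set (shimeng.dll is the Windows application-compatibility shim engine, which redirects GetProcAddress in shimmed processes) and the extra pid-9999 line are assumptions constructed for the demonstration.

```python
import re
from collections import namedtuple

# Constructed sample: three hook lines quoted in the question above, plus one
# made-up line (pid 9999, unknown_example.dll) to exercise the "review" path.
SAMPLE_RKU_OUTPUT = """\
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[9999]explorer.exe-->ws2_32.dll-->send, Type: IAT modification 0x10001000 [unknown_example.dll]
"""

# Assumption: modules that are expected to redirect imports on this box.
# shimeng.dll is the Windows application-compatibility shim engine, which
# patches GetProcAddress in the IAT of shimmed processes; add your own here.
KNOWN_HOOKERS = {"shimeng.dll"}

Hook = namedtuple("Hook", "kind pid process importer exporter target address module verdict")

IAT_RE = re.compile(r"^\[(\d+)\](.+?), Type: IAT modification (0x[0-9A-Fa-f]+) \[(.+?)\]$")
INLINE_RE = re.compile(r"^(\S+?)\+(0x[0-9A-Fa-f]+), Type: Inline - \w+ (0x[0-9A-Fa-f]+) \[(.+?)\]$")

def triage(line):
    """Parse one Rootkit Unhooker hook line into a Hook, or None for other lines."""
    m = IAT_RE.match(line)
    if m:
        pid, chain, addr, module = m.groups()
        # chain is process-->[importing dll-->]exporting dll-->function
        parts = chain.split("-->")
        process, exporter, function = parts[0], parts[-2], parts[-1]
        importer = parts[-3] if len(parts) > 3 else process  # process's own IAT
        verdict = "allowlisted" if module.lower() in KNOWN_HOOKERS else "review"
        return Hook("IAT", int(pid), process, importer, exporter, function, addr, module, verdict)
    m = INLINE_RE.match(line)
    if m:
        image, offset, addr, module = m.groups()
        # A jump that stays inside the patched image ranks below one into a foreign module.
        verdict = "intra-module" if module.lower() == image.lower() else "review"
        return Hook("Inline", None, image, None, None, image + "+" + offset, addr, module, verdict)
    return None

def triage_report(text):
    """Return (all parsed hooks, hooks needing analyst attention)."""
    hooks = [h for h in map(triage, text.splitlines()) if h is not None]
    return hooks, [h for h in hooks if h.verdict == "review"]

if __name__ == "__main__":
    for h in triage_report(SAMPLE_RKU_OUTPUT)[0]:
        print(f"{h.verdict:13}{h.kind:7}{h.process:14}{h.target} -> {h.module}")
```

Paste a full RkU log into SAMPLE_RKU_OUTPUT (or read it from a file) and only the hooks whose owning module is neither the patched image nor an allowlisted hooker come back in the second list.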
22 Comments
 
Expert Comment by: wolfcamel (LVL 20)

Sounds like your USB devices are carrying it - after you remove it from them, turn off the autorun feature on the machines to stop it reloading the code.

If you are doing clean installs, do them while disconnected from the network, and install AV first before connecting them to the LAN, and turn file sharing off - then do all your updates etc.

Also, Malwarebytes in Safe Mode tends to fix most things for me.
 

Author Comment by: GregPaul

This thing is hooked much deeper than normal.
It will not let me post to this site from an infected PC. This is being typed on an uninfected PC.
And, yes, it does move via Autorun and USB devices.
After a primary partition removal, recreation, format and a reinstall from the recovery partition (which was not removed or reformatted), with no network connection, IT IS STILL THERE. It creates a RECYCLER directory in the root, and allegedly code-injects common Windows executables.
MalwareBytes in Safe Mode says it is clean.
 
Assisted Solution by: mccracky (LVL 12)
mccracky earned 500 total points

Can't you install "clean" from a CD? It might have infected the recovery partition. If you have an install CD, format the whole disk (including the recovery partition) and install.
 

Author Comment by: GregPaul

Well... that is the very last resort, as I do not have recovery CDs - only the recovery partition. Two of the PCs are Lenovo ThinkPads, and they are supposed to allow the creation of recovery CDs, but that option does not appear on my restored (from partition) system.

I was hoping to find the root cause, and kill it without completely wiping the entire drive.
 
Expert Comment by: optoma (LVL 22)

Run these on one of those affected machines and post their logs :)
TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

Run Combofix and post log here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

>Tools may need to be downloaded on another machine and transferred via removable device (burn them to a CD if applicable and copy to desktop)

>If they still don't run, redownload them but rename them prior to saving them
 

Author Comment by: GregPaul

Thanks Optoma!
I ran all three in Safe Mode with Networking.
I cannot "submit" from the infected PC, so emailed logs to one that is not.
All three are attached. Not sure TDSS did the full run - only scanned 160 objects.
TDSSKiller.2.4.2.1-16.09.2010-14.txt
hitmatpro.xml
ComboFix.txt
 

Author Comment by: GregPaul

Sorry about that TDSS log...
This one is complete.
TDSSKiller.2.4.2.1-16.09.2010-14.txt
 
Expert Comment by: optoma (LVL 22)

Hi. Not much showing up.
It's better to run the scans in normal mode these days when applicable.
Can you run just TdssKiller and Hitmanpro in normal mode?

Also check this file at VirusTotal
http://www.virustotal.com/

C:\WINDOWS\is-3UKAE.exe
 

Author Comment by: GregPaul

Thanks again for your help.
Ran TDSS and HitManPro in Normal Mode.
Attached are logs. At airport.
Won't be back on until Friday.
TDSSKiller.2.4.2.1-16.09.2010-17.txt
 

Author Comment by: GregPaul

Sorry, here is the HitManPro log from a Normal Mode scan.
I went to the site you recommended and searched for that file, both with and without the C:\windows
prefix and did not get any hits.
HitManProNormMode.xml
 
Expert Comment by: Sudeep Sharma (LVL 29)

Hi GregPaul,

I believe Optoma means to upload the file to virustotal.com and see if they report the name of the virus/rootkit or anything else.
===========================
Also check this file at virus total
http://www.virustotal.com/

C:\WINDOWS\is-3UKAE.exe
==========================

Sudeep
 

Author Comment by: GregPaul

I have looked at the executable is-3UKAE.exe, and due to the logs created at exactly the same time (attached) it appears to be MBAM, or it could be faked by the malware to look that way, or neuter MBAM.
I did upload the executable to virustotal.com.
They have seen it before and here is what they said:
File name: is-PRCJQ.exe
Submission date: 2010-09-16 03:48:08 (UTC)
Current status: finished
Result: 0 /43 (0.0%)

is-3UKAE.lst
is-3UKAE.msg
 
Expert Comment by: optoma (LVL 22)

Hi. I'm not sure what could be on those machines, as the logs come back clean.
For the flash drive(s), run Flash Disinfector
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

As mentioned above, try a clean install on one of them and see how it behaves.
 

Author Comment by: GregPaul

I did download Flash Disinfector. One of the scan tools indicated that there was a worm in its exe?
No big deal, as the USB drive and all PCs are infected at the moment.
I am still trying to identify this thing that has possessed all three PCs.
When the September version of MRT runs, it ends clean (no infections found), but the log indicates:
"WARNING: Security Policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015."
Other symptoms: At boot it creates and locks a file called (variably) flaD.tmp in the TEMP directory. 488,389 bytes.
A PASSWD.LOG file in Windows\Debug (0 bytes and blank when examined with Notepad) is created, refreshed at boot. It will not allow me to get to the www.ewido.net site via IE (now version 8).
Cannot check flaD.tmp with VirusTotal either via upload or email because it is locked.
Tried to check running process executables at VirusTotal: explorer.exe, winlogon.exe, csrss.exe, smss.exe. None could be accessed, uploaded or sent. The files on the hard drive are clean. The files in use may be injected versions?
I am going to keep trying to find the root cause.
Any ideas?
 
Expert Comment by: optoma (LVL 22)

FlashDisinfector is flagged by some AVs as bad. Only a false positive, ignore the warning!
http://www.virustotal.com/file-scan/report.html?id=1357175d260de3ca70b7f824667eda5e381906a25d7bf1277e8622641225ae77-1285001552

Can you reach any AV sites or MS updates?
 

Author Comment by: GregPaul

Thanks Optoma.
Yes, I am getting MS Updates when in Normal Mode.
I just removed the McAfee suite, ran their special uninstaller (mpcr.exe), and downloaded and attempted an install of the AVG suite in Safe Mode.
Followed their instructions for a Safe Mode install and got an install error: "Error: MSVC Redistributables installation failed. Installation of AVG can not continue."
Have posted a tech support question with AVG within the last 30 minutes.
 

Author Comment by: GregPaul

Ok... getting more interesting.
Still in Safe Mode.
Figured out that AVP needs the C+ code base from Microsoft.
Downloaded vcredist_x86.exe from MS.
Start install... then an Installer window pops up with: "The system administrator has set policies to prevent this installation." OK is the only response.
The installer process is running as "Owner" (my profile), which is an administrator.
There are domain entries and group policies in the registry... added by malware.
 

Accepted Solution by: GregPaul
GregPaul earned 0 total points

Case closed. Repartitioned, reformatted and reinstalled the desktop PC. Restored two laptops from the Recovery Partition.
A lot of work, but all seems normal.
Thanks for your time and advice!
 
Expert Comment by: mccracky (LVL 12)

It's fine to delete if you want, but the author's final post of his "solution" was basically what I suggested in post 3693871.
 

Expert Comment by: _alias99

All,

Following an 'Objection' by mccracky (at http://www.experts-exchange.com/Q_26627150.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed by accepting the author's solution and awarding points to an Expert's comment.

At this point I am going to re-start the auto-close procedure.

Thank you,

_alias99
Community Support Moderator
