Solved

Rootkit; 3 PCs; Possible IAT Modification; S-1-5- in Registry as User

Posted on 2010-09-16
649 Views
Last Modified: 2013-11-22
Likely rootkit doing IAT modification.  Still there after a clean CD install to Win XP SP1, then SP2 and 3 from a CD burned by an unaffected PC!
Infection State: WinXP SP3; current MS Updates; current Mcafee security suite.
It started while browsing - using Google search.  McAfee reported a Trojan.
But it did not stop it.  Redirected sites, false AV scans.  It slowly strangled the machine.
The USB drive attached to it was moved to a second PC, and infected it as well.
I charged my Razr phone using an infected PC and then moved it to a second laptop to charge,
the third PC got infected. So three PCs are trashed.
The worst symptoms (web redirection, disabling hardware, blocking anti-malware sites)
disappeared after a format and reinstall from the recovery partition.
I have scanned using almost every tool available.  MRT reported it as Alureon.
I formatted the C: drive and did more than one install from the recovery partition.
The mild symptoms reappeared almost immediately.
The mild symptoms are:
Hidden and System "desktop.ini" files created frequently in Documents and Setting folders.
Delete them and they reappear.  Same with Index.dat files in D&S folders.  Iconcache appears in
one D&S folder as does GDIFonts.dat.  It also appears to modify Explorer to not show all files: GMER
shows a + next to folder. When you get to it, it is empty and the + disappears.
Regedit is unable to see settings that GMER reports in Red.
"Users" have been added to the registry, beginning with S-1-5-.
And Windows/Prefetch shows a lot of executables (through the ".EXE") that do not appear anywhere on the drive.
Gmer MBR reports clean.  MRT is clean, as is RootkitRevealer, Gmer (other than Registry entries, that I cannot see using Regedit),
DrWeb (both AV and CureIt), AVG Rootkit, MBAM, and a few more.  But, I do not trust these much if the rootkit can hide from them.
After the Gmer registry problems that cannot be seen in Regedit, the only tool that reports a possible problem is Rootkit Unhooker:

Rootkit Unhooker reports possible IAT modification as follows:
==============================================
>Stealth
==============================================
>Files
==============================================
>Hooks

ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]

I have exhausted my humble abilities and considerable patience.
Any help is greatly appreciated.
0
Question by:GregPaul
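As an added example (not from the thread, and not part of Rootkit Unhooker itself), a small Python triage of the hook report quoted in the question: it parses each entry and flags any IAT hook owned by a module other than shimeng.dll, the Windows Application Compatibility shim engine, whose GetProcAddress IAT hooks in explorer.exe are an expected part of how shims are applied. The sample log is constructed from the lines quoted above plus one made-up line whose owner module, "unknown_mod.dll", is hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample: four Rootkit Unhooker lines quoted in the question plus one
# hypothetical line whose hook owner, "unknown_mod.dll", is made up for contrast.
SAMPLE_LOG = """\
ntkrnlpa.exe+0x0006EC6E, Type: Inline - RelativeJump 0x80545C6E [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[2036]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]
[2036]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B124C [unknown_mod.dll]
"""
# shimeng.dll is the Windows Application Compatibility shim engine; it installs
# exactly this kind of GetProcAddress IAT hook to apply shims, so such entries are
# expected on a stock XP box. Hooks owned by any other module are flagged.
KNOWN_HOOKERS = {"shimeng.dll"}

IAT_RE = re.compile(r"^\[(\d+)\](.+?), Type: IAT modification (0x[0-9A-Fa-f]+) \[(.+?)\]$")
INLINE_RE = re.compile(r"^(\S+)\+0x([0-9A-Fa-f]+), Type: Inline - (\w+) (0x[0-9A-Fa-f]+) \[(.+?)\]$")

@dataclass
class Hook:
    kind: str     # "iat" or "inline"
    where: str    # process[pid]/importing module, or image+offset
    what: str     # hooked import, or jump type for inline hooks
    owner: str    # module that owns the hook target
    verdict: str

def parse_hook(line):
    """Parse one hook line; returns a Hook, or None for section headers etc."""
    m = IAT_RE.match(line)
    if m:
        pid, chain, _addr, owner = m.groups()
        parts = chain.split("-->")   # process --> [importer -->] exporter --> function
        ok = owner.lower() in KNOWN_HOOKERS
        return Hook("iat", f"{parts[0]}[{pid}]/{parts[-3]}", parts[-1], owner,
                    "expected: AppCompat shim engine" if ok else "review: unrecognised hook owner")
    m = INLINE_RE.match(line)
    if m:
        image, offset, jump, _target, owner = m.groups()
        same = owner.lower() == image.lower()
        return Hook("inline", f"{image}+0x{offset}", jump, owner,
                    "lower priority: target inside the patched image; diff against a clean copy"
                    if same else "review: jump lands in another module")
    return None

def triage(log):
    # Returns (all parsed hooks, the subset that needs a manual look).
    hooks = [h for h in (parse_hook(ln.strip()) for ln in log.splitlines()) if h]
    return hooks, [h for h in hooks if h.verdict.startswith("review")]
```

Run `triage(SAMPLE_LOG)` on a real Rootkit Unhooker report by pasting its ">Hooks" section in place of the sample; header lines such as ">Hooks" are skipped.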
22 Comments
 
LVL 20

Expert Comment

by:wolfcamel
ID: 33692333
sounds like your usb devices are carrying it - after you remove it from them - turn off the autorun feature on the machines to stop it reloading the code.

If you are doing clean installs - do them while disconnected from the network, and install AV first before connecting them to the lan, and turn file sharing off - then do all your updates etc.

also - malwarebytes in safe mode tends to fix most things for me
0
 

Author Comment

by:GregPaul
ID: 33692693
This thing is hooked much deeper than normal.
It will not let me post to this site from an infected PC.  This is being typed on an uninfected PC.
And, yes, it does move via Autorun and USB devices.
After a primary partition removal, recreation, format and a reinstall from the recovery partition (which was not removed or reformatted), with no network connection, IT IS STILL THERE.  It creates a RECYCLER directory in the root, and allegedly code-injects common windows executables.
MalwareBytes in Safe Mode says it is clean.
0
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 500 total points
ID: 33693871
Can't you install "clean" from a CD?  it might have infected the recovery partition.  If you have an install CD, format the whole disk (including the recovery partition) and install.
0

Author Comment

by:GregPaul
ID: 33694034
Well...that is the very last resort as I do not have recovery CD's - only the recovery partition.  Two of the PCs are Lenovo Thinkpads, and they are supposed to allow the creation of recovery CDs, but that option does not appear on my restored (from partition) system.

I was hoping to find the root cause, and kill it without completely wiping the entire drive.
0
 
LVL 22

Expert Comment

by:optoma
ID: 33694572
Run these on one of those affected machines and post their logs:)
 TdssKiller and Hitmanpro.
http://support.kaspersky.com/viruses/solutions?qid=208280684
http://www.surfright.nl/en/hitmanpro

 Run Combofix and post log here
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


>Tools may be required to be downloaded on another machine and transferred via removable device(burn them to a cd if applicable and copy to desktop)

>If they still don't run, redownload them but rename them prior to saving them
0
 

Author Comment

by:GregPaul
ID: 33695072
Thanks Optoma!
I ran all three in Safe Mode with Networking.
I cannot "submit" from the infected PC, so emailed logs to one that is not.
All three are attached.  Not sure TDSS did the full run - only scanned 160 objects.
TDSSKiller.2.4.2.1-16.09.2010-14.txt
hitmatpro.xml
ComboFix.txt
0
 

Author Comment

by:GregPaul
ID: 33695335
Sorry about that TDSS Log...
This one is complete.
TDSSKiller.2.4.2.1-16.09.2010-14.txt
0
 
LVL 22

Expert Comment

by:optoma
ID: 33696105
Hi. Not much showing up.
It's better to run the scans in normal mode these days when applicable.
Can you run just TdssKiller and Hitmanpro in normal mode?

Also check this file at virus total
http://www.virustotal.com/

C:\WINDOWS\is-3UKAE.exe
0
 

Author Comment

by:GregPaul
ID: 33696633
Thanks again for your help.
Ran TDSS and  HitManPro in Normal Mode.
Attached are logs.  At airport.  
Won't be back on until Friday.
TDSSKiller.2.4.2.1-16.09.2010-17.txt
0
 

Author Comment

by:GregPaul
ID: 33696667
Sorry, here is the HitManPro log from a Normal Mode scan.
I went to the site you recommended and searched for that file, both with and without the C:\windows
prefix and did not get any hits.
HitManProNormMode.xml
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33697411
Hi GregPaul,

I believe Optoma means to upload the file to virustotal.com and see if they report the name of virus/ rootkit or anything else.
===========================
Also check this file at virus total
http://www.virustotal.com/

C:\WINDOWS\is-3UKAE.exe
==========================

Sudeep
0
 

Author Comment

by:GregPaul
ID: 33703406
I have looked at the executable is-3UKAE.exe, and due to the logs created at exactly the same time (attached) it appears to be MBAM, or it could be faked by the malware to look that way, or neuter MBAM.
I did upload the executable to virustotal.com.
They have seen it before and here is what they said:
File name: is-PRCJQ.exe
Submission date: 2010-09-16 03:48:08 (UTC)
Current status: finished
Result: 0 /43 (0.0%)

is-3UKAE.lst
is-3UKAE.msg
0
 
LVL 22

Expert Comment

by:optoma
ID: 33704253
Hi. I'm not sure as what could be on those machines as the logs come back clean.
The flash drive/s, run Flash Disinfector
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

As mentioned above, try a clean install on one of them and see how it behaves.
0
 

Author Comment

by:GregPaul
ID: 33731987
I did download flash disinfector.  One of the scan tools indicated that there was a worm in its exe?
No big deal, as the USB drive and all PCs are infected at the moment.
I am still trying to identify this thing that has possessed all three PCs.
When the September version of MRT runs, it ends clean (no infections found), but the log indicates:
"WARNING: Security Policy doesn't allow for all actions MSRT may require.
Engine internal result code = 80508015."
Other symptoms: At boot it creates and locks a file called (variably) flaD.tmp in the TEMP directory.  488,389 bytes.
A PASSWD.LOG file in Windows\Debug (0 bytes and blank when examined with Notepad) is created, refreshed at boot.  It will not allow me to get to the www.ewido.net site via IE (now version 8).
Cannot check flaD.tmp with Virus Total either via upload or email because it is locked.
Tried to check running process executables at VirusTotal: explorer.exe, winlogon.exe, csrss.exe, smss.exe.  None could be accessed, uploaded or sent.  The files on the hard drive are clean.  The files in use may be injected versions?
I am going to keep trying to find the root cause.
Any ideas?
0
 
LVL 22

Expert Comment

by:optoma
ID: 33732434
FlashDisinfector is flagged by some AVs as bad. Only a false positive, ignore the warning!
http://www.virustotal.com/file-scan/report.html?id=1357175d260de3ca70b7f824667eda5e381906a25d7bf1277e8622641225ae77-1285001552

Can you reach any AV sites or MS updates?
0
 

Author Comment

by:GregPaul
ID: 33732756
Thanks Optoma.
Yes, I am getting MS Updates when in Normal Mode.
I just removed the McAfee suite, ran their special uninstaller (mpcr.exe), and downloaded and attempted an install of AVG Suite in Safe Mode.
Followed their instructions for a Safe Mode install and got an install error: "Error: MSVC Redistributables installation failed. Installation of AVG can not continue."
Have posted tech support question with AVG within last 30 minutes.
0
 

Author Comment

by:GregPaul
ID: 33732815
Ok... getting more interesting.
Still in safe mode.
Figured out that AVP needs C+ code base from Microsoft.
Download vcredist_x86.exe from MS.
Start install... then an Installer window pops up with: "The system administrator has set policies to prevent this installation."  OK is the only response.
Installer process is running as "Owner" (my profile), which is an administrator.
There are domain entries and group policies in the registry... added by malware.
0
 

Accepted Solution

by:GregPaul
GregPaul earned 0 total points
ID: 33765119
Case closed.  Repartitioned, reformatted and reinstalled desktop PC.  Restored two laptops from Recovery Partition.
A lot of work, but all seems normal.
Thanks for your time and advice!
0
 
LVL 12

Expert Comment

by:mccracky
ID: 34174039
It's fine to delete if you want, but the author's final post of his "solution" was basically what I suggested in post 3693871.
0
 

Expert Comment

by:_alias99
ID: 34203754
All,
 
Following an 'Objection' by mccracky (at http://www.experts-exchange.com/Q_26627150.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed by accepting the author's solution and awarding points to an Expert's comment.


At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
_alias99
Community Support Moderator
0
