Scan of J with AVG and F-Secure Rescue CDs

On September 13, 2008, I scanned a system, J, with an AVG Rescue CD. The system had become infected with malware on September 8. I had previously scanned the system with a number of other antivirus, antispyware, and rootkit detection programs, but wanted to scan it with antivirus software that works outside of Microsoft Windows as well. So I booted the system, a Dell Optiplex 170L, with AVG Rescue CD version 7.5. The AVG Rescue CD did not recognize the network adapter in the system, but I was able to update its virus and spyware definitions using a USB thumbdrive onto which I had downloaded the latest updates for the software.

Item Name          Item Value
General properties
  Report name      Selected Areas Test
  Start time       9/13/2008 5:20:24 PM
  End time         9/13/2008 7:00:14 PM (total: 1:39:48.9 hrs)
  Launch method    Scanning launched manually
  Scanning result  Threats found
  Report status    Scanning completed successfully

Object summary
  Threats found    83
  Cleaned          0
  Moved to vault   0
  Deleted          0
  Errors           0

Under virus results, I saw 7 objects listed. The rest of the objects found were under Spyware found, but those were only cookies.

Object | Result | Status
C:\WINDOWS\ServicePackFiles\i386\msimg32.dll | - | Infected
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cfe684fa1d22f98\msimg32.dll | - | Infected
C:\WINDOWS\system32\msimg32.dll | - | Infected
c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\23WVIXMN\kashir[1].exe | Trojan horse Dropper.Bravix.C | Infected
c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5YX4FEJ\kashir[1].exe | Trojan horse Dropper.Bravix.C | Infected
c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5YX4FEJ\rep[1].exe | Trojan horse Downloader.Generic7.AKPT | Infected
c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WHUVKTKX\rep[1].exe | Trojan horse Downloader.Generic7.AKPT | Infected

I highlighted all of the cookies and then clicked on Move to Vault. I did the same thing for everything under the Virus results, so all items that AVG Rescue CD reported as malware were moved to the vault.

The Vault is a hidden directory on the system's hard drive, i.e. the "hidden" attribute is set for the directory, named $VAULT$.AVG. When objects are moved to the vault, they are given a name in the form XXXXXXXX.FIL, where "XXXXXXXX" is a sequence of 8 digits, e.g. 08466625.FIL.

AVG Rescue CD indicated that C:\WINDOWS\system32\msimg32.dll was infected. According to msimg32.dll - msimg32 - DLL Information, "msimg32.dll is the extension component for Windows GDI that contains new APIs to improve the GDI32 functionality." At Msimg32.dll - File information, the description for the file is "Msimg32.dll used for handeling [sic] Graphics."

I rebooted the system. When I logged on, I saw the error message below:

    type32.exe - Unable to Locate Component
    [White x in a red circle] The application has failed to start because MSIMG32.dll was not found. Re-installing the application may fix this problem.

    OK

According to type32.exe - type32 process information, "type32.exe provides configuration access to Microsoft's Office Keyboard. This is a non-essential process. Disabling or enabling it is down to user preference."

When I clicked on OK for the above error message, similar error messages appeared for point32.exe and msmsgs.exe.

I restored the \Windows\System32\msimg32.dll file from a backup I made on July 17, 2008 with Symantec Ghost 7.5. I uploaded the file to Jotti's malware scan, a site that checks suspicious files with many different antivirus programs (14 at the time I submitted the file). None of the antivirus programs used at that site found anything suspicious with the version of the file I restored.

I also uploaded the file to Virustotal, a free service that "analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." None of the 36 antivirus programs used by that site detected any malware in the file.

Though I created an image backup of the entire drive with Symantec Ghost 7.5, I did not see the \Windows\ServicePackFiles directory on the backup. The directory was marked as "read-only" on the infected system, but Ghost backed up other read-only and hidden directories and it even backed up pagefile.sys and hiberfil.sys, so I don't know why I didn't see that directory under Windows using Ghost Explorer to view the contents of the backup. When I searched for the file within Ghost Explorer, however, Ghost Explorer found it within \i386, so I restored that one, also. That one was dated 2004-08-04. The one in \Windows\system32 was also dated 2004-08-04. Perhaps the \Windows\ServicePackFiles\i386 directory is just a link to \i386.

I also uploaded the version from the \i386 directory to Jotti's malware scan. It had the same MD5 checksum, so it should be identical to the copy of the file I found in \Windows\system32. Again, nothing was detected in that file, either.

I copied the version from \Windows\system32 in the backup file to both locations on the infected system's hard drive. I then rebooted the system that had been infected. No error message appeared when I rebooted.
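The check done by hand above (confirming that every on-disk copy of msimg32.dll hashes the same as the known-good backup copy) can be scripted. The following is an added example, not code from the original post; the paths and file contents in demo() are constructed stand-ins, and it uses SHA-256 rather than the MD5 the post mentions (pass algo="md5" to reproduce that comparison).

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks. Returns None when the path does not exist, which is
    exactly the case hit above when \\Windows\\ServicePackFiles was absent from the backup."""
    if not os.path.isfile(path):
        return None
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference, copies, algo="sha256"):
    """Compare each candidate copy of a system file against a known-good reference
    (the backup copy). Returns {path: 'match' | 'differs' | 'missing'}."""
    ref = file_digest(reference, algo)
    if ref is None:
        raise FileNotFoundError(f"reference copy not found: {reference}")
    results = {}
    for path in copies:
        d = file_digest(path, algo)
        results[path] = "missing" if d is None else ("match" if d == ref else "differs")
    return results


def demo():
    """Constructed sample: a fake backup copy, one copy that was altered on disk,
    one untouched copy, and one location that does not exist (hypothetical paths)."""
    root = tempfile.mkdtemp()
    good = b"MZ" + b"\x00" * 500 + b"GDI extension sample"  # constructed bytes, not a real DLL
    bad = good[:-6] + b"tamper"                               # same length, different content
    backup = os.path.join(root, "backup_msimg32.dll")
    sys32 = os.path.join(root, "system32_msimg32.dll")
    i386 = os.path.join(root, "i386_msimg32.dll")
    spf = os.path.join(root, "ServicePackFiles_msimg32.dll")  # deliberately never written
    for p, data in ((backup, good), (sys32, bad), (i386, good)):
        with open(p, "wb") as f:
            f.write(data)
    return compare_copies(backup, [sys32, i386, spf])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```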

I then booted the system with an F-Secure Rescue CD 2.00. It did not detect any malware.

82598 files scanned
51 files could not be scanned

Scan completed
   Scan started at Sat Sep 13 23:46:51 UTC 2008
   and ended at Sun Sep 14 02:33:19 UTC 2008