| Item Name | Item Value |
|---|---|
| General properties | |
| Report name | Selected Areas Test |
| Start time | 9/13/2008 5:20:24 PM |
| End time | 9/13/2008 7:00:14 PM (total: 1:39:48.9 hrs) |
| Launch method | Scanning launched manually |
| Scanning result | Threats found |
| Report status | Scanning completed scucessfully |
| Object summary | |
| Threats found | 83 |
| Cleaned | 0 |
| Moved to vault | 0 |
| Deleted | 0 |
| Errors | 0 |
Under virus results, I saw 7 objects listed. The rest of the objects found were under Spyware found, but those were only cookies.
| Object | Result | Status |
|---|---|---|
| C:\WINDOWS\ServicePackFiles\i386\msimg32.dll | Infected | |
| C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cfe684fa1d22f98\msimg32.dll | Infected | |
| C:\WINDOWS\system32\msimg32.dll | Infected | |
| c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\23WVIXMN\kashir[1].exe | Trojan horse Dropper.Bravix.C | Infected |
| c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5YX4FEJ\kashir[1].exe | Trojan horse Dropper.Bravix.C | Infected |
| c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5YX4FEJ\rep[1].exe | Trojan horse Downloader.Generic7.AKPT | Infected |
| c:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WHUVKTKX\rep[1].exe | Trojan horse Downloader.Generic7.AKPT | Infected |
I highlighed all of the cookies and then clicked on Move to Vault. I did the same thing for everything under the Virus results, so all items that AVG Rescue CD reported as malware were moved to the vault.
The Vault is a hidden directory on the system's hard drive, i.e.
the "hidden" attribute is set for the directory, named
$VAULT$.AVG. When objects are moved to the vault, they are
given a name in the form XXXXXXXX.FIL, where "XXXXXXXX" is a sequence of 8
digits, e.g. 08466625.FIL.
AVG Rescue CD indicated that C:\WINDOWS\system32\msimg32.dll was
infected. According to
msimg32.dll - msimg32 - DLL Information, "msimg32.dll is the
extension component for Windows GDI that contains new APIs to improve the
GDI32 functionality." At
Msimg32.dll
- File information, the description for the file is
"Msimg32.dll used for handeling [sic] Graphics."
I rebooted the system. When I logged on, I saw the error message below:
| type32.exe - Unable to Locate Component | ||
|
According to type32.exe - type32 process information, "type32.exe provides configuration access to Microsoft's Office Keyboard. This is a non-essential process. Disabling or enabling it is down to user preference."
When I clicked on OK for the above error message, similar
error messages appeared for point32.exe and
msmsgs.exe.
I restored the \Windows\System32\msimg32.dll file from a backup
I made on July 17, 2008 with Symantec Ghost 7.5. I uploaded the file to
Jotti's malware scan, a site
that checks suspicious files with many different antivirus programs (14 at
the time I submitted the file). None of the antivirus programs used at
that site found anything suspicious with the version of the file I restored.
I also uploaded the file to Virustotal, a free service that "analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines." None of the 36 antivirus programs used by that site detected any malware in the file.
Though I created an image backup of the entire drive with Symantec Ghost 7.5,
I did not see the \Windows\ServicePackFiles directory on the
backup. The directory was marked as "read-only" on the infected system, but
Ghost backed up other read-only and hidden directories and it even backed
up pagefile.sys and hiberfil.sys, so I don't
know why I didn't see that directory under Windows using Ghost Explorer to
view the contents of the backup. When I searched for the file within
Ghost Explorer, however, Ghost Explorer found it within \i386,
so I restored that one, also. That one was dated 2004-08-04. The one in
\Windows\system32 was also dated 2004-08-04. Perhaps the
\Windows\ServicePackFiles\i386 directory is just a link
to \i386.
I also uploaded the version from the \i386 directory to
Jotti's malware scan. It had the
same MD5 checksum, so should be identical to the copy of the file
I found in \Windows\system32. Again, nothing was detected
in that file, either.
I copied the version from \Windows\system32 in the backup
file to both locations on the infected system's hard drive. I then rebooted
the system that had been infected. No error message appeared when I rebooted.
I then booted the system with an F-Secure Rescue CD 2.00. It did not detect any malware.
82598 files scanned
51 files could not be scanned
Scan completed
Scan started at Sat Sep 13 23:46:51 UTC 2008
and ended at Sun Sep 14 02:33:19 UTC 2008