I needed to check a laptop running Windows Vista Home Premium that I believed was infected with the Ozdok/Mega-D Trojan. At Ozdok/Mega-D Trojan Analysis, I found the following registry key listed as being associated with this malware:
"C:\WINDOWS\system32\svchost.exe" = C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ICF "aaaaaaaaa[..truncated..]aaaaaaaaaaa[REG_BINARY, size: 16 bytes]" = [REG_BINARY, size: 16 bytes]
After backing up the system with Norton Ghost 2003, I booted the system with the network cable unplugged. I ran regedit and looked for an ICF key under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\, but didn't see one. When I checked for any ICF service by running `net start | find /i "ICF"` at a command prompt, I did not see one. I also checked for the registry keys mentioned at Trojan-Ozdok - Symantec.com, but didn't see those keys either, and I had already checked for an ICF service without finding one. Symantec listed the following keys and service:
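The regedit check and `net start | find /i "ICF"` above are manual, and `net start` lists only the display names of services that are currently running, so a stopped or disabled service would be missed. As an added example (mine, not from the page), the Python below does the same checks offline against a .reg export of the suspect registry, for instance produced with `reg export HKLM hklm.reg` from a rescue environment or from an offline hive loaded with `reg load`. It parses the export, including hex data continued across lines with a trailing backslash, then looks for the ICF key, for an XP-style Windows Firewall AuthorizedApplications entry whitelisting svchost.exe (the `path:*:Enabled:name` format of the first indicator quoted above), and for service names registered under HKLM\SYSTEM\CurrentControlSet\Services whether or not they are running. The .reg text, the 16-character ICF value name and the Spooler entry are constructed for the demonstration; key paths are lowercased for matching while value names keep their case. One caveat: Windows Vista keeps its firewall rules in a different key and format (FirewallRules), so on the Vista laptop the XP-style entry would not be expected even on an infected machine.

```python
# Added example (not from the page): check the registry indicators quoted
# above against a .reg export, offline. SAMPLE_REG is constructed.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF]
"aaaaaaaaaaaaaaaa"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"""

HKLM = "hkey_local_machine"
ICF_KEY = HKLM + r"\software\microsoft\windows\currentversion\icf"
FIREWALL_LIST = HKLM + (r"\system\currentcontrolset\services\sharedaccess\parameters"
                        r"\firewallpolicy\standardprofile\authorizedapplications\list")
SERVICES = HKLM + r"\system\currentcontrolset\services" + "\\"

# '"name"=data' or '@=data' (default value); the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text):
    """Yield .reg lines with hex data continuations (trailing backslash) joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        value = line.split("=", 1)[1] if "=" in line else ""
        if value.lstrip().startswith("hex") and line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and quote with a backslash


def _decode(value):
    """Decode a quoted string, hex:(bytes) or hex(2):(REG_EXPAND_SZ as UTF-16LE)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return _unescape(value[1:-1])
    if value.startswith("hex"):
        kind, _, data = value.partition(":")
        raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
        if kind == "hex(2)":                        # NUL-terminated UTF-16LE string
            return raw.decode("utf-16-le").rstrip("\0")
        return raw
    return value


def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: decoded data}}."""
    reg, key = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):                # "[-Key]" is a deletion directive
                key = None
                continue
            key = path.lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            reg[key][name] = _decode(m.group(2))
    return reg


def firewall_exceptions(reg):
    """XP-style AuthorizedApplications entries; data format is 'path:scope:Enabled:name'."""
    out = []
    for data in reg.get(FIREWALL_LIST, {}).values():
        if not isinstance(data, str) or data.count(":") < 3:
            continue
        path, scope, state, label = data.rsplit(":", 3)   # rsplit: the path holds "C:"
        out.append({"path": path, "scope": scope,
                    "enabled": state.lower() == "enabled", "label": label})
    return out


def svchost_exceptions(reg):
    """The page's first indicator: svchost.exe itself whitelisted in the firewall."""
    return [e for e in firewall_exceptions(reg)
            if e["enabled"] and e["path"].lower().endswith("\\svchost.exe")]


def installed_services(reg):
    """Lowercased names of services registered under Services, running or not."""
    return {k[len(SERVICES):] for k in reg
            if k.startswith(SERVICES) and "\\" not in k[len(SERVICES):]}
```

With a real export, `parse_reg(open("hklm.reg", encoding="utf-16").read())` is the usual call, since reg.exe writes UTF-16; the three lookups then answer "is the ICF key present", "is svchost.exe whitelisted" and "is an ICF service installed" without booting the suspect system.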
I then rebooted the system with F-Secure Rescue CD 2.0, which I used to scan the system for malware. It scanned 1,250 files with no malware found, but then hung. I waited an hour for it to go on to other files with no further progress. It wouldn't respond to Alt-F5 to display details of files being scanned nor Alt-F6 to see any malware found, though the malware count was 0. Nor would it respond to Ctrl-Alt-F2 to switch to another console. Nor would it even respond to Ctrl-C to cancel scanning.
I powered the system off and on and booted from an AVG Rescue CD (build 080321516) instead. I updated its malware definitions with the latest antivirus and antispyware files available for it, which were dated August 14, 2008, and then scanned the system.
The AVG Rescue CD scan took 4 hours and 41 minutes to cover 780,212 files. AVG reported 307 threats, almost all of them tracking cookies, but under virus results it listed the following:
| Object | Result | Status |
|---|---|---|
| C:\Windows\System32\kuser.dll | Infected | |
| C:\Windows\System32\msimg32.dll | Infected | |
| C:\Windows\System32\sfc.dll | Infected | |
| C:\Windows\winsxs\x86_microsoft-windows-d..tshow-kernels... | Infected | |
| C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf... | Infected | |
| C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856... | Infected | |
| C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf3856... | Infected | |
The files in the winsxs folder are "Windows Side by Side Assemblies (SxS)". See Vista & Windows Side by Side Assemblies and SXS folder in Windows XP for further information about the directory and the files stored within it.
I chose to move all of the cookies to the vault. For the seven files flagged as infected, which AVG did not identify by name, I opted to "heal the file". All of them were then marked as deleted, so "heal" apparently equates to "delete" for the AVG antivirus software.
When I tried rebooting the system, Windows Vista would not boot. I received the message below:

```
LogonUI.exe - Unable to Locate Component
This application has failed to start because MSIMG32.dll was not found. Reinstalling the application may fix this problem.
```
Clicking on OK just yielded a blank black screen with only the mouse pointer visible. The system did not respond to any keyboard input. I wished I had chosen to move the files marked as infected to the vault as well, since that would have made it easier to recover from the problem. Luckily, I had backed up the hard drive with Norton Ghost 2003 before running the AVG Rescue CD.
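The difference between "heal" (which here meant delete) and "move to vault" is whether the original bytes survive. A practitioner would also check a flagged file under %SystemRoot% before removing it, for instance by verifying its Authenticode signature with Sysinternals sigcheck or PowerShell's Get-AuthenticodeSignature, or by comparing its hash with the copy in the winsxs store; msimg32.dll is a legitimate GDI helper DLL, which is why LogonUI.exe failed once it was gone. As an added example (mine, not from the page or from AVG), the Python below implements the quarantine the author wished he had chosen: files are moved into a vault, each with its SHA-256 and original absolute path recorded in a manifest; vault copies are named so that same-basename files from System32 and from a winsxs assembly directory cannot collide; and restore() verifies the hash before moving a file back. demo() exercises the cycle on a constructed directory tree with a fake msimg32.dll in each location. The paths and file contents are constructed, and nothing touches a real Windows installation.

```python
# Added example (not from the page or from AVG): quarantine files with a
# manifest so a false positive can be restored byte-for-byte. demo() runs on
# a constructed directory tree, never on a real Windows installation.
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _load_manifest(vault):
    try:
        with open(os.path.join(vault, MANIFEST), encoding="utf-8") as fh:
            return json.load(fh)
    except FileNotFoundError:
        return []

def _save_manifest(vault, manifest):
    with open(os.path.join(vault, MANIFEST), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)

def quarantine(paths, vault):
    """Move each file into the vault and record where it came from; return new entries."""
    os.makedirs(vault, exist_ok=True)
    manifest = _load_manifest(vault)
    added = []
    for path in paths:
        original = os.path.abspath(path)
        digest = sha256_of(original)
        # Sequence number + hash prefix + basename keeps same-named files apart
        # (msimg32.dll exists both in System32 and inside a winsxs assembly).
        vault_name = f"{len(manifest):04d}_{digest[:12]}_{os.path.basename(original)}"
        shutil.move(original, os.path.join(vault, vault_name))
        entry = {"original": original, "sha256": digest, "vault_name": vault_name}
        manifest.append(entry)
        added.append(entry)
    _save_manifest(vault, manifest)
    return added

def restore(vault):
    """Move vaulted files back to their original paths after verifying their hashes.

    Returns (restored_paths, damaged_paths); a vault copy whose hash no longer
    matches the manifest is left in the vault and reported instead of restored.
    """
    restored, damaged = [], []
    for entry in _load_manifest(vault):
        src = os.path.join(vault, entry["vault_name"])
        if not os.path.exists(src):
            continue                                    # restored on an earlier run
        if sha256_of(src) != entry["sha256"]:
            damaged.append(entry["original"])
            continue
        os.makedirs(os.path.dirname(entry["original"]), exist_ok=True)
        shutil.move(src, entry["original"])
        restored.append(entry["original"])
    return restored, damaged

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Quarantine two same-named fake DLLs from a constructed tree, then restore them."""
    root = tempfile.mkdtemp(prefix="vault-demo-")
    sys32 = os.path.join(root, "Windows", "System32")
    sxs = os.path.join(root, "Windows", "winsxs", "x86_example-assembly")
    os.makedirs(sys32)
    os.makedirs(sxs)
    files = {  # constructed stand-ins, not real PE files
        os.path.join(sys32, "msimg32.dll"): b"MZ" + b"\0" * 62 + b"system32 copy",
        os.path.join(sxs, "msimg32.dll"): b"MZ" + b"\0" * 62 + b"winsxs copy",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    vault = os.path.join(root, "vault")
    added = quarantine(list(files), vault)
    gone = not any(os.path.exists(p) for p in files)
    restored, damaged = restore(vault)
    intact = all(_read(p) == data for p, data in files.items())
    shutil.rmtree(root)
    return {
        "quarantined": len(added),
        "distinct_vault_names": len({e["vault_name"] for e in added}),
        "gone_after_quarantine": gone,
        "restored": len(restored),
        "damaged": len(damaged),
        "intact_after_restore": intact,
    }
```

The manifest is the part that matters in an incident: it turns "seven files were deleted somewhere under Windows" into a list of exact paths and hashes, so recovery does not depend on a full-disk image being available, as it did here.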
I restored the files from the backup drive using Norton Ghost 2003. I placed them on a USB thumbdrive and rebooted the laptop with the AVG Rescue CD again, with the thumbdrive plugged in (USB devices have to be plugged in prior to booting from the CD). I was able to restore the files to the \windows\system32 directory, but was unable to restore the files to the windows\winsxs directory, probably because of the special protections Windows places on that directory.
So I tried booting the system with a Ubuntu 7.10 LiveCD, but the boot process halted at "Starting Avahi mDNS/DNS-SD Daemon avahi-daemon". So I tried a SLAX Linux 5.1.8 LiveCD. I was able to boot from that disc, but when I tried writing a file into the windows\winsxs directory, I could not. I thought the partition was likely mounted in read-only mode, so I got a shell prompt and entered the commands below to unmount it and then remount it in read-write mode.

```
umount /dev/sda1
mount -rw /dev/sda1 /mnt/sda1
```

I then verified the partition was mounted rw, i.e. in read-write mode, with `cat /etc/mtab`. I still couldn't copy the DLL files from the thumbdrive to the winsxs directory, though. I tried putting a file in c:\ but couldn't either, so I figured the problem might be due to Windows not having been shut down properly when I couldn't log in after attempting to boot into Vista, i.e. the disk was probably marked as "dirty".
So I then rebooted with a BartPE disc, obtained a command prompt, and ran `chkdsk c: /f` to check the file structure on the disk. After running chkdsk, I tried copying the DLL files that had been deleted from the windows\winsxs directories, and which were now on the thumbdrive, back to the directories they were deleted from on the hard disk, but again got "access denied" messages.
So I rebooted the laptop with the SLAX LiveCD again. Since the /dev/sda1 partition was mounted read-only by default, I unmounted it again and then remounted it with `mount -rw /dev/sda1 /mnt/sda1`. Again I tried copying the files.
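The Linux attempts above hit the same wall twice: after the remount, /etc/mtab said rw, yet the copy still failed, and the mount table alone cannot say why. Two things a rescue-CD user can check separate the causes. The mount table gives the filesystem type and the ro/rw flag: a type of `ntfs` means the legacy in-kernel driver, which can be mounted rw but cannot create files at all, while `fuseblk` means ntfs-3g, which does full read-write but refuses to mount a volume marked dirty or hibernated rw unless forced, which is why chkdsk (as run from BartPE above) has to come first. The errno from an actual file creation then says what refused: EROFS means the volume really is mounted read-only (`mount -o remount,rw /mnt/sda1` is the usual fix, instead of umount plus mount), whereas EACCES or EPERM on an rw mount means the driver or permissions said no, not the mount flag. As an added example (mine, not from the page), the Python below parses mtab-style text and runs such a write probe. The mtab text is constructed, and the probe runs in a temporary directory rather than on an NTFS volume.

```python
# Added example (not from the page): tell "mounted read-only" apart from
# "the driver or permissions refused" when a copy onto an NTFS volume fails.
# SAMPLE_MTAB is constructed; the write probe runs in a temporary directory.
import errno
import os
import shutil
import tempfile

# Constructed /etc/mtab contents: the same device mounted twice, first by the
# in-kernel ntfs driver read-only, then (a later line is a more recent mount)
# via ntfs-3g, which appears as fuseblk.
SAMPLE_MTAB = """\
/dev/sda1 /mnt/sda1 ntfs ro,nls=utf8,umask=0 0 0
/dev/sdb1 /mnt/sdb1 vfat rw,umask=0 0 0
/dev/sda1 /mnt/sda1 fuseblk rw,nosuid,nodev,allow_other,blksize=4096 0 0
"""

DRIVER_NOTES = {
    "ntfs": "in-kernel ntfs driver: accepts an rw mount flag but cannot create files",
    "fuseblk": "FUSE block device, normally ntfs-3g: full read-write",
}

ERRNO_EXPLANATIONS = {
    "EROFS": "read-only mount: remount rw (after chkdsk if the NTFS volume is dirty)",
    "EACCES": "permission or driver refusal on an rw mount (legacy ntfs driver, umask/uid options)",
    "EPERM": "operation not permitted by the filesystem driver, not by the mount flag",
    "ENOSPC": "no space left on the volume",
}

def parse_mtab(text):
    """Return {mount point: {device, fstype, options}}; later lines override earlier ones."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        entries[mountpoint] = {"device": device, "fstype": fstype, "options": opts.split(",")}
    return entries

def mount_for(path, entries):
    """The mount entry governing path (longest matching mount point), or None."""
    best = None
    for mp in entries:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and (best is None or len(mp) > len(best)):
            best = mp
    return entries[best] if best else None

def describe_mount(entry):
    flag = "read-only" if "ro" in entry["options"] else "read-write"
    driver = DRIVER_NOTES.get(entry["fstype"], entry["fstype"])
    return f"{entry['device']} mounted {flag} ({driver})"

def explain_errno_name(name):
    return ERRNO_EXPLANATIONS.get(name, f"unexpected error {name}")

def explain_errno(code):
    return explain_errno_name(errno.errorcode.get(code, str(code)))

def probe_write(directory):
    """Create and delete a probe file; return (ok, explanation)."""
    probe = os.path.join(directory, ".write_probe")
    try:
        with open(probe, "xb") as fh:       # 'x': never clobber an existing file
            fh.write(b"probe")
        os.unlink(probe)
        return True, "file creation and deletion succeeded"
    except OSError as exc:
        return False, explain_errno(exc.errno)

def probe_tempdir():
    """Run the probe against a fresh temporary directory (always writable)."""
    tmp = tempfile.mkdtemp(prefix="ntfs-probe-")
    try:
        return probe_write(tmp)
    finally:
        shutil.rmtree(tmp)
```

On a live system the same two calls are `mount_for("/mnt/sda1/Windows/winsxs", parse_mtab(open("/proc/mounts").read()))` and `probe_write("/mnt/sda1/Windows/winsxs")`; the first reports which driver holds the volume and with what flag, the second reports what the kernel actually said when a file was created, which is the piece of information the rw entry in /etc/mtab could not provide.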
Created: Tuesday March 10, 2009