Ozdok/Mega-D Infected System


I needed to check a laptop running Windows Vista Home Premium that I believed was infected with the Ozdok/Mega-D Trojan. At Ozdok/Mega-D Trojan Analysis, I found the following registry key listed as being associated with this malware:

"C:\WINDOWS\system32\svchost.exe" = C:\WINDOWS\system32\svchost.exe:*:Enabled:svchost
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ICF "aaaaaaaaa[..truncated..]aaaaaaaaaaa[REG_BINARY, size: 16 bytes]" = [REG_BINARY, size: 16 bytes]

After backing up the system with Norton Ghost 2003, I booted the system with the network cable unplugged. I ran regedit and looked for an ICF key under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\, but didn't see one. When I checked for any ICF service by running net start | find /i "ICF" at a command prompt, I did not see one. I also checked for registry keys mentioned at Trojan-Ozdok - Symantec.com, but didn't see those keys either and I had already checked for an ICF service without finding one. Symantec listed the following keys and service:

The Trojan may create a service with the following characteristics:

I then rebooted the system with F-Secure Rescue CD 2.0, which I used to scan the system for malware. It scanned 1,250 files with no malware found, but then hung. I waited an hour for it to go on to other files with no further progress. It wouldn't respond to Alt-F5 to display details of files being scanned nor Alt-F6 to see any malware found, though the malware count was 0. Nor would it respond to Ctrl-Alt-F2 to switch to another console. Nor would it even respond to Ctrl-C to cancel scanning.

I powered the system off and on and booted from an AVG Rescue CD (build 080321516) instead. I updated its malware definitions with the latest antivirus and antispyware files available for it, which were dated August 14, 2008, and then scanned the system.

The AVG Rescue CD scan of 780,212 files took 4 hours and 41 minutes to complete. The AVG scan program reported that 307 threats were found, almost all of which were tracking cookies, but under virus results it listed the following:

AVG Rescue CD Virus Scan Results
C:\Windows\System32\kuser.dll Infected
C:\Windows\System32\msimg32.dll Infected
C:\Windows\System32\sfc.dll Infected
C:\Windows\winsxs\x86_microsoft-windows-d..tshow-kernels...  Infected
C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf...  Infected
C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856...  Infected
C:\Windows\winsxs\x86_microsoft-windows-gdi-painting_31bf3856...  Infected

The files in the winsxs folder are "Windows Side by Side Assemblies (SxS)". See Vista & Windows Side by Side Assemblies and SXS folder in Windows XP for further information about the directory and files stored within it.

I chose to move all of the cookies to the vault. For the viruses found, which AVG did not identify, I opted to "heal the file" for all 7 files. All were marked as deleted then. "Heal" apparently equates to "delete" for the AVG antivirus software.

When I tried rebooting the system, Windows Vista would not boot. I received the message below:

LogonUI.exe - Unable to Locate Component
This application has failed to start because MSIMG32.dll was not found.
Reinstalling the application may fix this problem.


Clicking on OK just yielded a blank black screen with only the mouse pointer visible. The system did not respond to any keyboard input. I wished I had just chosen to move the files marked as infected to the vault as well, since that would have made it easier to recover from the problem. Luckily, I had backed up the hard drive with Norton Ghost 2003 before running AVG Rescue CD.

I restored the files from the backup drive using Norton Ghost 2003. I placed them on a USB thumbdrive and rebooted the laptop with the AVG Rescue CD again, with the thumbdrive plugged in (USB devices have to be plugged in prior to booting from the CD). I was able to restore the files to the \windows\system32 directory, but was unable to restore the files to the windows\winsxs directory, probably because of the special protections Windows places on that directory.

So I tried booting the system with an Ubuntu 7.10 LiveCD. But the boot process halted at "Starting Avahi mDNS/DNS-SD Daemon avahi-daemon". So I tried a SLAX Linux 5.1.8 LiveCD. I was able to boot from that disc. But, when I tried writing a file into the windows\winsxs directory, I could not. I thought the partition was likely mounted in read-only mode, so I got a shell prompt, and entered the commands below to unmount it and then remount it in read-write mode.

umount /dev/sda1
mount -rw /dev/sda1 /mnt/sda1

I then verified the partition was mounted in rw, i.e. read-write, mode by running cat /etc/mtab. I still couldn't copy the dll files from the thumbdrive to the winsxs directory, though. I tried putting a file in c:\, but couldn't either, so figured the problem might be due to Windows not being shut down properly when I couldn't log in after attempting to boot into Vista. I.e., the disk was probably marked as "dirty".

So I then rebooted with a BartPE disc, obtained a command prompt, and then ran chkdsk c: /f to check the file structure on the disk. After running chkdsk, I tried copying the dll files that were deleted from the windows\winsxs directories, that were now on the thumbdrive, back to the directories they were deleted from on the hard disk, but again got "access denied" messages.

So I rebooted the laptop with the SLAX LiveCD again. Since the /dev/sda1 partition was mounted read-only by default, I unmounted it again and then remounted it with mount -rw /dev/sda1 /mnt/sda1. Again I tried copying the files.
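The unmount/remount procedure above, checked the way a rescue-shell user would want: confirm the mount shows "rw" in the mount table, then confirm the directory actually accepts a write, since a dirty NTFS volume or a read-only driver still refuses writes even when the table says rw. This is an added example, not from the original post; the device /dev/sda1 and mount point /mnt/sda1 are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Device and mount point are
# assumptions taken from the write-up above.

# Return 0 if one /etc/mtab (or /proc/mounts) line shows the mount with the
# "rw" option, 1 otherwise. Field 4 is the comma-separated option list.
mtab_line_is_rw() {
    _opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$_opts," in
        *,rw,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Look the mount point up in the mount table and test its options.
mount_is_rw() {
    _tab=/etc/mtab
    [ -r "$_tab" ] || _tab=/proc/mounts
    _line=$(awk -v m="$1" '$2 == m' "$_tab" 2>/dev/null | head -n 1)
    [ -n "$_line" ] && mtab_line_is_rw "$_line"
}

# "rw" in the mount table is not proof: try to create and remove a probe file.
dir_is_writable() {
    _probe="$1/.rw-probe.$$"
    if : > "$_probe" 2>/dev/null; then
        rm -f "$_probe"
        return 0
    fi
    return 1
}

# Unmount, remount read-write, then verify both the table entry and a real write.
remount_rw() {
    _dev="$1"; _mnt="$2"
    umount "$_dev" 2>/dev/null
    mount -o rw "$_dev" "$_mnt" || return 1
    mount_is_rw "$_mnt" || { echo "$_mnt is not listed rw" >&2; return 1; }
    dir_is_writable "$_mnt" || {
        echo "$_mnt listed rw but refuses writes (dirty volume or ro driver?)" >&2
        return 1
    }
}

# Usage from the rescue shell (assumed device and mount point):
# remount_rw /dev/sda1 /mnt/sda1
```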


  1. Ozdok/Mega-D Trojan Analysis
    By: Joe Stewart
    Date: February 11, 2008
  2. Ozdok/Mega-D Trojan Analysis
    Date: February 11, 2008
    Arbor Networks Security
  3. Trojan.Ozdok
    Date: February 15, 2008
    Symantec Corporation
  4. Vista & Windows Side by Side Assemblies
  5. SXS folder in Windows XP
    Tomax7 - Digital Smiles




Created: Tuesday March 10, 2009