Windows Forum / Windows XP / Security and Administration / November 2007

DomainService, fotomoto, vundo: Still Infected?

AreWeThereYet - 24 Nov 2007 01:01 GMT
System:
- Intel 32-bit x86
- Win-XP-Pro SP2 (all updates)

Security Software (before):
- Windows Defender (up to date, daily scans, real-time protection)
- Norton 2006 AV (up to date, daily scans, real-time protection)

Security Software (current):
- Bitdefender Total Security 2008 (full-trial)
- Webroot SpySweeper (full-trial)

Primary Threats:
- Trojan.Vundo / Virtumundo
- Trojan.WinFixer
- Trojan.Fotomoto.E, Trojan.Fotomoto.F

I'll add the "full saga" in a further post so you can read or ignore it at
your leisure.

SUMMARY:
In spite of my best efforts, I believe there is some trace of
Trojan.Fotomoto.?? and/or Trojan.Vundo.?? remaining in my system.

Furthermore, in "Ctl.Panel - Admin-Tools - Services" there is an item
"DomainService" which I've changed from "Auto" to "Disabled".

A search of the registry reveals these "DomainService" keys (posted below).

QUESTION:
Is there a VALID "DomainService" or can I safely clickity-delete these keys?
How do I permanently evict this virus from my system for good?
How do I know when I've succeeded?

Much Thanks to anyone who can help!
I've invested DAYS into fixing this already... :-(
AreWeThereYet - 24 Nov 2007 01:06 GMT
Suspect Registry Keys
(Simply exported these, but deleted excessive HEX data...)

------------------

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 4:21 PM
Value 0
 Name:            View
 Type:            REG_BINARY

Value 1
 Name:            FindFlags
 Type:            REG_DWORD
 Data:            0xe

Value 2
 Name:            LastKey
 Type:            REG_SZ
 Data:            My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
Class Name:        <NO CLASS>
Last Write Time:   11/14/2007 - 10:29 PM

---------

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            NextInstance
 Type:            REG_DWORD
 Data:            0x1

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 3:55 AM
Value 0
 Name:            Service
 Type:            REG_SZ
 Data:            DomainService

Value 1
 Name:            Legacy
 Type:            REG_DWORD
 Data:            0x1

Value 2
 Name:            ConfigFlags
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            Class
 Type:            REG_SZ
 Data:            LegacyDriver

Value 4
 Name:            ClassGUID
 Type:            REG_SZ
 Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
 Name:            DeviceDesc
 Type:            REG_SZ
 Data:            DomainService

---------

Key Name:          
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 5:07 PM
Value 0
 Name:            Type
 Type:            REG_DWORD
 Data:            0x10

Value 1
 Name:            Start
 Type:            REG_DWORD
 Data:            0x4

Value 2
 Name:            ErrorControl
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            ImagePath
 Type:            REG_EXPAND_SZ
 Data:            C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
 Name:            DisplayName
 Type:            REG_SZ
 Data:            DomainService

Value 5
 Name:            ObjectName
 Type:            REG_SZ
 Data:            LocalSystem

Value 6
 Name:            FailureActions
 Type:            REG_BINARY

Value 7
 Name:            Description
 Type:            REG_SZ
 Data:            DomainService

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService\Security
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            Security
 Type:            REG_BINARY

---------

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            NextInstance
 Type:            REG_DWORD
 Data:            0x1

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 3:55 AM
Value 0
 Name:            Service
 Type:            REG_SZ
 Data:            DomainService

Value 1
 Name:            Legacy
 Type:            REG_DWORD
 Data:            0x1

Value 2
 Name:            ConfigFlags
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            Class
 Type:            REG_SZ
 Data:            LegacyDriver

Value 4
 Name:            ClassGUID
 Type:            REG_SZ
 Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
 Name:            DeviceDesc
 Type:            REG_SZ
 Data:            DomainService

-------------

Key Name:          
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 5:07 PM
Value 0
 Name:            Type
 Type:            REG_DWORD
 Data:            0x10

Value 1
 Name:            Start
 Type:            REG_DWORD
 Data:            0x4

Value 2
 Name:            ErrorControl
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            ImagePath
 Type:            REG_EXPAND_SZ
 Data:            C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
 Name:            DisplayName
 Type:            REG_SZ
 Data:            DomainService

Value 5
 Name:            ObjectName
 Type:            REG_SZ
 Data:            LocalSystem

Value 6
 Name:            FailureActions
 Type:            REG_BINARY

Value 7
 Name:            Description
 Type:            REG_SZ
 Data:            DomainService

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Security
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            Security
 Type:            REG_BINARY

Key Name:          
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Enum
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 5:07 PM
Value 0
 Name:            0
 Type:            REG_SZ
 Data:            Root\LEGACY_DOMAINSERVICE\0000

Value 1
 Name:            Count
 Type:            REG_DWORD
 Data:            0x1

Value 2
 Name:            NextInstance
 Type:            REG_DWORD
 Data:            0x1

------------

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            NextInstance
 Type:            REG_DWORD
 Data:            0x1

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 3:55 AM
Value 0
 Name:            Service
 Type:            REG_SZ
 Data:            DomainService

Value 1
 Name:            Legacy
 Type:            REG_DWORD
 Data:            0x1

Value 2
 Name:            ConfigFlags
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            Class
 Type:            REG_SZ
 Data:            LegacyDriver

Value 4
 Name:            ClassGUID
 Type:            REG_SZ
 Data:            {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
 Name:            DeviceDesc
 Type:            REG_SZ
 Data:            DomainService

-----------------

Key Name:          
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 5:07 PM
Value 0
 Name:            Type
 Type:            REG_DWORD
 Data:            0x10

Value 1
 Name:            Start
 Type:            REG_DWORD
 Data:            0x4

Value 2
 Name:            ErrorControl
 Type:            REG_DWORD
 Data:            0x0

Value 3
 Name:            ImagePath
 Type:            REG_EXPAND_SZ
 Data:            C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
 Name:            DisplayName
 Type:            REG_SZ
 Data:            DomainService

Value 5
 Name:            ObjectName
 Type:            REG_SZ
 Data:            LocalSystem

Value 6
 Name:            FailureActions
 Type:            REG_BINARY

Value 7
 Name:            Description
 Type:            REG_SZ
 Data:            DomainService

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Security
Class Name:        <NO CLASS>
Last Write Time:   11/19/2007 - 12:14 AM
Value 0
 Name:            Security
 Type:            REG_BINARY

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Enum
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 5:07 PM
Value 0
 Name:            0
 Type:            REG_SZ
 Data:            Root\LEGACY_DOMAINSERVICE\0000

Value 1
 Name:            Count
 Type:            REG_DWORD
 Data:            0x1

Value 2
 Name:            NextInstance
 Type:            REG_DWORD
 Data:            0x1

-------------

Key Name:          HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Class Name:        <NO CLASS>
Last Write Time:   11/23/2007 - 4:21 PM
Value 0
 Name:            View
 Type:            REG_BINARY

Value 1
 Name:            FindFlags
 Type:            REG_DWORD
 Data:            0xe

Value 2
 Name:            LastKey
 Type:            REG_SZ
 Data:            My Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE

Key Name:          HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
Class Name:        <NO CLASS>
Last Write Time:   11/14/2007 - 10:29 PM
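One way to triage an export like the one above, added here as an example that is not part of the thread or of any tool the replies link to: the script parses regedit's "Save as text" layout into key/value maps, merges each Services\<name> entry across ControlSet002, ControlSet003 and CurrentControlSet, and scores it with three heuristics chosen for this example (assumptions, not established rules): DisplayName and Description identical to the internal service name, a hard-coded drive-letter path into system32 instead of %SystemRoot%, and an eight-plus-letter, vowel-poor executable name. The sample input is constructed from the DomainService values posted above together with a constructed Print Spooler entry for comparison. Two or more signals mark an entry for closer inspection, which is as far as a registry listing on its own can take you.

```python
import re

# Constructed sample in regedit's "Save as text" layout. The DomainService
# blocks mirror the values posted in the thread (binary data omitted, as the
# poster did); the Spooler block is a constructed benign entry for comparison.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService
Value 3
  Name:            ImagePath
  Type:            REG_EXPAND_SZ
  Data:            C:\WINDOWS\system32\bsqeyobl.exe /service
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService
Value 3
  Name:            ImagePath
  Type:            REG_EXPAND_SZ
  Data:            C:\WINDOWS\system32\bsqeyobl.exe /service
Value 4
  Name:            DisplayName
  Type:            REG_SZ
  Data:            DomainService
Value 5
  Name:            ObjectName
  Type:            REG_SZ
  Data:            LocalSystem
Value 7
  Name:            Description
  Type:            REG_SZ
  Data:            DomainService
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
Value 0
  Name:            ImagePath
  Type:            REG_EXPAND_SZ
  Data:            %SystemRoot%\system32\spoolsv.exe
Value 1
  Name:            DisplayName
  Type:            REG_SZ
  Data:            Print Spooler
"""

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$",
    re.IGNORECASE,
)
VOWELS = set("aeiou")


def parse_regedit_text(text: str) -> dict:
    """Map key path -> {value name: data}; values with no Data line (trimmed REG_BINARY) are absent."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            current = line[len("Key Name:"):].strip()
            keys.setdefault(current, {})
            pending = None
        elif current is None:
            continue
        elif line.startswith("Name:"):          # "Class Name:" does not match this
            pending = line[len("Name:"):].strip()
        elif line.startswith("Data:") and pending is not None:
            keys[current][pending] = line[len("Data:"):].strip()
            pending = None
    return keys


def unreadable_stem(image_path: str) -> bool:
    """Heuristic assumed for this example: an all-letter, 8+ character, vowel-poor
    file name such as 'bsqeyobl' reads as machine-generated; short system names
    like svchost or spoolsv fall under the length cut-off."""
    s = image_path.strip()
    exe = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]
    stem = exe.rsplit("\\", 1)[-1].lower()
    stem = stem[:-4] if stem.endswith(".exe") else stem
    return stem.isalpha() and len(stem) >= 8 and sum(c in VOWELS for c in stem) < 3


def triage_services(keys: dict) -> dict:
    """Merge each Services\\<name> key across control sets and score it; two or
    more signals mark it for closer inspection, not as a verdict."""
    merged = {}
    for path, values in keys.items():
        m = SERVICE_KEY.match(path)
        if m:
            e = merged.setdefault(m.group(2), {"control_sets": set(), "values": {}})
            e["control_sets"].add(m.group(1))
            e["values"].update(values)
    report = {}
    for name, e in merged.items():
        v, image = e["values"], e["values"].get("ImagePath", "")
        signals = []
        if v.get("DisplayName") == name and v.get("Description") == name:
            signals.append("metadata_reuse")          # no human-written description
        if re.match(r"^[a-z]:\\.*\\system32\\", image, re.I):
            signals.append("literal_system32_path")   # drive-letter path into system32
        if unreadable_stem(image):
            signals.append("unreadable_stem")
        report[name] = {
            "control_sets": sorted(e["control_sets"]),
            "runs_as_localsystem": v.get("ObjectName", "").lower() == "localsystem",
            "signals": signals,
            "suspicious": len(signals) >= 2,
        }
    return report


if __name__ == "__main__":
    for name, r in triage_services(parse_regedit_text(SAMPLE_EXPORT)).items():
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r["signals"], r["control_sets"])
```

Run it against a real export by reading the .txt file into parse_regedit_text instead of SAMPLE_EXPORT. Name-based heuristics will misfire on some legitimate third-party services, so treat a hit as a reason to check the file's publisher and signature, not as a removal decision.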
Malke - 24 Nov 2007 02:51 GMT
> System:
> - Intel 32-bit x86
[quoted text clipped - 12 lines]
> - Trojan.WinFixer
> - Trojan.Fotomoto.E, Trojan.Fotomoto.F

(snippage)

Recent variants of Vundo are extremely difficult to remove. Register at
one of the following specialty forums, read the posting FAQ, and post
your HijackThis log there (not here please) for guided help.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html

Malke

Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Niniel - 24 Nov 2007 17:18 GMT
Whatever you do, do not boot from HD when you try to clean up these things!
Boot from a CD so the malware doesn't get loaded into memory.

You may also need to get used to the idea of nuking your installation and
starting from scratch with a clean install.
AreWeThereYet - 25 Nov 2007 03:23 GMT
Hmm... I don't have any CD to boot from. My OEM CD only gives the nuke
option... If I BUY Bitdefender, I think it will give me some kind of recovery
CD at least.

Was thinking about that nuke thing, but I've done it several times this
year, before I figured out I had a bad RAID card... It's easily a 20 hour
process just to reinstall and update everything! TRYING to avoid that, if I
can... :-/

> Whatever you do, do not boot from HD when you try to clean up these things!
> Boot from a CD so the malware doesn't get loaded into memory.
>
> You may also need to get used to the idea of nuking your installation and
> starting from scratch with a clean install.
AreWeThereYet - 25 Nov 2007 03:18 GMT
Thanks, I'll give this a try tonight/tomorrow!

> > System:
> > - Intel 32-bit x86
[quoted text clipped - 34 lines]
>
> Malke
PA Bear, MS MVP - 28 Nov 2007 23:39 GMT
cf. http://aumha.net/viewtopic.php?t=30282 

~Robear Dyer (PA Bear); posting via web-interface
MS MVP-Windows (IE/OE, Security, Shell/User)
AH VSOP & Admin; DTSL-ORG

> Thanks, I'll give this a try tonight/tomorrow!
>
[quoted text clipped - 36 lines]
> >
> > Malke
 