DomainService, fotomoto, vundo: Still Infected?

  • Thread starter Thread starter AreWeThereYet
  • Start date Start date
A

AreWeThereYet

System:
- Intel 32-bit x86
- Win-XP-Pro SP2 (all updates)

Security Software (before):
- Windows Defender (up to date, daily scans, real-time protection)
- Norton 2006 AV (up to date, daily scans, real-time protection)

Security Software (current):
- Bitdefender Total Security 2008 (full-trial)
- Webroot SpySweeper (full-trial)

Primary Threats:
- Trojan.Vundo / Virtumundo
- Trojan.WinFixer
- Trojan.Fotomoto.E, Trojan.Fotomoto.F



I'll add the "full saga" in a further post so you can read or ignore it at
your leisure.

SUMMARY:
Inspite of my best efforts, I belive there is some trace of
Trojan.Fotomoto.?? and/or Trojan.Vundo.?? remaining in my system.

Furthermore, in "Ctl.Panel - Admin-Tools - Services" there is an item
"DomainService" which i've changed from "Auto" to "Disabled".

A search of the registry revieals these "DomainService" keys (posted below).


QUESTION:
Is there a VALID "DomainService" or can I safely clickity-delete these keys?
How do I permanately evict this virus from my system for good?
How do I know when I've succeeded?


Much Thanks to anyone who can help!
I've invested DAYS into fixing this already... :-(
 
Suspect Registry Keys
(Simply Exported these, but deleted excessive HEX-data...)

------------------

Key Name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 4:21 PM
Value 0
Name: View
Type: REG_BINARY


Value 1
Name: FindFlags
Type: REG_DWORD
Data: 0xe

Value 2
Name: LastKey
Type: REG_SZ
Data: My

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE


Key Name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
Class Name: <NO CLASS>
Last Write Time: 11/14/2007 - 10:29 PM


---------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


---------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY

Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY



---------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


-------------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY


Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Enum
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_DOMAINSERVICE\0000

Value 1
Name: Count
Type: REG_DWORD
Data: 0x1

Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1


------------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


-----------------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY

Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Enum
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_DOMAINSERVICE\0000

Value 1
Name: Count
Type: REG_DWORD
Data: 0x1

Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1



-------------


Key Name:

HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\Cur

rentVersion\Applets\Regedit
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 4:21 PM
Value 0
Name: View
Type: REG_BINARY


Value 1
Name: FindFlags
Type: REG_DWORD
Data: 0xe

Value 2
Name: LastKey
Type: REG_SZ
Data: My

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE


Key Name:

HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\Cur

rentVersion\Applets\Regedit\Favorites
Class Name: <NO CLASS>
Last Write Time: 11/14/2007 - 10:29 PM
 
AreWeThereYet said:
System:
- Intel 32-bit x86
- Win-XP-Pro SP2 (all updates)

Security Software (before):
- Windows Defender (up to date, daily scans, real-time protection)
- Norton 2006 AV (up to date, daily scans, real-time protection)

Security Software (current):
- Bitdefender Total Security 2008 (full-trial)
- Webroot SpySweeper (full-trial)

Primary Threats:
- Trojan.Vundo / Virtumundo
- Trojan.WinFixer
- Trojan.Fotomoto.E, Trojan.Fotomoto.F
Click to expand...

(snippage)

Recent variants of Vundo are extremely difficult to remove. Register at
one of the following specialty forums, read the posting FAQ, and post
your HijackThis log there (not here please) for guided help.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html


Malke
 
Whatever you do, do not boot from HD when you try to clean up these things!
Boot from a CD so the malware doesn't get loaded into memory.

You may also need to get used to the idea of nuking your installation and
starting from scratch with a clean install.
 
Thanks, I'll give this a try tonight/tomorrow!

Malke said:
(snippage)

Recent variants of Vundo are extremely difficult to remove. Register at
one of the following specialty forums, read the posting FAQ, and post
your HijackThis log there (not here please) for guided help.

http://aumha.org/downloads/hijackthis.zip
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/ - Click on the HijackThis forum. Read the announcement
and the stickies *first*.
http://www.atribune.org/forums/index.php?showforum=9
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
Click to expand...
 
Hmm... I don't have any CD to boot from. My OEM cd only gives the nuke
option... If I BUY Bitdefender, I think it will give me somekind of recovery
CD at least.

Was thinking about that nuke thing, but I've done it several times this
year, before I figured out I had a bad RAID card... It's easily a 20 hour
process just to reinstall and update everything! TRYING to avoid that, if I
can... :-/
 
Back
Top