RE: DomainService, fotomoto, vundo: Still Infected?

---

• From: AreWeThereYet <AreWeThereYet@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Fri, 23 Nov 2007 17:06:01 -0800

---

Suspect Registry Keys
(Simply Exported these, but deleted excessive HEX-data...)

------------------

Key Name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 4:21 PM
Value 0
Name: View
Type: REG_BINARY


Value 1
Name: FindFlags
Type: REG_DWORD
Data: 0xe

Value 2
Name: LastKey
Type: REG_SZ
Data: My

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE


Key Name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites
Class Name: <NO CLASS>
Last Write Time: 11/14/2007 - 10:29 PM


---------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


---------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY

Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY



---------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


-------------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY


Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DomainService\Enum
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_DOMAINSERVICE\0000

Value 1
Name: Count
Type: REG_DWORD
Data: 0x1

Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1


------------


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: NextInstance
Type: REG_DWORD
Data: 0x1


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE\0000
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 3:55 AM
Value 0
Name: Service
Type: REG_SZ
Data: DomainService

Value 1
Name: Legacy
Type: REG_DWORD
Data: 0x1

Value 2
Name: ConfigFlags
Type: REG_DWORD
Data: 0x0

Value 3
Name: Class
Type: REG_SZ
Data: LegacyDriver

Value 4
Name: ClassGUID
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}

Value 5
Name: DeviceDesc
Type: REG_SZ
Data: DomainService


-----------------


Key Name:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: Type
Type: REG_DWORD
Data: 0x10

Value 1
Name: Start
Type: REG_DWORD
Data: 0x4

Value 2
Name: ErrorControl
Type: REG_DWORD
Data: 0x0

Value 3
Name: ImagePath
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\bsqeyobl.exe /service

Value 4
Name: DisplayName
Type: REG_SZ
Data: DomainService

Value 5
Name: ObjectName
Type: REG_SZ
Data: LocalSystem

Value 6
Name: FailureActions
Type: REG_BINARY

Value 7
Name: Description
Type: REG_SZ
Data: DomainService


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Security
Class Name: <NO CLASS>
Last Write Time: 11/19/2007 - 12:14 AM
Value 0
Name: Security
Type: REG_BINARY


Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DomainService\Enum
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 5:07 PM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_DOMAINSERVICE\0000

Value 1
Name: Count
Type: REG_DWORD
Data: 0x1

Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1



-------------


Key Name:

HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\Cur

rentVersion\Applets\Regedit
Class Name: <NO CLASS>
Last Write Time: 11/23/2007 - 4:21 PM
Value 0
Name: View
Type: REG_BINARY


Value 1
Name: FindFlags
Type: REG_DWORD
Data: 0xe

Value 2
Name: LastKey
Type: REG_SZ
Data: My

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DOMAINSERVICE


Key Name:

HKEY_USERS\S-1-5-21-1547161642-2049760794-725345543-1007\Software\Microsoft\Windows\Cur

rentVersion\Applets\Regedit\Favorites
Class Name: <NO CLASS>
Last Write Time: 11/14/2007 - 10:29 PM


.

---

• Prev by Date: Re: SAM cracking
• Next by Date: Re: DVD Burner over Remote Desktop
• Previous by thread: Re: Reinstalling XP in a Compaq Laptop
• Next by thread: Re: DomainService, fotomoto, vundo: Still Infected?
• Index(es):
  • Date
  • Thread

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windowsxp.security_admin  > 2007-11