
A350XWB
Snowy Owl


Joined: 5 Dec 2007
Age: 35
Gender: Male
Posts: 174

20 Dec 2008, 6:33 pm

I was told that, to remove Backdoor.Tidserv!inf (a backdoor-class virus), I had to remove an infected version of %System%\advapi32.dll.

[Image]

Now, which one is the infected file?


_________________
My favorite emoticon :D


ToadOfSteel
Veteran


Joined: 23 Sep 2007
Age: 36
Gender: Male
Posts: 6,157
Location: New Jersey

20 Dec 2008, 7:40 pm

Did you install an OS on that machine on April 4, 2008? If so, then I would say the first one...

If that's a machine you bought, then if you received it after April 4, 2008, my money would still be on the first one...



Moop
Velociraptor


Joined: 3 Dec 2008
Age: 33
Gender: Male
Posts: 466
Location: Right here! Ya! Right behind the monitor's glass! Get me out of here!

20 Dec 2008, 8:37 pm

%System% is usually the /windows/system32 folder. So I'd go for the second.



Dokken
Veteran


Joined: 11 Oct 2007
Age: 45
Gender: Male
Posts: 998
Location: DeeSee/Merryland Area

21 Dec 2008, 12:42 am

Wow, Windows actually comes in different languages. I never knew that. What language is it? French?

My guess is the second one is the problem.


_________________
I hereby accuse the North American empire of being the biggest menace to our planet.


Buddha_Beast
Butterfly


Joined: 15 Jun 2008
Age: 49
Gender: Male
Posts: 11
Location: West Watch-A-Ka-Tella

21 Dec 2008, 3:13 am

It's the second one. The first is the original advapi32.dll that came with your XP install (or when you moved to SP1). When you upgrade to SP2 (unless you uncheck the "backup original files" box), it automatically makes a copy of the DLLs that are being changed and places them in $NtServicePackUninstall$. This library will not be called unless you uninstall SP2 (thus restoring the original file). The other one (\ServicePackFiles\i386) is just the place where the SP2 .msi was decompressed to before installation. It will also not be called.

Do not just replace the advapi32.dll with the one on your XP CD, since that is the one from XP SP1 or earlier. You can either uninstall SP2 and then reinstall it, or grab the file from another SP2 machine you know isn't infected. It's also possible that the virus didn't infect the one from the install package in \ServicePackFiles\i386. You can check whether it's different from the one in System32 (and therefore uninfected) using BeyondCompare or a similar file comparison tool.

BTW, the date on the file means nothing. It's set in the file's manifest and can easily be changed to whatever the virus writer wants (usually to match the date of the original file to hide the change). You can change the dates yourself with a hex editor or with a free tool like Segobit File Properties Changer.
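The comparison suggested above, done by content hash rather than by file date, as an added example that is not part of the thread. The three paths are the default XP layout the posts describe (assumed, adjust to your %SystemRoot%); `demo()` builds constructed stand-in files in a temp directory so the logic can be exercised offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Copies of advapi32.dll discussed in the thread (assumed default XP layout).
# The $NtServicePackUninstall$ copy is the pre-SP2 file, so it is expected to differ;
# the meaningful check is the loaded system32 copy against the SP2 package copy.
LOADED = r"C:\WINDOWS\system32\advapi32.dll"
REFERENCE = r"C:\WINDOWS\ServicePackFiles\i386\advapi32.dll"
PRE_SP2 = r"C:\WINDOWS\$NtServicePackUninstall$\advapi32.dll"

def sha256_of(path):
    """Hash the file in chunks; timestamps are ignored entirely, only bytes count."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def group_by_content(paths):
    """Map each digest to the existing paths sharing it; missing paths are skipped."""
    groups = {}
    for p in map(Path, paths):
        if p.is_file():
            groups.setdefault(sha256_of(p), []).append(str(p))
    return groups

def report(groups):
    """One group means every present copy is byte-identical; more than one means the
    copies differ and the one standing alone deserves a closer look."""
    if len(groups) <= 1:
        return "all present copies are identical"
    lines = [f"{d[:16]}...  {', '.join(ps)}" for d, ps in groups.items()]
    return "copies differ:\n" + "\n".join(lines)

def demo():
    """Constructed sample (not real DLLs): the system32 copy is altered, the other two match."""
    root = Path(tempfile.mkdtemp())
    original = b"MZ" + b"\x00" * 62 + b"constructed stand-in for advapi32.dll"
    altered = original + b"\x90\x90"  # simulated modification of the loaded copy
    layout = {
        "system32/advapi32.dll": altered,
        "ServicePackFiles/i386/advapi32.dll": original,
        "$NtServicePackUninstall$/advapi32.dll": original,
    }
    for rel, data in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return group_by_content([root / rel for rel in layout])

if __name__ == "__main__":
    print(report(group_by_content([LOADED, REFERENCE, PRE_SP2])))
```

As the poster notes, an identical pair only shows the package copy was not changed along with the loaded one; a reference taken from a clean SP2 machine is the safer baseline.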