
dirote.exe problem

Discussion in 'Security and Privacy' started by smhouston, 2004/05/24.

Thread Status:
Not open for further replies.
  1. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Hello, I've just signed up. My name's Steven.

    I've been trying to fix my dad's computer by updating it with patches from the Microsoft website; however, they downloaded and said they'd installed, but they just show up again the next time I scan for downloads.
    So I thought I'd install Norton SystemWorks, as whenever I opened regedit it closed down after about 10 seconds. I installed it and everything seemed to be OK, but when I tried loading it up, it shut down automatically, which got me very suspicious. So I went into msconfig, and on the Startup tab there's an option called dirote.exe. I know this is a worm now, but which one is it? Is it the Korgo virus? I looked for the registry key in regedit and it is there. But I fear that there might be more than one worm/virus/trojan, as I've already deleted the Sasser worm!!
    I've tried removing the registry key with dirote.exe in the name, like it says you should on symantec.com, but it just puts itself back there after a few seconds.
    I've also tried doing an online virus scan, but the program just crashes.

    Any help would be hugely appreciated!!

    I've just seen another post about this, and the person involved said he went into taskmgr. I can't do this, as I press Ctrl+Alt+Del and taskmgr just crashes.
     
    Last edited: 2004/05/24
  2. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Steven :)

    You've got one of the newest nasties. Try to download HijackThis and post a log. We will try to help you with this.

    Post back or send me a Private Message with your email address if you are unable to get the download, and I will mail you one.
     


  4. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    The HijackThis doesn't download through the website or through email.

    I've also noticed that on the desktop there's a file named ~, and it says the file type is File. It's also in msconfig on the Startup tab and selected to run.
     
  5. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That file shouldn't be a problem. It usually appears after updating the OE address book.

    If you are able to get into the registry, navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete the entries dirote, kolder, ppi. Do the same at HKCU. Reboot and try the d/l and Task Manager again.
     
  6. 2004/05/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Steven - Welcome to the Board :)

    Please follow Posting Rules #3 - Meaningful Subject.
     
  7. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try this and this also. If the second one works, close ALL windows, open it and click fix. Then try the others again.
     
  8. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If none of this works, go to C:\Windows (or WINNT)\System32\Drivers\etc and locate the file named HOSTS. Open it with Notepad. It should look like what is in the quote box. If it doesn't, delete anything else there and save. I am referring to any entries below the 127.0.0.1 localhost line.
    Also check C:\Windows\Help for a HOSTS file. If present, delete it. You will have to be able to see hidden files and folders to find them.
    Then try the downloads again.
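The HOSTS check described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it. A HOSTS file that maps update or antivirus hostnames to the loopback address is the usual reason a download "just fails", so the script parses the file, flags every entry that is not the localhost line, and produces a cleaned copy. The file contents are a constructed sample (the thread never shows the real one); on a real box you would read `C:\Windows\System32\drivers\etc\hosts` into `text` instead.

```python
import ipaddress

# Constructed sample (not the poster's actual file): the stock localhost line
# followed by the kind of entries a worm adds to sinkhole update/AV sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       v4.windowsupdate.microsoft.com
0.0.0.0         housecall.antivirus.com
127.0.0.1       securityresponse.symantec.com
"""

# Names that legitimately map to the loopback address.
ALLOWED_LOOPBACK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from a HOSTS file, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        data = raw.split("#", 1)[0].strip()      # drop trailing/leading comments
        if not data:
            continue
        ip, *names = data.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag every mapping except the localhost line.

    A hostname pinned to 127.0.0.1 or 0.0.0.0 is the 'sinkhole' trick that
    makes update and scanner sites unreachable; any other address silently
    redirects the host somewhere else, which is worth a look too."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "unparsable address"))
            continue
        if addr.is_loopback and name in ALLOWED_LOOPBACK:
            continue                              # the one line that belongs here
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((ip, name, "external host sinkholed to local address"))
        else:
            flagged.append((ip, name, "host redirected to " + ip))
    return flagged


def clean_hosts(text):
    """Return the file with only comments, blank lines and the localhost mapping kept."""
    kept = []
    for raw in text.splitlines():
        data = raw.split("#", 1)[0].strip()
        if not data:
            kept.append(raw)                      # comment or blank line: keep verbatim
            continue
        ip, *names = data.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                              # garbage line: drop it
        if addr.is_loopback and all(n.lower() in ALLOWED_LOOPBACK for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<40} {reason}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

The cleaned output is what the post means by "delete anything else there and save": comments and the `127.0.0.1 localhost` line survive, every other mapping goes. If the file refuses to open at all, as reported later in the thread, that is itself a sign a running process is holding it, and the process list has to be dealt with first.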
     
  9. 2004/05/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    smhouston, Dave, all, hi.

    I take it you have sent HijackThis through email?
    And smhouston is still unable to use it?

    Please, if there is any conversation in PMs or email, fill us in.
     
  10. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Lonny,

    Yes, I emailed it to him and still no luck. I did instruct him to try Save Target also. Unable to download. That is the extent of the PMs.
     
  11. 2004/05/24
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Lately, I've been seeing computers so trashed with worms, viruses and spyware that it is easier and faster to wipe them clean rather than clean them up. smhouston, it sounds like you're going to have to give your dad an education in internet security, and maybe even install some for him. I had to put Norton IS on my mom's computer, and then I locked her and her husband out of there with a password to make it as simple as possible. Even if they tried, they couldn't change the settings I chose for them. LOL :D Sometimes, parents must be dealt with harshly, for they just don't understand the perils of the internet, and will click wherever they are "told". If you don't teach dad the rules, you'll be doing this all over again in two weeks. :eek:

    Johanna :)
     
  12. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    The HijackThis has worked via this website. Here's the log:


    Logfile of HijackThis v1.97.7
    Scan saved at 19:37:02, on 24/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\drivers\svchost.exe
    C:\WINDOWS\System32\wmplayer.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\desktop.exe
    C:\WINDOWS\System32\f0r0r\dirote.exe
    C:\WINDOWS\System32\f0r0r\ppi.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\STEVEN HOUSTON\My Documents\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\mscnfg32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.co.uk/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
    O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37956.5020023148
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8DE6CD91-C999-4618-AA2B-0A3C6C4A07A6}: NameServer = 194.72.9.55 194.74.65.85

    I'll just try the CWShredder.
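A first pass over a log like the one above, as an added example that is not part of the thread and not HijackThis code. It applies the two cues the helpers in this thread use by eye: a well-known system binary running from the wrong directory (`svchost.exe` under `drivers\`, `wmplayer.exe` under `System32`), and autorun entries that point into an odd `System32` subfolder, name a bare filename, launch more than one executable, or live under `RunServices`. The input is a cut-down copy of the posted log plus one constructed benign Adobe entry so the checks have something to leave alone; the expected-location table is a small hand-written one for default XP paths, not a complete whitelist.

```python
import ntpath
import re

# Cut-down copy of the posted HJT log. The final "Adobe Reader" entry is
# constructed (not in the real log) to show a path the checks accept.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\WINDOWS\System32\wmplayer.exe
C:\WINDOWS\System32\f0r0r\dirote.exe
C:\WINDOWS\System32\f0r0r\ppi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mscnfg32.exe

O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
O4 - HKLM\..\Run: [Adobe Reader] "C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe"
"""

SYSTEM32 = r"c:\windows\system32"
# Subfolders of System32 that legitimately hold executables on XP.
KNOWN_SYSTEM32_SUBDIRS = {"drivers", "wbem", "spool", "dllcache"}
# Where these well-known binaries live on a default XP install (hand-written, not exhaustive).
EXPECTED_DIRS = {
    "smss.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "wmplayer.exe": r"c:\program files\windows media player",
}
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


def check_path(path):
    """Return a reason string if an executable path looks out of place, else None."""
    low = path.strip('"').lower()
    directory, name = ntpath.split(low)
    expected = EXPECTED_DIRS.get(name)
    if expected and directory != expected:
        return f"{name} normally lives in {expected}, found in {directory}"
    if directory.startswith(SYSTEM32 + "\\"):
        sub = directory[len(SYSTEM32) + 1:].split("\\")[0]
        if sub not in KNOWN_SYSTEM32_SUBDIRS:
            return f"executable in unusual System32 subfolder '{sub}'"
    return None


def split_command(cmd):
    """Split an O4 command line into its .exe references (quoted or bare)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmd)]
    return [t for t in tokens if t.lower().endswith(".exe")]


def triage(log):
    """Walk a HijackThis log; return (line, reason) pairs worth a closer look."""
    findings = []
    section = None
    for line in log.splitlines():
        line = line.strip()
        if not line:
            section = None                        # a blank line ends the section
            continue
        if line.endswith(":") and " - " not in line:
            section = line[:-1].lower()           # e.g. "Running processes:"
            continue
        if section == "running processes" and ":\\" in line:
            reason = check_path(line)
            if reason:
                findings.append((line, reason))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        _hive, key, _label, cmd = m.groups()
        exes = split_command(cmd)
        if key.lower() == "runservices":
            findings.append((line, "RunServices is only processed by Windows 9x/ME; "
                                   "on XP it is a common worm persistence key"))
        if len(exes) > 1:
            findings.append((line, f"one autorun entry launches {len(exes)} executables"))
        for exe in exes:
            if "\\" not in exe:
                findings.append((line, f"bare filename {exe!r}: resolved by PATH search at logon"))
            else:
                reason = check_path(exe)
                if reason:
                    findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Nothing here names the malware; it only ranks lines for a human to act on, which is exactly what the later "place a check next to each of the following entries" post does by hand. A bare filename such as `mscnfg32.exe` is not proof of anything on its own, but combined with the same name appearing under both `Run` and `RunServices` it is the kind of entry that deserves a look in the running-process list.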
     
  13. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0

    Just tried this, but the hosts file in the drivers/etc folder won't open with Notepad or WordPad.
     
  14. 2004/05/24
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    smhouston,
    Might as well start by reading this thread.

    Johanna
     
  15. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan with HJT again. Place a check next to each of the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...fo/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Microsoft Config 32bit] mscnfg32.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
    O4 - HKLM\..\RunServices: [Microsoft Config 32bit] mscnfg32.exe


    Reboot. Open Task manager and verify that none of these executables are running. End process on any that are.

    wmplayer.exe
    dirote.exe
    desktop.exe
    mscnfg32.exe
    ppi.exe

    Make sure you can see hidden files and folders, and in C:\Windows\System32 delete the folder f0r0r and the files wmplayer.exe, desktop.exe, mscnfg32.exe if there. Scan with RAV and Housecall. Make sure to check the autoclean box. Post back with results.
     
  16. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    I did search for that thread before I posted in this forum. I can't press Ctrl+Alt+Del because it just crashes every time.
    I've tried going into the registry to delete the key, but it keeps putting it back in, so that's a no-no.
    I've managed to download Process Explorer, and managed to find the f0r0r folder in cmd.exe and see the files. Here's what both of them show:

    Process Explorer
    Process PID CPU Description Company Name
    System Idle Process 0
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4 1
    smss.exe 424 Windows NT Session Manager Microsoft Corporation
    csrss.exe 480 6 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
    services.exe 548 4 Services and Controller app Microsoft Corporation
    svchost.exe 724 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 748 6 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 832 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 848 1 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1004 Spooler SubSystem App Microsoft Corporation
    SAgent2.exe 1108 EPSON Printer Status Agent SEIKO EPSON CORPORATION
    wanmpsvc.exe 1280 1 Wan Miniport (ATW) Service America Online, Inc.
    svchost.exe 1304
    wmplayer.exe 1340 43
    lsass.exe 560 LSA Shell (Export Version) Microsoft Corporation
    cmd.exe 3900 Windows Command Processor Microsoft Corporation
    31116_upload.exe 3064
    cmd.exe 3464 1
    explorer.exe 1904 Windows Explorer Microsoft Corporation
    mscnfg32.exe 2036
    lsasss.exe 2044
    lsasss.exe 2844
    lsasss.exe 3152
    lsasss.exe 3452 1
    lsasss.exe 3524
    lsasss.exe 3916 7
    lsasss.exe 3776
    lsasss.exe 3816
    lsasss.exe 3648
    lsasss.exe 3512 10
    lsasss.exe 3672
    lsasss.exe 3488 6
    IEXPLORE.EXE 2696 Internet Explorer Microsoft Corporation
    procexp.exe 2376 10 Sysinternals Process Explorer Sysinternals
    dirote.exe 196
    ppi.exe 2264

    Process: Procexp Pid: -2

    Type Name
     
  17. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good move there Steven! It isn't showing in the HJT log, but that machine also has the Sasser virus: lsasss.exe. Notice the 3 s's after the a. The legit process has only 2. Try downloading and running the removal tool I linked to in this thread.
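The lookalike-name check from the post above, as an added example that is not part of the thread and not Sysinternals code. It reads a Process Explorer style listing (a cut-down copy of the one posted, plus one constructed `scvhost.exe` line that is not in the real listing), compares every unknown process name against a short hand-written set of core Windows process names using an edit distance that also counts a swap of two adjacent letters as one edit, and reports names that are one edit away from a real one (`lsasss.exe` next to `lsass.exe`, `scvhost.exe` next to `svchost.exe`). A second check counts processes that should only ever run once on a single-session XP machine.

```python
from collections import Counter

# Cut-down copy of the posted Process Explorer listing. The "scvhost.exe"
# line is constructed (not in the real listing) to show a swapped-letter case.
SAMPLE_LISTING = """\
Process PID CPU Description Company Name
System 4 1
smss.exe 424 Windows NT Session Manager Microsoft Corporation
csrss.exe 480 6 Client Server Runtime Process Microsoft Corporation
winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
services.exe 548 4 Services and Controller app Microsoft Corporation
svchost.exe 724 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 560 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1904 Windows Explorer Microsoft Corporation
mscnfg32.exe 2036
lsasss.exe 2044
lsasss.exe 2844
lsasss.exe 3152
scvhost.exe 3999
procexp.exe 2376 10 Sysinternals Process Explorer Sysinternals
dirote.exe 196
ppi.exe 2264
"""

# Core NT process names a worm is likely to imitate (hand-written, not exhaustive).
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# On a single-session XP box these run exactly once.
SINGLE_INSTANCE = {"smss.exe", "services.exe", "lsass.exe"}


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[-1][-1]


def parse_listing(text):
    """Return (name, pid) pairs from lines shaped like 'name.exe PID ...'."""
    procs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].lower().endswith(".exe") and tokens[1].isdigit():
            procs.append((tokens[0].lower(), int(tokens[1])))
    return procs


def find_lookalikes(text, max_distance=1):
    """Return (name, pid, nearest_real_name) for names one edit away from a core process."""
    findings = []
    for name, pid in parse_listing(text):
        if name in KNOWN_SYSTEM:
            continue
        nearest = min(KNOWN_SYSTEM, key=lambda known: edit_distance(name, known))
        if edit_distance(name, nearest) <= max_distance:
            findings.append((name, pid, nearest))
    return findings


def extra_instances(text):
    """Return {name: count} for single-instance system processes that appear more than once."""
    counts = Counter(name for name, _ in parse_listing(text))
    return {n: c for n, c in counts.items() if n in SINGLE_INSTANCE and c > 1}


if __name__ == "__main__":
    for name, pid, real in find_lookalikes(SAMPLE_LISTING):
        print(f"PID {pid:>5}: {name} looks like {real}")
    for name, count in extra_instances(SAMPLE_LISTING).items():
        print(f"{name} running {count} times; expected 1")
```

The empty Description and Company Name columns for the suspect rows in the posted listing are a second cue that this script ignores; a real triage would weigh both.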
     
  18. 2004/05/24
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    smhouston,
    didn't mean to sound short with you, but thought you would be interested in reading that discussion, if you hadn't already. Do everything Dave (Noahdfear) said to do, if you want to keep the system. Personally, I'd hope Dad's backups were up to date and I'd just wipe it and start fresh. IMHO, I don't think it's worth trying to clean.

    That is a mess. There is not just one, but at least two major problems, (Sasser and the "dirote" Newbie that doesn't seem to have a name, or a removal tool available, yet,) and probably more. Looking at the HijackThis log, I didn't see any firewall or AV protection. Did I just miss it?

    Johanna
     
  19. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Yeah, I know I've got the Sasser virus. I've already got the removal tool on a floppy disk, as I've had to delete it several times. It just keeps coming back on though, and due to me not being able to install Microsoft updates, I can't do anything about it.

    I've tried your other idea of using HJT to fix it, but it didn't work. I rebooted the PC and the virus was still running. Also, I noticed that the entry
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe was missing.
     
  20. 2004/05/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Use Process Explorer to kill them, then try to delete the file/folder.

    BTW, Johanna's format suggestion does have merit. But I will do my best to help you rid the machine of these first if that's what you want to do. Be back in a few hours.
     
  21. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    I didn't see you being harsh with me, but as I said, I'd already read it anyway.

    Yup, you're right that there's no AV or firewall protection on his PC, as well as not keeping up to date with any of the Microsoft patches. He didn't have any one of the patches, so it kind of serves him right.

    I've got Norton SystemWorks, which I'm going to put onto his when it's working properly, then at least he's got some protection. He can't exactly blame me though, as I've had my PC for many years and I've only had one virus before, and that was when I first bought it / was very inexperienced with PCs.

    As for his backups, he never made backups with System Restore. He's got an eMachines PC, so I'm not sure how easy it will be to restore the PC to its original state, as they don't provide the proper OS CD, which I think is stupid.
     