
dirote.exe problem

Discussion in 'Security and Privacy' started by smhouston, 2004/05/24.

Thread Status:
Not open for further replies.
  1. 2004/05/24
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Yes, I would prefer you to try to help me get rid of the virus(es) before I basically resort to the last option, wiping it all.

    I've come off my dad's PC now anyway as it was annoying me, so I'll try using the process kill tomorrow.
     
  2. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Morning (well, for me it's morning).
    Couldn't sleep, so thought I'd start on the PC. I've managed to kill the processes all right and delete them from the registry; just rebooting now.

    Right, noticed I forgot to put in the results for the f0r0r file from cmd.exe. Here they are:
    .
    ..
    170 124578.reg
    27,136 calcu.exe
    75,344 demo.xt
    25,088 dir32.exe
    566,784 dirote.exe
    0 dordo.sys
    36,192 dorod.exe
    544 dorod.ini
    791 ichan.bat
    37,376 klyte.exe
    17,408 kolder.exe
    logs
    35,364 niamx
    159,232 ppi.exe
    2,633 redroses
    52 romto
    sounds
    3,568 van32.exe
    43,520 wexp.exe

    total size - 1,031,202 bytes

    I've tried killing the processes, then deleting from the registry. The dirote.exe worked, but there's still wmplayer.exe and mscnfg32.exe, which won't stay deleted.
    BTW, should I have System Restore disabled?
     
    Last edited: 2004/05/25


  4. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  5. 2004/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Little prog here for you: Move-on-Boot. After installing, you will have a new right-click option for files, "Delete on next boot". Use it on those files and reboot.

    Yes, system restore should be disabled. The restore points will all be infected anyway.
     
  6. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Just removed the Sasser virus/worm/whatever it is. Here's my current process log:

    Process PID CPU Description Company Name
    System Idle Process 0 71
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4 2
    smss.exe 416 Windows NT Session Manager Microsoft Corporation
    csrss.exe 480 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
    services.exe 548 2 Services and Controller app Microsoft Corporation
    svchost.exe 724 6 Generic Host Process for Win32 Services Microsoft Corporation
    urlmap.exe 2132 Money URL Map Microsoft Corporation
    wmiprvse.exe 2264 WMI Microsoft Corporation
    svchost.exe 748 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 864 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 884 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1000 Spooler SubSystem App Microsoft Corporation
    alg.exe 1100 Application Layer Gateway Service Microsoft Corporation
    SAgent2.exe 1116 EPSON Printer Status Agent SEIKO EPSON CORPORATION
    wanmpsvc.exe 1292 Wan Miniport (ATW) Service America Online, Inc.
    svchost.exe 1352
    wmplayer.exe 1388 3
    lsass.exe 560 9 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 196 Windows Explorer Microsoft Corporation
    mscnfg32.exe 436
    procexp.exe 2408 8 Sysinternals Process Explorer Sysinternals

    Process: Procexp Pid: -2

    Type Name

    I've also enabled XP's firewall. Don't know how good it is, but anything is better than nothing in my dad's case.

    I'll just look at Lonny's suggested course of action, then probably try yours, noah :)
     
  7. 2004/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good news. Looking much better. Were you able to delete the f0r0r folder? Does task manager work for you yet? Can you run an online virus scan?

    FWIW, you can have those files down in 1 reboot with MOB, faster than you could even make a post over there. :rolleyes:
     
  8. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Yes, the f0r0r folder has been deleted. However, in my processes there's still wmplayer.exe running.

    Process PID CPU Description Company Name
    System Idle Process 0 23
    Interrupts n/a 2 Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    smss.exe 412 Windows NT Session Manager Microsoft Corporation
    csrss.exe 480 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
    services.exe 548 8 Services and Controller app Microsoft Corporation
    svchost.exe 724 Generic Host Process for Win32 Services Microsoft Corporation
    urlmap.exe 884 Money URL Map Microsoft Corporation
    svchost.exe 748 2 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 836 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 848 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1000 Spooler SubSystem App Microsoft Corporation
    alg.exe 1100 Application Layer Gateway Service Microsoft Corporation
    SAgent2.exe 1116 EPSON Printer Status Agent SEIKO EPSON CORPORATION
    wanmpsvc.exe 1332 Wan Miniport (ATW) Service America Online, Inc.
    svchost.exe 1356
    wmplayer.exe 1392 3
    lsass.exe 560 3 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 312 2 Windows Explorer Microsoft Corporation
    IEXPLORE.EXE 1876 55 Internet Explorer Microsoft Corporation
    procexp.exe 2244 5 Sysinternals Process Explorer Sysinternals

    Process: Procexp Pid: -2

    Type Name


    Just going to use HouseCall to do an online virus scan. Should hopefully work.
     
  9. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Yes, HouseCall is working now. It's already found the Nachi worm on this PC.

    I've done the HouseCall virus scan and it found the Nachi and Nachi.B worms. wmplayer.exe hasn't been removed, though. I've done a search for "wmplayer.exe virus" and it came up with the following website:
    http://www.sophos.com/virusinfo/analyses/w32agobotbm.html

    It seems like it's talking about the same worm. How should I get rid of it?
     
    Last edited: 2004/05/25
  10. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    wmplayer.exe - HijackThis log

    Logfile of HijackThis v1.97.7
    Scan saved at 09:48:29, on 25/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\wmplayer.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\STEVEN HOUSTON\My Documents\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.co.uk/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
    O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
    O9 - Extra button: BT Yahoo! Sidebar (HKLM)
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37956.5020023148
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8DE6CD91-C999-4618-AA2B-0A3C6C4A07A6}: NameServer = 194.72.9.55 194.74.65.85
     
  11. 2004/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Should have just put the log in the original thread. Different virus but still a continuation of the original problem. :) Less confusing to keep it all together.

    Assuming you can use msconfig, on the boot.ini tab, check the safeboot box and OK out. Do not restart yet! Open HJT and scan. Close all other windows and fix the two wmplayer.exe run entries. Reboot. In safe mode, these processes should not have started back up, thereby allowing you to delete the file. If no luck, use the Move-on-Boot program to remove them on reboot.
     
    Last edited: 2004/05/25
  12. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Only just came back on. Managed to fix the virus on my own, but thanks anyway. This is what I did, for other people wanting to know:

    Download Process Explorer and try killing wmplayer.exe. If it works, then go into Registry Editor and delete the following keys:

    HKLM\Software\Microsoft\Windows\Currentversion\Run\Windows Media Player=wmplayer.exe
    HKLM\Software\Microsoft\Windows\Currentversion\Run\Windows Media Player=wmplayer.exe

    Download the Move-On-Boot program.
    Go to C:\Windows\System32 (assuming C: = infected drive), then search for wmplayer.exe in it. Right-click and select the 'delete file(s) on the next boot' option.

    On mine, I wasn't able to 'kill the process' as it kept re-appearing, so I chose suspend instead. This enabled me to delete the registry keys without them being put back into the registry, and I also chose the same option on the wmplayer.exe file in the windows\system32 folder.

    Restarted the PC and the registry keys have gone. I've managed to get my antivirus program on my dad's PC, which runs, and my Windows updates are sorted. All download and install properly now.

    Thanks for your help, everyone. I had a total of 8 viruses/worms on this PC.
     
  13. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    It is a different problem, but stick with the same thread until the issues are resolved, please.
     
  14. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    Sorry, kind of messed this forum up the past couple of days :p

    I can safely say this issue is resolved.
     
  15. 2004/05/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    LOL - I think the forum will survive the experience.

    Really glad to hear that you will as well and that your baddies seem to be gone.
     
  16. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  17. 2004/05/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Lonny,

    I know there are a lot of folks over there that are much more informed/trained/experienced than myself, but that post is now 9 pages deep with no reply yet, and smhouston's machine is clean. :confused:
     
  18. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    "machine is clean."

    No it's not, that was my point; it is not clean. This thing installs device drivers, and who knows what else, and probably in time will just put everything back again if not done correctly and thoroughly.
     
  19. 2004/05/25
    smhouston

    smhouston Inactive Thread Starter

    Joined:
    2004/05/24
    Messages:
    77
    Likes Received:
    0
    And I assure you, if the problem re-occurs I'll be straight back on here to complain :rolleyes:

    And sorry, I didn't know you had posted it there. If you had told me, I would have waited.
     
  20. 2004/05/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I hope all continues to be fine.

    Check and see if Windows Media Player works.

    A Run item with wmplayer.exe in a folder where it's not supposed to be is usually a sign of CoolWebSearch.

    This thread has been so long, I don't remember if CoolWebShredder (CWShredder) has been suggested?
    If not, download and run it with all programs that show in the taskbar closed.
    http://radiosplace.com/
     
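The removal recipe in post 12 (find the Run/RunServices values that relaunch the file, delete them, then schedule the System32 copy for deletion at the next boot) and Lonny's rule of thumb above (a Run item pointing at wmplayer.exe outside its real folder is a red flag) can be turned into a small triage script that reads a HijackThis log and prints the plan. This is an added example for this thread, not code from any of the posters, from HijackThis or from Move-on-Boot. The log text is a constructed sample trimmed from the one posted in post 10; the allow-list of expected locations, and the assumption that Move-on-Boot style tools write the same PendingFileRenameOperations entries that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) does, are mine for the example.

```python
"""Triage a HijackThis-style log for autorun entries and processes that run a
well-known Microsoft file name from the wrong directory, and emit the
remediation plan (registry values to delete, files to delete on next boot).

Added example for this thread; the sample log and the allow-list below are
constructed for illustration and are not from the original posts.
"""
import ntpath
import re

# Where these Microsoft binaries legitimately live on Windows XP. A file with
# the same name anywhere else is masquerading. (Assumed allow-list; extend it.)
EXPECTED_LOCATIONS = {
    "wmplayer.exe": r"C:\Program Files\Windows Media Player",
    "explorer.exe": r"C:\WINDOWS",
    "svchost.exe": r"C:\WINDOWS\System32",
    "lsass.exe": r"C:\WINDOWS\System32",
    "msconfig.exe": r"C:\WINDOWS\PCHealth\HelpCtr\Binaries",
}

# A Run value holding a bare file name is resolved by CreateProcess through
# the system search path, so a bare 'wmplayer.exe' runs the copy dropped in
# System32 rather than the real player under Program Files.
BARE_NAME_RESOLVES_TO = r"C:\WINDOWS\System32"

# RunServices is only honoured by Windows 9x/ME; on NT/XP it is dead weight
# that worms still write so one registry payload persists on both families.
WIN9X_ONLY_KEYS = {"RunServices", "RunServicesOnce"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
IMAGE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)

# Constructed sample, modelled on the log in post 10 and trimmed.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wmplayer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Media Player] wmplayer.exe
O4 - HKLM\..\RunServices: [Windows Media Player] wmplayer.exe
"""


def image_path(command):
    """Return the executable part of a Run value, dropping any arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def check_image(path, bare_name_dir=BARE_NAME_RESOLVES_TO):
    """Resolve a path or bare file name and return (resolved_path, findings)."""
    findings = []
    directory, name = ntpath.split(path)
    if not directory:
        directory = bare_name_dir
        findings.append("bare file name; resolves through the search path to " + directory)
    expected = EXPECTED_LOCATIONS.get(name.lower())
    if expected and directory.lower() != expected.lower():
        findings.append("%s masquerades as a Microsoft binary; expected in %s" % (name, expected))
    return ntpath.join(directory, name), findings


def triage(log_text):
    """Return (suspicious registry values, sorted files to delete on reboot)."""
    suspicious_values = []  # (registry value path, resolved image, findings)
    suspicious_files = set()
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, value_name, command = m.groups()
            resolved, findings = check_image(image_path(command))
            if key in WIN9X_ONLY_KEYS:
                findings.append(key + " is ignored by NT/XP and is typically written by worms")
            if findings:
                value_path = "%s\\Software\\Microsoft\\Windows\\CurrentVersion\\%s\\%s" % (hive, key, value_name)
                suspicious_values.append((value_path, resolved, findings))
                suspicious_files.add(resolved)
        elif re.match(r"^[A-Za-z]:\\", line):  # a "Running processes:" entry
            resolved, findings = check_image(line)
            if findings:
                suspicious_files.add(resolved)
    return suspicious_values, sorted(suspicious_files)


def pending_delete_entries(files):
    """Build the REG_MULTI_SZ pairs for PendingFileRenameOperations (under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager): source in NT
    object-path form, empty destination meaning delete. Session Manager
    processes these at the next boot before the worm's Run entry can fire;
    MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) writes the same pairs."""
    entries = []
    for path in files:
        entries.append("\\??\\" + path)
        entries.append("")
    return entries


if __name__ == "__main__":
    values, files = triage(SAMPLE_LOG)
    for value_path, resolved, findings in values:
        print("delete value:", value_path, "->", resolved)
        for f in findings:
            print("   -", f)
    print("PendingFileRenameOperations:", pending_delete_entries(files))
```

Run it against the log text saved from HijackThis; the registry values it lists are the ones to remove while the process is suspended (so the worm cannot re-create them), and the file list is what to hand to the delete-on-boot tool. The allow-list only knows a handful of names, so a clean result is not proof of a clean machine, which is the point Lonny makes above.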
  21. 2004/05/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Steven,

    I did come across one technical conversation that suggested this thing infects a driver and can return via that route, but have not been able to confirm it as of yet. As you saw in the original thread on this board, I did some testing with various online scanners, and also submitted the f0r0r folder to about 7 different AV companies, including Net-integration (Spybot) and Lavasoft (Ad-aware). The only one I have heard from to date is Panda, which said they added the folder/files to their reference files. RAV seems to do the best job of detection, but I don't know how it will do with an infected PC and removal, since I only have the file, not the infection. I searched the SpywareInfo forum for dirote.exe and came up with one post, the one Lonny posted with your log. I think there may be some confusion as to what this virus is. It was identified by Bartkei, the first member to give us a good analysis, as the BDS/HacDef.073.B.4 virus, which is what his email server's AV identified it as while sending me the file. SpywareInfo does have a lot of info on the Backdoor.HackerDefender. But that is not what this virus is, although that IS one of the 5 viruses identified contained within the folder. A Google for dirote.exe will produce a Sophos result that identifies it as W32/random-AH, and gives a fair description of it, although the folder name is wrong, as it is on the Trend Micro result. Member rogerwroberts came in with even more information later and has loaded this virus on a test machine, which he is using to monitor its behavior. I have searched the web high and low for information on this virus, and always end up back here with the most. It is basically still an unknown. I have not since scanned the folder with any online scanners to see if any of them pick up on it better.


    My advice: back up the data now, while it 'appears' to be clean, and consider reformatting. I would not format myself. If it does return after putting the proper protection in place, we will have even more insight as to the nature of this thing, and you will have lost nothing but time, with backups in place and a format doable at any time. Regardless, that machine needs an AV and a firewall.
     