
f0rf0r f4k3 dirote.exe nevo's Log

Discussion in 'Security and Privacy' started by nevo, 2004/06/22.

Thread Status:
Not open for further replies.
  1. 2004/06/22
    nevo

    nevo Inactive Thread Starter

    Joined:
    2004/06/22
    Messages:
    4
    Likes Received:
    0
    I need help!!! dirote.exe ppi.exe

    I am a beginner; I do not know much about viruses.
    I have noticed I have dirote.exe, ppi.exe, van32.exe, kolder.exe and dorod.exe on my computer. I think all of them are the same virus.

    Could you give me a guideline to kill them, please?
    Moreover, I cannot unzip programs, as a virus is not allowing them to create files in the temp directory. How can I fix this problem?

    Please, help me!!!

    nevo
     
    nevo,
    #1
  2. 2004/06/22
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi nevo

    Welcome to the Windows BBS


    Since you have problems with zip files, download the exe version of a tool called HijackThis from here: http://radiosplace.com/
    But first,
    make a new folder, perhaps in C:\Documents and Settings\, called "AntiSpyware",
    or C:\Anti Spyware for instance, and download it to that folder.
    This is necessary to ensure you have backups should anything go wrong.

    Double click hijackthis.exe and click "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that and save the log someplace of your choice. Once saved notepad will automatically open with the log contents in text form. Please post its contents.
    To do this, while in Notepad go to File > Select All, then File > Copy. To paste,
    right click inside the posting area and select Paste from the context menu.
     


  4. 2004/06/23
    nevo

    nevo Inactive Thread Starter

    Joined:
    2004/06/22
    Messages:
    4
    Likes Received:
    0
    ok

    Thank you very much for your help! This is what was obtained:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:10:24, on 23/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\programas\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Archivos de programa\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Archivos de programa\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Archivos de programa\Apoint2K\Apoint.exe
    C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\ARCHIV~1\WANADOO\CnxMon.exe
    C:\Archivos de programa\Apoint2K\Apntex.exe
    C:\ARCHIV~1\WANADOO\TaskbarIcon.exe
    C:\Archivos de programa\Winamp\Winampa.exe
    C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\Archivos de programa\TrojanHunter 3.0\THGuard.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
    C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\f0r0r\dirote.exe
    C:\WINDOWS\System32\f4k3\dirote.exe
    C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Archivos de programa\SAGEM\SAGEM F@st800\dslmon.exe
    C:\Archivos de programa\eMule\emule.exe
    C:\Archivos de programa\Yahoo!\Messenger\ypager.exe
    C:\ARCHIV~1\YAHOO!\MESSEN~1\YSERVER.EXE
    C:\Archivos de programa\Wanadoo\EspaceWanadoo.exe
    C:\Archivos de programa\Wanadoo\ComComp.exe
    C:\Archivos de programa\Wanadoo\Watch.exe
    C:\Programas\AntiVirus\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\ARCHIV~1\WANADOO\SEARCH~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Archivos de programa\WS_FTP Pro\wsbho2k0.dll
    O3 - Toolbar: (no name) - {9f7f3724-c344-4b48-ac94-8486e97833e9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Archivos de programa\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WooCnxMon] C:\ARCHIV~1\WANADOO\CnxMon.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\ARCHIV~1\WANADOO\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\ARCHIV~1\WANADOO\TaskbarIcon.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe "
    O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 3.0\THGuard.exe "
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
    O4 - HKLM\..\Run: [w0ndz] C:\WINDOWS\System32\f4k3\kolder.exe C:\WINDOWS\System32\f4k3\dirote.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Wanadoo (HKCU)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087944563329
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28c61a3bd8b0b4e1ba23/netzip/RdxIE601_es.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.5438425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = A20008.tjdo.com
    O17 - HKLM\Software\..\Telephony: DomainName = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6F57C5-73BB-456E-B395-A623502CA545}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{798B8079-EE51-4F06-BDB0-A6584A67AE46}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FB3E1C3-9B4F-4339-9D09-969EFD67BB95}: NameServer = 80.10.246.130 80.10.246.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DADCD610-DC6F-4D01-9FA8-5AA2A527260F}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08459B6-55E2-47C6-AF30-7292C027BA5A}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08459B6-55E2-47C6-AF30-7292C027BA5A}: NameServer = 195.235.96.90,195.235.113.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = A20008.tjdo.com

    What do I do now??? Thanks in advance.
     
    nevo,
    #3
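    As an added example (not from the thread and not part of HijackThis itself), a small Python triage script that reads the O4 and O17 lines of a HijackThis log and flags the two patterns that stand out in the log above: a Run value that chains two executables, and autostarts launched from a sub-folder of System32; O17 Domain entries are listed for review only, since they normally come from the ISP's DHCP lease. The sample log is an excerpt constructed from the lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [THGuard] "C:\Archivos de programa\TrojanHunter 3.0\THGuard.exe "
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [w0ndz] C:\WINDOWS\System32\f4k3\kolder.exe C:\WINDOWS\System32\f4k3\dirote.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = A20008.tjdo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FB3E1C3-9B4F-4339-9D09-969EFD67BB95}: NameServer = 80.10.246.130 80.10.246.3
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "O17 - <registry key>: Domain|DomainName|NameServer = value"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<field>Domain|DomainName|NameServer) = (?P<value>.*)$")
# A drive-letter path ending in .exe; lazy so two chained paths give two matches.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# An .exe that sits one folder below System32 (System32\<dir>\<file>.exe).
SYS32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    name: str           # Run value name, or the O17 field
    severity: str       # "suspicious" or "review"
    reasons: list[str]
    line: str


def executables(cmd: str) -> list[str]:
    """Return every drive-letter .exe path named in a Run command line."""
    return EXE_RE.findall(cmd)


def check_autostart(cmd: str) -> list[str]:
    """Heuristics for one O4 Run value; an empty list means nothing stood out."""
    reasons = []
    exes = executables(cmd)
    if len(exes) > 1:
        # Legitimate Run values start one program; "a.exe b.exe" is a loader pattern.
        reasons.append(f"{len(exes)} executables chained in one Run value")
    odd_dirs = sorted({exe.rsplit("\\", 1)[0] for exe in exes if SYS32_SUBDIR_RE.search(exe)})
    if odd_dirs:
        # Windows itself does not autostart programs from ad-hoc System32 sub-folders.
        reasons.append("launched from System32 sub-folder(s): " + ", ".join(odd_dirs))
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect O4/O17 lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_autostart(m.group("cmd"))
            if reasons:
                findings.append(Finding(m.group("name"), "suspicious", reasons, line))
            continue
        m = O17_RE.match(line)
        if m and m.group("field") in ("Domain", "DomainName"):
            # Usually the ISP's DHCP-assigned suffix; list it so the owner can confirm it.
            findings.append(Finding(m.group("field"), "review",
                                    [f"TCP/IP domain suffix is {m.group('value')}; confirm it belongs to your ISP"],
                                    line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.name}: {f.line}")
        for r in f.reasons:
            print("    -", r)
```

    Run against the full log above, the only "suspicious" hits are the [rn4d] and [w0ndz] values, which is exactly the pair the later posts tell nevo to remove.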
  5. 2004/06/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    nevo - there are a few minor things (at least ones I can see) in the HijackThis log, but they can wait until the virus infection is dealt with.

    Take a look at the removal instructions Here. Probably good to print a copy of the page. If there are any of the directions that you aren't sure you understand, post back with which ones and we can help.

    Otherwise, do the listed things. Since you run XP, you will want to turn off your System Restore until you get things cleaned and then turn it back on.

    The link above is from Trend Micro but since you don't have their antivirus program, run RAV from the internet. Link to the site is in the QuickLinks from my signature.

    If you need it, a good how-to for turning off System Restore is Here.
     
    Newt,
    #4
  6. 2004/06/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Glad to see the AV's coming around on this one. Thanks for posting that Newt. :)

    nevo,

    If you continue having problems after following the Trend instructions, please do post back. There are other ways to attack that nasty. :rolleyes:
     
  7. 2004/06/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi nevo and all

    I'm sure the experts/anti-virus companies would appreciate copies of both of those folders.
    If you can, zip up both and put them aside for now:
    C:\WINDOWS\System32\f0r0r
    C:\WINDOWS\System32\f4k3

    You might have to use a tool like Agent Ransack to be able to see them.

    http://www.mythicsoft.com/agentransack/download.aspx
     
  8. 2004/07/01
    nevo

    nevo Inactive Thread Starter

    Joined:
    2004/06/22
    Messages:
    4
    Likes Received:
    0
    and now what should I do?

    Hi all,

    Thank you very much for your help. I think I have finished with this nasty worm, but I am not sure because my firewall (Kerio Professional) says it is still there.

    I think Kerio has not refreshed properly. The directories f0rf0r and f4k3 do not exist anymore, and dirote.exe and ppi.exe are not running in the Task Manager. Then?

    Larry Jones, you wrote me that I also had to fix other issues. After what I did to finish with the worm I made a new HijackThis log; could you give me your opinion or suggestions? Any other help is also very welcome!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 2:49:05, on 02/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\programas\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Archivos de programa\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Archivos de programa\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Archivos de programa\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Archivos de programa\Apoint2K\Apoint.exe
    C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
    C:\ARCHIV~1\WANADOO\CnxMon.exe
    C:\ARCHIV~1\WANADOO\TaskbarIcon.exe
    C:\Archivos de programa\Winamp\Winampa.exe
    C:\Archivos de programa\Apoint2K\Apntex.exe
    C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
    C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Archivos de programa\QuickTime\qttask.exe
    C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
    C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Archivos de programa\SAGEM\SAGEM F@st800\dslmon.exe
    C:\Archivos de programa\Wanadoo\EspaceWanadoo.exe
    C:\Archivos de programa\Wanadoo\ComComp.exe
    C:\Archivos de programa\Wanadoo\Watch.exe
    C:\Archivos de programa\Winamp\Winamp.exe
    C:\Programas\AntiVirus\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\ARCHIV~1\Wanadoo\SEARCH~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Archivos de programa\WS_FTP Pro\wsbho2k0.dll
    O3 - Toolbar: (no name) - {9f7f3724-c344-4b48-ac94-8486e97833e9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Archivos de programa\TOSHIBA\Wireless Hotkey\TosHKCW.exe "
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Apoint] C:\Archivos de programa\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Archivos de programa\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [WooCnxMon] C:\ARCHIV~1\WANADOO\CnxMon.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\ARCHIV~1\WANADOO\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\ARCHIV~1\WANADOO\TaskbarIcon.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Winamp\Winampa.exe "
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Archivos de programa\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe "
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Avisos del Calendario de Microsoft Works.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Consola de Sun Java (HKLM)
    O9 - Extra button: Wanadoo (HKCU)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1087944563329
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/28c61a3bd8b0b4e1ba23/netzip/RdxIE601_es.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.5438425926
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = A20008.tjdo.com
    O17 - HKLM\Software\..\Telephony: DomainName = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3D6F57C5-73BB-456E-B395-A623502CA545}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{798B8079-EE51-4F06-BDB0-A6584A67AE46}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FB3E1C3-9B4F-4339-9D09-969EFD67BB95}: NameServer = 80.10.246.130 80.10.246.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DADCD610-DC6F-4D01-9FA8-5AA2A527260F}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08459B6-55E2-47C6-AF30-7292C027BA5A}: Domain = A20008.tjdo.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08459B6-55E2-47C6-AF30-7292C027BA5A}: NameServer = 195.235.96.90,195.235.113.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = A20008.tjdo.com

    Waiting for your help,
    regards,

    nevo
     
    nevo,
    #7
  9. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi nevo

    So what all have you done to get rid of it?

    The log looks fine other than a few optional fixes.
    There are a few programs I'm unfamiliar with, plus it's a foreign version of Windows, which makes it difficult for us :)

    What is "WANADOO"?
     
  10. 2004/07/02
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    "Wanadoo" is an ISP in France.

    Johanna
     
  11. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    LOL, good morning Johanna
    I figured that much, I was curious what all its startups are for, to be specific
    CnxMon.exe and Watch.exe
     
  12. 2004/07/02
    nevo

    nevo Inactive Thread Starter

    Joined:
    2004/06/22
    Messages:
    4
    Likes Received:
    0
    My steps in the war against dirote and ppi

    Hi all,

    Johanna is right, Wanadoo is an ISP in France, indeed a very good one!
    I am Spanish but living in France at the moment :___(

    Well, I followed the steps stated at Trend Micro, but with some differences because somehow the virus has changed. When deleting the malware folder, the instructions say "d0e0t1", but instead there are two: "f0rf0r" and "f4k3".

    In safe mode I could delete f4k3 but not f0rf0r. I also deleted the entries at
    HKEY_LOCAL_MACHINE>SOFTWARE>MICROSOFT>WINDOWS>CURRENTVERSION

    However in,

    HKEY_LOCAL_MACHINE>SYSTEM>CURRENTCONTROLSET>SERVICES>ORDOR

    I couldn't find "ordor", but other entries with one of the malware files. I think it was dirote.exe, and the entries were: dorod (or a word very similar to it) and two others that started with the letter w (like wondz or similar).
    After that I restarted my computer and I could see the other malware directory, "f0rf0r". Then I deleted it.
    I restarted my computer and dirote.exe, ppi.exe, van32.exe and others were not in the Task Manager. The problem is that my firewall says they are still there. I click on refresh and it continues saying these directories exist, but I have deleted them and checked that they are not there! So maybe it is a problem with the firewall program (Kerio).

    I do not know what these are:
    CnxMon.exe and Watch.exe

    What should I do? What do you recommend?

    best regards,

    nevo :confused: :confused:
     
  13. 2004/07/02
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    You seem to have taken care of it, great.
    You might look here also:
    http://subratam.org/?page=newsletter1
    Search the registry for HACKERDEFENDER and post back if anything is found, or delete it after making a backup.

    See if you have a "dordo.ini" file and if so delete it.

    And see if a file called dordo.sys exists (I'm unsure of what to do with it).

    I'm sure one of our Kerio users will reply.
     
  14. 2004/07/02
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    You did delete all your System Restore Points, right?

    If not, do it (there is a link in Newt's post with instructions) and then reboot, and run the scans again.

    Johanna
     