?
Solved

error message C: windows/system32/dirote.exe and /roadstid.exe

Posted on 2004-08-01
6
Medium Priority
?
2,661 Views
Last Modified: 2012-06-27
The error message C: windows/system32/dirote.exe and /roadstid.exe appeared recently.  Hit the only option of ok, message appeared a few more times, then continued using the pc without any complaints so far.

Are these messages anything to worry about
0
Comment
Question by:ColinIles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 32

Assisted Solution

by:LucF
LucF earned 75 total points
ID: 11689546
Hi ColinIles,

I've taken a look around as I didn't recognize these processes, but it appears you have been succesful in removing a very nasty piece of spyware, but now windows doesn't know yet that it's gone.
If you feel safe in the registry, I suggest you to do a search for those files and remove them. If you don't feel too safe, use hijackthis:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe and tick the checkbox in front of the entries mentioning those files, and then click "fix checked"
If you're not sure, please post the logfile hijackthis creates and I'll take a look at it.

Greetings,

LucF
0
 

Expert Comment

by:lynardskynard
ID: 11691027
Your issue is due to virus W32/Randon-AH. It is a multi-component network which attempts to spread by copying components of itself over the network via poorly protected network shares. It allows unauthorised remote access to the computer via IRC Channels.

Please visit:

http://www.sophos.com/virusinfo/analyses/w32randonah.html
0
 
LVL 4

Accepted Solution

by:
ashishdaga earned 75 total points
ID: 11691354

 
f0r0r

Overview
f0r0r is a powerful trojan horse that is both hard to detect and to remove. Roger Roberts reports in his preliminary analysis that the trojan is located in %SystemDir%\f0r0r\ where the following files are located: dirote.exe, dorod.ini, redroses.exe, van32.exe, demo.xt, dordo.sys, kltye.exe, processes.exe, niamx.exe, romto.exe, wexp.exe, dir32.exe, dorod.exe, kolder.exe, ppi.exe

A sign of infection is ppi.exe and dirote.exe running in the Task Manager's process list. Roger Roberts reports that "%SystemDir%\f0r0r\" is an invisible folder that stayed invisible even when configuring the system to show hidden and system files. The directory could be viewed when booting the computer with a Linux start-up CD.

The only suggested removal procedure I have come across is to boot the system using another operating system such as MS-DOS, Linux or BEOS, find "%SystemDir%\f0r0r\" and delete it.

Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Packetshack.org is also providing an analysis of f0r0r.

SpywareInfo reports the following about f0r0r: "It turns out our new parasite is protected by an open source NT rootkit called Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. It allows it to hide a directory with a particular name while allowing files to exist there, hide open ports from a port scanner while allowing connections to and from that port, hide processes in memory from process managers along with other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove."

Classification
Trojan Horse

Files
dirote.exe, dorod.ini, redroses.exe, van32.exe, demo.xt, dordo.sys, kltye.exe, processes.exe, niamx.exe, romto.exe, wexp.exe, dir32.exe, dorod.exe, kolder.exe, ppi.exe

Log references


Vendor
Unknown

Privacy policy
No privacy policy available.

Detection
Bazooka Adware and Spyware Scanner detects f0r0r. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms, etc. Read more »

Manual removal
Please follow the instructions below if you would like to remove f0r0r manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If f0r0r remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Boot your computer using another operating system, such as MS-DOS, Linux or BEOS.
Find %SystemDir%\f0r0r\ and delete it.
Note: %SystemDir% is a variable (?). By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Restart your Windows operating system
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'
In the right pane, delete the value called 'rn4d', if it exists.  
 
 
0
WordPress Tutorial 4: Recommended Plugins

Now that you have WordPress installed, understand the interface, and know how to install new parts, let’s take a look at our recommended plugins.

 
LVL 32

Expert Comment

by:LucF
ID: 11691405
ashishdaga, please provide a source next time:
http://www.kephyr.com/spywarescanner/library/f0r0r/index.phtml

See http:help.jsp#hi60 and http:help.jsp#hi125

Thanks,

LucF
0
 

Author Comment

by:ColinIles
ID: 11739046
thanks,
I could not find f0r0r, and have deleted dirote.exe.  So far nothing nasty appears to be happening.  Will let you know if that changes.
0
 
LVL 4

Expert Comment

by:ashishdaga
ID: 11740690
I'll surely provide the source next time, thanks for the feedback.

Good to know that it worked for you ColinIles.

Good Luck.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction How to create multiboot configuration with XP\Vista and Windows 7 on it? And most important question - how to do this correctly so not to have any kind of nightmares we get when system gets screwed? First of all one should realize t…
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question