How to delete System32\f0r0r trojan folder?
Page 1 of 2 (posts 1 to 15 of 22)

#1 carbine9 (joined May 2004, 7 posts)

    Hi, I'm a newbie here...looking for any help or input on this.

There is apparently a fairly new fearsome trojan that sits in the system32 folder, within a folder invisible to Windows XP (my OS). The folder is called "f0r0r" and contains these hidden files:

    calcu.exe
    dirote.exe
    dorod.ini
    logs //DIR//
    redroses
    van32.exe
    demo.xt
    dordo.sys
    kltye.exe //Sys Internals PS Tool to start remote processes//
    niamx //RPC SCanner//
    romto
    wexp.exe
    dir32.exe
    dorod.exe
    kolder.exe
    ppi.exe
    sounds //DIR//


I managed to shut down dirote.exe in Task Manager, which allowed me to delete all references to files within this folder from the registry... so it does not seem to be restarting any of these trojans each time I reboot as it was before and, for the time being, it doesn't seem to be reinstalling them in the registry. Apparently, from what I've gleaned from other forums/posts/sites, Windows cannot see this folder, and when I try to delete it from the Windows XP boot disk, using the command prompt, it says "Access denied"... citing the dordo.sys file within the folder specifically.

I'm behind a firewall, have all the Service Pack updates, and I've run many different spyware detectors on this, along with my Norton Anti-Virus. Norton occasionally would pick up a rash of virus activity with one or another of the trojan programs in that folder, but never could do anything about the folder itself, and it said "Access Denied" when trying to delete any of the files.

Is there any way to delete this folder using a DOS boot-up and command prompt, from outside Windows completely? Any help would be greatly appreciated.

#2 shamus (Cornish, Maine, USA; joined Apr 2001, 3,140 posts)
    Welcome to WD carbine9...

    If you start your machine in safe mode you should be able to delete the files\folder.

#3 carbine9 (joined May 2004, 7 posts)
    Quote Originally Posted by shamus
    Welcome to WD carbine9...

    If you start your machine in safe mode you should be able to delete the files\folder.
Nope. That's already been tried by me and others before me. Like I said, Windows doesn't "see" this folder... not even in Safe Mode, not even with the hidden and system folders displayed. And if you try to delete it from the Windows XP command prompt, it says "access denied". This cookie is tougher than that.

I just wish I could boot into a DOS mode with a command prompt that would recognize an NTFS file system; a way to truly operate OUTSIDE of Windows XP... sigh...

#4 DocPC (Coeur d'Alene, ID; joined Sep 2000, 2,900 posts)
    Follow this link to chat for a quicker answer!

    NooNoo, grover, Matridom, cc_penguin, Octavian, crazyman, Major Kong, and Mayet onboard.....And now starring Ya_know!

#5 carbine9 (joined May 2004, 7 posts), replying to DocPC

    Thanks for this link. The NTFSDOS.EXE works perfectly and I am glad to now have such an option. However, the deletion still will not work.

    When I attempt to delete the f0r0r folder or even the dordo.sys file specifically---it gives me an "Extended Error 5" after a moment and can't delete the file or folder.

    Anyone know what this means?

#6 shamus (Cornish, Maine, USA; joined Apr 2001, 3,140 posts)
Access Denied, I believe... Did you change the file attributes in DOS before you tried to delete the file? ATTRIB -R -S -H <file name> ?

#7 carbine9 (joined May 2004, 7 posts)
Quote Originally Posted by shamus
Access Denied, I believe... Did you change the file attributes in DOS before you tried to delete the file? ATTRIB -R -S -H <file name> ?
Well, I just tried changing the attributes at your suggestion (I had not done so before), but it keeps giving me a "Bad Command" message. I'm a bit confused as to how it should look exactly on the command line with the bracketed file name as you put it.

    Can you show me exactly how it should appear on the A: prompt command line if I want to change the attributes of this devious little file:

    c:\windows\system32\dordo.sys


    thanks

#8 carbine9 (joined May 2004, 7 posts)
    Okay, this is a followup to let you know that I did finally kill this thing----I think. A runtime error has even been fixed which I've been having with my graphics programs since this thing started. And so much of it was thanks to the great help I got here on my first day in this forum.

    The symptoms first showed themselves by hundreds of "viruses" being found in quick succession by Norton---at first they were in the form of a "sxe.tmp"---then a few days later, after I had deleted all references to that "sxe.tmp" bug from the registry and it sat quiet for a while with some runtime errors, I began to get the same kind of onslaught with a bug called "redroses". Both were in a Windows/System32 folder called "f0r0r" (note that those are zeros, not the letter "o"). In each case Norton repeatedly found them, piling up quickly, but could not repair or access them or delete them. Access was denied. (See my earlier post for a list of all the programs and files within this trojan folder....there were many more than those two.)

I ran Norton, SpyBot, VCleaner, CWShredder, HijackThis, Registry Mechanic, PDBugDoctor, and I think a couple of others I can't recall now, along with some online scans... and the problem remained. My snooping around on the net indicated some discussion of this trojan since it reared its head around the first of May, but that a lot of virus and spyware prevention programs are not detecting this thing yet and that it's been very difficult to get rid of, since Windows doesn't "see" the folder, even with all hidden and system folders displayed, nor will it allow itself to be deleted from the command prompt within Windows. And if you delete references to it from the registry, they simply reinstall themselves in the registry upon reboot.

    Here's what I did:

    First of all, before I came to this forum, I had finally gotten rid of all registry references and stopped the active attack by first going into Task Manager (Control-Alt-Delete) and shutting down the program "dirote.exe". This allowed me to go through the registry and delete every key reference for the folder "f0r0r" and any program or file within that folder. If you don't disable "dirote.exe" the registry entries will just reappear immediately after you delete them. That ended all the virus activity that Norton was detecting, apparently disabling the operation from restarting.

But the folder remained, intact, with all its nasty vermin inside... nestled in my System32 folder. I don't know about you, but I'm not comfortable with that. I needed some way to delete the "f0r0r" folder and/or its contents from outside Windows, since this trojan was designed to be unseen by Windows and deny any actions to snuff it at the source from within Windows.

So, shortly after coming here today, thanks to DocPC, I was directed to a link (http://www.downseek.com/download/21157.asp) where I could download a program (NTFSDOS.EXE) which I transferred to a floppy. I then used a DOS 6.22 floppy to boot into DOS, then put in the NTFSDOS floppy and ran that program, which allowed me to operate within DOS but still be able to access an NTFS file system. This NTFSDOS.EXE told me as it initiated that it had assigned the drive letter D to the operating system's hard drive, so I directed all commands to the D drive (it didn't even recognize C).

Naturally, the first thing I did from the A prompt was check the System32 directory, and it showed the "f0r0r" folder, unlike Windows, along with all the files within the folder when I went a step further. Finally, I entered: del d:\windows\system32\f0r0r
It asked me if I was sure I wanted to do this. I said hell yes and hit enter. It gestated for a moment, did a thing or two, then gave an "Extended Error 5" message, meaning apparently that it was denied access on at least one of the files within the folder. I checked and it had actually been able to delete all files within the folder except for the "dirote.exe" program and two subfolders named "logs" and "sounds". Interestingly, the two subfolders are apparently empty but refused deletion.

Finally, after several repeat attempts, and after trying to change the file attributes from out in DOS, at the suggestion of Shamus, with no luck (though his suggestion pays off in the end)... I gave up and booted back into Windows.

On a whim, I now opened the Windows command prompt and, even though Windows still did not show the folder or list it when I ran its directory, I treated it as if it was there anyway and worked my way through the c: cd progression, into the c:\windows\system32 folder, then went the next step to c:\windows\system32\f0r0r, and damned if it didn't put me inside the folder. I could even run its directory and pull up the remaining files/folders. So THEN, from within the trojan's folder, it finally let me modify it, which it would never do before, much less from within Windows. As Shamus suggested, I changed the attributes of the stubborn remaining trojan program file (ATTRIB -R -S -H dordo.sys)... then, holding my breath, I ran the delete command on it from within the folder (del dordo.sys) and it disappeared!

    I must confess that I tried the same with the two "logs" and "sounds" folders, but they still would not delete, which kept the "f0r0r" folder from allowing deletion, but I checked the innards of both folders and they showed empty. I even went back out into DOS and double-checked the contents of the "f0r0r" folder and it was indeed empty (dordo.sys begone!) as were the two subfolders.

    I rebooted into Windows once again and found that my graphics programs would start again after a week of headaches trying to sniff out their problems. I wish I could have completely deleted the "f0r0r" folder, empty or not, but it appears to be effectively gutted at this point...along with its effects. Time will tell.

#9 shamus (Cornish, Maine, USA; joined Apr 2001, 3,140 posts)
Sorry for the late response.
No brackets... and don't type "hit enter". From the A: prompt, type each line and hit Enter (the part before ">" is the prompt, not something you type):

    A:\> C:
    C:\> CD WINDOWS
    C:\WINDOWS> ATTRIB -R -S -H C:\WINDOWS\SYSTEM32\DORDO.SYS
    C:\WINDOWS> DEL C:\WINDOWS\SYSTEM32\DORDO.SYS

Last edited by shamus; May 20th, 2004 at 07:42 PM.
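The cleanup that posts #8 and #9 arrive at by hand (stop the process that re-creates the autorun entries, strip the registry references, clear the read-only/system/hidden attributes, then delete) automated as an added example. This is not code from the thread or from any of the tools it mentions; it assumes an elevated PowerShell session on a Windows that ships PowerShell (XP in 2004 did not), and the only facts taken from the thread are the folder name "f0r0r" and the process name "dirote". The function names, the list of Run keys checked and the `\\?\` fallback are mine.

```powershell
# Added example, not from the thread. Run elevated.
$Marker  = 'f0r0r'                                   # folder name from the thread (zeros, not letter o)
$Target  = Join-Path $env:SystemRoot "system32\$Marker"
$RunKeys = @(                                        # autorun locations I chose to check (assumption)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Strip = [int]([IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# Step 1 (post #8): kill the process that rewrites the registry entries; otherwise
# every value you delete comes straight back.
function Stop-Persister {
    param([string[]]$Names = @('dirote'))            # process name from the thread
    foreach ($n in $Names) {
        Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
            "stopping $($_.ProcessName) (PID $($_.Id)) $($_.Path)"
            Stop-Process -Id $_.Id -Force
        }
    }
}

# Step 2 (post #8): remove every autorun value whose data points into the folder.
function Remove-AutorunReferences {
    param([string]$Pattern = $Marker)
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip the provider's own PSPath/PSParentPath/... fields
            if ("$($p.Value)" -match [regex]::Escape($Pattern)) {
                "removing $key\$($p.Name) = $($p.Value)"
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
}

# Step 3 (posts #6, #8, #9): the ATTRIB -R -S -H / DEL sequence, recursively.
# -Force makes Get-ChildItem list hidden and system entries Explorer hides.
function Remove-HiddenFolder {
    param([string]$Path = $Target)
    if (-not (Test-Path -LiteralPath $Path)) { return "not found: $Path" }
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $Strip))
    }
    $dir = Get-Item -LiteralPath $Path -Force
    $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $Strip))
    Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $Path) {
        # Fallback (my addition, not something the thread tried): the \\?\ prefix makes
        # the Win32 layer skip path normalisation, so entries whose names cmd and
        # Explorer refuse to open normally become reachable for rd.
        & cmd.exe /c rd /s /q "\\?\$Path"
    }
    if (Test-Path -LiteralPath $Path) { "still present: $Path (retry from offline boot media)" }
    else { "deleted: $Path" }
}

Stop-Persister
Remove-AutorunReferences
Remove-HiddenFolder
```

Order matters: if the folder is deleted while the persisting process is still running, it can recreate both the files and the Run values before the script finishes, which is the behaviour carbine9 describes before stopping dirote.exe.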

#10 shamus (Cornish, Maine, USA; joined Apr 2001, 3,140 posts)
    LOL... just saw your response. Glad you figured it out

#11 carbine9 (joined May 2004, 7 posts)
    Quote Originally Posted by shamus
    LOL... just saw your response. Glad you figured it out

Yeah, hallelujah for DOS... something that will function outside the Windows environment. I knew if I could just get DOS to read something other than FAT32, then progress could be made.

    And thanks to you and PCDoc for the help!

#12 DocPC (Coeur d'Alene, ID; joined Sep 2000, 2,900 posts)
    Glad I could help.

#13 shamus (Cornish, Maine, USA; joined Apr 2001, 3,140 posts)
    Quote Originally Posted by carbine9
    And thanks to you and PCDoc for the help!
You're welcome... and just for the record, that'd be DocPC... he's my oldballz lost twin

#14 carbine9 (joined May 2004, 7 posts)
    A final note:

    I ran Agent Ransack on my system and it turned up the f0r0r folder along with the two subfolders...and I was able to delete them from within Agent Ransack (!). Very curious. But I'm glad to be rid of the husk.

#15 Registered User (unnamed; joined May 2004, 1 post)
Relieved to find others have managed to remove the f0r0r trojan (found this thread on Google). My wife bought a new computer on 7 May with Windows XP Home Edition and Norton Antivirus and Firewall installed from the outset. About a week ago she was prompted to download Norton updates, and this resulted in a big warning notice that a Trojan had been detected in file C:\windows\system32\f0r0r\redroses but that it could not be deleted. The notice said to run a complete antivirus scan, which I did, but this failed to detect any problem at all. Could not remove the worrying warning notice either!

    Norton's report showed many failed attempts to remove the files: 'access denied'. I thought Symantec would help me but their website just gave me the runaround and seems designed specifically to prevent any contact with them whatsoever. The folder and its files including redroses could be seen in MSDOS but they could not be deleted or renamed. The folder could not be seen at all in windows. The retailer advised me to try spybot which I downloaded and ran, but it did not find the folder either.

At some stage, Norton apparently deleted the file ppi.exe from the f0r0r folder and the warning notice disappeared. However, MS-DOS shows the folder is still there with now just two files, dirote.exe and dordo.sys, and three apparently empty directories: download, logs, sounds.

I downloaded Agent Ransack as suggested in the last response, but it failed to find any of these remaining files or folders.

I am not an expert, and not sure I understand some of the procedures in the thread. Should I worry about these last files? And what does this trojan DO? The computer seems to work OK, but my wife is worried about security.
