orof.exe - Dangerous
Manual removal instructions:
Antivirus Report of orof.exe:
We suggest that you remove orof.exe from your computer as soon as possible.
Orof.exe is a Trojan/Backdoor. It arrives with the installer of the "Internet Antivirus Pro" rogue security product (see the sandbox report below) and is accompanied by copies of services.exe and winlogon.exe placed under the user profile rather than in %SystemRoot%\System32.
Kill the process orof.exe and remove orof.exe from Windows startup.
Malware dropper:
C:\sand-box\install.exe
Removed:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\orof.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\services.exe
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MICROSOFT\WINDOWS\WINLOGON.EXE
-------------------------------------------------------------------------------------
Classification:
Antivirus | Version | Last Update | Result
-------------------------------------------------------------------------------------
Installation
When the dropper is executed, the sandbox recorded the following registry and file-system changes:
----------------------------------
Keys deleted: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
----------------------------------
Values deleted: 0
----------------------------------
Values added: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\IAPRO: ""C:\sand-box\install.exe" 0;B;"
(a RunOnce value under HKCU re-launches the dropper at the user's next logon; the doubled quotes are part of the recorded value data)
----------------------------------
Values modified: 0
----------------------------------
Files added: 1
C:\Program Files\Common Files\InternetAntivirusPro.exe
----------------------------------
Files [attributes?] modified: 0
----------------------------------
Folders added: 0
----------------------------------
Folders deleted: 0
----------------------------------
Total changes: 3 (1 key deleted, 1 value added, 1 file added)
----------------------------------
-------------------------------------------------------------------------------------
Internet activity (as recorded by the sandbox; two URLs are truncated in the source report):
HTTP GET http://in5iv.com/download/InternetAntivi...
HTTP GET http://in5iv.com/download/file.exe
HTTP GET http://in5iv.com/download/file.exe
HTTP HEAD http://ia-pro.com/
HTTP HEAD http://in5sf.com/
HTTP HEAD http://www.ia-pro.com/
HTTP HEAD http://av-payment.com/
HTTP HEAD http://avpayments.com/
HTTP HEAD http://avpayments.com/
HTTP POST http://in5sf.com/reports/install-report....
HTTP HEAD http://avpayments.com/
HTTP HEAD http://xoomer.alice.it/
HTTP HEAD http://xoomer.virgilio.it/
HTTP HEAD http://www.xoom.it/
HTTP HEAD http://xoomer.alice.it/
HTTP HEAD http://windoptimizer.com/
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: orof
Author: Unknown
Related File: "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\orof.exe"
Type: Explorer Run
(note the folder name "Microsoft Feeds~": the trailing tilde separates it from the legitimate "Microsoft Feeds" folder in the same location)
Item Name: ITGrdEngine
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\services.exe
Type: Auto Services
Item Name: winlogon.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MICROSOFT\WINDOWS\WINLOGON.EXE
Type: Running Processes
Item Name: services.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\SERVICES.EXE
Type: Running Processes
(the genuine winlogon.exe and services.exe run only from %SystemRoot%\System32; the copies under Application Data and Local Settings are impostors, which is why these detections are listed even though the file names look legitimate)
Removal Results: Success
Number of reboots: 1
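The detections above share three tells: core Windows process names (services.exe, winlogon.exe) running from outside System32, executables and autorun images living in user-writable profile directories, and a RunOnce command line whose image path is wrapped in doubled quotes. The script below is an added example, not code from this page or from RegRun/UnHackMe, that turns those tells into checks. The sample records are constructed from the paths in the report, plus one assumed legitimate services.exe entry as a control; the list of protected process names and the expected program directories are assumptions you should adapt to the host.

```python
"""Host-side triage for the orof.exe / InternetAntivirusPro artifacts.

Added example (not the page's or RegRun's code). It runs offline on constructed
records modelled on the report above and prints which items deserve attention.
"""
import ntpath
import re

# Process names that a healthy system only runs from %SystemRoot%\System32 (assumed list).
PROTECTED_SYSTEM_NAMES = {
    "services.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
}

# Path fragments that mark user-writable profile/temp locations (XP and Vista+ layouts).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\users\\", "\\application data\\",
    "\\local settings\\", "\\appdata\\", "\\temp\\",
)

# Where legitimately installed autorun images are expected to live (assumed).
PROGRAM_DIRS = ("c:\\program files", "c:\\windows")

# Autorun categories as RegRun labels them, plus the raw registry key names.
AUTORUN_KINDS = {"Explorer Run", "Auto Services", "Run", "RunOnce"}


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised form used for all comparisons."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_masquerading(path: str, system_root: str = r"C:\WINDOWS") -> bool:
    """True when the file name is a core system process but the directory is not System32."""
    p = _norm(path)
    if ntpath.basename(p) not in PROTECTED_SYSTEM_NAMES:
        return False
    return ntpath.dirname(p) != _norm(ntpath.join(system_root, "system32"))


def in_user_writable_location(path: str) -> bool:
    """True when the executable sits somewhere an unprivileged user can write."""
    return any(marker in _norm(path) for marker in USER_WRITABLE_MARKERS)


def has_decoy_folder(path: str) -> bool:
    """A trailing '~' on the parent folder mimics a real folder (e.g. 'Microsoft Feeds~')."""
    return ntpath.basename(ntpath.dirname(_norm(path))).endswith("~")


def under_program_dirs(path: str) -> bool:
    return _norm(path).startswith(PROGRAM_DIRS)


def image_from_command(cmd: str) -> str:
    """Recover the executable from an autorun command line.

    Quoted form: the first quoted span, tolerating extra leading quotes as in the
    RunOnce value above. Unquoted form: tokens are accumulated until one ends in
    .exe, mirroring how an unquoted path with spaces is resolved.
    """
    s = cmd.strip()
    m = re.match(r'^"+([^"]+)"', s)
    if m:
        return m.group(1)
    acc = []
    for tok in s.split():
        acc.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(acc)


def triage(path: str, kind: str) -> list:
    """Return the reasons an item deserves attention (empty list means nothing found)."""
    reasons = []
    if is_masquerading(path):
        reasons.append("system process name outside System32")
    if in_user_writable_location(path):
        reasons.append("executable in user-writable profile directory")
    if has_decoy_folder(path):
        reasons.append("decoy folder name with trailing '~'")
    if kind in AUTORUN_KINDS and not under_program_dirs(path):
        reasons.append("autorun image outside Program Files / Windows")
    return reasons


# Constructed from the report; the last entry is an assumed legitimate control.
SAMPLE_ITEMS = [
    ("Explorer Run", r"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\orof.exe"),
    ("Auto Services", r"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\services.exe"),
    ("Running Processes", r"C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MICROSOFT\WINDOWS\WINLOGON.EXE"),
    ("RunOnce", image_from_command('""C:\\sand-box\\install.exe" 0;B;"')),
    ("Running Processes", r"C:\WINDOWS\system32\services.exe"),
]


def triage_report(items=SAMPLE_ITEMS) -> dict:
    """Map each path to its reasons; on a clean host every list is empty."""
    return {path: triage(path, kind) for kind, path in items}


if __name__ == "__main__":
    for path, reasons in triage_report().items():
        print(("FLAG " if reasons else "ok   ") + path)
        for r in reasons:
            print("      - " + r)
```

On a live host, feed `triage()` the image paths from the process list and from the Run/RunOnce keys and the Services key instead of SAMPLE_ITEMS; a path that is flagged for "system process name outside System32" is never a false positive worth ignoring, because Windows does not place those binaries anywhere else.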
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since then I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.