User | Post |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
hey can someone help me? i wasnt being careful i ran a s7 server (that was in disguise) and now... im scared. i fortunately was familiar w/ it so i have already checked run>msconfig>startup and removed all the suspicious files... i deleted a suspicious directory that had been created in my C:\ and all the files in it... i checked autoexec.bat and found nothing out of the ordinary there, but it still is searching for the server file at startup ("openme.exe"). i dont have the file saved; i ran it directly from a .zip file, but i still wanna get rid of the message and i wanna make sure i dont have another serverfile..... plz help
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
MingShun
Since: 05-10-02 Rating: 10 (400 pts)
Since last post: 7617 days Last activity: 7617 days
|
|
I'm assuming you're running something other than Winnt, because you mentioned autoexec.bat. If you're running a Windows NT related environment, this might help.
I don't think I encountered the virus you're talking about, but maybe this will help.
Tips: I'm only experienced with Windows, if you're running some other operating system...I think there's a 10% chance that any of this info will help. Heck, it's 40% right now
- Check to see if the weird directory is back. Something has gotta be recreating it then.
- Run task manager and see if any weird programs are still running.
- I think this generally applies to all windows versions. Maybe it's just the NT kernel. But I don't think your "Windows Folder" should have a wininit.ini file. If it does, browse the contents, make sure you're not getting rid of something important.
- Be careful here, In the start menu, Use regedit.exe ...Go: My Computer -> HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run ... any weird keys?
*read the following for a little story cause I just felt like being annoying.
As I debugged my mom's computer, I had a virus that kept recreating itself. Looking at the norton website, I realized it created a windows initialization file called wininit.ini. I checked that file, and discovered a rename command. Looks like the computer was running a virused explorer, that's the file that wininit.ini renamed. I didn't realize that I had a bad explorer file yet. After restarting the computer, I noticed that the suspicious program was still running. After some tampering, I later discovered that the virused explorer.exe was still running. I deleted the virus program, and explorer.exe. I renamed explorer.ex (the good file) to explorer.exe.
-------------------- Wish I had a sig pic.... |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
ok ming:
-s7 = sub7, but it turns out, after researching it more, it was not a s7 server but some other virus
-running win98
-found a suspicious program running in taskman called "fastdown"
-virus scanner found 2 infected executables in my windoze directory as soon as i opened it, one called blarghhhhhh.exe and another i cant remember
-no wininit file in c:\windows (probably cuz im not running nt)
-the strange directory in c:\ is still gone.
-still getting message in startup about not finding openme.exe
-no suspicious keys found in the windows directory in my system registry
and ill tell you a story just to be annoying:
for the last year my browser crashes about every 3 minutes or less. it says performed an illegal operation. this is very annoying im not sure any of you can even imagine... i know that it has something to do with my wsock32.dll file. i guess it would be so i scanned it and every time i scan it i find a virus. i replace it w/ ones i download, ones copied from friends computer, and ones extracted from windows cab files and it still gets a virus. anyone know of anything i can do to fix my browser if not my wsock32 file?
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
HyperSauce
Since: 04-28-02 From: Toronto Rating: 10 (400 pts)
Since last post: 7943 days Last activity: 7576 days
|
|
Run 'msconfig'
Then look at the Startup tab and get rid of what you dont want starting.
Careful of what you do with msconfig...
If all else fails, format and install Linux. |
MingShun
Since: 05-10-02 Rating: 10 (400 pts)
Since last post: 7617 days Last activity: 7617 days
|
|
===
http://www.commodon.com/threat/threat-sub7.htm
in case it's really sub7 that's still annoying you.
===
I did a search on the net for your annoyance...
http://www.annoyances.org/exec/forum/winme/r1023842217
^
It might work...seems to affect Win XP and Win ME. But be careful when changing registry entries, in this case something kooky may still be lurking in the background, even if the annoyance is removed. Oh, and be sure not to destroy explorer.exe! Just whatever's after it.
===
As for fastdown:
http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM
^
looks like it's unimportant...
===
hope that helps ! Isn't google great? Hey, I haven't browsed this site completely, but it looks great!
http://www.cexx.org/adware.htm ...screwy url though.
-------------------- Wish I had a sig pic.... |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
wow ming! thanks. i havent checked them out, because i just had to thank you for actually caring before i could start. thx again man.
*off to destroy his virus*
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
MingShun
Since: 05-10-02 Rating: 10 (400 pts)
Since last post: 7617 days Last activity: 7617 days
|
|
Remember, I don't believe I got your virus before, so treat the info carefully.
-------------------- Wish I had a sig pic.... |
Chibi-Bar
Moderator
Since: 04-16-02 Rating: 10 (400 pts)
Since last post: 7661 days Last activity: 7618 days
|
|
another place to check also is the services area to see if any other "weird stuff" is running.
-------------------- Chibi-Bar
Your Local Merchant on Chaos/Loki |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
well, i have fixed everything except the message when i start up my computer that says "cannot find the file openme.exe". o well i figure something out eventually. if not, ill still be able to manage. thx for all your help ming, hyper, and chibi
--- end thread.. i think. is there any more to discuss?
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
HyperSauce
Since: 04-28-02 From: Toronto Rating: 10 (400 pts)
Since last post: 7943 days Last activity: 7576 days
|
|
Originally posted by lagwagon:
well, i have fixed everything except the message when i start up my computer that says "cannot find the file openme.exe".
Ya sure it isn't in the Startup portion of msconfig?
Try doing a text search of openme.exe of all your files if all else fails. |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
yes im positive it is not in startup, but perhaps the virus wrote to one of the existing, essential startup programs, forcing those programs to request the file. do you think this is a possibility? anyway, ill try doing the text search. thx hyper, that is a good idea that hadn't even crossed my mind.
[edit] i think i found the problem. its a strange line in system.ini under [boot]. the line reads as follows:
shell=explorer.exe openme.exe
i didnt want to edit my system.ini, for it is a very important file. i just wanted to know if i should remove the entire line, or just the openme.exe part... (btw this was the only result when i did a text search for openme.exe)
--------------------
       -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here ::
(edited by lagwagon on 09-10-02 12:09 AM) |
HyperSauce
Since: 04-28-02 From: Toronto Rating: 10 (400 pts)
Since last post: 7943 days Last activity: 7576 days
|
|
You can safely delete 'openme.exe', but don't get rid of the entire line. |
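
Added example (not part of the original thread): a Python sketch of the check and fix the thread converges on, auditing the `shell=` line under `[boot]` in a Windows 9x `system.ini` and resetting it to `explorer.exe` while leaving every other line alone. The sample file is constructed (only its `shell=` line comes from the thread), and the function name `audit_and_repair` is hypothetical.

```python
EXPECTED_SHELL = "explorer.exe"  # stock Windows 9x shell

# Constructed sample system.ini; only the shell= line is taken from the thread.
SAMPLE = """[boot]
system.drv=system.drv
shell=explorer.exe openme.exe
user.exe=user.exe

[386Enh]
device=*vshare
device=*dynapage
"""


def audit_and_repair(ini_text):
    """Return (extras, repaired_text).

    extras: tokens on the [boot] shell= line other than bare explorer.exe.
    repaired_text: the same file with only that line reset; all other
    lines (including duplicate keys such as device=) are kept verbatim.
    """
    section, extras, out = None, [], []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        key, sep, value = line.partition("=")
        is_shell = (section == "boot" and sep and not line.startswith(";")
                    and key.strip().lower() == "shell")
        if is_shell:
            found = [t for t in value.split() if t.lower() != EXPECTED_SHELL]
            if found:
                extras.extend(found)
                raw = "shell=" + EXPECTED_SHELL  # drop the extras, keep the line
        out.append(raw)
    return extras, "\n".join(out) + "\n"


if __name__ == "__main__":
    extras, fixed = audit_and_repair(SAMPLE)
    print("extra shell entries:", extras)
    print(fixed)
```

Work on a copy of `system.ini` and keep the original as a backup; a missing or empty `shell=` line leaves Windows 9x without a desktop shell, which is why the line itself stays.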
MingShun
Since: 05-10-02 Rating: 10 (400 pts)
Since last post: 7617 days Last activity: 7617 days
|
|
I agree!
-------------------- Wish I had a sig pic.... |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
YAY!! it worked. thx all
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
Mahou Seitou
Since: 08-02-02 From: Singapore
Since last post: 7828 days Last activity: 7828 days
|
|
wow... techno babble...
I salute!
(wish I got the lingo ) |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
lol its not too techie...
... or have i just been too techie to notice? lol i wish
[edit] oh yah umm i dont think we need anymore posts on this thread... my problems have been resolved. thanks again for your help: mingshun, hypersauce, and chibi-bar
--------------------
       -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here ::
(edited by lagwagon on 09-11-02 07:13 PM) |
Kasatka
Since: 09-25-02 From: Palana, Koryak, Russia
Since last post: 7825 days Last activity: 8082 days
|
|
I have/had that problem too and I thought of correcting it through msconfig, but I've always been intimidated by Windows' little tools and programs like that. They have this bizarre way of backfiring on me, despite the fact I rarely change things for that reason.
Thanks, I needed a little confirmation on that.
-----
Was that a poor choice of words?
-----
It worked, BTW.
My thanks as well.
(edited by Kasatka on 09-28-02 04:02 AM) |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
i had a weird version of s7. usually, when you get s7'd, every time your computer starts, you will get an error dialogue saying something about an error running windows. the s7 server is being run on your computer under the filename "windows.exe", but it is in your c:\ drive. if you delete that executable (not the real one!) then you should be ok and ppl can hack your computer via that server.
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |
Kasatka
Since: 09-25-02 From: Palana, Koryak, Russia
Since last post: 7825 days Last activity: 8082 days
|
|
How utterly annoying.
I remember a while ago I got a "virus" that was actually a Visual Basic script that rebuilt all my .mp3 and .jpg files into more .vbs scripts. Heh. It really is my fault - I wasnt paying attention to the file and opened it like the doofy dork I was. I'm just glad nobody was around to laugh at me about it. (So why am I telling everyone...)
15,000 files later...
well let's just say Dr. Norton EARNED his fifty dollars.
-----
Hacker-Spammer-VirusBomber.
I hate all of you. Really I do.
(edited by Kasatka on 09-28-02 07:54 PM) |
lagwagon
Since: 08-12-02 From: Orange County, CA
Since last post: 7774 days Last activity: 7774 days
|
|
lol no way i had the same thing happen to me not too long ago. i got it from kazaa too, so it knew where all the mp3s were =P
-------------------- -=[chaos]=-
Kneo :: lvl 36/31 thief
Lagwagon :: lvl 21/20 archer
:: lagwagon was here :: |