
new virus? openme.exe html package 2

Status
Not open for further replies.

leesh

IS-IT--Management
Apr 4, 2002
2
US
I have a virus on an XP pro system but can't find any information about it. My (current) Norton AntiVirus and a trial of Sophia both do not detect it.

The virus initially (about a month ago) would open up a porn web site (apparently in Germany or a Nordic country) about every half hour on the computer. After several attempts to block the sites it accessed (it would keep going around to different sites), I finally found and blocked what seems to be the master site. However, when I temporarily disabled the firewall a few days ago, it immediately went back to the site, installed a "sex shows" icon on my desktop and task-bar, and instructed my modem to dial a 1-900 number.

After further digging, I discovered an "openme.exe" service running on the computer that was a simple html package that seems to be automatically loaded with the Explorer.exe service before other startup programs and services are loaded. I deleted the openme.exe, but it now comes up with a message every time I start the computer, indicating that Explorer.exe is still trying to load the file (but not finding it). Explorer.exe itself does not appear to be corrupted, but I can't find anywhere else that the startup options set openme.exe for Explorer to load (I have tried to search all files for the text "openme").

Does anyone know anything about this virus or have any ideas of how to stop it from attempting to load this file?
 
Did a search and found someone in Germany that had this problem. Started translating it, but came across an English reply that said:

I had the same problem and did a search for all files containing text (openme.exe) and then I found a file called "system" within the windows folder (not the folder called "system"). I opened the file with wordpad and deleted on the second line the word openme.exe (don't delete the whole line!). Then SAVE. This seems to have rectified the problem.

Terry
**************************
* General Disclaimer - Please read *
**************************
Please make sure your post is in the CORRECT forum, has a descriptive title, gives as much detail to the problem as possible, and has examples of expected results. This will enable me and others to help you faster...
 
Thanks Terry! Actually, that solution didn't work for me, but it did give me some ideas to resolve the problem. It wasn't in the system.ini file, but I did find it as a shell command in the registry that was loading a shell copy of explorer.exe with the openme.exe html package. This looks like it was a version of the homepage virus, but a little more sophisticated.
 
Hi over there,
If you let Windows show you the file extension and hidden and system files, the file is not "system" as mentioned above but "system.ini", and in this file you have to delete the "openme.exe" in the shell line, as mentioned above.
 
I was infected by openme.exe too. Probably from Kazaa. I'm running Windows ME.

Initially I deleted the reference to the file in system.ini as described above. Unfortunately something was still loaded when I booted the computer. Some unpackaging began, placing up to 3,000 files in c:\windows\temp\sys32 and logged me to the internet too.

Eventually I used MSconfig, and removed loading of explorer.scr. So far that has removed the problem.

Does anybody have any experience to share?
 
Holdum, you have a new trojan called Benjamin which is unrelated to openme.exe and this trojan came from Kazaa. You could use the Cleaner to remove it but it's not really necessary. You can remove it manually.

Click start--run--type regedit--ok. Double-click on each of these:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Open the Run key and you should see this in the right pane:

"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

Delete that entry.

Then go here:

HKEY_LOCAL_MACHINE\Software\Microsoft

After double-clicking the Microsoft key you should see a "syscod"="0065D7DB20008306B6A1" Subkey under the Microsoft key. If it's there delete it.

Then close regedit and restart the computer. After restarting find and delete a file called Explorer.scr which is the trojan. It should be in the System folder. If it won't delete due to an access denied error then delete it from safe mode. Then delete the whole Sys32 folder in your C:\Windows\Temp folder.
 
A correction: since you already unchecked explorer.scr in msconfig you probably don't need to restart after making the registry edit.
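The thread walks through three places where these infections hooked the boot process: the `shell=` line in system.ini (Win9x/ME), the Winlogon shell command in the registry that leesh found, and the HKLM Run key where the Explorer.scr entry sat. The following script is an added example for checking those spots offline; it is not code from any poster here. It parses a copy of system.ini and a regedit text export rather than touching a live registry, and the sample file contents, value names and paths below are constructed for illustration. It generalizes slightly beyond the posts: it also looks at RunOnce/RunServices and flags any autorun launching from a temp folder or with a screensaver-style extension.

```python
"""Offline triage of the Windows persistence points discussed in the thread:
the system.ini [boot] shell= line, the Winlogon Shell value and the Run keys.
All inputs below are constructed samples, so the script runs on any platform."""
import configparser
import re

# Constructed system.ini (hypothetical content) whose shell line has been
# extended to start an extra program after explorer.exe.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe openme.exe
drivers=mmsystem.dll
[386Enh]
device=*vpd
"""

# Constructed regedit-style export (hypothetical values) of the keys the
# thread covers: the Winlogon Shell value and the HKLM Run key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\\WINDOWS\\SYSTEM\\NvCpl.dll,NvStartup"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"Updater"="C:\\WINDOWS\\TEMP\\sys32\\svc.exe"
"""

EXPECTED_SHELL = "explorer.exe"
# Heuristics (assumptions, not a rule from the thread): legitimate autoruns
# rarely live under a temp folder or use a screensaver/batch extension.
SUSPICIOUS_DIRS = ("\\temp\\",)
SUSPICIOUS_EXTS = (".scr", ".pif", ".bat", ".com")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_EXT_RE = re.compile(r"\.([a-z0-9]+)(?=[\s,\"]|$)")


def shell_line_extras(ini_text):
    """Return every program the [boot] shell= line starts besides explorer.exe."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    shell = cfg.get("boot", "shell", fallback=EXPECTED_SHELL)
    return [tok for tok in shell.split() if tok.lower() != EXPECTED_SHELL]


def parse_reg_export(text):
    """Parse a regedit export into {key path: {value name: string data}}.
    Only REG_SZ string values are handled; that covers the entries in the thread."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        val_match = _VALUE_RE.match(line)
        if val_match and current is not None:
            # regedit doubles backslashes in string data; undo that.
            name, data = val_match.group(1), val_match.group(2).replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_suspicious_autoruns(reg):
    """Flag Run/RunOnce/RunServices values launching from a temp folder or with a
    suspicious extension, and a Winlogon Shell that is not plain explorer.exe."""
    findings = []
    for key, values in reg.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail == "winlogon":
            shell = values.get("Shell", EXPECTED_SHELL)
            if shell.strip().lower() != EXPECTED_SHELL:
                findings.append((key, "Shell", shell))
        elif tail in ("run", "runonce", "runservices"):
            for name, data in values.items():
                low = data.lower()
                ext_match = _EXT_RE.search(low)
                ext = "." + ext_match.group(1) if ext_match else ""
                if any(d in low for d in SUSPICIOUS_DIRS) or ext in SUSPICIOUS_EXTS:
                    findings.append((key, name, data))
    return findings


def triage(ini_text, reg_text):
    """Combine both checks into a list of human-readable findings."""
    report = [f"system.ini shell= also starts: {p}" for p in shell_line_extras(ini_text)]
    for key, name, data in find_suspicious_autoruns(parse_reg_export(reg_text)):
        report.append(f"{key} -> {name} = {data}")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_SYSTEM_INI, SAMPLE_REG_EXPORT):
        print(line)
```

Against the constructed samples this reports the stray `openme.exe` on the shell line, the `System-Service` value pointing at EXPLORER.SCR, and the entry launching from C:\WINDOWS\TEMP, while leaving the ordinary NvCpl entry alone. To use it on a real machine, export the Winlogon and Run keys from regedit (File > Export) and copy system.ini off the box, then pass the two texts to `triage()`; treat the findings as leads to verify, not as a verdict.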
 