Hi all:
About two weeks ago I was brousing some warez sites a friend of mine emailed me. Sence then when I restart my windows 2000 pro computer. Ater about 20 minutes after bootup or restart no matter if I am working or doing nothing but sitting idle. These XXX explorer windows start poping up.

I have checked the obvious places the win.ini file. the regedit run folders. I deleated the cookies and axtivex stuff. I am also running a pritty good firewall. I know something has to be starting these, but I can't find it... I even watched the processes and syslog and nothing registars.

any Ideas

Michal

I have a link to a kickass software piece that stops pop-up windows by allowing only 1 browser to pop up at once - it's called Pop-Up-Stopper. Visit my site and find the link under the downloads section:

http://www.fleetmack.com

hope this helps!

That would help except that the window will pop up even if I am not using explorer at the time. It will pop up out of no where.

Try this

http://www.spywareinfo.com/hijacked.html

Got it from post #203 in the Virus & Security forum. A good read.

thanks for the info. I will try what they suggested and get back to you.

:)

michael

Having gone through the info (and links) on that site, I'm not sure if that will resolve your problem.

You did say that "about 20 minutes after bootup or restart no matter if I am working or doing nothing but sitting idle. These XXX explorer windows start poping up." This suggests a timer being activated on bootup or restart. Check your services and bring up Task Manager to see what is going on.

Post back.

I have been looking at my services. I have two
problems with that. 1. I can't tell what is supose to
be there and 2. say I do find the particular service
running im not sure how to get ride of it.

One thing I find interesting. If I reboot my cpu then
reboot again within 20 min (before the windows
pop) I get an HTML package error. Saying that it
can not close HTML package. I feel this has
something to do with the problem....

Also the problem is getting worse now after 20 min the windows pop up. I close them then about 5 minutes later they pop up again. after the second time they go away until reboot...

your thoughts

Michael

Have try ad-aware software.. You can download for free from download.com

It look and elmate any spyware which what this sounds like

As to what's running, on my bare bones W2k Pro, I have these processes running:

System Idle Process
System
smss
csrss
explorer
lsass
services
svchost (2 of them)
WinLogon
WinMgmt

These would probably be a minimum number of processes running with a Network installed.

As for the services, there is a description included with each. The RunAs Service can be set to Manual and should not normally start.

Check out:

http://www.blkviper.com/WIN2K/servicecfg.htm

its a good read.

michael: thanks for the info on services. Ill look
into that and get back.

A: thanks for the spyware info. I do not think I will
use the program in question. but it did give me
something to look for.

check out : http://www.cexx.org/startup.htm
this give more info on how to manually get rid of
spyware "trach" programs.

I will keep you all informed as I delve into this
problem deeper.

Any more ideas welcome :)

did you know the FBI uses sypware to track
citizens computer habbits.

michael

michael:

I figured out which processes it could be. I have it narrowed down a process that runs on startup called iexplore.exe. I do know that this is explorer. when I launch explorer it ads another iexplore.exe to the processes. and when the window pops up the I/O writes on the one in question goes from zero to 11. when I force quit this process the window went away.

All I got from this is that the iexplore.exe process it queued in some way just waiting to trigger to bring to life.

It still does not tell me how :(

there is another process that could have something to do with this openme.exe also disapears when I force quit the process but only after the window pops.

I did a search in regedit for iexplore.exe you get about 300. a search for openme.exe gets 2.

any Idea's

Michael

Go going!

For starters, get rid to that openme.exe (copy it to a floppy). I doubt that someone has hacked iexplorer (that's MS Internet Explorer executable), we all would have heard of it by now. iexplore doesn't normally run at startup.

I had taken you at your word that you had checked the win.ini, BOTH start ups (the logged on User and the ALL Users), RUN, RUNAS Service, RunOnce places in the registry. You did a search for openme and found 2. Where in the registry? I'm pretty sure you found your culprit. Now its just a matter of getting it ALL out of your system.

Let me know.

yes I found the openme.exe in the registry.

you said to get rid of / copy to a floppy. I don't quit know what you mean by this. I can get rid of both proceses but they both come back after restart.

Also I noticed that if I get rid of openme.exe after startup. but leave iexplore.exe the window still pops.

I have checked all areas I could think of (including the ones you mention above) I begining to think the culprit has been writen on the boot sector of my HD.. :)

Ill let you know what I find...

What I'd meant was copy the openme.exe file to floppy, then delete it from your hard drive. If this is the file causing the problem and there is only the one copy of this file, you should see an error when the registry tries to run it. Along the lines of "ERROR openme.exe could not be found".

What keys in the registry was openme.exe?

There are ways that a file can be hidden and called back if you delete it. The SirCam virus did this by hidding a copy in the Recycled bin (with the options RHS). The only way to find out was via a command prompt window -

cd \recycled
dir /ah
dir /ar
dir /as

will show all hidden, read only and all system files.

In your check of the ini files, there should be nothing added to them. Check vs the same files on the W2k CD. Also search you HDD for hta and reg files. They can be automatically run if they are in the Start Up folders.

Further to this problem, I found an interesting read on post #99227 (Win95 forum). Check out the links suggested. Not sure if this is germane or not.

Did a google search on openme.exe and almost got caught up in the same problem you have. A popup ask me to make some site my home page. I END TASKed iexplorer to get rid of it. So stay away from

http://oberon.spaceports.com/~codeinj/

One interesting thing I did learn from that site is that there may also be a openme.dll file. Check your disk for it. A search of my W2k Pro installation doesn't come up with openme.exe or dll files.

Let me know.

PS:

Its not likely that something went into your boot sector. The Recovery Console repair has fixmbr and fixboot to restore them to original condition.

But before running them, be aware that they can impede dual or multi booting if you do that now.

michael;

I checked the services and compaired them to the
information on
http://www.blkviper.com/WIN2K/servicecfg.htm
everything looks lagit.

The only thing left is hidden files.

also i am doing my research from my macintosh
so I have no worries of the popups infecting my
mac....

I will let you know what I find this weekend

Michael

Actually, there are a couple of other things. Poster 27446 is experiencing a similar problem with IE poping up a window every 20 mins. One responder mentioned the Task Scheduler as a possible culprit.

michael

First: you mentioned other posts #99227 and 27446 how do I find these? I looked earlier and could not find where you are getting the numbers....

Second: We did find it. I got to thinking at work that I was looking for something starting iexplore.exe. I came home and found the openme.exe in my winnt folder. I opened it and vuela the openme.exe sparks the process iexplor.exe.

so all I have to do now is find where open me is starting and problem solved.

I love this sh#$...

Michael

The search engine here doesn't appear to search the current posts until they pass through 10 pages. So I read. I got the reference for 99227 from another post (don't remember which or how I came to read it), though I had to search for (I think it was) "Hijack Home page" and then read for Lo Wang. 27446 was posted today on this forum by donodiddly titled "website opening automatically".

Do a Message Find (on the left), put the number in and choose the forum. Voila, up that post pops (in the current window).

We were already pretty certain that the openme.exe file was the culprit. Now we're trying to find out how its being launched/started.

The Task Scheduler is one method (or the AT/WINAT commands). Then there's the Startup folders, the Run keys in the registry, load= and run= in the win.ini folder, and lastly (I think) the autoexec.bat (and autoexec.nt) files.

Something nags my brain about reg keys and services - but I'm drawing a blank. Check out the above and let me know.

PS: caught me on that "voila" :)

michael

I have not figured out how the .exe file is bieng
started. I will continue to work on it.

Do you think if I move the openme.exe file from
the winnt folder that it will tell me where the error
came from?

I have checked everywhere with no luch. I will
keep chugging on this. Next is to go back and
figure out how they got this file through my firewall
without me knowing.....

Michael

I thought you had done that after post 11 and 13? When you remove the file, you should get an error. Remove openme.dll too, if you have it.

You never posted back with the location of the openme.exe in the registry.

As for getting through your firewall. You may have clicked a popup that the YES/NO butons were both set to YES (simple coding trick). See my response #13

Having read your saga of the 20 minute pop ups it seems to me you're going about it the hard way. "A" gave you the simple solution . Go get "Ad-Aware" and let it do the job for you . It'll scan and clean everything from your memory,registry and your entire HD no matter where the spyware is hiding. you can also set Ad-Aware up to let you know where the spyware is hiding so you know where to look next time.
As for how it got past your firewall,it was probably hidden in a java code and all you had to do is open the page and it would have downloaded itself along with the cookie. Ad-Aware Plus has an active scanner that catches all that called Ad-Watch. I use it along side ZoneAlarm Pro and McAfee VirusScan and NOTHING gets in without me knowing. At least nothing has got by yet. If you want to check the effectiveness of your security go to The Gibson Research Corp. site and do the ShieldsUp test here https://grc.com/x/ne.dll?bh0bkyd2 . It's a free service and well worth the time it takes to do the test.

I don't know if anyone is still reading this thread, but I encountered this same situation earlier today. As best I can pinpoint, the trojan got in through an email I received. Someone I don't know was giving me their new email address. I later found out my email antivirus software wasn't working, which is why it didn't detect it when I received it, but it was detected when the program was accessed after 20 minutes.

Norton AV identified it as W32.DSS.trojan, with no follow up information. NAV can't clean the files, I had to boot into safe mode, stop the openme.exe process, then delete openme.exe from c:\winnt and also two HTML files from \Local Settings\temp\gbg or something like that (Win 2k machine).

Now I'm stuck with "Can't find openme.exe" every time I restart my system, regardless of who logs on. As suggested above, I checked all startup folders, all run options in the registry, win.ini, autoexec.bat, etc, etc... I can't find where openme.exe is being started from. Can anyone else help?

Dave

Dave

this seemed to work Open regedit and do the following, or just search for openme and delete it every where it appears

HKey_local_Machine -> software -> Microsoft -> windows -> NT Current Version -> winlogon -> shell -> modify and delete the openme.exe

The shell should just read explorer.exe for the data, so just modify it to do so. It work on my machine. if the problem presist check your system.ini file, seems to be where it is hiding on the 98 os.

good luck
Doug

I was having the openme.exe problem for a while without the popup window problem. My Norton AV popped up with the openme.exe as a virus and when norton finds a virus it is pretty hard to do anything on your computer until you deal with the virus so I ended up going into safe mode and deleting the file, then rebooting. This got me back into windows ME and I then received the error that windows needed the openme.exe to start so what I did was search my registry and delete any entries with openme.exe in them, then I looked in the win.ini and found nothing and then I went to msconfig and checked the startup and then I found in the system.ini which is accessible through msconfig and in the boot section there is the openme.exe with the "shell=Explorer.exe openme.exe" which explains my problems and probably explains the popup problems as well. Hope this helps in determining how the file is being started up.

I recently had the same problem with the error message "cannot find openme.exe" at startup. Response #24 is the most accurate way to stop the pop up message. (thanks level). If you put a semicolon (;) before "shell=Explorer.exe openme.exe" then the pop up will stop. Do this in system.ini through msconfig or sysconfig. Hopefully you will still be reading this thread and can fix your problem.

Further to response #24.

I did all that and still a process were started right after reboot, that would eventually unpackage up to 3k files under c:\windows\temp\sys32. Also I was connected to the internet.

Eventually I used msconfig and removed this entry from the start: "explorer.scr". And for now the problem is gone.

Windows ME.

i had openme.exe, and i deleted the second instance of it yesterday on my computer. It dosent just make random porn popups, it cuts your paging files in half each time you boot.

A way to remove it from your computer is to goto http://housecall.antivirus.com and get a free virus scan. I use this all the time, they are up to date and I usually find 9-10 Trojans, backdoors and things.

I didnt know about the openme.dll... that may explain why it came back. I'll have to search my comp tonote.. that sucks, it takes forever to search on my comp.. Anyways, thought you might wanna now these.

o and btw, the folder it installs itself into seems to be a win xp folder.

Back to CS, ;)