C:\okehe4.exe? No Info Anywhere On This File.

7 replies to this topic

#1 tranquility

  • Members
  • 5 posts

Posted 10 May 2006 - 07:35 PM

So this is the thing... I have tried to find information on this startup item but no luck thus far. This is where it starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS File not found: c:\okehe4.exe

Now when I search in the registry for okehe4 it comes back in 8 places.
One thing I have never really studied is the registry.

Any help here would be greatly appreciated.

Thx a lot,

TranQ!
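As an added illustration (not part of this thread or anyone's post in it): a PowerShell script that lists the Run/RunOnce autostart entries and flags any whose target file no longer exists on disk, which is exactly the "File not found: c:\okehe4.exe" condition reported above. The registry paths are the standard Windows ones; the helper name Get-TargetPath is my own.

```powershell
# Added example: enumerate autostart entries and flag orphaned ones, i.e. Run
# values whose executable is gone (deleted by AV or by hand) but whose registry
# entry was left behind. Those entries are what still needs cleaning up.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds on its own; they are not Run values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable path out of a Run-value command line. Handles both the
# quoted form ("C:\path with spaces\app.exe" /arg) and the bare form
# (C:\path\app.exe /arg), then expands %SystemRoot%-style variables.
function Get-TargetPath([string]$command) {
    $cmd = $command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $target = Get-TargetPath ([string]$p.Value)
        $exists = Test-Path -LiteralPath $target -PathType Leaf
        $status = if ($exists) { 'ok' } else { 'MISSING' }
        # One line per entry: status, where the value lives, and the resolved path.
        '{0,-8} {1}\{2} = {3}' -f $status, $key, $p.Name, $target
    }
}
```

Entries marked MISSING are the orphaned autostarts; an entry that exists but points somewhere odd (the root of C:, a temp folder) deserves a closer look before the usual startup-disabling tools are run.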


#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 May 2006 - 08:52 AM

Do you mean you are getting an error on boot up because the file is not found? What did you remove from your system right before that happened? Any AV scans?

#3 tranquility

  • Topic Starter
  • Members
  • 5 posts

Posted 11 May 2006 - 07:24 PM

I wasn't getting any errors when I first noticed it. But I knew it shouldn't be there because I have an image of my startups from the point that I installed Windows.

Now after I removed this file... filez.exe... I removed it according to the how-to section here. Now whenever I start up Windows there seems to be something new in my services.

First it was...
winscntrl.exe... disabled but have not removed,

then...
Msmgs.exe... same as above,

and now...
chckntfs.exe... I keep disabling these startup items in the services section (while in safe mode).

Now should I just find all these files (registry identities as well) and delete?

You see, after (no noticeable time yet) but after some time and doing odd things through Explorer or internet browsing, my computer starts to not allow me to close or "end task" programs that I happen to be using. All that happens is I can use the "end now" feature but it does not actually do anything, and all my windows that are open just stay on my desktop overlapping each other. I can't even bring up my Task Manager through my taskbar (or using Ctrl+Alt+Delete either) and the only thing to do is press my reset button?

ARRRggggHHHH. LOL .....

I'm really confused here.
Maybe it's time for me to purchase a Mac hehe

Thx ,
TranQ!

#4 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 May 2006 - 07:43 PM

It sounds like you need some help from our HJT team... I am betting that if you check your Task Manager when all of this is happening, your disk activity is 100%. So when you are trying to end programs, the command is going into the queue, but the queue is so flooded that it takes a long time to get to that command. After a while, your system gets so clogged that it just gives up. By my quick research, your box is owned, so drastic measures may be needed. The HJT team can help you, but it will probably take a couple of days before they will be able to get to you... there is a pretty good backlog.

If you can, download winpatrol:
http://www.winpatrol.com/

Once it is installed, there is a tab where you can look at all of your startup programs and disable them. You can also investigate services and disable them. You will probably have better luck if you boot into safe mode before doing any investigation (although WinPatrol may not show all services then). There are a ton of different ways to disable startups, but WinPatrol is free, it is easy, and it is a nice application to have handy anyway.

Do you have an AV on your system at all? Don't mess with any registry cleaners just yet either. I'm trying to gauge your level of ability, and it sort of sounds like you at least are not afraid to try and tackle this on your own, and I can try and walk you through some of it.

#5 tranquility

  • Topic Starter
  • Members
  • 5 posts

Posted 11 May 2006 - 08:37 PM

Yea thx, I'm not completely unschooled in computers. I do quite a bit of reading daily. But everything I do know is pretty well self taught.

Yes, I'm using AVG Free and it finds viruses regularly. I've been trying to find a way to post AV scan results here for you but can't seem to figure out how, other than taking a screenshot of my desktop with the AV window open. Any suggestions?

To answer your question.... no I am not getting any errors on boot up.

Here's some of the virus probs I have been having:

minesweeper.exe
bgdnrzir.eqs
bot.exe
bot[1].exe
eraseme_08721.exe
eraseme_22038.exe
eraseme_22480.exe
eraseme_42446.exe
eraseme_63474.exe
jusched.exe
wins\DLLHOST.EXE
winzip.exe

Downloader.Haring.AJ
Generic.TKD
Worm/Opanki.IA
IRC/Backdoor.SdBot2.OC
Worm/Nachi.A
Worm/Agobot.BMK

They are all in the system32 folder!

Hope this helps a bit. Like I said, there's so much reading involved when teaching yourself lol :thumbsup:

TranQ!

#6 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 May 2006 - 09:03 PM

You have a mess... a couple of those are going to be quite difficult for you to remove on your own. You have a couple of infected system files (for starters). Boot into safe mode and delete these:
minesweeper.exe
bgdnrzir.eqs
bot.exe
bot[1].exe
eraseme_08721.exe
eraseme_22038.exe
eraseme_22480.exe
eraseme_42446.exe
eraseme_63474.exe

jusched.exe <-- delete only if in system32 folder
winzip.exe <-- delete only if in system32 folder

DLLHOST.EXE <-- If this one is in the system32\wins folder, it can be deleted. If it is in any other folder, it will need to be replaced. If you are uncomfortable with that, there is a tool here:
http://www.symantec.com/avcenter/venc/data...moval.tool.html
that will help you. Apparently your system is way behind on updates... :thumbsup:

#7 tranquility

  • Topic Starter
  • Members
  • 5 posts

Posted 11 May 2006 - 10:23 PM

Yea I know about the updates..... I just reinstalled XP and I am not a huge fan of all the updates. I like service pack 1. So much extra PnP configuring with SP2.

I guess I need to bite the bullet and install.

Would it just be easier to run the XP installation again?
Could these infections stay around even after reformatting?
What would be the best way to format?
Does just running the drive format at the start of the XP installation wipe it completely?

Thx so much for your help.

#8 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 11 May 2006 - 10:43 PM

When you do a reinstall without formatting, the infected files are still there, and the infected registry entries are still there, so no. You have to start fresh, and do a thorough reformat. The Welchia worm infection that you have would have been stopped by updates.

The best way to reformat has probably already been covered here, but quick and dirty:
1. Create a boot floppy (make sure it has a CD-ROM driver of some sort).
2. Download an AV, firewall, and some other protection software.
3. Physically disconnect the computer from the net (important).
4. Wipe out the partitions, reformat (full reformat).
5. Reinstall the OS, AV, firewall, etc. (At least make sure the Windows firewall is on.)
6. Go immediately to get all of your updates.

If you try to install SP2 with all the junk you have on your system, it will not install properly, and you will be worse off than you are now. Other than that, I don't know why you would be having PnP problems. I have not experienced the issues that you are describing. The simple fact is that your system is incredibly vulnerable without the updates. They don't call them critical updates for nothing. :thumbsup:
