Forum: Geek Forum
Topic: Er. Winoldap? Halp!
started by: Frosty

Posted by Frosty on Mar. 19 2001,02:44
Okay, I'm not sure if this is a malicious program or what, but I thought you guys would be the best place to ask.

The last coupla days, whenever i've tried to end windows, it's said there's a dos program running called NET, and occasionally one called PING. Well, trying to figure out where these are coming from, I found programs running after a clean boot -- winoldap and ping. I don't know wtf these things are besides dos programs. Now, a few days ago i found a .vbm (visual basic, i assume) file called "(kamasutra)" something or other in one of my directories...no clue wtf it was.
Now, while trying to figure out what this winoldap thing was, i checked the registry. Under local user, and down to explorer, I found the culprits in a folder called "Doc Find Spec MRU." Inside was the following:
a "'"
b "directx.*"
c "dx*.*"
d "kamasutra*.*"
e "winoldap*.*"
MRUList "eadcb"

Does anyone have any idea what this crap is? I've gone through everything under the startup tab of msconfig, but i can't seem to lock it down. I hope this has nothing to do with the general protection fault my other computer decided to have. Any help is GREATLY appreciated.


Posted by SimplyModest on Mar. 19 2001,04:49
quote:
Originally posted by Frosty:

The last coupla days, whenever i've tried to end windows, it's said there's a dos program running called NET, and occasionally one called PING. Well, trying to figure out where these are coming from, I found programs running after a clean boot -- winoldap and ping. I don't know wtf these things are besides dos programs. Now, a few days ago i found a .vbm (visual basic, i assume) file called "(kamasutra)" something or other in one of my directories...no clue wtf it was.
Now, while trying to figure out what this winoldap thing was, i checked the registry. Under local user, and down to explorer, I found the culprits in a folder called "Doc Find Spec MRU." Inside was the following:
a "'"
b "directx.*"
c "dx*.*"
d "kamasutra*.*"
e "winoldap*.*"
MRUList "eadcb"

Does anyone have any idea what this crap is? I've gone through everything under the startup tab of msconfig, but i can't seem to lock it down. I hope this has nothing to do with the general protection fault my other computer decided to have. Any help is GREATLY appreciated.



get a virus scanner.. and that will take care of it..

most new viruses are actually VBScripts.. (my parents had one called network.).. but norton or mcafee took care of it.. no problem..

you should look into that kinda soonish.


Posted by Frosty on Mar. 19 2001,18:32
Modest -- I'm buying Norton today, i think.

As for the rest of it...CatKnight, that's exactly what i was thinking, is that whatever it is may just ping out over and over and over to tell someone "This machine is ready to be hacked, yo" Anyway, it's good to know that the list is only shit i've searched for. Was kinda wondering what the hell anything related to kamasutra would have to do with windows...hrm. Hopefully it's just a malfunction.


Posted by kornalldaway on Mar. 19 2001,20:52
i would suggest u open VBS file with notepad and read what it does, if u didn't already delete it, it's not too hard to understand VB.
also if u open it with notepad and save it as a text file, u can send it to me.
i used to collect VBS type viruses and i'll be able to tell u if it's a virus or not and what it does.
and as mentioned by people above antivirus will help greatly

------------------
"Me fail English? That's unpossible!"
- Ralph Whigham


Posted by Frosty on Mar. 20 2001,02:15
I was trying to do so when i first found it, but i think i accidentally ran it. Either way, it disappeared. That was probably the dumbest thing i've ever done with a computer.


Posted by Observer on Mar. 20 2001,05:22
Winoldap is just a DOS virtual environment for running old DOS programs like Ping.

Doc Spec MRU is just a history of files you have searched for.

Where you should be looking in the registry for malicious programs is under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

...and your startup folder, of course.

------------------
A good programmer is someone who looks both ways on a one-way street


Posted by CatKnight on Mar. 20 2001,05:37
hey maybe whoever made the virus made it run ping so the virus maker would know when he was online? hmm...

anyway kamasutra is that hindu book of all the different sex positions. hehe


Posted by blanalex on Mar. 20 2001,21:00
quote:
Originally posted by Observer:
Winoldap is just a DOS virtual environment for running old DOS programs like Ping.

Doc Spec MRU is just a history of files you have searched for.

Where you should be looking in the registry for malicious programs is under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

...and your startup folder, of course.


check also for the lines load= and run= near the top of system.ini or win.ini (can't remember which one)

------------------
#define QUESTION (2b)| |!(2b)
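
Added example (not part of any post in this thread): a Python check that lists autostart entries from the places Observer and blanalex name, reading a regedit text export and a copy of win.ini instead of the live system. The sample data and the function names `reg_autostarts` and `ini_autostarts` are constructed for illustration; `load=` and `run=` are read from the `[windows]` section of win.ini.

```python
import configparser
import re

# Autostart keys named in the thread, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed sample of a regedit text export (REGEDIT4 format).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="wscript.exe C:\\WINDOWS\\example.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU]
"a"="winoldap*.*"
"MRUList"="a"
'''

# Constructed sample of win.ini.
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\example.exe\n[Desktop]\nWallpaper=(None)\n"

def reg_autostarts(reg_text):
    """Return (key, value name, command) for every value under a Run key."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # a new key header starts here
            continue
        m = re.match(r'"(.+?)"="(.*)"$', line)
        if m and key and key.lower() in RUN_KEYS:
            # Exports escape backslashes as \\; undo that for display.
            found.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return found

def ini_autostarts(ini_text):
    """Return the non-empty load=/run= entries from the [windows] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    out = []
    for opt in ("load", "run"):
        val = (cp.get("windows", opt, fallback="") or "").strip()
        if val:
            out.append((opt, val))
    return out
```

The Doc Find Spec MRU key in the sample is skipped on purpose: it is search history, not an autostart location, so only the two Run values and the `run=` line are reported.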


Posted by Frosty on Mar. 20 2001,23:17
Phew. Okay, I cleaned the worm out..apparently it wasn't too dangerous, luckily. Anyhow, thanks for your help everyone, at least i've got a little more info about what to look for in the future and a bit more registry knowledge so my previously searched for files don't freak me out. :-D


Posted by Frosty on Mar. 21 2001,05:33
Well shit. It is a virus, VBS/Pica.worm.gen...I thought that goddamn thing looked suspicious.

[Edit -- Virus name]

This message has been edited by Frosty on March 21, 2001 at 12:34 PM


Posted by WillyPete on Mar. 21 2001,11:23
Just a side note: Ping.exe won't alert any hacker to your presence online. Without too much detail regarding the TCP/IP network layers, it doesn't elicit any attention from the 'pinged' computer. Except for two conditions. A 'hacked' ping.exe is placed on your machine to do said job for hacker or the ping.exe has the switches included to create continuous and abnormally large packets to crash a target machine. ie: switch /l and /t (ping of death) Just type ping /? from dos for details.