Is this a virus or something Microsoft related?
  • Is this a virus or something Microsoft related?

    very weird, where do I start...

    Ok here it goes, and for your awareness....

    I just finished reinstalling Windows XP, all is ok, when it loads however I noticed a little dos box that appears running a script called crack.bat.

    I was very curious and started investigating the matter further, it turns out that the content of this bat file is as follows...

    "cd %systemroot%\system32\config
    cmd.exe < secreset.cmd 1> secreset.log 2>&1"

    Note this file was located in the registry under run, so I first disabled it in msconfig then restarted.

    Then I checked out the content of "secreset.log" and found the following... (I'll only attach a snippet)

    "Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32\config>cd %systemroot%\system32\config

    C:\WINDOWS\system32\config>
    C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\L$"`) do (
    More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
    More? )

    C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\G$"`) do (
    More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
    More? )

    C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "TIMEBOMB"`) do (
    More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
    More? )

    C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "HYDRAKEY"`) do (
    More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
    More? )

    C:\WINDOWS\system32\config>
    C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f

    The operation completed successfully

    C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion" /v LicenseInfo /f

    The operation completed successfully

    C:\WINDOWS\system32\config>
    C:\WINDOWS\system32\config>del /f system.14D system.old 1>nul 2>&1

    C:\WINDOWS\system32\config>regback system.14D machine system
    saving system to system.14D

    C:\WINDOWS\system32\config>reg load hku\system system.14D

    The operation completed successfully

    C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5 skip=1" %i in (`regdmp hkey_local_machine\system\currentcontrolset`) do (
    More? reg delete "HKEY_USERS\SYSTEM\%i\Control\Session Manager\WPA" /f
    More? )"

    Of course there is more, but I hope the above triggers something with any of you that could tell me... WHAT THE HECK IS THIS????????????????????????????

    I cleaned up all the stuff but kept the log file for more information.

    Thanks in advance.

    Regards,
    Elie
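One way to triage a log like the one above from the defender's side, as an added example that is not code from the thread: a short Python script that pulls every `reg delete`, `reg load` and `reg add` out of the captured output (including the ones issued inside the `for /f` loop, where the key still holds the `%i` variable) and flags those aimed at LSA secrets, the activation keys or a loaded offline hive. The sample log and the sensitive-key list are my own constructions modelled on the snippet, not the poster's file.

```python
import re

# Constructed sample modelled on the secreset.log snippet in the post (not the real file).
SAMPLE_LOG = r'''C:\WINDOWS\system32\config>cd %systemroot%\system32\config
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\L$"`) do (
More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
More? )
C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f
C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion" /v LicenseInfo /f
C:\WINDOWS\system32\config>reg load hku\system system.14D
C:\WINDOWS\system32\config>reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
'''

# Locations the posted script touches (my list, not from the thread); longest prefix wins.
SENSITIVE_PREFIXES = [
    (r"HKEY_LOCAL_MACHINE\SECURITY\POLICY\SECRETS", "LSA secrets (cached machine/service credentials)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WPAEVENTS", "Windows Product Activation state"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION", "licensing data (e.g. LicenseInfo)"),
    (r"HKEY_USERS\SYSTEM", "offline SYSTEM hive mounted with 'reg load'"),
]
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER"}
# Matches "reg delete/load/add <key> ..." whether it follows a prompt or a "More?" loop line.
REG_CMD = re.compile(r'^(?:.*?>)?\s*(?:More\?\s*)?reg\s+(delete|load|add)\s+("[^"]+"|\S+)(.*)$', re.I)

def normalize_key(key):
    """Strip quotes, expand hive aliases and upper-case so prefixes compare reliably."""
    hive, _, rest = key.strip('"').partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest).upper().rstrip("\\")

def triage_reg_log(text):
    """Return one finding per reg delete/load/add that targets a sensitive location."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REG_CMD.match(line)
        if not m:
            continue
        op, key, rest = m.group(1).lower(), normalize_key(m.group(2)), m.group(3)
        for prefix, reason in sorted(SENSITIVE_PREFIXES, key=lambda p: -len(p[0])):
            if key.startswith(prefix.upper()):
                value = re.search(r"/v\s+(\S+)", rest, re.I)
                findings.append({"line": lineno, "op": op, "key": key,
                                 "value": value.group(1) if value else None,
                                 "loop_expanded": "%" in key,  # %i: one delete per enumerated subkey
                                 "reason": reason})
                break
    return findings

if __name__ == "__main__":
    for f in triage_reg_log(SAMPLE_LOG):
        print(f"line {f['line']}: reg {f['op']} {f['key']} -> {f['reason']}")
```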

  • #2
    Session Manager?
    TIMEBOMB?
    HYDRAKEY?
    delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\?

    Don't like the sound of that bro.
    Where is crack.bat located?
    Rename crack.bat to crack.txt and paste the contents.

    • #3
      Figured that much, thanks Guchi...

      The content of crack.bat is...
      "cd %systemroot%\system32\config
      cmd.exe < secreset.cmd 1> secreset.log 2>&1"

      And it was located in c:\windows\system32\config

      I deleted everything, but I hope it wasn't already too late.

      Regards,
      Elie
      Last edited by Elie; 2 May 2005, 19:48.

      • #4
        How did that get on a new build? Is your copy of XP legit?
        P.S. You've been Spanked!

        • #5
          Don't know, got it off a buddy of mine who works at a computer store, so I am starting to wonder myself...

          Regards,
          Elie

          • #6
            Could it be a cracked version that removes the 30-day limitation when you install Windows XP?
            Why is it called tourist season, if we can't shoot at them?

            • #7
              I have a legit license which I used.

              • #8
                Originally posted by GT98
                Could it be a cracked version that removes the 30-day limitation when you install Windows XP?
                I think GT98 is right.

                Read this:

                Ladies and gentlemen, take my advice, pull down your pants and slide on the ice.

                • #9
                  Nice buddy, he didn't warn you first that they're using cracked Windoze.
                  Chief Lemon Buyer no more Linux sucks but not as much
                  Weather nut and sad git.

                  My Weather Page

                  • #10
                    Thanks Helevitia, I think this is what I'm seeing here also. I fixed the problem by deleting all that crap because I don't need no crack when I have a legit license.

                    Hey Pit, tell me about it. I'm going to talk to him, see what he has to say about this issue!!!

                    Regards,
                    Elie

                    • #11
                      Talk with your fist?
