very weird, where do I start...
Ok here it goes, and for your awareness....
I just finished reinstalling Windows XP; all is OK, but when it loads I noticed a little DOS box that appears, running a script called crack.bat.
I was very curious and started investigating the matter further; it turns out that the content of this bat file is as follows...
"cd %systemroot%\system32\config
cmd.exe < secreset.cmd 1> secreset.log 2>&1"
Note this file was located in the registry under Run, so I first disabled it in msconfig, then restarted.
Then I checked out the content of "secreset.log" and found the following... (I'll only attach a snippet)
"Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32\config>cd %systemroot%\system32\config
C:\WINDOWS\system32\config>
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\L$"`) do (
More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
More? )
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\G$"`) do (
More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
More? )
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "TIMEBOMB"`) do (
More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
More? )
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "HYDRAKEY"`) do (
More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f
More? )
C:\WINDOWS\system32\config>
C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f
The operation completed successfully
C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion" /v LicenseInfo /f
The operation completed successfully
C:\WINDOWS\system32\config>
C:\WINDOWS\system32\config>del /f system.14D system.old 1>nul 2>&1
C:\WINDOWS\system32\config>regback system.14D machine system
saving system to system.14D
C:\WINDOWS\system32\config>reg load hku\system system.14D
The operation completed successfully
C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5 skip=1" %i in (`regdmp hkey_local_machine\system\currentcontrolset`) do (
More? reg delete "HKEY_USERS\SYSTEM\%i\Control\Session Manager\WPA" /f
More? )"
Of course there is more, but I hope the above triggers something with any of you that could tell me... WHAT THE HECK IS THIS????????????????????????????
I cleaned up all the stuff but kept the log file for more information.
Thanks in advance.
Regards,
Elie
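The log quoted above is a cmd.exe transcript of a script that enumerates and deletes entries under the LSA Secrets key (HKLM\security\Policy\Secrets), deletes the WPAEvents key and LicenseInfo value under Windows NT\CurrentVersion, loads a saved copy of the SYSTEM hive offline and removes the Session Manager\WPA key from it. The following is an added example, not part of the original post, of how a defender could scan such a transcript (or any captured batch output) and flag exactly those operations. The rule names, the `Finding` record, and the helper functions are this example's own; the registry paths and value names are taken from the posted log, and the sample lines are a constructed subset of it.

```python
# Added detection example (not from the original post): scan a captured cmd.exe
# transcript, such as the secreset.log described above, for commands that tamper
# with the LSA Secrets store or Windows Product Activation (WPA) registry state.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the transcript
    rule: str      # name of the rule that fired
    command: str   # the command text with the cmd.exe prompt stripped


# cmd.exe echoes each command after a prompt ("C:\...>") or, inside a
# multi-line FOR block, after "More? ". Strip those so rules see only the command.
PROMPT_RE = re.compile(r'^(?:[A-Za-z]:\\[^>]*>\s*|More\?\s*)')

# Rules keyed on the registry paths and value names visible in the posted log.
# Matching is case-insensitive because reg.exe accepts any casing.
RULES = [
    ('lsa_secrets_enum',
     re.compile(r'\breg\s+query\s+"?HKLM\\security\\Policy\\Secrets', re.I)),
    ('lsa_secrets_delete',
     re.compile(r'\breg\s+delete\s+"?HKEY_LOCAL_MACHINE\\security\\Policy\\Secrets', re.I)),
    ('wpa_events_delete',
     re.compile(r'\breg\s+delete\s+"HKEY_LOCAL_MACHINE\\software\\Microsoft\\Windows NT'
                r'\\CurrentVersion\\WPAEvents"', re.I)),
    ('license_info_delete',
     re.compile(r'\breg\s+delete\s+.*\\CurrentVersion"\s+/v\s+LicenseInfo\b', re.I)),
    ('offline_hive_load',
     re.compile(r'\breg\s+load\s+hku\\\S+\s+system\.', re.I)),
    ('session_manager_wpa_delete',
     re.compile(r'\breg\s+delete\s+"HKEY_USERS\\\S+?\\Control\\Session Manager\\WPA"', re.I)),
    # The launcher pattern from crack.bat: cmd.exe fed a script on stdin with
    # its output redirected to a log file.
    ('cmd_stdin_script',
     re.compile(r'\bcmd(?:\.exe)?\s*<\s*\S+\.cmd\b', re.I)),
]


def strip_prompt(line: str) -> str:
    """Return the command portion of a transcript line (prompt removed)."""
    return PROMPT_RE.sub('', line, count=1).rstrip()


def scan(lines) -> list:
    """Apply every rule to every line; one Finding per (line, rule) hit."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        cmd = strip_prompt(raw)
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, name, cmd))
    return findings


def summarize(findings) -> dict:
    """Count hits per rule, e.g. {'lsa_secrets_delete': 1, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: a subset of the lines quoted in the post above, plus the
# two lines of crack.bat. A real transcript would be read from the log file.
SAMPLE_LOG = [
    r'cd %systemroot%\system32\config',
    r'cmd.exe < secreset.cmd 1> secreset.log 2>&1',
    r'C:\WINDOWS\system32\config>for /f "usebackq delims=\ tokens=5" %i in (`reg query "HKLM\security\Policy\Secrets" 2^>nul ^|find "\L$"`) do (',
    r'More? reg delete HKEY_LOCAL_MACHINE\security\Policy\Secrets\%i /f',
    r'More? )',
    r'C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\WPAEvents" /f',
    r'The operation completed successfully',
    r'C:\WINDOWS\system32\config>reg delete "HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion" /v LicenseInfo /f',
    r'C:\WINDOWS\system32\config>reg load hku\system system.14D',
    r'More? reg delete "HKEY_USERS\SYSTEM\%i\Control\Session Manager\WPA" /f',
]


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f'line {f.line_no:>3}  {f.rule:<28} {f.command}')
    print(summarize(hits))
```

Run against the sample it reports seven hits, one per rule, and nothing for the pure output lines ("The operation completed successfully", "More? )"). The prompt stripping matters: inside a FOR block cmd.exe prefixes each body line with "More? ", so a rule anchored at the start of the line would miss the reg delete commands that do the actual damage. The same rules can be pointed at the Run key value itself (the cmd_stdin_script rule flags the launcher line) to catch the persistence mechanism the poster found in msconfig.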