what is this on my computer?

Discussion in 'malware problems & news' started by rayik, Apr 4, 2003.

Thread Status:
Not open for further replies.
  1. rayik

    rayik Registered Member

    Joined:
    Feb 4, 2003
    Posts:
    14
    I run winxp pro sp1 standalone machine connected to net by dialup.

    Recently I went into network places and noticed a network set up. I deleted that network (without unfortunately saving any info about it).

    I went into the Systems folder recently. Under the General tab there was a graphic under the Windows logo along with additional text and a new button. I've tried to attach jpeg photos of this at the end.

    The graphic states: "Manufactured and Supported by BrainX". There is a white square with a large red X in it. Over the processor information is the word "R.O.S.T.I."

    There is also a button under the processor info which states "Support Information." Clicking that results in a window which states:
    "............................................
    presented by R.O.S.T.I @ BrainX
    ............................................
    presented by R.O.S.T.I @ BrainX
    ............................................"

    I used jv16 power tools. I noticed in installed software a program called "lameme." I deleted that program and removed all registry entries that referenced it.

    I ran startup list with full option. I don't think there is anything malicious running. Here's what it said:

    StartupList report, 4/4/2003, 7:11:15 AM
    StartupList version: 1.51
    Started from : C:\temp\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
    C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
    C:\WINNT\system32\cmd.exe
    C:\temp\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    APVXDWIN = "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    Outpost Firewall = C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    washindex = C:\Program Files\Washer\washidx.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
    StubPath = "C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fax: %systemroot%\system32\fxssvc.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service (autostart)
    Panda anti-virus driver: \SystemRoot\system32\drivers\Pavdrv51.sys (autostart)
    Panda anti-virus service: C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe (autostart)
    PfModNT: \??\C:\WINNT\System32\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Speed Disk service: C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------
    End of report, 8,360 bytes
    Report generated in 0.110 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Questions:

    1) What is that in my systems folder?
    2) Does the computer look compromised?

    I would like to remove whatever installed itself. I'm leaning towards a clean install of win.

    Thanks for any help. I've attempted to attach the pictures below.
     

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rayik,

    Did you ever use Tweak XP Pro without paying for it? :D

    Quote from Doug Knox:

    "Locate the OEMINFO.INI file in the Windows or Windows\System32 folder.
    Right click it and select Rename. Change the extension to TXT if you
    like.
    This is where custom information, such as the new logo and additional text come from."

    Regards,

    Pieter
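    The OEMINFO.INI mechanism Pieter and Paul describe, as an added example that is not from the thread: a small Python checker that lists the branding files XP reads from the Windows and System32 folders and parses the [General] and [Support Information] sections so unexpected vendor text can be flagged. The sample INI contents and the vendor allow-list are constructed for illustration.

```python
import configparser
import ntpath
import os

# Constructed sample mirroring the branding the thread describes; not a
# file taken from the poster's machine.
SAMPLE_OEMINFO = """\
[General]
Manufacturer=BrainX
Model=R.O.S.T.I.

[Support Information]
Line1=............................................
Line2=presented by R.O.S.T.I @ BrainX
Line3=............................................
"""

def oem_file_candidates(system_root):
    """Paths XP reads System Properties branding from (System32 first, then the Windows folder).
    Vista and later keep this in the registry under HKLM\\...\\CurrentVersion\\OEMInformation."""
    names = ("OEMINFO.INI", "OEMLOGO.BMP")
    return ([ntpath.join(system_root, "System32", n) for n in names]
            + [ntpath.join(system_root, n) for n in names])

def present_oem_files(system_root):
    """Branding files that actually exist under system_root (empty on a stock install)."""
    return [p for p in oem_file_candidates(system_root) if os.path.exists(p)]

def parse_oeminfo(text):
    """Parse OEMINFO.INI text: [General] Manufacturer/Model and [Support Information] LineN."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so Line1, Line2, ... are matched literally
    cp.read_string(text)
    general = dict(cp["General"]) if cp.has_section("General") else {}
    support = dict(cp["Support Information"]) if cp.has_section("Support Information") else {}
    keyed = [(int(k[4:]), v) for k, v in support.items() if k.startswith("Line") and k[4:].isdigit()]
    return {"manufacturer": general.get("Manufacturer", ""),
            "model": general.get("Model", ""),
            "support_lines": [v for _, v in sorted(keyed)]}

def audit_oeminfo(text, expected_manufacturers):
    """Return findings for branding that does not match the vendors you expect on this machine."""
    info = parse_oeminfo(text)
    findings = []
    if info["manufacturer"].lower() not in {m.lower() for m in expected_manufacturers}:
        findings.append("Manufacturer %r is not an expected vendor" % info["manufacturer"])
    for line in info["support_lines"]:
        if line.strip(". "):  # skip the dotted filler lines, report real support text
            findings.append("support text: %r" % line)
    return findings

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\WINNT")
    print("branding files present:", present_oem_files(root))
    for f in audit_oeminfo(SAMPLE_OEMINFO, ["Dell", "HP"]):
        print("FINDING:", f)
```

    On a real machine, read the file that present_oem_files() reports and pass its text to audit_oeminfo() with the vendor you actually bought the hardware from; Doug Knox's rename-to-TXT step then removes the branding.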
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Seems like it. Tweak XP Pro comes with the crack (version 2.06); the person that cracked this program put his OEM logo and info in your system32 folder.

    regards.

    paul
     
  4. rayik

    rayik Registered Member

    Joined:
    Feb 4, 2003
    Posts:
    14
    Oops, guilty as charged Pieter. Makes me think that those things could contain other stuff, more malicious, being installed also. Lesson learned for the future. Removing logo and that program too.

    Thanks for the help Pieter and Forum Admin.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi rayik,

    That's the risk you take by using cracks.
    You run a program on your PC that is made by someone who doesn't care about other people's rights.

    And then there is the fact that you got to go looking for them at sites that are dubious at best.

    So the chance of running something else than you had hoped for is ever present.

    Regards,

    Pieter
     