what is this on my computer?

Discussion in 'malware problems & news' started by rayik, Apr 4, 2003.

Thread Status:
Not open for further replies.
  1. rayik

    rayik Registered Member

    Feb 4, 2003
    I run winxp pro sp1 standalone machine connected to net by dialup.

    Recently I went into network places and noticed a network set up. I deleted that network (without unfortunately saving any info about it).

    I went into the Systems folder recently. Under the general tab there was a graphic under the Windows logo along with additional text and a new button. I've tried to attach jpeg photos of this at the end.

    The graphic states: "Manufactured and Supported by BrainX". There is a white square with a large red X in it. Over the processor information is the word "R.O.S.T.I."

    There is also a button under the processor info which states: "Support Information." Clicking that results in a window which states:
    presented by R.O.S.T.I @ BrainX
    presented by R.O.S.T.I @ BrainX

    I used jv16 power tools. I noticed in installed software a program called "lameme." I deleted that program and removed all registry entries that referenced it.

    I ran startup list with full option. I don't think there is anything malicious running. Here's what it said:

    StartupList report, 4/4/2003, 7:11:15 AM
    StartupList version: 1.51
    Started from : C:\temp\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Showing rarely important sections

    Running processes:

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
    C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
    C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,


    Autorun entries from Registry:

    Synchronization Manager = mobsync.exe /logon
    APVXDWIN = "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
    Outpost Firewall = C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice


    Autorun entries from Registry:

    washindex = C:\Program Files\Washer\washidx.exe


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
    StubPath = "C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
    StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe


    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    Fax: %systemroot%\system32\fxssvc.exe (autostart)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    LexBce Server: C:\WINNT\system32\LEXBCES.EXE (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
    Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /service (autostart)
    Panda anti-virus driver: \SystemRoot\system32\drivers\Pavdrv51.sys (autostart)
    Panda anti-virus service: C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe (autostart)
    PfModNT: \??\C:\WINNT\System32\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Speed Disk service: C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe (autostart)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

    End of report, 8,360 bytes
    Report generated in 0.110 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    1) What is that in my systems folder?
    2) Does the computer look compromised?

    I would like to remove whatever installed itself. I'm leaning towards a clean install of win.

    Thanks for any help. I've attempted to attach the pictures below.

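    The report above is the kind of thing a triage script can read mechanically. The following Python is an added example, not part of the original post or of the StartupList tool: it parses a StartupList-style report and flags the usual tells (a running process or autorun binary outside the Windows and Program Files trees, an autorun with an unqualified filename, an extra EXPLORER.EXE in a location other than the system root, and a hidden extension that shows no shortcut arrow). The sample report is constructed: it is modelled on the one in the post, with three suspicious entries planted so the checks have something to find. The set of "trusted" directory prefixes is an assumption chosen for an XP-era machine.

```python
import re

# Constructed sample modelled on the StartupList 1.51 report in the post above.
# Three entries are planted so the triage logic has something to flag:
# C:\temp\updater.exe, the Temp-folder autorun and the second Explorer.exe.
SAMPLE_REPORT = r"""
Running processes:

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\temp\updater.exe


Autorun entries from Registry:

Synchronization Manager = mobsync.exe /logon
washindex = C:\Program Files\Washer\washidx.exe
helper = C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe


Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: PRESENT!


Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)


End of report, 1 bytes
"""

# Report headers we care about; any other line ending in ':' closes the current section.
SECTION_HEADERS = {
    "Running processes:": "processes",
    "Autorun entries from Registry:": "autoruns",
    "Checking for EXPLORER.EXE instances:": "explorer",
    "Checking for superhidden extensions:": "superhidden",
}

# Assumption: on this kind of machine, legitimate startup binaries live here.
TRUSTED_PREFIXES = ("c:\\winnt\\", "c:\\windows\\", "%systemroot%\\",
                    "\\systemroot\\", "c:\\program files\\", "c:\\progra~1\\")
LEGIT_EXPLORER = {"c:\\winnt\\explorer.exe", "c:\\windows\\explorer.exe"}

# First executable-looking token of an autorun value, with or without quotes.
BIN_RE = re.compile(r'^"?(.*?\.(?:exe|sys|dll|ocx|cpl|scr|com|bat|cmd))"?(?=\s|,|$)',
                    re.IGNORECASE)


def parse_report(text):
    """Split the report into the sections named in SECTION_HEADERS."""
    sections = {name: [] for name in SECTION_HEADERS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current = SECTION_HEADERS[line]
        elif line.endswith(":") or line.startswith("End of report"):
            current = None          # some other section we do not parse
        elif current and line:
            sections[current].append(line)
    return sections


def binary_path(entry):
    """'name = value' autorun line -> the binary the value launches."""
    value = entry.split(" = ", 1)[1] if " = " in entry else entry
    m = BIN_RE.match(value.strip())
    return m.group(1) if m else value.strip()


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(text):
    """Return (category, offending line) findings for a StartupList report."""
    s = parse_report(text)
    findings = []
    for proc in s["processes"]:
        if not is_trusted(proc):
            findings.append(("process outside trusted dirs", proc))
    for entry in s["autoruns"]:
        path = binary_path(entry)
        if "\\" not in path:
            findings.append(("autorun with unqualified path", entry))
        elif not is_trusted(path):
            findings.append(("autorun outside trusted dirs", entry))
    for line in s["explorer"]:
        if line.endswith("PRESENT!"):
            path = line.rsplit(":", 1)[0].strip().lower()
            if path not in LEGIT_EXPLORER:
                findings.append(("extra EXPLORER.EXE", line))
    for line in s["superhidden"]:
        if "HIDDEN!" in line and "overlay: NO!" in line:
            findings.append(("hidden extension with no shortcut overlay", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_REPORT):
        print(f"[{category}] {line}")
```

    Run against the report actually pasted in the post, the only hits would be the unqualified `mobsync.exe` autorun (a Windows component, resolved from the system path) and the `.scf` line, which is the XP default for that extension; both are informational, and that is consistent with the thread's conclusion that nothing malicious is running.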

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi rayik,

    Did you ever use Tweak XP Pro without paying for it? :D

    Quote from Doug Knox:

    "Locate the OEMINFO.INI file in the Windows or Windows\System32 folder.
    Right click it and select Rename. Change the extension to TXT if you
    This is where custom information, such as the new logo and additional text come from."


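    To see exactly what an OEMINFO.INI file will put on the General tab and behind the Support Information button, it can be parsed rather than guessed at. The following Python is an added example, not part of Pieter's reply or of Doug Knox's text: it reads the two sections Windows XP's System Properties uses ([General] for the manufacturer and model strings, [Support Information] for the numbered lines behind the button) and reports any branding that is not on an allow-list. The sample file contents are constructed from the strings rayik describes; the real file sits in %SystemRoot%\System32 next to the logo bitmap, and on a standalone, self-built machine its presence at all is worth explaining.

```python
import configparser
import re

# Constructed OEMINFO.INI modelled on the branding described in the first post.
SAMPLE_OEMINFO = """\
[General]
Manufacturer=Manufactured and Supported by BrainX
Model=R.O.S.T.I.

[Support Information]
Line1=presented by R.O.S.T.I @ BrainX
Line2=presented by R.O.S.T.I @ BrainX
"""


def parse_oeminfo(text):
    """Return the strings System Properties would display from this INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    general = cp["General"] if cp.has_section("General") else {}
    info = {
        "manufacturer": general.get("Manufacturer", "").strip(),
        "model": general.get("Model", "").strip(),
        "support_lines": [],
    }
    if cp.has_section("Support Information"):
        numbered = []
        for key, value in cp.items("Support Information"):
            # configparser lower-cases option names, so match 'line1', 'line2', ...
            m = re.fullmatch(r"line(\d+)", key)
            if m:
                numbered.append((int(m.group(1)), value.strip()))
        info["support_lines"] = [v for _, v in sorted(numbered)]
    return info


def audit_oeminfo(text, expected_manufacturers=()):
    """List branding that is not on the allow-list of manufacturers you bought from.

    With an empty allow-list (a self-built or standalone box) every string is reported.
    """
    info = parse_oeminfo(text)
    allowed = {m.lower() for m in expected_manufacturers}
    findings = []
    if info["manufacturer"] and info["manufacturer"].lower() not in allowed:
        findings.append(f"General tab manufacturer text: {info['manufacturer']!r}")
    if info["model"] and info["manufacturer"].lower() not in allowed:
        findings.append(f"General tab model text: {info['model']!r}")
    if info["support_lines"] and info["manufacturer"].lower() not in allowed:
        findings.append("Support Information button shows: "
                        + " | ".join(info["support_lines"]))
    return findings


if __name__ == "__main__":
    # On a real XP machine you would read %SystemRoot%\System32\OEMINFO.INI here.
    for finding in audit_oeminfo(SAMPLE_OEMINFO):
        print(finding)
```

    Renaming the file, as the Doug Knox quote suggests, removes the text and the button; the logo bitmap beside it is what produces the graphic, so check for it at the same time.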
  3. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Seems like it. Tweak XP Pro comes with the crack version 2.06; the person that cracked this program put his
    OEM logo and info in your system32 folder.


  4. rayik

    rayik Registered Member

    Feb 4, 2003
    Oops, guilty as charged Pieter. Makes me think that those things could contain other stuff, more malicious, being installed also. Lesson learned for the future. Removing logo and that program too.

    Thanks for the help Pieter and Forum Admin.
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi rayik,

    That's the risk you take by using cracks.
    You run a program on your PC that is made by someone who doesn't care about other people's rights.

    And then there is the fact that you got to go looking for them at sites that are dubious at best.

    So the chance of running something else than you had hoped for is ever present.

