View Full Version : strange reset.bat file
dubstylee
April 27th, 2004, 11:13 AM
Was working on a friend's computer when I came across this strange file, located in C:\windows\repair. Its contents were:
@echo off
Rem: Brought to you by: By the best, The only
Rem: people that did it.
Rem: AngelDeath, Epyx, Slanchoca, DopeWeasel, Meph.
Rem: The now Famous 5.
batch.cmd
inuse.exe security %systemroot%\system32\config\security /y >nul
I did some googling and found inuse.exe is a Windows utility (http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp) that allows you to replace files in system memory. Is this some new spyware exploit? Has anyone seen this before?
Krell
April 27th, 2004, 11:24 AM
*overstating the obvious*
For one, it comes from the Resource Kit, so it doesn't just "show up"
Secondly, the bat credits as having been created by crackers.
I wouldn't leave that OS on for 5 more minutes.
I am attaching the readme files that come from the actual installation under C:\Program Files\Resource Kit.
What kind of symptoms led you to examine the system to begin with? What were you attempting to do? Did you examine the list of all installed programs to see if this could be slipped in with a "warez" somewhere?
The Hunter
April 27th, 2004, 11:55 AM
It is actually an exploit used to reset a trial period for XP back to "000" so the trial period never expires. That is as good as I can do. lol
Krell
April 27th, 2004, 12:27 PM
I read your links in PM, Hunter
Yah, that's what I was hinting at, especially with it in the \repair folder. If it's only for resetting product activation, that's one thing, but when you don't know what processes get altered, or how your system GOT a hack, can you trust it?
It's the game you play, mess with warez, risk getting burned.
Good research, Hunter
The Hunter
April 27th, 2004, 12:29 PM
That's why I wouldn't post how I came to that conclusion here, I didn't want to risk anyone trying those links.
Krell
April 27th, 2004, 12:33 PM
That's why I wouldn't post how I came to that conclusion here, I didn't want to risk anyone trying those links.
Warez sites are seldom friendly, these weren't either . . . heheh I'm too locked down
The Hunter
April 27th, 2004, 12:35 PM
The first clue is when the site automatically tries to send you the file without you asking for it.
The Hunter
April 27th, 2004, 01:02 PM
When dub sees this, if he requests, I will send him those links, but make sure your PC is really locked down before using them.
dubstylee
April 27th, 2004, 06:11 PM
His comp was riddled with spyware and pretty much unusable. I ended up just reinstalling, and it did turn out he had a warez copy of XP... thanks for the replies.
crackerjacker
April 27th, 2004, 06:17 PM
u can close this thread now
The Hunter
April 27th, 2004, 06:20 PM
As long as it all worked out, and I hope you told him he better start coming here and listening to all the warnings we post about spyware and adware.
crackerjacker
April 27th, 2004, 07:39 PM
spyware is evil
but malware is worse
with spyware it can be removed
but with malware it messes up your puter
The Hunter
April 27th, 2004, 07:42 PM
Oh how true, CJ, and that is why I didn't close this thread. It may still prove useful to someone.