Pegasus - Not hacked - You're right


dcdon

I've checked as far as I can and the large file appears to be a trojan. I'm still intrigued
and would like to remove it, if feasible. I've started a journal file and will make a side
project of it. So far my money is on being able to delete the 3000 file. But I really would like
to cut off the outflow to the source, whether I have a handle on DNS or not. I really feel it
will show up in ZA logs somewhere.

In light of that, I would appreciate your input. And thanks for the find.txt search; that is the
first major step. I have posted the files included, but am going to post them again here for
your perusal.


---------- C:WINNT\SOB\3000
c:\adlog.txt
c:\blocklog.txt
c:\recv_bp.txt
c:\send_bp.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\recv_ap.txt
c:\send_ap.txt
pec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
\??\C:\WINNT\system32\winlogon.exe
NTREM c:\config.sys.
NTREM visible to an OS/2 program that opens c:\config.sys, however they are
NTREM modify NT OS/2 config.sys configuration by editing c:\config.sys with
REM OS/2 Apps that access c:\config.sys actually manipulate this information.
PROTSHELL=c:\os2\pmshell.exe c:\os2\os2.ini c:\os2\os2sys.ini \cmd.exe
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\x509\x509_vfy.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_oaep.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_sign.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dh\dh_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\err\err.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\stack\stack.c
4@c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rand\md_rand.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\pkcs12\p12_decr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\lhash\lhash.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\objects\o_names.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_cert.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_ciph.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_rsa.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_sess.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\t1_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_print.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_sock.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_buff.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_nbio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bio_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_acpt.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_bio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_conn.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bitstr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bytes.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_digest.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_dup.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_gentm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_int.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_object.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_set.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_type.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_utctm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_verify.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\asn1_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_dhp.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_r_pr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\p8_pkey.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_algor.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_attrib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_cinf.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_crl.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\e
C:\WINNT\CSC
C:\WINNT\system32\
\??\C:\WINNT\system32\winlogon.exe
SERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ÿÿÿÿ'Mu'Muÿÿÿÿ7'Mu;'MuC:\perfc???.dat
C:\MSHLOCAL.LOG
C:\DEBUG.LOG
c:\
X±ÿÿÿÿÀÿ*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#


Do you have any suggestion as to the direction to take at this point? Remembering your earlier
suggestion, I did place a folder around the file without any adverse effect that I could
determine. In fact I layered the folders with others and moved it before a cold boot, with no
detrimental effect.

Looking at the files, what would your next logical step be? Just picked up a trojanware
(TD-3); we'll see.

Thank you very much.

don
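A triage helper for a strings dump like the one posted above, added here as an example and not part of the original thread. The sample lines are copied from that dump; the category names, regular expressions and the short list of recognised library names are my own assumptions.

```python
"""Triage a `strings`-style dump of a suspect binary.

Groups each printable string into categories a responder cares about:
files the binary may write (log paths, including printf-style %d names),
captured environment-variable lines, embedded source paths of statically
linked libraries (here OpenSSL, which suggests the binary links OpenSSL),
and COM type-library references. Category names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the dump posted above.
SAMPLE_DUMP = r"""
c:\adlog.txt
c:\recv_bp.txt
c:\send_bp.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
ComSpec=C:\WINNT\system32\cmd.exe
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
\??\C:\WINNT\system32\winlogon.exe
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#
"""

ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")          # NAME=value lines
WIN_PATH_RE = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\")       # C:\... or \??\C:\...
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")              # {xxxxxxxx-xxxx-...}
SRC_EXT = (".c", ".cpp", ".h")
LOG_EXT = (".txt", ".log", ".dat")
KNOWN_LIBS = ("openssl", "zlib", "curl")                   # assumed list


def classify(line: str) -> str:
    """Return the category name for one string from the dump."""
    s = line.strip()
    if not s:
        return "empty"
    if GUID_RE.search(s):
        return "typelib_or_clsid"
    if ENV_RE.match(s):
        return "environment"
    if WIN_PATH_RE.match(s):
        low = s.lower()
        if low.endswith(SRC_EXT):
            return "embedded_source_path"
        if low.endswith(LOG_EXT):
            # A % in the name means it is built with printf at run time
            return "log_path_format" if "%" in s else "log_path"
        if low.endswith(".exe"):
            return "executable_path"
        return "other_path"
    return "other"


def triage(dump: str) -> dict:
    """Group dump lines by category and list libraries seen in source paths."""
    groups = defaultdict(list)
    for line in dump.splitlines():
        cat = classify(line)
        if cat != "empty":
            groups[cat].append(line.strip())
    lib_re = re.compile(r"\\(" + "|".join(KNOWN_LIBS) + r")\\")
    libs = {m.group(1) for p in groups.get("embedded_source_path", [])
            for m in [lib_re.search(p.lower())] if m}
    groups["linked_libraries"] = sorted(libs)
    return dict(groups)


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_DUMP).items():
        print(f"{cat}: {len(items)}")
        for it in items:
            print("   ", it)
```

Feed it the full dump (one string per line) to get a per-category view before deciding which paths to watch or which firewall log entries to correlate.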
 

dcdon

Picked up a trojanware program called TD-3 by Diamond out of Au. http://diamondcs.com.au/
Haven't had time to look into it. Pressure cooker day at the markets. In this environment, a
tough roast can be made tender, or a shoe sole.

Just thought I'd try that.
If I were to change files by renaming, venture a guess as to which one(s) would start the
communication with the outside?

I also thought about a packet recorder. Which is the best for this type of thing?

Sorry, get carried away with ideas of approach.


;-)
don
 

dcdon

Sorry about the spelling
invironment=environment
teh = the (fat finger typo)
though = thought

thx,
don
 