HACKED; and Looking for Some help

Thread starter: dcdon

dcdon

I've been hacked and would like to try to catch the guy.
Anyone have the expertise to help find who it is?

The way I found him is with the help of Pegasus running a "find.txt" file on a very
large hidden file in the %SystemRoot% (3 gig).

thanks,
don
 
Could it have been a trojan horse?

What's your AV situation?

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.
 
Jonathan,

Thanks for asking. I use AVG, and it seems to have done okay. I also use ZA
firewall set to stealth. Usually check with Shields UP. It is an oriental guy with
a game called Battlestar on the machine. It's all hidden. Pegasus helped me run
a "find.txt" on a 3 gig hidden file that was nested in %SystemRoot%.

I have all the files and would really like to get the guy. Is that nutz, or what?

don
------------------
His name is jwang



 
What's a "find.txt"?

Also, a bit of my own view. I wouldn't try to "get back at this guy",
rather, I would just find out what he did (by reviewing logs, etc) and fix
it. Retaliation can only come back to hit you twice as hard the second
time. Even worse, you may be attacking the wrong person if a hacker uses a
trojan horse on an innocent user's computer to launch attacks.

Was this 3 GB file malicious?
Have you taken this machine off-line?
Are you checking the machine for mysterious packets being sent out?

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


 
Thank you Jonathan,
I'm not trying to find out to get even. I am curious and mad that I didn't keep
him out. I've been paranoid about the way this box has acted for some time. First
I just want to know if there is a way to find him, and I want to understand, so
others can not do the same thing.

Speaking about the logs, I have just started with the list of the 3 gig file.
Just started by doing common searches and am yet to find one file. They are all
hidden from the GUI. As far as it being malicious, he captured thru my user
profile, switched all over to the %SystemRoot%, had all of my user profile flow
through this file. I was so stupid, could not believe it. Every time I called a
command prompt it was on the root drive, and I used it just like I had good sense.
It was after I installed a folder around the file, my command prompts were on the
Documents and Settings\<profile>. Really felt stupid when I discovered that one.
No, I haven't taken it offline. I'm trying to absorb it and try to understand.

I believe I can delete the files that are inside the "3000"(system file) (as he so
aptly named it). Still looking into it right now.

The find.txt file is from a command prompt "find" to ferret out the file names
buried in the 3000 file and list them in a .txt file. Strange, I had just looked at
doing this a day or two before. Goes something like this:

find /i "c:\" c:\sob\3000 > find.txt

It took about 7 hours going through the GUI, with my 2.4 Northwood running wide
open, and it didn't even step the fan up. I thought that was pretty good. If I had
known it was going to take that long, I would have booted with a start up disk. I
may do it again, just to find the time difference.


thanks,
don
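The "find /i "c:\" c:\sob\3000 > find.txt" step above prints every line of a binary file that contains a drive path. The script below is an added example, not code from this thread, from Pegasus or from Windows; it carves the same path-like strings in a single streaming pass, but also records the byte offset of each hit (so the surrounding bytes can be inspected later with a hex editor), picks up UTF-16LE strings that "find" does not see in NT binaries, and collapses repeats. The function names, the sample blob at the bottom and the chunk and overlap sizes are all my own choices for the example.

```python
"""
Carve path-like strings, with their byte offsets, out of a large binary file.

Added example for this thread; not code from the thread or from any tool it
names. Reads the file in fixed-size chunks, so memory use stays flat no matter
how large the file is. SAMPLE_BLOB is constructed for illustration.
"""
import io
import re

MIN_LEN = 6        # shortest printable run worth keeping (same idea as `strings -n 6`)
CHUNK = 1 << 20    # read 1 MiB at a time
OVERLAP = 256      # bytes carried into the next chunk so a string split across a
                   # chunk boundary is still seen whole (must be >= 2 * MIN_LEN)

PATH_LIKE = re.compile(r"[A-Za-z]:\\")   # drive letter, colon, backslash anywhere in the text


def _runs(min_len):
    """Byte patterns for ASCII and UTF-16LE printable runs of at least min_len characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return ((ascii_run, "ascii"), (utf16_run, "utf-16-le"))


def carve_paths(stream, min_len=MIN_LEN, chunk=CHUNK, overlap=OVERLAP):
    """Return [(offset, text)] for every distinct path-like string in a binary
    stream, sorted by the offset of its first occurrence."""
    overlap = max(overlap, 2 * min_len)   # a partial run shorter than min_len must fit in the tail
    patterns = _runs(min_len)
    first_seen = {}                       # text -> offset of first hit (dedup)
    carry, base = b"", 0                  # unconsumed tail and the absolute offset of carry[0]
    while True:
        data = stream.read(chunk)
        eof = not data
        buf = carry + data
        # A match that reaches into the last `overlap` bytes may continue in the next
        # chunk, so it is held back and re-examined then (unless this is the end).
        limit = len(buf) if eof else max(0, len(buf) - overlap)
        cut = limit
        for pattern, encoding in patterns:
            for m in pattern.finditer(buf):
                if m.end() > limit:
                    cut = min(cut, m.start())   # keep the whole run for the next round
                    continue
                text = m.group().decode(encoding)
                if PATH_LIKE.search(text):
                    first_seen.setdefault(text, base + m.start())
        if eof:
            break
        # Note: one unbroken printable run longer than `chunk` makes `carry` grow
        # until the run ends; acceptable for a forensic one-off.
        carry, base = buf[cut:], base + cut
    return sorted((off, text) for text, off in first_seen.items())


def carve_bytes(data, **kwargs):
    """Convenience wrapper for in-memory data; see carve_paths."""
    return carve_paths(io.BytesIO(data), **kwargs)


# Constructed sample: binary noise, an environment string, a UTF-16LE path, a run too
# short to count, a printable run with no path in it, and a path that appears twice.
SAMPLE_BLOB = (
    b"\x00\x01\xff" * 10
    + b"ComSpec=C:\\WINNT\\system32\\cmd.exe\x00"
    + b"\x90" * 5
    + "C:\\WINNT\\CSC".encode("utf-16-le") + b"\x00\x00"
    + b"short\x00"
    + b"no path here at all\x00"
    + b"c:\\adlog.txt\x00"
    + b"c:\\adlog.txt\x00"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g.  python carve_paths.py C:\sob\3000 > find.txt
        with open(sys.argv[1], "rb") as f:
            hits = carve_paths(f)
    else:
        hits = carve_bytes(SAMPLE_BLOB)
    for offset, text in hits:
        print(f"0x{offset:08x}  {text}")
```

Run against the real file it writes one line per distinct path with its offset, which is what you want before deleting anything: environment-variable strings, NT-style "\??\" paths and a type-library GUID sitting together in one region are what saved process memory (a crash dump, pagefile or hibernation file) looks like, and that is a different thing from a hand-built configuration.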



 
Are you sure you were hacked, and as I said, not just the victim of a trojan
horse?

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


 
BTW, I am running a Zone Alarm firewall in stealth mode, and have run countless
checks to see if Shields UP could get it, and never once.
Here's the way to circumvent a firewall. Make a utility that everyone
wants. Attach your trojan to it. They all download the trojan and run
it. The trojan phones home and you connect to their machine. Since
their machine initiated the connection the firewall thinks it is OK,
(or may display a warning message).

Trojans are like vampires. You are safe unless you yourself invite
them in.

I'm not saying that's what happened to you, but a firewall, no matter
how secure, won't keep out nasties if you intentionally or
accidentally let them in. Or if your browser has a flaw that lets
them in.

Cheers,

Cliff
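Cliff's point is that a personal firewall passes a session the machine itself opens, so a trojan's "phone home" shows up only as an outbound connection from some process, never as an open port that Shields UP would find. One way to look for it, as an added example that is not code from this thread, from Zone Alarm or from any tool named here: take "netstat -ano"-style output (the PID column needs -o, which exists on XP and later; older systems need a third-party tool for it) and a "tasklist"-style listing, join them on PID, and flag every session to a non-local address from a process you cannot account for. Both listings below are constructed, the process name "unknown.exe" is made up, and ALLOWLIST is an assumption to be replaced with what actually belongs on the box.

```python
"""
Flag outbound "phone home" sessions by joining netstat and tasklist output on PID.

Added example for this thread; not code from the thread or from any tool it
names. NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed, unknown.exe is a
made-up process name, and ALLOWLIST is an assumption.
"""
import ipaddress
import re

# Constructed `netstat -ano`-style output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       720
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1054      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.20:1062      203.0.113.7:80         ESTABLISHED     1388
  TCP    192.168.1.20:1071      198.51.100.23:6667     ESTABLISHED     2216
  TCP    192.168.1.20:1075      198.51.100.23:6667     SYN_SENT        2216
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed `tasklist`-style output.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0        216 K
svchost.exe                    720 Console                    0      4,120 K
iexplore.exe                  1388 Console                    0     18,300 K
unknown.exe                   2216 Console                    0      2,044 K
"""

# Processes whose outbound traffic is expected on this machine (assumption; tune per box).
ALLOWLIST = {"iexplore.exe", "svchost.exe"}
# TCP states meaning "this host opened, or is opening, a session".
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}
# Address ranges that never leave the LAN; anything else counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# One tasklist data row: image name, PID, session name, session number, memory.
TASKLIST_ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def split_endpoint(endpoint):
    """'203.0.113.7:80' -> ('203.0.113.7', 80); '[::1]:445' -> ('::1', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP rows carry no state column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def is_external(host):
    """True for an address outside LOCAL_NETS; False for '*' and anything unparsable."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def flag_phone_home(netstat_text, tasklist_text, allowlist=ALLOWLIST):
    """Return (image, pid, remote_host, remote_port, state) for every outbound
    session to an external address from a process not in the allowlist."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row["state"] not in OUTBOUND_STATES:
            continue
        host, port = split_endpoint(row["remote"])
        if not is_external(host):
            continue
        image = procs.get(row["pid"], "<pid not in tasklist>")
        if image.lower() in allowlist:
            continue
        hits.append((image, row["pid"], host, port, row["state"]))
    return hits


if __name__ == "__main__":
    for image, pid, host, port, state in flag_phone_home(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image:<16} pid={pid:<6} -> {host}:{port}  {state}")
```

Run it a few times some minutes apart and compare the output: a short-lived session to the same outside address every so often is the beacon pattern to look for. Two limits worth knowing: netstat shows no state for UDP, so a beacon over UDP needs the packet capture Don mentions rather than this table, and a process that hides its image name needs a tool that reads process information from the kernel rather than from tasklist.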
 
Let me show the files, maybe you can tell better:


---------- C:WINNT\SOB\3000
c:\adlog.txt
c:\blocklog.txt
c:\recv_bp.txt
c:\send_bp.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\recv_ap.txt
c:\send_ap.txt
pec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
\??\C:\WINNT\system32\winlogon.exe
NTREM c:\config.sys.
NTREM visible to an OS/2 program that opens c:\config.sys, however they are
NTREM modify NT OS/2 config.sys configuration by editing c:\config.sys with
REM OS/2 Apps that access c:\config.sys actually manipulate this information.
PROTSHELL=c:\os2\pmshell.exe c:\os2\os2.ini c:\os2\os2sys.ini \cmd.exe
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\x509\x509_vfy.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_oaep.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_sign.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dh\dh_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\err\err.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\stack\stack.c
4@c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rand\md_rand.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\pkcs12\p12_decr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\lhash\lhash.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\objects\o_names.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_cert.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_ciph.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_rsa.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_sess.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\t1_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_print.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_sock.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_buff.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_nbio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bio_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_acpt.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_bio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_conn.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bitstr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bytes.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_digest.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_dup.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_gentm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_int.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_object.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_set.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_type.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_utctm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_verify.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\asn1_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_dhp.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_r_pr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\p8_pkey.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_algor.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_attrib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_cinf.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_crl.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\e
C:\WINNT\CSC
C:\WINNT\system32\
\??\C:\WINNT\system32\winlogon.exe
SERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ÿÿÿÿ’Mu’Muÿÿÿÿ7’Mu;’MuC:\perfc???.dat
C:\MSHLOCAL.LOG
C:\DEBUG.LOG
c:\
X±ÿÿÿÿÀÿ*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#



thanks,
don
---------------------



 
Hi there,
How have you been? Thanks for the post.

ZA is set to pure stealth
I did a Symantec online Security; it found no vulnerabilities.
I ran TD-3 and found 135, 445, and a few that were services, but nothing to pin it down.
Think a packet grabber set at startup would get there before the phone home is turned on.

BTW, here are the files that were recovered from that hidden file they called 3000 (3 gig is
suspicious)


These files would actually capture the user profile and route it through these files. I
enveloped it into a folder of another name, and it changed the route on the user profile back
to default. BTW, I was really duh, when I realized every time I called up a command prompt, I
was getting the %SystemRoot% instead of %SystemRoot%\Documents and Settings\UserProfile.
(Like I said, doh)

Strange little routine. Has a kids game loaded in it. Has my stock trading program routed
through it and that one has a humongous feed from all the markets live.

Think of anything, I'm open.

thanks,
don
 