KeelBug Posted December 11, 2008

So I login to my work laptop yesterday and everything is peachy. About 20 minutes later... I have no files on my desktop, start menu, quick launch and IE favorites. The folder structure is there... just no files. Now I've managed to recover the files from everywhere except my desktop (maybe already overwritten by the time I noticed it, which would have been 4-5 hours after it happened). I run Trend anti virus & firewall as it's a work standard, with the Spybot agent tracking registry changes and such, and nothing was flagged.

This morning I login and a folder starts up from my startup (may have done this yesterday, I might have just been too busy to notice) and it contains some suspicious files.

..\Startup\directory.src
..\Startup\makefile
..\Startup\cp\Directory.cpp
..\Startup\cp\directory.exe
..\Startup\cp\directory.obj
..\Startup\cp\directory.pdb
..\Startup\cp\makefile
..\Startup\cs\Directory.cs
..\Startup\cs\Directory.exe
..\Startup\cs\Directory.pdb
..\Startup\cs\makefile
..\Startup\vb\Directory.exe
..\Startup\vb\Directory.pdb
..\Startup\vb\Directory.vb
..\Startup\vb\makefile

You can download said files here > http://www.fase.me/Startup.rar < Pass 'hak5'.

Is anyone here (if you have time/nothing better to do :P ) able to go through these and see just what the hell it did to my system? Besides finally making me do more regular backups...

Cheers.
Sparda Posted December 11, 2008

They are programs apparently (not even downloading it).
Written in C++ (cpp)
Compiled into machine code (obj)
Then linked with libraries to produce the program (exe)
pdb is possibly from the IDE used to write them?
KeelBug Posted December 11, 2008

> They are programs apparently (not even downloading it).
> Written in C++ (cpp)
> Compiled into machine code (obj)
> Then linked with libraries to produce the program (exe)
> pdb is possibly from the IDE used to write them?

Yeah I get that :P. Just don't have the tools/time at work to deconstruct/sandbox them. There's no doubt some residual file hiding in my system somewhere.
Sparda Posted December 11, 2008

> Yeah I get that :P. Just don't have the tools/time at work to deconstruct/sandbox them. There's no doubt some residual file hiding in my system somewhere.

Delete them, move on with your life.
KeelBug Posted December 11, 2008

> Delete them, move on with your life.

Having no idea what's changed, it's a bit hard to delete something I don't know exists... I've moved on... prob just re-image the thing next week. Still leaves me curious though.
digip Posted December 12, 2008

Sounds like you got pwned. Did you leave it on and unattended anywhere, like where other people could have plugged in a USB key ;)

I think PDB files contain debug information for compiled programs when testing. Chances are they were created by the cpp file. That cpp file is encrypted or compiled code, so can't tell what's in it without knowing how to decrypt it first. Normally source code is in plain text. Whatever it is, it looks like it failed to clean up after itself, so the code is probably broken to some extent.

CLEANUP = *.exe *.pdb *.obj

Guess it never did since you were able to see the files.

Virus Total sees nothing but an encrypted archive: http://www.virustotal.com/analisis/7e90ab2...bfb333383175755

edit: well, if it was malicious, Virus Total can't seem to see anything: http://www.virustotal.com/analisis/a9c48b6...e3d91858a0f27a1

That doesn't mean you don't have malware or anything like that on your PC. I'd back up your important stuff and reformat. I am going to re-upload it to them in a separate (unpassworded) file to be sure.
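A first triage step for the situation in this thread, added here as an example and not code from any of the posters: inventory the per-user and all-users Startup folders (recursing into subfolders like the cp\, cs\ and vb\ directories above) plus the Run registry keys, recording each file's timestamps, SHA-256 and Authenticode status so the hashes can be looked up on VirusTotal without uploading the archive. The Startup paths come from the standard Windows shell folders; the CSV output location is an assumption.

```powershell
# Added example (not from the thread): inventory Windows autostart locations so
# unexpected entries can be spotted and their hashes checked against VirusTotal.
# Requires PowerShell 4 or later for Get-FileHash.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$report = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    # -Recurse and -Force pick up nested and hidden files, not just the top level.
    Get-ChildItem -Path $dir -Recurse -File -Force | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path        = $_.FullName
            SizeBytes   = $_.Length
            Created     = $_.CreationTime      # when the file appeared on disk
            LastWritten = $_.LastWriteTime
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature   = $sig.Status          # NotSigned, Valid, HashMismatch, ...
            Signer      = $sig.SignerCertificate.Subject
        }
    }
}

# The Run keys are the other common autostart location worth listing alongside.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    }
}

# Sorting by creation time groups files that were dropped together.
$report | Sort-Object -Property Created | Format-Table -AutoSize
$runEntries | Format-List

# Assumed output path; keep a copy off the machine before re-imaging.
$report | Export-Csv -Path "$env:USERPROFILE\startup-inventory.csv" -NoTypeInformation
```

Files whose Created time clusters around the incident and whose SHA256 is unknown to VirusTotal are the ones to preserve for analysis before wiping the laptop.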