A few weeks ago, I found that a large number of adult material files appeared on the computer over the weekend when it was not connected to the internet and I was not using the computer. Last week, I found that a similar incident had occurred one week earlier when I did not have the computer but it was connected to the company network.
From quick analysis I found the following:
* Both events were bounded by two failed logon attempts under my user ID
* Time duration between the two failed logon attempts was two days and twenty-one hours.
* Over the time period between the two failed logon attempts on each occasion, 72 event ID 636 and 72 event ID 637 occurred. Event ID 636 is: A user or group account was added to a local security group on the computer or on the domain, and Event ID 637 is: A user or group account was removed from a local security group on the computer or on the domain.
* MS Installer events occurred post the creation of the adult material files when the computer was next logged onto the network.
I am interested in knowing whether anyone thinks this is substantial evidence of a virus or malware attack or if these two events are related. It is concerning because I have had virus and malware scanners run across the computer that were available between the 30th March and 4th April and none of these returned the presence of any virus or malware – in particular Symantec Anti-Virus v9.0.0.33.8, F-Prot v6.0.6.3, Avast! Anti-Virus v4.7.942 and Ad-Aware v1.06r1. Is it possible that they could have missed something? Are you aware of any other malware / viruses that could have demonstrated this behaviour?
Please find logs and some initial analysis attached. I have separated out the two dates on the last two tabs of the attached Excel spreadsheet.
Any help is appreciated,
HelenD
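One way to check the "bounded by two failed logons" pattern against an exported Security log, as an added example that is not part of HelenD's post or attachment: it assumes a CSV export with timestamp, event ID and account columns, and assumes failed logons appear as legacy event ID 529 (the post does not name that ID); the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Event IDs taken from the post: 636 = member added to a local group,
# 637 = member removed. The failed-logon ID is an assumption (legacy 529).
FAILED_LOGON_IDS = {529}
GROUP_ADD, GROUP_REMOVE = 636, 637

# Constructed sample export (not the poster's spreadsheet): time, event id, account
SAMPLE_CSV = """\
2007-03-27 18:02:11,529,HelenD
2007-03-27 18:05:40,636,HelenD
2007-03-27 18:05:41,637,HelenD
2007-03-29 02:10:00,636,HelenD
2007-03-29 02:10:01,637,HelenD
2007-03-30 15:02:11,529,HelenD
2007-03-30 15:03:00,528,HelenD
"""


def parse_events(text):
    """Parse 'timestamp,event_id,account' rows into time-sorted tuples."""
    rows = []
    for ts, eid, acct in csv.reader(io.StringIO(text)):
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), acct))
    return sorted(rows)


def find_bracketed_windows(events):
    """Return each span between consecutive failed logons with its 636/637 counts.

    'paired' is True when every add has a matching remove, i.e. group
    membership was changed and then put back within the window."""
    windows, start, adds, removes = [], None, 0, 0
    for when, eid, _ in events:
        if eid in FAILED_LOGON_IDS:
            if start is not None:
                windows.append({"start": start, "end": when, "duration": when - start,
                                "adds": adds, "removes": removes,
                                "paired": adds > 0 and adds == removes})
            start, adds, removes = when, 0, 0   # open the next window
        elif start is not None and eid == GROUP_ADD:
            adds += 1
        elif start is not None and eid == GROUP_REMOVE:
            removes += 1
    return windows


if __name__ == "__main__":
    for w in find_bracketed_windows(parse_events(SAMPLE_CSV)):
        print(w["start"], "->", w["end"], w["duration"], w["adds"], w["removes"], w["paired"])
```

Run it against the real export by replacing SAMPLE_CSV with the spreadsheet saved as CSV; a window whose add/remove counts match, as in the post, is the one to line up against the file creation times.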