On Wed, Oct 05, 2011 at 07:57:03PM +0000, halfdog wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello List, > > I just puchased a Lenovo x121e and just before init with random data > and setting up the crypto disks, I found that the disk was not > completely clean. It seems that > > a) X121 ships with a dirty disk or > b) machine was used before purchase > > After reconstruction of bootsector, a NTFS partition is readable, > pagefile.sys shows > COMPUTERNAME=ADMIN-THINK > > Newest files in / > dr-x------ 1 root root 28672 May 29 09:45 SWDL > - -r-------- 2 root root 2490 May 29 09:36 ExitWinXP.bat > dr-x------ 1 root root 4096 Apr 6 13:59 WWAN1 > dr-x------ 1 root root 0 Mar 1 2011 Temp > dr-x------ 1 root root 0 Jan 6 2011 $Recycle.Bin > dr-x------ 1 root root 4096 Jan 6 2011 Users > dr-x------ 1 root root 0 Jan 6 2011 Intel > - -r-------- 2 root root 1959 Oct 2 2010 bluetooth.txt > > Funny: Might also be infected with virus, that generated sal.xls.exe > > - -r-------- 2 root root 4810 Oct 13 2007 > \346\270\205\351\231\244sal.xls.exe\347\227\205\346\257\222.bat > > The non-printables seem to be UTF-8 and display as Chinese glyphs on > other machine. > > I'm complete noob in win-forensics, but at least it seems, that there > is no evidence for other user accounts, Documents & Settings empty, so > perhaps this could really be an authentic IBM OEM image (with virus), > but they just replaced the boot sector to get rid of the partitions? > > Since I don't want to waste too much time on dirty hardware, I did > some googling, but found nothing of value. > > > Does someone know of similar findings on Lenovo machines and what's > your guess: is it worth to dig in deeper or is it just waste of time > to recover OEM-Windows image, that was deflowered and insufficiently > cleaned by some Chinese factory worker during lunch hours? > > hd > > - -- > http://www.halfdog.net/ > PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFOjLZtxFmThv7tq+4RAjg3AJ4xCLYJqExTYk0kqLowYFdB+RU3PQCgk4yW > zD1Qa8MoApdLGQ5Mns0wpKE= > =UuJ/ > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/
I have pretty new X220t and 2011-09-18 I noticed this http://paste.nerv.fi/59031966-strangedrivers.png when I was working as administrator. I didn't have any network connected (LAN, WLAN, bluetooth) nor USB-devices. I also did check event viewer, but didn't find anything useful. I didn't notice it again nor did I find any evidence of abuse. There is recovery partition in my model at least, which could have a big amount of executables and/or drivers. I also do know how to use Windows so as far as I can tell my laptop is pretty secure. I have firewall, IPS, anti-virus and I am not installing programs to my system easily :) Please notify me if you find anything related to this issue. I would be happy to receive sample of sal.xls.exe. Where did you purchase your laptop? Best regards, Henri Salo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
