Security Incidents mailing list archives

Huge Autoexec.bat


From: "Matthew S Barnes" <btc1 () alltel net>
Date: Sat, 14 Sep 2002 11:53:36 -0400

Hi all, we were working on a system the other day at a client's who called us
in to fix a downed domain controller. His system was blue screening, so
we got there and started poking around the system. We noticed something
weird and wanted to ask if anyone had seen it before. I hadn't ever ...
His autoexec.bat was huge, 26 megabytes to be exact. Now this computer was
running NT 4 SP6a and also a ton of other stuff, but none of the stuff in
autoexec.bat, as far as I could see, was anything related to his systems. I
told him he was probably hacked and that he needed to really treat this like
it was a crime scene and try to save all the data so we could reconstruct
later. Well, he said he didn't care (no wonder he was hacked) and told me
not to waste time on it; he wouldn't pay me to investigate, he would only pay me
to fix it. I did save some of the files I thought were suspicious and was
hoping someone, anyone, could point me in a direction to find out what would
make this autoexec.bat so big. Are there any known exploits that do this type
of thing? I appreciate all your help.

The autoexec.bat file was full of scripts and code and also some old emails
of his from years ago, and we never got time to go through the whole thing, just
enough to make me think it was a total compromise of his system.

Sincerely

Matthew S Barnes

Barnes Technical Consulting 2002