it wrote code in the index.php file on line 46
there was info in there that I am not sure I am supposd to repost here so I wont but when users came to the site it would state that the site either had the above exploit using CA or a trojan using another anti virus program.
the file size changed to 3k
not sure what other files might have been messed with. I did not see any other files or folders that were changed on or near the date of that index.php file.
using XOOPS 2.0.18.1 with protector.
FYI