Computer Forensics World :: View topic - ntuser.dat.log says "dirty"

Computer Forensics World Forum Index -> Technical Issues

Author: CMH (Newbie; Joined: Sep 22, 2006; Posts: 2)
Posted: Thu Sep 28, 2006 12:08 am    Post subject: ntuser.dat.log says "dirty"

We are inspecting a computer at work for potential abuse. We have found some graphic images and have run a few programs and noticed a lot of surfing to some questionable sites. We just checked the ntuser.dat.log under every username and all the files have the word "dirty" in them.

I just looked at my computer and my ntuser.dat.log does NOT have that word in there.

I'm assuming I have a big problem on my hands.... Any suggestions?
Author: Precision (Newbie; Joined: Sep 24, 2006; Posts: 20; Location: MD)
Posted: Fri Sep 29, 2006 12:07 am

I hope for your sake and that of the company that you know what you are doing and/or can prove it when push comes to shove, if the employee in question ever decides to pursue litigation. I assume everyone here knows that, but I mention it just in case before offering my opinion on the matter.

Since you haven't described exactly what you've done other than viewing a few graphic images, running a few programs and noticing a lot of surfing to some questionable sites, I will start from the beginning.

This is all assuming you are using a forensics copy/image to do the investigation:

1.) Ran antivirus/spyware software to determine any kind of infection. The reasons I state this are because:

a) Questionable sites were visited - (although they shouldn't be questionable - it should be black and white - is the site appropriate or not - if not, then off-limits sites were visited.)

b) All the user accounts are showing the same thing, so, to me, it looks like a system-wide problem, not just a user account. If that is the case, then some serious security issues come to mind, such as the privileges of the user account in question in the first place, and why an account with a high level of privilege (assuming this was the account that created the infection, if there is an infection) was surfing the net. BTW, if possible, I would isolate the machine as well, since this seems like a system-wide thing.

2.) The ntuser.dat.log file says dirty. Where does it say this? For example, when I look at my ntuser.dat.log file, it has the following:

Under name: ntuser.dat.LOG
Size: Will vary
Type: Text document
Modified: Will vary

So, is the dirty part of the file name, like ntuser.dat.dirty.LOG or is it under type, or where exactly is the word dirty showing up. I have never seen the issue before, so I am interested in what it looks like.

3.) Since the log file is questionable, I would assume the item it logs is also questionable, the NTuser.dat file. This file, along with the log file affect the HKEY_CURRENT_USER registry. Since this hive is the current profile loaded, unless you are logged in under the user, no point in looking there. What you want to look at is the HKEY_USERS, but it depends where to look. If the account is held at a domain controller, then you will have to find the SID of the user account, and I am assuming - never done this - look at the registry hive on the domain controller in which the account is local. If the account is a local account to the machine, then you could look at the HKEY_USERS there.

My next step would be to analyze the hive to see what is going on. I would use the results from the antivirus/spyware scan to assist with this. Beyond those starting points, I would have to see it to understand what was going on.

Just as a reminder, this is not an expert opinion, just my view on how I would go looking into things. Just remember the legal impacts if this goes any further - for example any discipline to the owner of the account in question.
Author: gralfus (Newbie; Joined: Sep 30, 2004; Posts: 113)
Posted: Fri Sep 29, 2006 1:28 am

"dirty" refers to the live system hive not being updated properly:
scilnet.fortlewis.edu/tech/NT-Server/registry.htm

When you make changes to the Registry that affect the HKEY_LOCAL_MACHINE\SYSTEM hive, the changes are first applied to the actual system hive, then to the alternate hive. If there is a system failure during the updates to the alternate hive, there is no problem, and after the system boots, NT updates the alternate hive to again be an exact copy of the actual system hive. However, if there is a failure during an update to the actual system hive, when NT reboots it detects that the system hive is dirty, so instead it boots using the alternate hive, which is in an older but stable state. It then rolls back changes to the original system hive.
Author: CMH (Newbie; Joined: Sep 22, 2006; Posts: 2)
Posted: Fri Sep 29, 2006 11:41 pm    Post subject: More about the log...

Thank you both for your posts. They are very helpful. To reply to Precision, here is some more information.

The computer is isolated and has not affected any other machines in our network. We've run spyware/adaware/antivirus, etc., and did not find anything. We are assuming the graphic images were brought in from an outside source, i.e. floppy, flash drive, CD, etc. These images are on only 1 machine.

Here is the text from the ntuser.dat.log file on that computer:

regf  \Lx    0  t t i n g s \ A d m i n i s t r a t o r \ N T U S E R . D A T DIRT


We would definitely appreciate any and all replies.

Thanks!
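The dump CMH posted and gralfus's explanation line up with the documented layout of a registry hive base block, which is what an examiner would parse to decide whether a hive is actually dirty. The Python below is an added example, not code from this thread: it builds a constructed old-style NTUSER.DAT.LOG image in memory, reads the "regf" base block (the "ttings\Administrator\NTUSER.DAT" fragment in the dump is the 64-byte file-name tail field at offset 48), compares the primary and secondary sequence numbers (a mismatch is the unfinished-write condition gralfus describes), verifies the header checksum, and counts the sectors flagged in the "DIRT" dirty vector that follows the header in an old-format transaction log. The function names, the constructed sample path and timestamp, and the one-bit-per-512-byte-sector bitmap size are assumptions made here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets follow the publicly documented regf base-block layout: "regf" at 0,
# primary/secondary sequence numbers at 4/8, FILETIME at 12, major/minor
# version at 20/24, file type at 28, file format at 32, root cell offset at 36,
# hive bins data size at 40, clustering factor at 44, a 64-byte UTF-16LE
# file-name tail at 48, and an XOR checksum of the preceding 508 bytes at 508.
BASE_BLOCK_SIZE = 512
DIRTY_VECTOR_OFFSET = 512   # old-style .LOG files: "DIRT" directly after the base block


def regf_checksum(data):
    """XOR of the 127 DWORDs that precede the checksum field, with the two
    reserved results remapped as the format requires."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", data[:508]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_base_block(data):
    """Parse the 512-byte header shared by a hive and its old-format .LOG."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != b"regf":
        raise ValueError("not a regf base block")
    (primary_seq, secondary_seq, ts, major, minor, file_type, file_format,
     root_cell, bins_size, clustering) = struct.unpack_from("<IIQIIIIIII", data, 4)
    # The name field holds only the tail of the path, which is why a dump of
    # the file shows a fragment like "ttings\Administrator\NTUSER.DAT".
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored_checksum = struct.unpack_from("<I", data, 508)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        # Windows bumps the primary number before a write and the secondary
        # number after it; a mismatch means the last write never finished,
        # i.e. the hive is "dirty" and the log has to be replayed.
        "dirty": primary_seq != secondary_seq,
        "last_written": filetime_to_datetime(ts),
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,        # 0 = primary hive; logs use a non-zero value
        "file_format": file_format,
        "root_cell_offset": root_cell,
        "hive_bins_size": bins_size,
        "clustering_factor": clustering,
        "file_name": name,
        "checksum_ok": stored_checksum == regf_checksum(data),
    }


def count_dirty_sectors(log_data, bins_size):
    """Number of hive sectors an old-format .LOG marks as dirty.
    Assumption made here: one bitmap bit per 512-byte sector of hive bins
    data, bitmap immediately after the "DIRT" signature."""
    sig = log_data[DIRTY_VECTOR_OFFSET:DIRTY_VECTOR_OFFSET + 4]
    if sig != b"DIRT":
        raise ValueError("no dirty vector: not an old-format transaction log")
    bitmap_len = (bins_size // 512 + 7) // 8
    start = DIRTY_VECTOR_OFFSET + 4
    return sum(bin(b).count("1") for b in log_data[start:start + bitmap_len])


def build_sample_log(path, primary_seq, secondary_seq, bins_size, dirty_sectors):
    """Construct a minimal old-format .LOG image for demonstration; the path,
    timestamp and sector numbers are made up, not taken from a real system."""
    bb = bytearray(BASE_BLOCK_SIZE)
    bb[0:4] = b"regf"
    ts = 128_000_000_000_000_000            # constructed FILETIME, mid-2006
    struct.pack_into("<IIQIIIIIII", bb, 4, primary_seq, secondary_seq, ts,
                     1, 3, 1, 1, 0x20, bins_size, 1)
    bb[48:112] = path[-31:].encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", bb, 508, regf_checksum(bytes(bb)))
    bitmap = bytearray((bins_size // 512 + 7) // 8)
    for sector in dirty_sectors:
        bitmap[sector // 8] |= 1 << (sector % 8)
    return bytes(bb) + b"DIRT" + bytes(bitmap)


if __name__ == "__main__":
    sample = build_sample_log(r"C:\Documents and Settings\Administrator\NTUSER.DAT",
                              7, 6, 8192, [0, 3])
    info = parse_base_block(sample)
    print(info["file_name"], "dirty" if info["dirty"] else "clean",
          count_dirty_sectors(sample, info["hive_bins_size"]), "dirty sectors")
```

Run it against an NTUSER.DAT and its .LOG copied out of a forensic image rather than the live profile (which is locked while that user is logged on, as Precision found). A "DIRT" signature in the .LOG is just the file format; the indicator worth reporting is a sequence-number mismatch in the primary hive, which says the last write did not complete and tells you nothing by itself about malware.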
Author: Precision (Newbie; Joined: Sep 24, 2006; Posts: 20; Location: MD)
Posted: Sat Sep 30, 2006 12:55 am

Thanks for the info!

Well, I don't know how your documents and settings folder looks, but I did a little looking in mine, and this is what I found.

A while back, I had problems with my profile, but still had data I wanted to get (but I still have yet to go back and back it up - silly me) so I left the original profile in place and made another one with the same username. So, my documents and settings folder has the following:

username
username.domain

So, I am logged in with the username.domain account, and can't view my ntuser.dat.log file because it is in use since I am logged in. But I can go view my username ntuser.dat.log file, and to my surprise, I saw the same thing:

username\ n t u s e r . d a t --- DIRTA

(the dashes are parts I took out just in case they are something that could be revealing of my system - call me paranoid!)

I then went and looked in the All Users folder in Documents and Settings and got this:

\ a l l u s e r s \ n t u s e r . d a t --- DIRT

I logged out, checked my file from another account, it does not have this.

I believe the issue might be created when using generic accounts, or duplicate accounts - if you are anything like me, when you create another user account, all you do is clone a default account and slap a new name on it for the next victim.

So, my final conclusion for now - probably nothing to be concerned with - I would chalk this one up to MS silliness.

But, I have thought of a way you could check this, but it would probably have to be tweaked. You could try duplicating another account, and see what you get in that ntuser.dat.log file. Who knows...
Author: EamonLandon (Newbie; Joined: Sep 27, 2006; Posts: 4)
Posted: Sat Sep 30, 2006 1:20 am

I opened my ntuser.dat and there is ---DIRT- the dashes represent characters that look like encryption gibberish.
Author: Precision (Newbie; Joined: Sep 24, 2006; Posts: 20; Location: MD)
Posted: Sat Sep 30, 2006 2:21 am

So, either all of us are infected with some weird obscure thing, or, more likely, this is a normal Windows "feature" and nothing out of the norm.
Author: EamonLandon (Newbie; Joined: Sep 27, 2006; Posts: 4)
Posted: Sat Sep 30, 2006 4:05 am

Yeah, seems to be on multiple files, multiple PCs, so I am guessing that it is windows related.

;DIRT

I actually think it is etc, etc, DIRT etc

I searched on it a little and haven't found much
Author: Precision (Newbie; Joined: Sep 24, 2006; Posts: 20; Location: MD)
Posted: Sat Sep 30, 2006 7:41 am

Did some experimenting on my own -

Clean system, never been hooked to the net, just formatted and the OS installed. Nothing else installed.

Created a user account besides admin named panther. Logged in once, then restarted the machine properly. Logged in via admin and took a look at the ntuser.dat.log file, and yet again, the dirty is there.

So, I started to wonder, and took a look at the ntuser.dat file. Seems it has a lot of these as well: .

So I got to thinking... maybe that is a control character, and what we are really seeing is just DIRT (like the above post mentions). Since the ntuser.dat file is nothing more than the hive of the user in the registry, those characters have to be in the registry somewhere. So, what to do.... search the registry. Only two keys found that contain DIRT, and they don't look promising for anything. So, I could try DIR, but as you can imagine, that would take forever to go through in the registry of just a regular install!

So hmm.... dunno where it comes from, but it definitely is not anything malicious unless my CD from MS is bugged or the backdoor is so good it is hiding in my BIOS. (ok ok, I'm joking now..)

Now I am wondering about the now!

*EDIT

Thought to fire up the ol' hex editor and find the hex for the character, turns out to be FF - so I am guessing it is the end of a line or something.

Argh..

Good luck with things.
Author: SueInCincy (Newbie; Joined: Jan 24, 2007; Posts: 3)
Posted: Thu Jan 25, 2007 7:51 am    Post subject: Here's what I know about dirt

Please suspend your disbelief, or at least be kind to me when you tell me I am crazy. In short, I think this dirt thing is likely something to be concerned about.

For more than a year, I have been plagued with a security problem that no one can fix, and so pretty much everyone tells me it's not real--with the exception of a guy who leads a Computer Forensics seminar for mid-level IT guys from big companies. I won't get into the details of the problem here, but suffice it to say that I have reformatted five different computers a total of at least 100 times. (The definition of madness...)

Here's what I have recently observed about "dirt" in my world: I began to notice this five or six reformats ago in all of the three computers I own. I did a search for dirt *before* connecting to the Internet, and found three instances. Once I connected to the internet, there were more than a dozen of them.

What I believe about my security issue is that the hard drive isn't really being cleaned, even though I use methods including FDISK with a retail XPPro disk, DBAN, and other things besides the manufacturers' restore disk.

In short, I think this dirt thing is indeed something to be concerned about.

I am writing this from someone else's computer, with an e-mail address that I will not be accessing from my dirt computer.

If you are interested enough in this to know more, I will be greatly appreciative of your insights and opinions. Perhaps even your Experience, Strength, and Hope.

Cheers,
SueInCincy
hackergoaway@yahoo.com
Author: Prickaerts (Newbie; Joined: Jan 03, 2006; Posts: 255; Location: The Netherlands)
Posted: Thu Jan 25, 2007 4:53 pm

Hmm,

Sounds a bit too heavy on the paranoia mode to me....

Regarding the image, it was mentioned in the second post already: are you doing the investigation on a forensically sound image of the drive under investigation?

About the DIRT hive issue. Was Windows event logging activated? Does it mention any issues regarding user profiles not being able to be unloaded during logout? How was the computer shut down prior to making the forensic copy?

I would focus on the validity of browser logs and try to match any unwanted visits to other activity that might be attributed to an actual person. Otherwise all you have is a computer used to visit certain websites. You'd still have to prove beyond some form of certainty who was actually sitting at the keyboard during those visits.

Chris
Author: clarkwgriswold (Newbie; Joined: Dec 27, 2006; Posts: 89)
Posted: Fri Jan 26, 2007 8:53 am

mentalhealth.org
Author: WO (Newbie; Joined: Jan 15, 2007; Posts: 36)
Posted: Sat Jan 27, 2007 12:09 am

oh my.... all I can do is grin..
Author: Towner19 (Newbie; Joined: Mar 12, 2007; Posts: 5)
Posted: Sat Mar 17, 2007 3:14 am

Hey everyone,
As I said earlier, I spend some time in the MaximumPC forums and they have been helpful. They recommended I use Panda scan to find files which are of some concern, at least to Panda. So, I have done that, and Chumly in the Free Clinic room said there was a weird signature on one of the files; it said this:

Quote:
Then there's a mystery host list that scares the crap out of me. O16-O17 should be noted. The "whois" on those IP's point to this address:

01110, Ukraine, Kiev, 20�, Solomenskaya street. room 201.


This came from this list Panda created:

Logfile of HijackThis v1.99.1
Scan saved at 5:16:14 PM, on 3/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Ringo\Hub.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file : // C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N4 - Mozilla: user_pref("browser.startup.homepage", "home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\"NAME"\Application Data\Mozilla\Profiles\default\bkns25hv.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"NAME"\Application Data\Mozilla\Profiles\default\bkns25hv.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB002" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Ringo Launcher.lnk = C:\Program Files\Ringo\Hub.exe
O8 - Extra context menu item: &AIM Search - res : // C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: RemindU - file : // C : \Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file : // C : \Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{685BEF00-FC07-4365-A76D-82C114EF424B}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D202FDEC-B726-43A4-B840-40660000FA8D}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD13807-29B2-41FF-B959-C2C5054AE926}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe

I know this takes up a lot of space, but I'm looking for answers before I wipe the hard drive. On that note, how exactly do I go about doing that? I have already backed up my info and need to move on or have some idea of where I am heading. Thanks everyone. I don't even know where he saw that name and address, but it is weird. He recommended I delete the WeatherBug button and ASL (I think), which I did. Any thoughts, anyone?
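Chumly's advice to look at the O16 and O17 entries is the part of a HijackThis log an analyst would check mechanically rather than by eye. The Python below is an added example, not from this thread or from HijackThis: it takes the O16/O17 lines quoted above, plus one constructed O17 line (placeholder GUID) that points at an expected resolver, and flags nameservers outside the organisation's expected networks and DPF downloads that are executables or come from hosts not on an allow list. The expected-resolver range 192.0.2.0/24, the allow list and the function names are constructed values. It also reports which control sets carry the unexpected resolvers, because a setting present in CCS, CS1 and CS2 alike survives a "Last Known Good" boot.

```python
import re
from ipaddress import ip_address, ip_network

# Line shapes match the HijackThis 1.99 log quoted above.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\.*: NameServer = (?P<servers>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[^}]+\})\s*(?:\((?P<name>[^)]*)\)\s*)?-\s*(?P<target>.+)$")

# Constructed sample: the O16/O17 lines from the log above, plus one made-up
# O17 line (placeholder GUID) pointing at an expected resolver so the
# non-finding case is exercised too.
SAMPLE_LOG = r"""
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{685BEF00-FC07-4365-A76D-82C114EF424B}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D202FDEC-B726-43A4-B840-40660000FA8D}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD13807-29B2-41FF-B959-C2C5054AE926}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
""".strip().splitlines()

# Constructed policy values: the resolvers an organisation expects its
# workstations to use, and the hosts it accepts ActiveX downloads from.
EXPECTED_DNS = ["192.0.2.0/24"]
TRUSTED_HOSTS = {"download.mcafee.com", "acs.pandasoftware.com"}


def host_of(target):
    """Hostname part of a URL that may or may not carry a scheme."""
    return target.split("://", 1)[-1].split("/", 1)[0].lower()


def triage_hijackthis(lines, expected_dns, trusted_hosts):
    """Findings for O17 resolvers outside the expected networks and for O16
    downloads that are executables or come from hosts not on the allow list."""
    expected = [ip_network(n) for n in expected_dns]
    findings = []
    for line in lines:
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[,\s]+", m["servers"].strip()):
                try:
                    ip = ip_address(server)
                except ValueError:
                    findings.append({"item": "O17", "control_set": m["cs"], "value": server,
                                     "reasons": ["resolver is not an IP address"]})
                    continue
                if not any(ip in net for net in expected):
                    findings.append({"item": "O17", "control_set": m["cs"], "value": server,
                                     "reasons": ["resolver outside expected networks"]})
            continue
        m = O16_RE.match(line)
        if m:
            target = m["target"].strip()
            if re.match(r"^[A-Za-z]:\\", target):
                continue                      # installed local DLL, nothing is downloaded
            reasons = []
            if host_of(target) not in trusted_hosts:
                reasons.append("download host not on allow list")
            if target.lower().endswith(".exe"):
                reasons.append("payload is an executable rather than a .cab")
            if reasons:
                findings.append({"item": "O16", "control_set": None,
                                 "value": target, "reasons": reasons})
    return findings


def summarize(findings):
    """Collapse findings into what gets reported: distinct unexpected resolvers,
    the control sets they are written into, and flagged download targets."""
    o17 = [f for f in findings if f["item"] == "O17"]
    return {
        "unexpected_dns": sorted({f["value"] for f in o17}),
        # A resolver written into CCS, CS1 and CS2 survives a "Last Known
        # Good" boot, so every affected control set is worth noting.
        "control_sets": sorted({f["control_set"] for f in o17}),
        "o16_flagged": [f["value"] for f in findings if f["item"] == "O16"],
    }


if __name__ == "__main__":
    for key, value in summarize(triage_hijackthis(SAMPLE_LOG, EXPECTED_DNS, TRUSTED_HOSTS)).items():
        print(key, value)
```

Feed it the whole log rather than the excerpt and it ignores every other item type; what comes out is a short list an analyst can act on (reset the resolvers in each affected control set, remove the DPF entry) and cross-check against browser history, as Prickaerts suggests, before drawing any conclusion about who sat at the keyboard.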
Author: grooveydude (Newbie; Joined: Dec 22, 2008; Posts: 1)
Posted: Tue Dec 23, 2008 6:14 am

Well, should I be worried then, because none of my accounts have any of the above problems?
All times are GMT + 10 Hours
Page 1 of 2

 