Computer Forensics World :: View topic - ntuser.dat.log says "dirty"

CMH
Newbie

Joined: Sep 22, 2006
Posts: 2

Posted: Thu Sep 28, 2006 12:08 am    Post subject: ntuser.dat.log says "dirty"

We are inspecting a computer at work for potential abuse. We have found some graphic images and have run a few programs and noticed a lot of surfing to some questionable sites. We just checked the ntuser.dat.log under every username and all the files have the word "dirty" in them. I just looked at my computer and my ntuser.dat.log does NOT have that word in there. I'm assuming I have a big problem on my hands... any suggestions?
Precision
Newbie

Joined: Sep 24, 2006
Posts: 20
Location: MD

Posted: Fri Sep 29, 2006 12:07 am    Post subject:

I hope for your sake and that of the company you know what you are doing and/or can prove that when push comes to shove if the employee in question ever decides to pursue litigation. I assume everyone here knows that, but, just in case before offering my opinion on the matter.

Since you haven't described exactly what you've done other than viewing a few graphic images and running a few programs and noticing a lot of surfing to some questionable sites, I will start from the beginning. This is all assuming you are using a forensics copy/image to do the investigation:

1.) Ran antivirus/spyware software to determine any kind of infection. The reasons I state this are because:

a) Questionable sites were visited - (although they shouldn't be questionable - it should be black and white - is the site appropriate or not - if not, then off limit sites were visited.)

b) All the user accounts are showing the same thing, so, to me, it looks like a system wide problem, not just a user account. If that is the case, then some serious security issues come to mind such as the privileges of the user account in question in the first place and why was the account with a high level of privilege (assuming this was the account that created the infection if there is an infection) surfing the net. BTW, if possible, I would isolate the machine as well since this seems like a system wide thing.

2.) The Ntuser.dat.log file says dirty. Where does it say this? For example, when I look at my ntuser.dat.log file, it has the following:

Under name: ntuser.dat.LOG
Size: Will vary
Type: Text document
Modified: Will vary

So, is the dirty part of the file name, like ntuser.dat.dirty.LOG, or is it under type, or where exactly is the word dirty showing up? I have never seen the issue before, so I am interested in what it looks like.

3.) Since the log file is questionable, I would assume the item it logs is also questionable, the NTuser.dat file. This file, along with the log file, affects the HKEY_CURRENT_USER registry. Since this hive is the current profile loaded, unless you are logged in under the user, no point in looking there. What you want to look at is the HKEY_USERS, but it depends where to look. If the account is held at a domain controller, then you will have to find the SID of the user account, and I am assuming - never done this - look at the registry hive on the domain controller in which the account is local. If the account is a local account to the machine, then you could look at the HKEY_USERS there.

My next step would be to analyze the hive to see what is going on. I would use the results from the antivirus/spyware scan to assist with this. Beyond those starting points, I would have to see it to understand what was going on.

Just as a reminder, this is not an expert opinion, just my view on how I would go looking into things. Just remember the legal impacts if this goes any further - for example any discipline to the owner of the account in question.
gralfus
Newbie

Joined: Sep 30, 2004
Posts: 113

Posted: Fri Sep 29, 2006 1:28 am    Post subject:

"dirty" refers to the live system hive not being updated properly: scilnet.fortlewis.edu/tech/NT-Server/registry.htm

When you make changes to the Registry that affect the HKEY_LOCAL_MACHINE\SYSTEM hive, the changes are first applied to the actual system hive, then to the alternate hive. If there is a system failure during the updates to the alternate hive, there is no problem, and after the system boots, NT updates the alternate hive to again be an exact copy of the actual system hive. However, if there is a failure during an update to the actual system hive, when NT reboots it detects that the system hive is dirty, so instead it boots using the alternate hive, which is in an older but stable state. It then rolls back changes to the original system hive.
CMH
Newbie

Joined: Sep 22, 2006
Posts: 2

Posted: Fri Sep 29, 2006 11:41 pm    Post subject: More about the log...

Thank you both for your posts. They are very helpful. To reply to Precision, here is some more information. The computer is isolated and has not affected any other machines in our network. We've run spyware/adaware/antivirus, etc. and did not find anything. We are assuming the graphic images were brought in from an outside source, i.e. floppy, flash drive, CD, etc. These images are on only 1 machine.

Here is the text from the ntuser.dat.log file on that computer:

regf  \Lx    0  t t i n g s \ A d m i n i s t r a t o r \ N T U S E R . D A T DIRT

We would definitely appreciate any and all replies. Thanks!
Precision
Newbie

Joined: Sep 24, 2006
Posts: 20
Location: MD

Posted: Sat Sep 30, 2006 12:55 am    Post subject:

Thanks for the info! Well, I don't know how your documents and settings folder looks, but I did a little looking in mine, and this is what I found.

A while back, I had problems with my profile, but still had data I wanted to get (but I still have yet to go back and back it up - silly me) so I left the original profile in place and made another one with the same username. So, my documents and settings folder has the following:

username
username.domain

So, I am logged in with the username.domain account, and can't view my ntuser.dat.log file because it is in use since I am logged in. But, I can go view my username ntuser.dat.log file, and to my surprise, I saw the same thing:

username\ n t u s e r . d a t --- DIRTA

(the dashes are parts I took out just in case they are something that could be revealing of my system - call me paranoid!)

I then went and looked at the all users folder in Documents and Settings and got this:

\ a l l u s e r s \ n t u s e r . d a t --- DIRT

I logged out, checked my file from another account, it does not have this. I believe the issue might be created when using generic accounts, or duplicate accounts - if you are anything like me, when you create another user account, all you do is clone a default account and slap a new name on it for the next victim.

So, my final conclusion for now - probably nothing to be concerned with - I would chalk this one up to MS silliness. But, I have thought of a way you could check this, but it would probably have to be tweaked. You could try duplicating another account, and see what you get in that ntuser.dat.log file. Who knows...
EamonLandon
Newbie

Joined: Sep 27, 2006
Posts: 4

 Posted: Sat Sep 30, 2006 1:20 am    Post subject: I opened my ntuser.dat and there is ---DIRT- the dashes represent characters that look like encryption gibberish.
Precision
Newbie

Joined: Sep 24, 2006
Posts: 20
Location: MD

Posted: Sat Sep 30, 2006 2:21 am    Post subject:

So, either all of us are infected with some weird obscure thing, or more likely, this is a normal Windows "feature" and nothing out of the norm.
EamonLandon
Newbie

Joined: Sep 27, 2006
Posts: 4

 Posted: Sat Sep 30, 2006 4:05 am    Post subject: Yeah, seems to be on multiple files, multiple PCs, so I am guessing that it is windows related. ;DIRT I actually think it is etc, etc, DIRT etc I searched on it a little and haven't found much
Precision
Newbie

Joined: Sep 24, 2006
Posts: 20
Location: MD

Posted: Sat Sep 30, 2006 7:41 am    Post subject:

Did some experimenting on my own - Clean system, never been hooked to the net, just formatted and the OS installed. Nothing else installed. Created a user account besides admin named panther. Logged in once, then restarted the machine properly. Logged in via admin and took a look at the ntuser.dat.log file, and yet again, the dirty is there.

So, I started to wonder, and took a look at the ntuser.dat file. Seems it has a lot of these as well: . So I got to thinking... maybe that is a control character, and what we are really seeing is just DIRT (like the above post mentions). Since the ntuser.dat file is nothing more than the hive of the user in the registry, those characters have to be in the registry somewhere. So, what to do.... search the registry. Only two keys found that contain DIRT, and they don't look promising for anything. So, I could try DIR, but as you imagine, that would take forever to go through in the registry of just a regular install!

So hmm.... dunno where it comes from, but it definitely is not anything malicious unless my CD from MS is bugged or the backdoor is so good it is hiding in my BIOS. (ok ok, I'm joking now..) Now I am wondering about the now!

*EDIT Thought to fire up the ol' hex editor and find the hex for the character, turns out to be FF - so I am guessing it is the end of a line or something. Argh.. Good luck with things.
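The bytes the posters are reading in a text viewer can be checked structurally instead. The following is an added example, not code from this thread: it assumes the publicly documented, reverse-engineered layout of XP-era hive transaction logs, in which a copy of the `regf` base block fills the first 512-byte sector and a dirty-page bitmap beginning with the ASCII signature `DIRT` starts at offset 512. The sample bytes are constructed, and `build_sample_log` and `parse_hive_log` are hypothetical names.

```python
import struct

SECTOR = 512  # size of the regf base block and of one page tracked by the bitmap


def build_sample_log(path_tail, hive_bins_size, dirty_pages):
    """Build a synthetic old-format .LOG image (constructed, not from a real system)."""
    base = bytearray(SECTOR)
    base[0:4] = b"regf"                               # base block signature
    struct.pack_into("<II", base, 4, 7, 7)            # primary / secondary sequence numbers
    struct.pack_into("<I", base, 28, 1)               # file type 1 = transaction log
    struct.pack_into("<I", base, 40, hive_bins_size)  # size of the hive bins data
    name = path_tail.encode("utf-16-le")[:64]
    base[48:48 + len(name)] = name                    # tail of the hive path, UTF-16LE
    bitmap = bytearray((hive_bins_size // SECTOR + 7) // 8)
    for page in dirty_pages:
        # One bit per 512-byte hive page; bit order is an assumption here and
        # does not affect the count computed by parse_hive_log().
        bitmap[page // 8] |= 1 << (page % 8)
    return bytes(base) + b"DIRT" + bytes(bitmap)


def parse_hive_log(data):
    """Decode the header fields and count pages flagged in the dirty vector."""
    if len(data) < SECTOR or data[0:4] != b"regf":
        raise ValueError("no regf base block at offset 0")
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    (file_type,) = struct.unpack_from("<I", data, 28)
    (bins_size,) = struct.unpack_from("<I", data, 40)
    # The 64-byte name field is why a text viewer shows "t t i n g s \ ...":
    # each UTF-16LE character is followed by a zero byte.
    name = data[48:112].decode("utf-16-le", errors="replace").split("\x00")[0]
    has_vector = data[SECTOR:SECTOR + 4] == b"DIRT"
    dirty_pages = None
    if has_vector:
        nbytes = (bins_size // SECTOR + 7) // 8
        bitmap = data[SECTOR + 4:SECTOR + 4 + nbytes]
        if len(bitmap) < nbytes:
            raise ValueError("dirty vector is truncated")
        dirty_pages = sum(bin(b).count("1") for b in bitmap)
    return {
        "hive_name": name,
        "file_type": file_type,
        "sequence_numbers": (primary_seq, secondary_seq),
        "has_dirty_vector": has_vector,
        "dirty_pages": dirty_pages,
    }


if __name__ == "__main__":
    sample = build_sample_log(r"ttings\Administrator\NTUSER.DAT", 8192, [0, 3, 9])
    for field, value in parse_hive_log(sample).items():
        print(f"{field}: {value}")
```

Under that layout the `DIRT` marker is present whether or not any page is flagged, so the bitmap count, not the string, is the value to record in case notes.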
SueInCincy
Newbie

Joined: Jan 24, 2007
Posts: 3

Prickaerts
Newbie

Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands

Posted: Thu Jan 25, 2007 4:53 pm    Post subject:

Hmm, sounds a bit too heavy on the paranoia mode to me....

Regarding the image, it was mentioned in the second post already, are you doing the investigation on a forensically sound image of the drive under investigation?

About the DIRT hive issue. Was Windows event logging activated? Does it mention any issues regarding user profiles not being able to be unloaded during logout? How was the computer shut down prior to making the forensic copy?

I would focus on the validity of browser logs and try to match any unwanted visits to other activity that might be attributed to an actual person. Otherwise all you have is a computer used to visit certain websites. You'd still have to prove beyond some form of certainty who was actually sitting at the keyboard during those visits.

Chris
clarkwgriswold
Newbie

Joined: Dec 27, 2006
Posts: 89

 Posted: Fri Jan 26, 2007 8:53 am    Post subject: mentalhealth.org
WO
Newbie

Joined: Jan 15, 2007
Posts: 36

 Posted: Sat Jan 27, 2007 12:09 am    Post subject: oh my.... all I can do is grin..
Towner19
Newbie

Joined: Mar 12, 2007
Posts: 5

Posted: Sat Mar 17, 2007 3:14 am    Post subject:

Hey everyone,
As I said earlier I spend some time in the MaximumPC forums and they have been helpful. They recommended I use Panda scan to find files which are of some concern, at least to the Panda. So, I have done that and Chumly in the Free Clinic room said there was a weird signature on one of the files; it said this:

 Quote: Then there's a mystery host list that scares the crap out of me. O16-O17 should be noted. The "whois" on those IP's point to this address: 01110, Ukraine, Kiev, 20�, Solomenskaya street. room 201.

This came from this list Panda created;

Logfile of HijackThis v1.99.1
Scan saved at 5:16:14 PM, on 3/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Ringo\Hub.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file : // C:\WINDOWS\System32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N4 - Mozilla: user_pref("browser.startup.homepage", "home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\"NAME"\Application Data\Mozilla\Profiles\default\bkns25hv.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"NAME"\Application Data\Mozilla\Profiles\default\bkns25hv.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [EPSON PictureMate Deluxe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9TA.EXE /P24 "EPSON PictureMate Deluxe" /O6 "USB002" /M "PictureMate Deluxe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Ringo Launcher.lnk = C:\Program Files\Ringo\Hub.exe
O8 - Extra context menu item: &AIM Search - res : // C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: RemindU - file : // C : \Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: RemindU - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file : // C : \Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{685BEF00-FC07-4365-A76D-82C114EF424B}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{D202FDEC-B726-43A4-B840-40660000FA8D}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBD13807-29B2-41FF-B959-C2C5054AE926}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CS2\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe

I know this takes up a lot of space, but I'm looking for answers before I wipe the hard drive. On that note, how exactly do I go about doing that? I have already backed up my info and need to move or have some idea of where I am heading. Thanks everyone. I don't even know where he saw that name and address, but it is weird. He recommended I delete the WeatherBug button and ASL (I think). I did. Any thoughts, anyone?
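One way to pull the O17 entries mentioned in the post above out of a HijackThis log and list every registry location where a resolver outside an expected set is configured. This is an added example, not part of the original post: the function names are hypothetical, the sample lines are copied from the log above, and the expected resolver used when the script is run directly is a constructed placeholder.

```python
import ipaddress
import re
from collections import defaultdict

# Three O17 entries and one unrelated entry, copied from the log in the post above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{60690176-F958-45DD-9854-386211BC6B17}: NameServer = 85.255.113.195,85.255.112.108
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.195 85.255.112.108
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

O17_LINE = re.compile(
    r"^O17 - HKLM\\System\\(?P<control_set>[^\\]+)\\Services\\Tcpip\\"
    r"(?P<scope>.+?): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Yield (control_set, scope, [server, ...]) for every O17 NameServer entry."""
    for line in log_text.splitlines():
        match = O17_LINE.match(line.strip())
        if not match:
            continue
        # The log shows the value both comma- and space-separated; accept either.
        servers = [s for s in re.split(r"[,\s]+", match["servers"]) if s]
        yield match["control_set"], match["scope"], servers


def unexpected_nameservers(log_text, expected):
    """Map each resolver not in `expected` to the places it is configured."""
    allowed = {ipaddress.ip_address(ip) for ip in expected}
    findings = defaultdict(list)
    for control_set, scope, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                # Keep malformed values visible instead of dropping them.
                findings[server].append((control_set, scope))
                continue
            if addr not in allowed:
                findings[str(addr)].append((control_set, scope))
    return dict(findings)


if __name__ == "__main__":
    # 192.168.1.1 stands in for the resolver the owner expects (constructed value).
    for server, places in unexpected_nameservers(SAMPLE_LOG, {"192.168.1.1"}).items():
        print(server)
        for control_set, scope in places:
            print(f"    {control_set}: {scope}")
```

The same value appearing under `Parameters` and under each per-interface key in several control sets means the setting has to be corrected in every listed location, not only on the active adapter.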
grooveydude
Newbie

Joined: Dec 22, 2008
Posts: 1

Posted: Tue Dec 23, 2008 6:14 am    Post subject:

well should I be worried then cuz none of my accounts have any of the above problems ..