off topic but I need some help

Burnsie

Distinguished
May 3, 2005
28
0
18,530
One of our consultants got a virus on his company laptop, which should only be used for business purposes. I can't tell which service is running the virus and it is just bogging down the CPU so bad that it takes 5 minutes for Norton IS to open. He deleted all the history in his IE. Is there a program that will retrieve his history so that I can try and pin down where he got this virus as well as nail his @$$ for misusing the laptop?

The trojan is "trojan.popper" and it constantly restarts Windows explorer, so no virus scan can finish running.

Thanks in advance.
 

Gary_Busey

Distinguished
Mar 21, 2006
1,380
0
19,280
I don't know about retrieving the history, but I use Spyware Doctor and it wipes out any spyware/malware I've ever had. Keeps my system spotless.
 

Burnsie

Distinguished
May 3, 2005
28
0
18,530
Hahahaha, Thanks for that one. I ask on the forums because I hope that someone has a quality program that works well, not something that happens to be named what I search for. Thanks
 

Burnsie

Distinguished
May 3, 2005
28
0
18,530
Nope, just tested it to see if it would and it doesn't. I need something that is gonna retrieve the history. Any ideas?
 

sluzbenik

Distinguished
Jul 19, 2006
177
0
18,680
If the history is cleared you would have to use some data recovery software to get that index.dat file back. That article is pretty good...
 

Gary_Busey

Distinguished
Mar 21, 2006
1,380
0
19,280
Yeah, I knew there was some way to do it because computer forensics specialists do it all the time, but I never knew how. Very interesting article indeed.
 

Burnsie

Distinguished
May 3, 2005
28
0
18,530
Thanks for the article link. That's got a lot of great info in there. I don't think I am gonna need the actual list of the history. I got him to admit that he was downloading porn in Morpheus as well as other programs. Bah!


At least it is hump day :twisted:
 

yeason

Distinguished
Jun 27, 2006
65
0
18,630
In regards to determining which process it is that's associated with the trojan, have you tried ProcXP? It will list all of the processes, what they're doing, and what file they are associated with. You can also search for files that are being used, or are creating system processes. You can download it here: http://www.sysinternals.com/Utilities/ProcessExplorer.html

I've used it before and it's a pretty useful program, a lot more powerful than the built-in Windows Task Manager.

Best of Luck
 

zornundo

Distinguished
Jul 14, 2006
318
0
18,780
He's such a n00b. Give him the ol' tar and feather! :twisted:

What's his prize for unauthorized use?
 
Guest

Guest
One of the simplest ways is to use Windows System Restore; few people think about it! You restore to a previous state and all your history is there =). Unless he cleaned it regularly or if he doesn't keep any...

I personally use a Winternals product; it has recently been bought by Microsoft, though.
A Winternals ERD Boot Disk 2005 boot CD can be made with their software and you can add many tools, really useful, one of them is for data recovery. The thing about those tools is the more you use the computer the more chance you have of having data being written over the old data, so do it as quickly as possible!

Be careful, they have 2 products that do it; one of them is pretty basic and sucky but the other works fine. I don't remember the name and I don't feel like googling it =).

Good luck, and pr0n ain't that bad you know
LOL!
 

zornundo

Distinguished
Jul 14, 2006
318
0
18,780
I think his point was that the unauthorized use rendered the laptop unusable.

Next time, instruct the employee on how to use file-sharing w/o getting burned by shiz. :roll:
 
Guest

Guest
Lol, I know....
The bootable CD is a pretty good idea too, it just won't help you backtrace the origin and prove it's actually linked to misuse.
 
Guest

Guest
Looks like everybody else is helping on the virus part, so I'll give you a heading on tracking the usage.

Depending on which version of the OS you're using, you can look in the history file. There's a shortcut in the start menu.
You can look in the "temporary internet files" located in the "local settings" file of the 'specific' "users" file.
To track the Inet usage, after the temp files have been erased you can look at the index.dat files using a dat file viewer.

You can find one here

http://www.freedownloadscenter.com/Utilities/Misc__Utilities/Index_dat_Analyzer.html


Peace
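
What an index.dat viewer does with a recovered file or raw disk fragment, as an added example that is not part of the original thread: it carves "URL " activity records out of the bytes and pulls the visited URL and last-access time from each. The field offsets (128-byte blocks, access time at +16, URL-string offset at +0x34) are assumptions taken from the commonly documented IE 5+ index.dat record layout, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128           # assumed allocation unit for index.dat records
URL_OFF_FIELD = 0x34  # assumed position of the "offset to URL string" field
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; None if unset or absurd."""
    try:
        return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    except OverflowError:
        return None

def parse_record(buf, pos):
    """Return (offset, last_accessed, url), or None if this hit is not a record."""
    if pos + 0x38 > len(buf):
        return None
    blocks, _modified, accessed = struct.unpack_from("<IQQ", buf, pos + 4)
    url_off, = struct.unpack_from("<I", buf, pos + URL_OFF_FIELD)
    size = blocks * BLOCK
    if not 1 <= blocks <= 1024 or not 0x38 <= url_off < size:
        return None                      # "URL " matched by chance
    start = pos + url_off
    limit = min(pos + size, len(buf))    # recovered data may be truncated
    end = buf.find(b"\0", start, limit)
    url = buf[start:end if end != -1 else limit]
    if not url or any(b < 0x20 or b > 0x7E for b in url):
        return None                      # not a printable ASCII string
    return pos, filetime_to_utc(accessed), url.decode("ascii")

def carve_url_records(buf):
    """Scan raw bytes (recovered file or disk fragment) for URL records."""
    hits, pos = [], buf.find(b"URL ")
    while pos != -1:
        rec = parse_record(buf, pos)
        if rec:
            hits.append(rec)
        pos = buf.find(b"URL ", pos + 4)
    return hits

def make_sample():
    """Constructed data: junk, one valid record, then a chance "URL " match."""
    when = datetime(2006, 8, 2, 12, 0, tzinfo=timezone.utc)
    ticks = (when - EPOCH) // timedelta(microseconds=1) * 10
    url = b"Visited: consultant@http://files.example.test/setup.exe\0"
    rec = (b"URL " + struct.pack("<IQQ", 2, 0, ticks)).ljust(URL_OFF_FIELD, b"\0")
    rec = (rec + struct.pack("<I", 0x68)).ljust(0x68, b"\0")
    rec = (rec + url).ljust(2 * BLOCK, b"\0")
    return b"\xff" * 37 + rec + b"see URL here" + b"\xff" * 64, when
```

Run `carve_url_records` against a read-only image or a copy of the recovered file, since every write to the original disk risks overwriting the deleted data.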
 
