
Thread: Need your help mates...fast

  1. #1
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840

    Need your help mates...fast

    Hi all....



    I really need to know how to retrieve cookies that were just cleared from Internet Options.

    I'm suspecting someone of being a hacker who is trying to zombify one of the computers in my Internet Cafe. I allowed him to use a USB flash disk. I took screenshots of some of the screens he had opened because they were suspicious. He had an Explorer-type software which was showing him the details of the C drive...and on the other side it was showing his USB drive, which had in it some programs a hacker would carry with him. I'll give more detail later on, including screenshots.

    Thnx for your help

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Cyber......

    What OS are you running?

    Why cookies? I would have thought trojan/backdoor/keylogger, given that they had physical access.

    Also, if the cookies are really gone, how can they be of any harm?

    The screenshots would be interesting

    Cheers

  3. #3
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    IIRC Windows stores cookies as text files, so an undelete utility might work.

    If this is the case, the fewer writes to the hard disk, the greater the chance of recovering the files, so make sure the machine is switched off.

    Take out the HDD and then use another machine to work with it.

    Norton Disk Doctor could be your friend.

    Hope this points you in the right direction.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Running WinXP Home ed.

    Well he had a folder called BugBear Virus...

    A little research on BugBear shows that it's a mass-mailing worm, which drops a backdoor on the infected computer and allows the hacker to get into the infected machine through a GUI.

    The reason why I asked for the cookies is because he went and deleted them for some reason (maybe he didn't want anyone to see where he went?). He did visit some websites though...that weren't suspicious at all (music and shows).

    Attached is a screenshot of the program that he was using.


    It could be nothing, but it's a little bit odd seeing a 60 year old man with viruses in his USB drive. What business would he have screwing around with my computer?

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    http://www.theabsolute.net/sware/dskinv.html

    or

    http://www.pcinspector.de/file_recovery/UK/welcome.htm

    I have pc-inspector installed here and you can definitely restore cookies. You can even restore them to another directory for inspecting or archiving.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
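
Added example (not part of any post in this thread): once an undelete tool has restored the cookie text files to another directory, a short parser can turn them into a list of hosts and timestamps. It assumes the commonly documented nine-line record layout of Internet Explorer cookie files (name, value, host/path, flags, expiry low/high, creation low/high, `*`); the function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the assumed nine-line-per-record layout.
# Every value below is made up for this example.
SAMPLE = """\
session_id
abc123
music.example/
1024
3567004032
29612345
1234567890
29600000
*
lang
en
shows.example/tv/
1024
100
29650000
200
29600001
*
"""

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def parse_ie_cookies(text):
    """Return one dict per intact record; drop records damaged in recovery."""
    records, fields = [], []
    for line in text.splitlines():      # splitlines() copes with LF and CRLF
        line = line.strip()
        if line != "*":
            fields.append(line)
            continue
        # An intact record has 8 fields, the last 5 of them numeric.
        if len(fields) == 8 and all(f.isdigit() for f in fields[3:]):
            name, value, host, _flags, e_lo, e_hi, c_lo, c_hi = fields
            records.append({"name": name, "value": value, "host": host,
                            "created": filetime_to_utc(c_lo, c_hi),
                            "expires": filetime_to_utc(e_lo, e_hi)})
        fields = []
    return records

if __name__ == "__main__":
    for r in sorted(parse_ie_cookies(SAMPLE), key=lambda r: r["created"]):
        print(r["created"].isoformat(), r["host"], r["name"])
```

Run it against copies of the recovered files on a separate machine, so nothing is written to the disk being examined.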

  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    It could be nothing, but it's a little bit odd seeing a 60 year old man with viruses in his USB drive.
    I have got to get a couple of those USB drives.
    If you were to explore my backup CDs, you would find several folders that contain various viruses and trojans I have collected. Most of these I have been moving to floppies for increased security, but I collect some of them for future study (future because I don't feel I know enough to explore them yet).
    And I am 57.
    As for deleting cookies, if I were using someone else's machine, I would delete all cookies and history (including all offline content) as I cleared off their machine. Simple security (privacy) policy.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  7. #7
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    True that.

    Hey, I bought 128MB ones for 20 dollars...

    They had a huge sale one day...64MB ones for 20 bucks...then a week later they put the 128MB ones for 20 bucks too. YAY ME


    OK, I'll just forget about the cookies. What I'm planning on doing is to install a PC-Spy program and monitor his activities next time he comes in. Anyone else got any other ideas?

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    May I ask? Do you take screenshots on a regular schedule, or did you do it because you wanted to see what he was up to? If it's the latter, you'd be better off using slarty's gen control; it uses RPC to start a VNC session without displaying the systray icon. You could also install VNC on them all, install the service and set it to manual start, then psexec \\thebox net start winvnc. The server will start without displaying the tray icon. Periodic screenshots are a good idea only if you review them.

    What are you using for screencaps?

    moxnix, I thought you were around that old by your name...NATO, Germany, circa 1970

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    If you are going to go to the trouble of monitoring activities, don't you need to display a sign or something saying 'You may be monitored for security reasons' or similar, otherwise couldn't you be sued for invasion of privacy...

    You could even be accused of stealing bank passwords etc.

    HTH
    Steve

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Anyone that would use a CC on a public computer should have it taken away by the CC company...there's no patch for stupidity, but I'll betcha dollars to donuts the sign is already up.

    Just because there's a folder named bugbear does not mean it contains the virus. He could have been collecting info on it...maybe he or someone he knows caught it.
