SOMEONE PLEASE HELP ME! I HAVE SUSPICIOUS TMP FILES IN APPLICATION DATA/INTERMUTE/SPYSUBTRACT. CONTENT IS SO SO STRANGE AND I HAVE TO KNOW WHERE IT CAME FROM. PLEASE HELP...
Have Trend Micro installed per chance??
Google search
http://www.intermute.com/products/spysubtract.html
Looks like a dumping place for spyware file found on your machine.....
Not sure how trend manages them....but I bet you you can clear them using the Trend Antispyware app????
MLF
A simple Google search found that SpySubtract is the new name for "Trend Micro Anti-Spyware". I've never used it myself, so as long as you installed it I would assume it's legitimately supposed to be there. If not, I suggest uninstalling it through Add/Remove Programs, then using Spybot-S&D and some antivirus software of your choice and doing a scan of everything just to be sure you're all clean.
The contents of the TMP files may be strange because it might have spyware in quarantine instead of deleting them, and I could only imagine the names or content of the spyware itself.
Hope this helps.
Sources:
http://www.intermute.com/products/spysubtract.html
http://www.spybot.info/
OFF TOPIC//
Jennifer.....lay off the cap lock
It is considered shouting....and rude in a forum.
oh yeah....and welcome to AO ;)
MLF
I'M SURE YOU'RE RIGHT. PROBLEM IS - TREND HAS ASSURED ME THAT THE ACTIVITY RECORDED THERE IS VALID BUT THEY WON'T HELP ME EXTRACT DATES FOR THE ACTIVITY, THEY SAY THAT SPYSUBTRACT IS NO LONGER SUPPORTED. YEAH I SHOULD PROBABLY GIVE UP BUT IF THE ACTIVITY RECORDED THERE IS VALID AS THEY SAY, THEN I NEED TO DO SOMETHING DRASTIC. (SERIOUSLY!) ALL I NEED IS THE DATES AND I HAVE NO IDEA HOW TO GET THIS FILE DECRYPTED (IS THAT THE RIGHT WORD?) HONESTLY, IT IS REALLY IMPORTANT TO KNOW IF SOMEONE WHO LIVES HERE GENERATED THESE FILES. PLEASE HELP ME.
So sorry about the caps. Maybe I am shouting but I don't mean to, I'm just a little desperate at this point...
Greetings
It would help if you could give us more information about your system, like the OS, AV, and other anti-malware software on your system. Is your system updated? Do you have a firewall?
Try view, details on the folder.....should give you some modified\created dates???
There has to be some way of removing these files....or else eventually your hard drive will fill up :eek:
And that is very bad....very very bad.
What are you trying to do...get dates??? So if you knew it was trend files....what are you REALLY asking :confused:
MLF
PS...lay off the caps...you're gonna get negged :D
Again, sorry about caps. Don't mean to shout. I have windows xp and have all the firewalls etc activated that came with the package except I uninstalled Norton because it interfered with bellsouth broadband (?)... I have downloaded xoftspy and adware. I probably need to get more protection but that's another issue for now.
What I really have to know is when this activity took place - it appears to be over a long period as the files are very large, but I performed a destructive recovery - reloaded factory settings from the hard drive on 3/24/06, so...could anything have survived that? Dumb question, but it's so strange - if you could see the files you'd understand.
Do I need to get some sort of file opener? I don't know what I need but I hope someone does.
Well...yes, a factory reset probably doesn't format...so those files would survive.
If you are not running Trend Micro or Intermute..why not just delete them????
Do any of your other applications find spyware\malware on your machine???
MLF
No.
So you're saying some info can survive a destructive recovery? If so, that could explain a few things, in fact, everything. Everyone I've spoken to has said that everything should have been gone...I'm confused. I was told that all old info would be gone, everything would be just as it was when I bought the computer. Nothing else from the old stuff seems to be there or am I not checking in the right places?
Greetings
Is it possible for you to post a hijackthis log ?
I'd be happy to if you tell me how, sorry.
Well...I am not sure of a destructive recovery.......but unless it formatted the disk....those files could still survive.
Any way...why not just delete them???
MLF
Okay - the content in these files indicates at least gambling and at worst child porn. It's bad. I can delete them, but if the content is valid, my kids and I need to leave home.
I have to go for now, kids are all home. I will be back begging for help asap -- thank you all
Jennifer my dear....
Grab a cold one or a nice glass of wine and chill for a minute...
There are a million files on your computer that have "odd looking" stuff in them. The question I have is what is soooo important about the contents of these specific files that you need to know their content? Explain that and we may just determine that there is no point in you knowing or we might be able to find a way to reveal the content for you. No point wasting your time over something that will not give you the results you expect.
Greetings
Just post the Hijackthis log, so we can have all the steps ready once you come back.
Ok...now I see
Are you sure!!!!
How do you know it is child porn??? and not just regular porn???
What type of files are we talking about exactly...temp internet files???
Is this your husband you are talking about???
Is it your computer.....???
Be very careful...cause you are tampering with evidence............
and if you are concerned for the safety of you and your children....then leave and contact a lawyer or the local law enforcement agencies...let them handle it
It's AMAZING what they can find on a computer....even after it's been formatted
MLF
I'd be a little careful with leaving home because of this evidence unless there are other factors involved. This stuff can arrive in droves on a computer because of one misclicked link, a virus, a mis-firewalled computer or a host of other things.
Do me a favor, find one of the files that is small and contains the "evidence" and PM it to me so I can see what you are seeing please.
Greetings
Even though you are busy, if you can just go to safety.live.com select
** FULL SERVICE SCAN **. Then in the options page that pops up select complete scan and you need administrator rights to scan the computer.
** REMEMBER TO DISABLE SYSTEM RESTORE BEFORE YOU SCAN YOUR COMPUTER **.
Start the scan and take your time getting back to us. The scan will take some time on a dial-up.
tiger shark-the smallest file is still rather large. I'm sorry but I have no clue how to send it, please tell me how and it will be on the way.
morganlefay-I've checked on the sites through Google and others (without actually visiting eck)and the more I check the worse it gets. I'm still around because I'm just not sure of what I'm seeing.
ByTeWrangler, I'll have to do that tomorrow and thank you so much. By the way, how do I disable system restore?
Go here, (click this) and let it download the file. If you are using Internet Explorer then tell it to open it, (ignore warnings about executable files being dangerous, this is a safe file), if you are using another web browser then you will have to work out how to find it and execute it yourself.
Once it is installed, find the file you want to send and _right_ click on it. One of the selections will be WinZip with a little arrow by it. When you put the cursor on it you will get a sub-menu. On that menu will be an option that says Add to [the filename].zip. Select that and it will compress the file. Then remember where it is and send me a Private Message. While you are sending it you can scroll down and it will give you the opportunity to attach a file. Browse for the file, tell it to attach the file, then send the Private Message.
I'll look at it and will probably have other questions... It won't be a "quick" process... But, unless you have other issues that I don't know about, then this is probably a sensible route to take for the time being.
ta da! Thank you all in advance...
I have had a look through your HijackThis log file and everything looks OK; the only thing I am suspicious about is the contentpurity.net, which I have not heard of before... is this something you have put on intentionally, because it doesn't look very genuine? Other than that your PC looks clean.
Tiger Shark is right (as always) :rolleyes:
I am probably over reacting....being a mom too.... :(
These files can get onto a machine via various ways....through malware infections.
Trust Tiger.....he knows his stuff and would probably be the best one on this site to advise you... ;)
You really need to be sure of what you are finding here......
MLF
oh and I forgot to mention, it is still worth running a decent anti-spyware program on your PC, my favourite is counterspy, you can get a free 15 day trial here http://www.sunbelt-software.com/CounterSpy-Download.cfm I have been googling and have found nothing to say that the contentpurity stuff is spyware, but nothing to say that it isn't either, personally I would remove it.
Get that cr@p off your computer. There are some very good imposters for removing spyware that actually install spyware. I'm not sure about these two, but it's tough to find anything via Google, which makes me leery.
Quote:
I have downloaded xoftspy and adware.
Ad-Aware (note the spelling) and Spybot are the best FREE tools for removing spyware. Ewido is popular here and undoubtedly very good. Spy Sweeper and Spyware Doctor are probably the best fee-based solutions.
As for unwanted content on your computer, i.e. child porn, you are better off not knowing any illegal content is there. Download and run a program called Ccleaner, and let it delete all the temporary files. It will most likely delete any porn files.
In my experience, you do not want to be involved in any kind of law enforcement action regarding child porn. Police officials do not typically differentiate between naive computer users who have some unwanted porn on their computers, and pedophiles who download that stuff intentionally. A judge will do that in a court of law, and that is an expensive proposition.
So just get the stuff off your computer, clean it up, and don't make a federal case out of it...
I'm sorry... Actually, I'm not.... But that is just plain _bad_ advice, Period!!!!
Quote:
you are better off not knowing any illegal content is there. Download and run a program called Ccleaner, and let it delete all the temporary files. It will most likely delete any porn files.
You have _no_ idea of the surrounding circumstances. So to say "you don't want to know" is utterly irresponsible. The OP might _need_ to know. This might be the "last little detail" that helps her make a safe and sensible decision.
I will grant you that, for the most part, this "evidence" is innocuous and innocent - but without the surrounding information it is not up to you to decide what is good or not for the OP. That will be her decision with the "guidance" of others that may be able to better interpret it than she can coupled with her knowledge of the other factors.
Firstly, I would disagree with that statement, a lot!!! Secondly, why do you think the OP came here in the first place? Maybe to find out what it was she was looking at...
Quote:
Police officials do not typically differentiate between naive computer users who have some unwanted porn on their computers, and pedophiles who download that stuff intentionally.
Jennifer:
An "OP" is the "Original Poster", ie: You... In case you were unsure. If you missed my response to my PM... You didn't get the file attached... I'm on EST time and am going to bed now. If you get it to me tonight I will look at it first thing tomorrow, (0500 EST), if not get it to me when you can... I don't think there is any rush on this unless you have other, more pressing, issues in the house. That's your decision... But let me look at the computer related stuff before you jump to a possibly very bad conclusion.
I understand what you were trying to say (kind of: if you don't know it's there, it can't hurt you), but there have been court cases where it was proven that the computer was own3d by a third party on a DoS, and that the real owner had nothing to do with it, thus being cleared of any charges
Quote:
As for unwanted content on your computer, i.e. child porn, you are better off not knowing any illegal content
( this could be a great theme for a discussion with the more forensics users here on AO, how to know that the offender didn't fake the infection himself to seem innocent - but I leave that to you guys ;) ).
And that being said, if you do have illegal content (child porn f.ex.), you could always go to the Tech. Division of your local police (if they have it) and report the situation, helping them to trace (via logs) the stuff back to the real bad guys... that's what I would advise.
You guys are amazing and I thank you for all suggestions! I'm anxious to hear from tiger shark, I sent the file. Going to bed now. Thanks again!
I'm not so sure that's bad advice, although it may indeed be. I do think there's one standard for men, and another for women, so our poster may well have an advantage.
I got involved in shutting down a child porn site a couple of years back and found out I could well have been arrested at any point. I turned the registrant's full whois over to the state highway patrol in his resident state and they emailed me back, asking me who this person was! Chit, I gave them his address and phone number, along with a link to his site, and they want to know who he is?! I also turned it into a child abuse site and never heard a word from them. I made two mistakes: one was saving a screenshot of the site, and two, calling the registrant and confronting him.
The first was a mistake because possession of child pornography can subject you to arrest, for whatever reason and whether or not you had anything to do with putting it there. There are numerous cases of do-gooders arrested for possession of child porn and ending up in federal court (usually those are found not guilty but it's going to cost you a lot of money).
The second was a mistake because, interestingly, the largest purveyor of child porn in the US is...the United States Postal Service! I've heard this from numerous law enforcement officials and academia. So I may have unwittingly interfered with official police business without even knowing it. Leading people into temptation may be good business, but it makes for bad law.
I found the whole experience so convoluted that I just go the other way now. I have nothing to do with child porn sites, and I prefer to have nothing to do with enforcing laws against them. The laws for computer crime are poorly written and even more poorly enforced. And there is so much porn on the internet it's ridiculous. Often there's no telling where it comes from and under what circumstances. I'm more than happy to help law enforcement officials, but not at the risk of subjecting me to arrest.
Jennifer, if you want to know what pictures are on your computer, you might download and install Google's Picasa software, which I do believe will search out all the pictures on your computer and make them viewable. If there is pornography on your computer, you have every right to be offended. I do not know the full circumstances of what's going on in your world, but I do know people often overreact.
I wish you all the best...
Jennifer ,
Might I suggest that you adopt a cautious approach at this point in time?
What you have is an anti-malware product that has stored stuff in its temporary files (probably its "quarantine"?)
Now, that suggests that it did its job and intercepted stuff it considered malicious. So that stuff never got through to the system itself?
Please do not misunderstand me, I am not saying that "everything is OK" or trying to lull you into a false sense of security. I just feel that you should stand back and think this through.
As has been suggested, there are various ways in which this stuff can get onto your machine. Not all of these would require someone at your location to be using it.
There are various history files on your computer of which Windows and your browser are probably the most significant.
If I found evidence in those I would be far more concerned, as they indicate the connections that "worked" rather than those that were blocked.
If there is nothing in your history files, this could be due to your windows/browser settings, or it could be that someone is making an attempt to cover their tracks. So if your settings are to keep 14 days history and there is none, you would appear to have some sort of problem. If you have the expected history and there is nothing questionable there you are probably OK as to selectively edit those history files would take a considerable degree of skill.
In the meantime, I would strongly suggest that you turn your machine OFF when it is not in use, and only connect to the internet when you need to. Not only will this save you money on your electricity and reduce fire risks, it will make your machine far less attractive as a "bot" ( a machine controlled by a remote third party).
Just a few thoughts ;)
Jennifer:
The file excerpt you sent me indicates that the file is some sort of history of malware, (any kind of content that is less than beneficial to the owner of the computer), that has been removed or intercepted. I can tell this because it documents the keys in the registry that it found or intercepted before they alter the registry. The example below implies that something was intercepted trying to alter the registry:-
I found numerous indications of either the interception or removal of trojans, (not the contraceptive - "Trojan Horses" - programs that purport to be helpful or good but that are actually bad;)), and Browser Helper Objects, (which is one of the most common ways to introduce spyware to your computer). I'd say two things about that. Firstly, having seen the Hijack This log I'd say that the spyware application you are using is doing quite a good job of protecting your computer - that's a good thing. Secondly, you need to sit down with the entire computer using portion of your family and discuss your surfing habits... Unless you have had this computer for several years you seem to get an awful lot of crap removed or intercepted indicating less than "safe surfing", (lots of "Free" sites, games sites etc. is usually going to get you stuff you don't want).
Quote:
H K C U S o f t w a r e \ M i c r o s o f t \ W i n d o w s N T \ C u r r e n t V e r s i o n \ W i n d o w s C = S Z : e x p l o r e z . e x e ; S E T = S Z
Ok... On to the crux of the issue... The Porn... :D You can relax and I believe you owe hubby a nice big hug. You can relax because the "child" porn you suspected isn't child porn. It's exactly what I expected to find. The references I found did imply young, underage girls by using such terms as "teen" and "lolita". This points to the fact that you have never surfed the internet for porn yourself. Had you ever done so you would know that about half of the porn sites out there _claim_ to be using teens as models... They aren't... in fact most of the models have more wrinkles than me... But they like to dress them up young to attract us "nasty" men... :rolleyes:
I believe you owe hubby the hug because, unless you have tons and tons more examples of pornographic sites in the remainder of the file(s), there doesn't seem to be any indication of long term or regular "abuse" on the part of anyone in your family. The percentage of the file that might point to that is far too small to be of concern and almost certainly occurred without the users knowledge or as a simple "one time" curiosity thing.
Hope that helps.
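The spaced-out "H K C U S o f t w a r e ..." look of the quoted excerpt is what a 16-bit (UTF-16LE) wide string looks like when a text viewer shows it one byte at a time. The script below is an added example, not code from the thread or from Trend Micro/InterMute: it assumes only that the log stores its text as UTF-16LE and pulls every readable record (such as the registry paths Tiger Shark describes) out of a constructed sample file, so the file can be read without guessing at its format.

```python
"""Extract readable UTF-16LE strings from a binary scanner log.

Constructed example; the record layout is NOT SpySubtract's real format.
The only assumption is that text inside the file is stored as UTF-16LE,
which is why it reads as 'H K C U ...' when viewed one byte at a time.
"""
import re
from typing import List

# Constructed sample records. RECORD_1 is the excerpt quoted in the thread;
# RECORD_2 is a made-up second entry so the scanner has more than one hit.
RECORD_1 = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows C=SZ:explorez.exe;SET=SZ"
RECORD_2 = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run D=SZ:notepad.exe"

# Glue the records together with a few non-text bytes, as a binary log would.
SAMPLE_LOG = (
    b"\x00\x01\x02"
    + RECORD_1.encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x07"
    + RECORD_2.encode("utf-16-le")
    + b"\x00\x00"
)

HIVES = ("HKCU\\", "HKLM\\", "HKCR\\", "HKU\\", "HKCC\\")


def eight_bit_view(blob: bytes) -> str:
    """Render bytes the way a plain text viewer would: printable ASCII stays,
    everything else (including the NUL after each wide character) becomes a
    space. This reproduces the 'H K C U' appearance seen in the thread."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else " " for b in blob)


def wide_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Return every run of at least min_len printable ASCII characters stored
    as UTF-16LE (each character followed by a NUL byte), decoded to str."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(blob)]


def registry_records(blob: bytes) -> List[str]:
    """Keep only the extracted strings that name a registry hive, which is
    the kind of entry the thread interprets as an intercepted registry change."""
    return [s for s in wide_strings(blob) if s.startswith(HIVES)]


if __name__ == "__main__":
    print("How the viewer showed it:")
    print(eight_bit_view(RECORD_1.encode("utf-16-le")))
    print("\nDecoded records:")
    for rec in registry_records(SAMPLE_LOG):
        print(" ", rec)
```

Dates are deliberately not parsed: as Tiger Shark notes, the excerpt gives no clue where or how they are encoded, and this only recovers the text the file does expose.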
Tiger Shark - Thank you for the encouragement. I am sending you a private message if you have the time...
Brokencrow, nihil, SmOkinPOt - you are all right. There are many factors involved...20 year marriage, 4 kids...I'm not sure what all this says about me but it's a lot more than I wanted to know about "him".
If anyone knows the answer to this:
Could these files/info have survived the destructive recovery I did on 3/24/06? Is there a way to look for other remnants if so? I was assured that nothing would still be there...feeling pretty dumb.
P.S. By "remnants" I mean ANYthing - not just this garbage - that would let me know that some data came through....
Jennifer:
If your "destructive" recovery involved a CD-ROM that came with the computer for "recovery" then yes, absolutely, these data files would most probably have survived. Usually, these recovery disks just re-install the operating system and any applications that came with the computer originally. In this case additional data files will go untouched.
Another reason why I'll state they survived is that the number of trojans etc. that appeared in the file fragment you sent me indicates one of two things. Either you are picking up trojans several times a day during your surfing or that the activity is from a long period. Unfortunately, if there are any dates in there they are encoded and I can't see where exactly they would be so I can't _prove_ my theory that this file contains data over several months but my experience in this field does lead me to believe so.
just a thought...
I have 4 kids also....2 of mine...2 of my sweeties ranging from 8 to 12
They are at the age where they are very curious about sex...to say the least.... :rolleyes:
And...I have found evidence of porn sites on their computer.
Take Tiger's advice.....have a talk with the whole family about appropriate internet use, and how going to inappropriate sites...not only compromises the security of your computer....but there will also be consequences ...like no computer access.....and ...how it is logged and that you can find it.
I warned the kids that if I find this again...that there will be no internet access....period
That was over a year ago....and the behaviour stopped.
BTW...I have seen many an adult blush when working on their computer :eek:
Just thoughts
Geez....I even browsed porn just to see what all the hype was about :eek:
MLF
Thank you Tiger Shark. I didn't use any recovery disks, I used the utility in the computer that supposedly reformats from the hard drive. Does that change your opinion?