
Thread: spysubtract (intermute)

  1. #41
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Do you know the name of the utility?

    This may be a bit technical but unless your hard drive has multiple partitions then it would be impossible to reformat the drive and then reinstall the operating system because the act of formatting would erase the files required to reinstall your operating system. If there are multiple partitions then a complete format would be possible. I still believe that the files are so big, (18 megs, and three files at 5 megs), that they haven't only been around since 3/24. If that were the case then these files would fill the hard drive completely thus making your computer unusable within a relatively short time unless they were purged regularly. Furthermore, there are several hundred instances of malware being intercepted or removed in the 152 kilobyte portion of the file you sent me. That would imply an "infection" rate on a daily basis in the hundreds or even thousands if the file had only been created on or after 3/24.

    If I had to place money on when the file was created I would bet an awful lot, (without having seen the files), that they were created long before 3/24.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #42
    Morganlefay: I have spoken with the kids and feel sure there's no problem there. The computer sits facing the open kitchen, the busiest part of the house, and I'm usually right there with them. The scope of these files indicates lots of usage... The question now is whether or not they survived the destructive recovery.
    A little more info:
    I bought the computer 7/05 (set up 7/28) and did the destructive recovery on 3/24/06. The spysubtract program came with the computer as a free 60 day trial. When I performed the "DR", it came back as if the computer were brand new, as did Norton and the office program trials. It would be amazing if all this data was generated in the first 60 days and then in the 30 plus days since the DR... wow!
    cObr4: thanks for the advice!

  3. #43
    TigerShark: it was HP PC Recovery, which HP coached me through. As I said, nothing else seems to have survived, but obviously these files did somehow. I may chat with HP again when I have time - they know me by name now - ha, ha.
    I have looked for programs that will translate the data to human-readable form. The one I opened these files with is Notepad, and I've tried TedNotepad (doesn't work) and all the programs on my computer, Adobe, Microsoft Word, etc. Does anyone have a suggestion?

  4. #44
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    I've asked TrendMicro if there are dates present in the files and if they can be decoded. Their auto-response says they will get back to me in a day or two but I'm not holding my breath...

    I'll let you know if they actually respond.

  5. #45
    Thanks Tiger Shark, you're at the top of the food chain!

  6. #46
    Senior Member | Join Date: Apr 2005 | Location: USA | Posts: 422
    I have written a program that monitors the time that users are on a computer. The program gets the current user's name, the date they logged on, the time they logged on, and how long they were on. This is all logged in a file you can place anywhere on your computer. You could use this to find out who did what if you find anything 'unwanted' on your computer. All you have to do is put it in your registry as a startup file, or you can just put it in Start/All Programs/Startup.

    If you use this program, I wouldn't recommend you tell your family, as they could easily use ctrl alt del and stop the program, then delete the log. Also, if they find the log file and delete it (while the program is still running), the program will just continue what it was doing, and will make a new one, with all the information that was in the deleted one.

    If you happen to be interested in ever using this program, just PM me.

  7. #47
    Greetings

    Please correct me if I'm wrong. Why do most of the files in her Symantec (Norton Anti-Virus) show up as missing in the HijackThis log? I do see the file names, but then it's written "file missing"? Does anyone have any idea?

    Is your Norton up to date??
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  8. #48
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Byte:

    IIRC she said she uninstalled Norton at the beginning of the thread...

    To be honest with everyone... This isn't a "how did this occur" issue... It's an "informal" forensic exercise... That comes from private conversations... Ideas as to how it happened aren't relevant... Ideas as to how to extract the dates of the events from the log files of the application mentioned are welcome, (if they even exist). I've asked Trend for assistance in extracting the dates... I'm not holding my breath... So if someone knows if they are there and how to decode them I'd appreciate it if you could clue me in...

  9. #49
    Byte: yep, I uninstalled Norton because it kept interfering with Bellsouth DSL (?). I probably need to get AVG back - that's what I had before the destructive recovery (or whatever it was).

    Metguru: Thanks for the info, sounds good, I'll think on it...

    Tiger Shark: I've been on the road most of the day and I've had some time to contemplate -- if you can stand another question: Could most of what I see in those files be intercepted data and not accessed data? That's another reason I think I really need to get them "translated". The porn is not even an issue compared to the gambling. Some of the info shows things like "firepay" and "dial-pass". Do you know what those are? From what I can tell they are some sort of pre-paid internet card type of thing -- ??? Hope you're having a great day.

  10. #50
    Senior Member | Join Date: Oct 2003 | Posts: 707
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam
