Where is the history folder location
A user on my workstation uses Firefox and has visited a site that installed "Win 7 Internet Security 2011" on this machine. I successfully identified and removed the Trojan virus software. The browsers where neutralized by this virus and are inoperable. I created a new user account for this person. This user has been reinfected with the new account.
I want to find out where this user has been to identify where this Trojan virus is coming from. The only way I know how to do this is by reviewing the history log file to see where this person has been. I want to review the history location as the administrator of the machine; not use the infected user account. If there is a better way to do this outside of the infected user account, I am open to suggestions.
Additional System Details
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 3.5.20706; .NET CLR 3.5.21022; Media Center PC 5.0; SLCC1; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C; .NET4.0E; Zune 4.7; InfoPath.3)
Did that user use IE or only Firefox?
Did that user download on installed any new software?
Chances are fairly low to get infected with Firefox by visiting websites, provided that all plugins (Java, Flash, Adobe Reader) are up to date.
Firefox stores the history in an SQLite database file places.sqlite in the Firefox Profile Folder.
- SQLite Manager: https://addons.mozilla.org/firefox/addon/sqlite-manager/
The user only uses Firefox. I have version 4.0.1 installed. This user does not like IE.
From Malwarebytes' log the virus was located here the first time here: c:\Users\<user id>b\AppData\Local\sll.exe (Trojan.FakeAlert). I am still not sure how the virus was able to install the first time around since I have this user locked down - not able to install without admin privileges.
The second time here: c:\Users\<user id>\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\IUFEUHVK\info.exe (Trojan.FakeAlertRP.Gen) . This did not get installed.
I try to keep everything current with the latest version.
I still want to review the history logs to record the sites visited. Then try each site one at a time to see if virus appears. I know this is a painful process, but how else do I determine where the virus came from? Back to my original question, how do I reveiw Firefox history log by using the admin account?
You will have to copy the file places.sqlite from that user account to a Firefox profile folder in your account then you can see the history in the Library.
The locations where you found that trojan are not locations used by Firefox.
The file \Local\sll.exe is most likely placed there by running an installer.
The file in "temporary internet files\Content.IE5\IUFEUHVK\i" in the IE cache is either from using IE or saved from using a MS plugin like WMP or Silverlight.