Adware Cookies


wphuang
07-16-2005, 02:17 PM
I was accused of surfing the internet at work during work hours, but the truth is I haven't. My boss claimed to have facts and proof that I did: a cookies log. It showed that there were 4 cookies created or modified during work hours (ad.yieldmanager, trafficmp, vzwmail.vzwshop, ibm). I objected by saying that I have not been using the internet during work hours, and if adware were already on the computer, it would work in the background and possibly create these cookies. My boss called up the head of the tech department and he replied, "That's not possible; these will only be created if the user launched Internet Explorer or surfed online." My boss did not believe anything I said after that, but I do have one final chance at rebuttal by gathering up info and sending an email to my boss.

So my question is: Is it possible for adware cookies to be created or modified without an Internet Explorer being launched, if adware, spyware, or adware cookies already exist on the computer?

The company does have policies against internet usage during work hours. However, during lunch or break it's ok to surf the net. I do use the internet during breaks, so that opens up chances for adware infection.

I'm pretty much the only one with access to my machine, other than administrators. However, this does not account for people who used my machine before I started working there. They could've gotten the computer infected and never cleaned it up.

The computer is on a network and permanently connected to the internet. I know for sure at least one other computer has been previously infected with adware/spyware before. The lady who sits in front of me complained about uncontrollable popups. She filed a helpdesk ticket to the tech department and they cleaned her computer after that.

My boss claims that according to the cookies log, 4 of them (ad.yieldmanager, trafficmp, vzwmail.vzwshop, ibm) were created or modified during hours that I was not supposed to use the internet. She is using that as proof even though I have not surfed the net during those times. Is there any way I can disprove that somehow (best with documentation or websites explaining how these adware cookies actually work)?

bigH2O
07-17-2005, 09:47 AM
Sounds like you have a pretty anal retentive boss. 4 freaking cookies and she's busting your balls? Make friends with the IT guys and get them to let you install Spy Sweeper or something else that will eliminate the cookies before the boss lady can find them.

If IT won't cooperate and doesn't have your system completely locked down, you should be able to manually delete the cookies from "[boot drive]:\Documents and Settings\[user name]\Cookies". Substitute the parts in brackets with your drive and your user id. After your internet jaunt, just sort the cookies by date modified and delete the ones that were created or modified within the timeframe you were on the internet.

If your IT department is doing packet sniffing and logging, that won't help you though, so you really need to figure out where she's getting her information from. Again, it's time to make friends with the guys in IT.

There's no way to talk her down from this stance if she's insistent on busting your balls over it, you just have to take the heat and make sure it doesn't happen again. If she were going to fire you for it, she probably already would have fired you, and you can only hurt your position in her eyes by trying to prove her wrong. Just don't let her find anything else.

Zero Tolerance
07-17-2005, 10:56 AM
The whole thing that puzzles me here is... "Why does your machine even have inet access if your job doesn't require it?"

I ask that question because obviously if you are only allowed online during break and lunch hours...your job does NOT require inet access.

Being a SysAdmin myself... I don't know why an employer would tease workers with this service only to bust them when they stray. They should just disable inet altogether on machines that don't require it... OR... use an internet blocking application or appliance that restricts inet via workstation IP. This latter scenario is what I use on our network at work.

Gimme a break.....its like giving a mouse a job as security officer in a cheese factory. :D

wphuang
07-17-2005, 12:38 PM
hey thanks for the replies.

I'm actually currently terminated from the company already, so I have no access to the machine anymore. All I have is one last chance to clear my name with a rebuttal email. I'm more afraid of this hurting my chances for future employment than anything.

I am just going to be clear and honest with you. I did NOT use the internet at all during those times the 4 cookies were logged. The way they tracked it was a simple print screen in Windows Explorer of the cookies folder shown with "time modified." That's why I'm trying to find as much help and evidence as I can on how this can happen without me using the internet at all.

If you know any documents or websites, or even just based on your expertise, anything that shows how this is possible, it will be appreciated greatly.

Thanks again!

Wesley

Greg
07-17-2005, 12:55 PM
Did you open any email? I think those cookies can be created from an HTML email. Not 100% certain, though. Plus, to back this theory, they are advertising links, affiliate links, tracking that you saw an ad. It looks like spam or spyware to me.

Your boss is out to get you, but I think she and the IT guy are under qualified to make the assertions they did. If they have time to find 4 cookies, they are out to get you IMO.

How you can get over their head and prove them wrong or just "out to get you" is beyond me.

wphuang
07-17-2005, 02:42 PM
Thank you very much for all your help.

One of my friends told me the Verizon and IBM cookies could just be spoofs that somehow ended up in there. A couple of other people from computer help forums also indicated that it's very likely for the modified times to be inaccurate due to different core server time zones. Are these true?

Also, I'm not sure if this changes things, but one of the data entry applications we use in our company is launched through Internet Explorer with JavaScript. We do need to keep that Internet Explorer window open at all times to keep the program running. Does this create more security holes for adware cookies to be accessed and modified without me knowing or actually surfing the net?

bigH2O
07-17-2005, 03:35 PM
Okay, I did a little research for you.

From the newsgroup postings I've been able to track down, ad.yieldmanager is a cookie created and modified by a trojan that slipped through your corporate firewall and onto your computer. It will track your usage of your box, and modify its cookie any time it damn well feels like it, whether you are attached to the internet or not. It appears that the cookie is modified every time you open and close a program and is used to report your computer usage when you do go online. Deleting the cookie will do no good, because the trojan will just re-create the cookie the next time you launch a program. None of the spyware or anti-virus utilities detect the trojan, and it can only be removed manually through meticulous digging through the registry, and special entries in the HOSTS file. It appears that a common source of this trojan is one of the language translation web utilities that allow you to convert a web site from a foreign language into a language that you understand. If you worked for an international company and have ever had to translate a foreign web site, that could be the source of that trojan/cookie.

Slack of the IT department to let it through in the first place, and lame that they would claim it couldn't happen.

Trafficmp is a cookie that allows multiple websites to share information on your surfing history. It's only modified when you actually surf, and isn't malicious. It could have been purposefully placed on your computer by your IT dept to track your surfing habits, or you could have picked it up from one of many websites. In either case, the date/time stamp on the cookie will coincide with the date/time your computer reports when you launch a website. If your servers don't utilize a clock synchronization server app to keep you and them in sync, and your PC is considerably off timewise compared to the servers (i.e. you don't enable DST, or don't change to your local time instead of just using GMT, whereas the servers do the changes), then the files will show date/time stamps that could be minutes or hours off compared to the times the file was actually written.

vzmall.vzwshp is a cookie that tracks your personal preferences on Verizon Wireless' web site. It will only be modified when you actually visit their site. It is used to keep your personal preferences on their website, and is not malicious. The only excuse I can find for this cookie being modified during times you shouldn't be online is the same as for Trafficmp... your PC's clock is seriously out of sync with your actual time.

IBM is a tougher one. The only thing I can find on it is that if you do a web search on "computer repair" there are about twenty different companies that will plop a cookie on your 'puter in order to increase traffic to their site. One of them is IBM... THE IBM.

If you really haven't been doing anything you shouldn't, then this information should help you. If they're just out to get you because they don't like you, then none of this will do any good for you. Any excuse to get rid of an employee is about all it takes.

Good luck.

wphuang
07-17-2005, 03:47 PM
Thank you very much! I still need to figure out how the verizon, ibm, and trafficmp were modified at the time they did.

could you possibly provide the link to the newsgroup posting about ad.yieldmanager please?

bigH2O
07-17-2005, 04:03 PM
There are hundreds of links. Just do a Google search on the keyword ad.yieldmanager. If you use Copernic (a utility that searches all the search engines for you automatically), by all means utilize it. You'll get more hits and more reports than you can imagine on all of the cookies you listed. I can't even begin to link everything to you, because the links are so many. You just have to read all of the posts, and pick out the ones that support your position... then give them to your boss.

None of the things I listed above were defined in a single post. It was an analysis of numerous websites and newsgroups postings that I went through to give you my opinion. I really can't link one post to support my findings, so giving you a single link would be of no more value to you than you utilizing my post to support your position.

Just do a search... you'll see what I mean.

lmnobs
07-17-2005, 04:16 PM
Like everyone said, it looks like ya work for some real chicken do-do's. Look for a better job. If they fired you over this I would get a lawyer, scream ACLU, and discrimination.

bigH2O
07-17-2005, 04:17 PM
Thank you very much for all your help.

One of my friends told me the Verizon and IBM cookies could just be spoofs that somehow ended up in there. A couple of other people from computer help forums also indicated that it's very likely for the modified times to be inaccurate due to different core server time zones. Are these true?

Also, I'm not sure if this changes things, but one of the data entry applications we use in our company is launched through Internet Explorer with JavaScript. We do need to keep that Internet Explorer window open at all times to keep the program running. Does this create more security holes for adware cookies to be accessed and modified without me knowing or actually surfing the net?

Don't know about the Verizon and IBM cookies being spoofs... Sounds sort of suspicious to me. Do you use Verizon, and have you ever hit IBM's website? Any file modification time will be based on the time of your PC, not the time of the server. Lastly YES if your IT department is not properly handling the traffic to and from your PC, then keeping an open pipe to the internet can allow things to sneak through at any time.

Zero Tolerance
07-17-2005, 07:21 PM
What kind of PC is it? Is it an ACTUAL IBM box like a ThinkStation or such? If so then that is prolly where the IBM cookie comes from.

I forget what they call it but we have about 50 IBM Think Stations at work and they have like a built in "Message Bulletin" that grabs updates to it automatically and sends you an alert. I think its called "IBM Message Center".....

If not an IBM box...then I'm like everyone else....best guess as to where it came from.

vantim
07-18-2005, 09:13 AM
Is the computer at work part of a domain? Do you access the internet through a corporate server and gateway? If so, the company will have detailed logs on their server that will either incriminate you or clear you. They would know if you went online by looking at their logs on the server. As was mentioned before, if you want to clear your name with the company and expose your boss for the fraud that she is, I would hire a lawyer and demand to see some log files that prove you were using the internet during those times. In the end it's up to management to decide who gets hired and fired, but they only have paltry evidence against you. This can be fought.

bigH2O
07-21-2005, 01:01 AM
"This can be fought."

vantim, it depends on what state you live in as to whether you can fight something like this or not. I live in Georgia, and the laws here state that an employee works at the pleasure of the employer. If you have an a**hole boss, he can walk in and say "You're fired". You look up and say "Whaa? What did I do wrong?" And he can say "Doesn't matter. Just pack up your s**t and be out in one hour."

About the only time you can collect unemployment benefits in Georgia is if you have a decent boss who will admit to the unemployment officials that they had to lay you off because there wasn't enough workload to keep your position. If they claim that you looked at the boss cross-eyed and that's why they fired you, you will be denied benefits.

wphuang, I would try to find out the laws of the state you live in before you spend money on an attorney. Do a Google search on "right to work states" and follow the links from there. While "right to work" generally is defined as your ability to work without joining a union, there will be links within those sites that will explain the details of your particular state's laws when it comes to an employer's ability to fire you for no reason. If you find that your state is strict on an employer's ability to fire you, then break out the big guns and fight them. If you find out that your state's laws are like Georgia's, cut your losses and find another job. I wouldn't waste 10 cents trying to fight a firing in Georgia... I'd just lose the 10 cents and still be unemployed.

vantim
07-21-2005, 07:34 AM
Well that just sucks! Glad I'm happy at work.

bigH2O
07-21-2005, 08:33 AM
I'm glad to be self employed. If I fire myself I know I really messed up.

vantim
07-21-2005, 01:22 PM
Do it, then collect your own unemployment. Come on... it's only fraud.

w_croft
08-09-2005, 02:54 AM
You'd never find anything like that over here in Australia.

What I do find interesting is that no one has pointed out the inadequacies of using timestamps on files to prove anything. There is a good chance that the mere fact that the system admin was likely reading the cookies from a remote location on the network to get the so-called "proof" would have altered any of the 3 different dates/times that a file in Windows has, or a virus scanner could have, or a million and one other things....

The timestamps on the files prove nothing and wouldn't hold up as proof of anything; the log files that the system admin should be keeping on all activities would be far more accurate (though not without their discrepancies either).

Perhaps it is time to go back to basics.....

--------------------------------------------------------------------------
XXCOPY TECHNICAL BULLETIN #15
--------------------------------------------------------------------------
From: Kan Yabumoto tech@xxcopy.com
To: XXCOPY user
Subject: Windows File Date and Time
Date: 2000-06-07
==========================================================

File time in DOS

The good old DOS had just one file date value which keeps track of a file in your storage (hard disk and floppy). To be precise, the value has two parts, the date part (year, month, and day) and the time part (hour, minute, second ---- measured in two second interval), but we will call it just "file date" in this discussion.

Whenever a file is created, the current system time is stamped on the file, and this value remains constant even if the file is copied or moved to a new directory. A complete rewrite, partial rewrite, or partial deletion would update the file date value. Therefore, the DOS file date represents the last-write (or last-modified) time. It was quite simple and it worked well.

File time in Win32:

The new so-called Win32 environments (Windows 95, 98, NT, 2000) expanded the file date to hold more information about the history of the file. Win32 maintains three distinct time stamps on every file. Inside Windows Explorer, you can examine these values in the property sheet for a file.

1. Created: It is the time when the file is created in the current directory. When the file is copied to a new directory, a new value will be set.

2. Modified: It is the time when the file is last modified. When the file is copied to elsewhere, the same value will be carried over to the new directory.

3. Accessed: It is the time when the file is last accessed. This value is set by the application program that sets or revises the value. Unfortunately some applications do not revise this value.

The file date value commonly referred to under Win32 is the "Last-modified" value (2nd one in the list above), whose behavior is consistent with the DOS file date value. The Win32 file date values are stored in much finer resolution than the DOS time stamp (16 bits for the date and 16 bits for the time). The Win32 file date value is a 64-bit quantity which represents the time elapsed since January 1, 1601 (the first date of the current quadri-century) in 100 nsec granularity. For compatibility's sake, even WinNT/2K uses the same 2-second granularity for the "Last-modified" time on FAT-based file systems (this does not apply to NTFS files).

XXCOPY's file date treatments:

XXCOPY provides the following switches to select one of the three timestamps as the filedate value for time comparison.

/FC File-Create time
/FW Last-Modify (Last-Write) time (default)
/FA Last-Access time

These switches do not perform any action by themselves. They are used to modify the semantics of other switches which use the file date parameters in the file selection process. For example, /DA and /DB are often modified by the /FC switch.

The file date (Last-Modify date):

The common file date value (more precisely, the Last-Modify-date) is the most intuitive and probably the easiest to use. So, by default, XXCOPY's file date functions use the Last-Modify date by default. For example,

XXCOPY c:\mydir\ d:\backup\ /DA#7

The /DA#7 switch selects files which are last modified within the last 7 days. This selection includes files which are created or modified elsewhere and brought to the source directory by either a copy or move operation. The COPY or MOVE operations carried out by practically all file copy utilities (i.e., Drag-and-drop, COPY, XCOPY, MOVE, or XXCOPY) preserve the file's Last-Modify date.

The file creation date (File-Create date):

Another useful date value is the File-Create date. Unlike the Last-Modify date, this value represents the date the particular copy of the file is created in the directory. Here, the meaning of creation includes both the case of a newly created file, and an existing file brought in to the directory by a copy operation. So, the File-Create date is often newer than the Last-Modify date. Note that sometimes, the "File-Create" date could be a little misleading. But, in this article we use the "File-Create" date consistent with the way Microsoft calls it.

With XXCOPY, you may use this creation-date value instead of the more common Last-Modify date. Here is an example:

XXCOPY c:\mydir\ d:\backup\ /S /FC /DA:.

This command copies all the files which are either made in or brought into their present directory today regardless of the age of the file. With the /FC switch, XXCOPY uses the File-Create date rather than the Last-Modify date. The /DA:. switch selects files of today or a future date.

Since the use of the File-Create date has serious problems, we generally discourage the use of this date.

Problems with the file creation date (File-Create date):

The problems of the File-Create date can be traced back to the inconsistency in Microsoft's various file management utilities. It seems that the purpose of the three distinct variations in the file date values was never clearly defined by the designer of the feature. We as software developers have not come across any official documents on this subject. So, we conducted a few experiments using Microsoft's programs which are part of Windows 95. There, you will find many inconsistent usages of the File-Create date.

Observation 1: When you perform a copy operation of a file which results in a new physical copy in the destination, the File-Create date is set to the current date.

Observation 2: When you move a file within a volume, the operation is translated to the more efficient renaming operation. Since renaming a file does not involve a newly created file, the File-Create date will not be updated.

Observation 3: When you move a file across a volume boundary (e.g., from C: to D:), the move operation is carried out as a file copy action followed by a file delete action, so the file in the new location will receive a new File-Create date.

Observation 4: Edit a file using either NotePad.exe, WordPad.exe or WinWord.exe (Word), and save the file. The newly updated file will have the same File-Create date, but a new Last-Modify time.

The inconsistencies listed above make the File-Create date unfit for a general-purpose file selection criterion by XXCOPY. On the other hand, if you have full control of the file creation process in a given directory (say, you always use one of the file copy operations to manage files in the directory), you may still use it with caution.

The case with the Last-Access date:

This parameter is also a very controversial value that goes with every file in the Win32 system. The Last-Access date is set whenever the file is "Accessed" by a program. Then, the next question is what really constitutes an "Access" to a file?

Is opening the file by a program, by any program, treated as an "Access"? Thank God, the answer is no. If that were the case, whenever Windows Explorer displays an executable file using its icon (which is stored inside the file), the Last-Access date would be set to the current date. That is because display of the icon involves first opening the file and reading the contents to locate the internal icon. In this case, although the treatment of the icon is rather elaborate under the cover, it is not regarded as an "Access". On the other hand, with .EXE and .DLL files, executing the program constitutes the Last-Access. That makes sense.

But, there are plenty of silly mistakes committed by Microsoft's programmers which make the Last-Access date of little use. Possibly the worst programming mistake with this value is in Windows Explorer.

As shown above, when you click the right button on an icon of a file and select the properties menu, you can examine the Last-Access date (in this case you get only the date without time) along with the other two file date values. But, if you are alert, you will notice that the Last-Access date is always today's date. Yes, the very act of examining the Last-Access date value triggers the update of the value. That is sad. Very sad.

When a system administrator makes a regularly scheduled backup, he usually performs a full backup every so often, copying every file in a drive. Now, that is an act of Access. Copying a file will also update the Last-Access date.
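The bulletin quoted above describes three per-file timestamps and how routine operations (reading, copying, editing) move them, and the thread's point is that a "date modified" column in a folder screenshot is not evidence of what a user did. The script below is an added example, not part of this thread or of XXCOPY, that walks a throwaway cookie-style file (constructed name and content) through the three cases a defender should test before trusting such a stamp: a plain read leaves "modified" alone, the stamp can be set to any chosen value without a single byte of content changing (the same thing the touch utility does), and a metadata-preserving copy carries the stamp along while getting a fresh change/creation time. Only the content hash reflects the bytes. Note that os.stat's st_ctime is the creation time on Windows but the inode-change time on POSIX, and whether a read bumps st_atime depends on mount options such as relatime or noatime, so the access time is reported rather than asserted.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample content; the tab-separated layout only loosely imitates an
# old IE cookie file and carries no real data.
SAMPLE_COOKIE = "uid\t12345\tad.example/\t1536\t3067725056\t29855262\n"


def sha256_of(path):
    """Content fingerprint: the only value here that reflects the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def stamps(path):
    """The three timestamps os.stat exposes, in POSIX seconds.

    st_ctime is the creation time on Windows but the inode-change time on
    POSIX; st_atime may be frozen by relatime/noatime mount options.
    """
    st = os.stat(path)
    return {
        "accessed": st.st_atime,
        "modified": st.st_mtime,
        "changed_or_created": st.st_ctime,
    }


def timestamp_demo(workdir=None):
    """Walk a cookie-style file through read, touch and copy; report what moved."""
    cleanup = workdir is None
    workdir = workdir or tempfile.mkdtemp(prefix="stampdemo-")
    cookie = os.path.join(workdir, "user@ad.example[1].txt")  # hypothetical name
    with open(cookie, "w") as f:
        f.write(SAMPLE_COOKIE)
    digest_before = sha256_of(cookie)
    before = stamps(cookie)

    # 1. Reading the file (a scanner, a directory listing over the network, a
    #    preview) is not a write, so "modified" must not move.
    with open(cookie) as f:
        f.read()
    after_read = stamps(cookie)

    # 2. Rewrite only the metadata. This is what touch does: the claimed time is
    #    a constructed weekday-morning value, and no byte of content changes.
    claimed = datetime(2005, 7, 14, 10, 30, tzinfo=timezone.utc).timestamp()
    os.utime(cookie, (claimed, claimed))
    after_touch = stamps(cookie)
    digest_after = sha256_of(cookie)

    # 3. A metadata-preserving copy (what Explorer/COPY do with Last-Modify)
    #    carries "modified" along but gets a change/creation stamp of its own.
    copied = os.path.join(workdir, "copied.txt")
    shutil.copy2(cookie, copied)
    copy_stamps = stamps(copied)

    result = {
        "content_unchanged": digest_before == digest_after,
        "mtime_changed_by_read": after_read["modified"] != before["modified"],
        "mtime_matches_claim": abs(after_touch["modified"] - claimed) < 1,
        "copy_keeps_mtime": abs(copy_stamps["modified"] - claimed) < 1,
        "copy_ctime_not_older": copy_stamps["changed_or_created"]
        >= after_touch["changed_or_created"],
        "atime_after_read": after_read["accessed"],
        "claimed_time": datetime.fromtimestamp(claimed, timezone.utc).isoformat(),
    }
    if cleanup:
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in timestamp_demo().items():
        print(f"{key}: {value}")
```

Run it as-is and the "modified" value ends up exactly at the constructed 2005 time although the hash proves nothing in the file changed; that is why a listing sorted by date modified answers "when was this stamp last set", not "when did someone browse". Server-side proxy or gateway logs, as vantim suggests above, are the record to ask for instead.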

bigH2O
08-09-2005, 05:06 AM
"What I do find interesting is that no one has pointed out the inadequacies of using timestamps on files to prove anything."

All valid information, and it's even simpler to change create/modify date-time stamps with simple utilities such as touch.exe that are freely available all over the web.

Virus and spyware scanners won't modify the time stamps on cookies just by a simple scan. They will only modify the time stamps if you quarantine them to a different partition.

I think the whole concept of the time stamp checking of the cookies in question is to confirm or deny a just cause for firing him over this. If the cookies are still in their original location on his box, and the date-time stamps on the cookies show that they were created/modified at times he wasn't supposed to be on the internet, then there are really only two possibilities:

1: It's an attempt by one or more persons in the company to find a reason to fire him, or
2: He's lying about not using the internet when he wasn't supposed to.

Only the parties involved will know the truth, and proving it one way or the other is going to be a case of "he said, she said". The employer will most likely win in an argument like that, whether they are right or not.