Weird Logins

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
one of our users is complaining that someone is loging in to her computer.
when she leaves she locks her computer but sometimes when she comes back
it is unlocked. Noone else knows her password. Even if i it was reset
through active
directory it would show since then she would know that someone changed it.
To me that leaves only one option and that is that someone has installed a
like spector to get her password. System is running Symantec Corporate
Antivirus 9.1
but those keylogger have a way of avoiding detection. What are other things
that could
be causing this. What are other ways of troubleshooting this problem.

thanx a million for all the responses.

Re: Weird Logins

Quoted text here. Click to load it

How about someone using the LOCAL logins that you forgot to disable or
that you didn't use a strong password on?

9.1 should detect a keylogger if you have expanded threats turned on.

Check the local user accounts and disable all except administrator, and
change the local administrator password.

(Remove 999 to reply to me)

Re: Weird Logins

thank you for replying.
as i mentioned however, the person claims that someone unlocks her
computer not just logs into it with their own account. If she is correct
in her claims someone manages to get her password.

I'll give that 'expanded threats' suggestion a shot though.

thank you
Quoted text here. Click to load it

Re: Weird Logins

Hmm, you said "One of our" so I guess this is a company network.

Maybe you have thought of this but it's not a case of someone using Remote
Desktop is it? I know this is a 2000 group but as people move to XP I
figured the question worth asking, just in case it is XP on that machine.
(You can easily install the RDP client on 2000 by copying msts something
..exe into system 32 and the dll that goes with you can't rely on the
fact that 2000 doesn't come with it for protection. The client will work on
95 up :)

Just a thought,


Quoted text here. Click to load it

Re: Weird Logins

Quoted text here. Click to load it
Until you can find the trojan, create a BIOS passwd and let her shutdown
when she leaves.
Look in the registry for the trojan. The first place is

Re: Weird Logins

Enable auditing of logon events on her computer in Local Security Policy and
then view logon entries in the security log to see what is going on and
proceed from there.  The events will have a logon type and a timestamp. Type
7 shows the computer was unlocked.  Make sure you reset her password ASAP
and you may need to do a clean install of the operating system.   --- Steve

Quoted text here. Click to load it

Re: Weird Logins

she is already changing her pass once a week.
thats why i think that it's a keylogger or similar.

Quoted text here. Click to load it

Re: Weird Logins

asdf wrote:
Quoted text here. Click to load it
You can spend hours running this to ground.  You should check to see if
the system has a rootkit via system internals rootkitrevealer

You should do as previously suggested and turn on full logging, and
reveiw the logs.  You should examine the system for alternate data
streams and examine communications.  Stick a sniffer in the closet and
record everything and have user contact you immediately at the next

Use process explorer to examine all processes and the children procs who
kicked them off.  Look for ADS files.

Network system passwords could be their entry point or local machine
logins that for example belong to your help desk.

Truthfully you can spend hours looking for a replaced DLL and validating
that all is copacetic. There are a number of shortcuts and some good
scripts you can use to collect system information along with looking for
the known culprits.  Some toolkits can be found here:

Another consideration that must be considered is no one is involved and
the user is creating excuse that someone is deleting my files, usually
the day some deadline is due.  It often happens to the same user
repeatedly.  Either way this has to be documented for management and
reported if this is occurring.

The recommendation to re-image the system is not a bad suggestion,
depends a bit on the criticality/sensitivity of the information the user
is processing.

Inside network abuse is the majority (80%) of all hacks occurring on
corporate networks.  You have many facets that have to be examined and I
  have no idea what network rules exist in your environment.  In our
network all of our clients have the same base image with some users with
unique software requirements having additional software.  We don't allow
users to install their favorite screen saver (they must live with
generics) nor are they allowed to download or install software of any
type on their system without going through the security manager and sys
admin.   The more you deviate from the above the more difficult it will
be to determine what is going on.

Good Luck, these are the pains that must be looked at but have many
potential answers.  Without knowing your working environment, I am not
sure what more advice to provide.


Re: Weird Logins

Quoted text here. Click to load it

You don't say which version of Micropsoft Windows -on some the keyboard
lock can be bypasssed and awakened by inserting, for instance, a CD (if
autorun is enabled).


Site Timeline