Weird Logins

A

asdf

one of our users is complaining that someone is loging in to her computer.
when she leaves she locks her computer but sometimes when she comes back
it is unlocked. Noone else knows her password. Even if i it was reset
through active
directory it would show since then she would know that someone changed it.
To me that leaves only one option and that is that someone has installed a
keylogger
like spector to get her password. System is running Symantec Corporate
Antivirus 9.1
but those keylogger have a way of avoiding detection. What are other things
that could
be causing this. What are other ways of troubleshooting this problem.

thanx a million for all the responses.
 
L

Leythos

one of our users is complaining that someone is loging in to her computer.
when she leaves she locks her computer but sometimes when she comes back
it is unlocked. Noone else knows her password. Even if i it was reset
through active
directory it would show since then she would know that someone changed it.
To me that leaves only one option and that is that someone has installed a
keylogger
like spector to get her password. System is running Symantec Corporate
Antivirus 9.1
but those keylogger have a way of avoiding detection. What are other things
that could
be causing this. What are other ways of troubleshooting this problem.

thanx a million for all the responses.
Click to expand...

How about someone using the LOCAL logins that you forgot to disable or
that you didn't use a strong password on?

9.1 should detect a keylogger if you have expanded threats turned on.

Check the local user accounts and disable all except administrator, and
change the local administrator password.
 
A

asdf

thank you for replying.
as i mentioned however, the person claims that someone unlocks her
computer not just logs into it with their own account. If she is correct
in her claims someone manages to get her password.

I'll give that 'expanded threats' suggestion a shot though.

thank you
 
C

Charlie Tame

Hmm, you said "One of our" so I guess this is a company network.

Maybe you have thought of this but it's not a case of someone using Remote
Desktop is it? I know this is a 2000 group but as people move to XP I
figured the question worth asking, just in case it is XP on that machine.
(You can easily install the RDP client on 2000 by copying msts something
..exe into system 32 and the dll that goes with it.so you can't rely on the
fact that 2000 doesn't come with it for protection. The client will work on
95 up :)

Just a thought,

Charlie


asdf said:
thank you for replying.
as i mentioned however, the person claims that someone unlocks her
computer not just logs into it with their own account. If she is correct
in her claims someone manages to get her password.

I'll give that 'expanded threats' suggestion a shot though.

thank you
Click to expand...
 
D

Donnie

asdf said:
thank you for replying.
as i mentioned however, the person claims that someone unlocks her
computer not just logs into it with their own account. If she is correct
in her claims someone manages to get her password.

I'll give that 'expanded threats' suggestion a shot though.
Click to expand...
#################################
Until you can find the trojan, create a BIOS passwd and let her shutdown
when she leaves.
Look in the registry for the trojan. The first place is
HKLM
Software
Microsoft
Windows
CurrentVersion
Run
 
N

nemo_outis

asdf said:
one of our users is complaining that someone is loging in to her
computer. when she leaves she locks her computer but sometimes when
she comes back it is unlocked. Noone else knows her password. Even if
i it was reset through active
directory it would show since then she would know that someone changed
it. To me that leaves only one option and that is that someone has
installed a keylogger
like spector to get her password. System is running Symantec Corporate
Antivirus 9.1
but those keylogger have a way of avoiding detection. What are other
things that could
be causing this. What are other ways of troubleshooting this problem.

thanx a million for all the responses.
Click to expand...


You don't say which version of Micropsoft Windows -on some the keyboard
lock can be bypasssed and awakened by inserting, for instance, a CD (if
autorun is enabled).

Regards,
 
S

Steven L Umbach

Enable auditing of logon events on her computer in Local Security Policy and
then view logon entries in the security log to see what is going on and
proceed from there. The events will have a logon type and a timestamp. Type
7 shows the computer was unlocked. Make sure you reset her password ASAP
and you may need to do a clean install of the operating system. --- Steve

http://www.windowsecurity.com/articles/Logon-Types.html
 
A

asdf

she is already changing her pass once a week.
thats why i think that it's a keylogger or similar.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

XP, Linux and Keyloggers 6
How did this happen 9
How was user able to (accidentally) change an unlocked cell to loc 1
Lockdown Outlook EXE with a password 2
Weird keyboard problems / Possible keylogger? 1
DST and Palm Pilot issue 1
profile password 5
administrator problems 9

Top