

My computer is being locked randomly
June 21, 2007 6:16 AM   Subscribe

Windows XP Pro randomly being locked by unknown users. Is my computer being hijacked?

I recently moved halfway across the country and my company kept me on staff as a telecommuter. I brought my work computer with me and connect to their network via a dedicated VPN.

During these last three months I have experienced some odd behaviour with my computer. About two weeks after I set up shop here is when it first started. I was actively working on the computer when everything would suddenly start to shut down and the default blue CTRL-ALT-DEL login screen would appear.

It read: "This computer is in use and has been locked" and then listed computername\guest. It gave me an opportunity to put in my username and password, but I never could get in. I would have to hard boot my computer. Just when I got freaked out enough to call IT, it mysteriously stopped.

Now it's happening again. Sometimes I'll come into work and it's happened during the night (such as last night). I've only been here for a half hour this morning and it already happened while I was in the middle of drafting an e-mail to IT. Things are a little different this time, though. It appears to be adding Windows users. They are usually nonsense names ending with a dollar sign. Today when it locked it displayed computername\xiake$. Indeed, there are several new accounts under control panel. My fiancé deleted most of them but a few remain that we weren't sure about, such as "admis" and "HelpAssistent" (sic). Also now I am able to log in from the locked screen whereas I wasn't able to before.

I am not running a screensaver and when I did, it was not password protected. I'm on XP Pro. I'm running Norton Antivirus but no firewall (at the request of IT for purposes of the VPN, I suppose). AdAware found nothing. There is no consistency with anything I'm doing or running when it happens. It seems completely random. I always turn the VPN connection off when I'm not here.

I hope someone here has an idea what's going on and if I'm at risk. I have recently paid for items with credit cards on this computer and checked my bank accounts. This is starting to freak me out a little!

Thanks!
posted by bristolcat to Computers & Internet (28 answers total) 2 users marked this as a favorite
 
I feel like I should add that my VPN line mysteriously slowed down to a crawl during the last week and there seems to be no cause. Perhaps these things are related?
posted by bristolcat at 6:17 AM on June 21, 2007


Run RootKit Revealer, Autoruns and AVG and see what they turn up would be my advice. Especially Autoruns if this problem persists through reboots.
posted by dance at 6:31 AM on June 21, 2007 [1 favorite]


If this is a company-issued PC, supporting it is the responsibility of your Corporate IT department, and really, really NOT YOURS. I recommend you do not try any DIY fixes but insist on immediate and drastic action on the part of your IT support people. It's easy to imagine that both your own and your company's sensitive information have been compromised. Continuing to work on a PC that seems clearly and thoroughly penetrated by unknown persons is foolish.

In your shoes I would insist and demand they completely wipe the system's hard drive and re-install all software. Or, they could send you a replacement or a loaner PC for while they service your machine.

Don't attempt to service this yourself - you'll never be able to use the machine in confidence again. I fix PCs for a living and if my PC acted like this I would format it immediately and reinstall from scratch, regardless of whether I had current backups of my data to use. I would not bother with scans or other measures - you can never be sure you got it all, and the level of penetration indicated by the symptoms you describe is significant.

That said, report any Credit Card numbers you used on the PC to the issuing banks as possibly stolen and have new cards/numbers issued to you IMMEDIATELY. Consider ANY information you stored or entered on that machine to be stolen and act accordingly. Your issuing banks should be able to assist in this process.

Good luck.
posted by BigLankyBastard at 6:54 AM on June 21, 2007


Jesus. Well and truly hacked. Unplug from the network, format, reinstall. Get a firewall if you haven't. Don't go online until patched fully.
posted by daveyt at 7:01 AM on June 21, 2007 [1 favorite]


First, turn off Remote Assistance. As far as I can tell it's the most likely attack vector.

Second, you're running Windows XP without a firewall. Even Microsoft would tell you that this is a Very Bad Idea.

You are definitely at risk. I don't know any benign reason for new Windows accounts being created, especially with obvious typos. I would agree with the other posters:

1. Yank your internet connection NOW.

2. Consider your computer compromised. Copy vital data to a removable drive, then reformat and reinstall Windows XP.

3. On the new install, disable Remote Assistance.

4. Run a firewall. Norton is useless. XP's built-in firewall is adequate. If your corporate IT insists you can't have a firewall, they have no idea what they're doing.

5. Consider credit card numbers, bank accounts, and anything else private you've ever done on that machine compromised too.

If it's a corporate machine, insist on nothing less than #1-#4. Seriously.
posted by mmoncur at 7:09 AM on June 21, 2007


Someone is connecting to your computer via remote desktop. Call your IT department.
posted by damn dirty ape at 7:38 AM on June 21, 2007


i hope you don't work for the gov'ment
posted by Salvatorparadise at 8:01 AM on June 21, 2007


Unless the computer is your own personal property, you probably shouldn't do anything to it. Copy your data from it, stop using it immediately, turn it over to your IT staff and request an immediate replacement. Do not reformat, etc, unless you are the owner of the computer or you've been given permission to do so by your IT department. But do stop using it immediately.
posted by me & my monkey at 8:34 AM on June 21, 2007


"Indeed, there are several new accounts under control panel. My fiance deleted most of them but a few remain that we weren't sure about, such as "admis" and "HelpAssistent" (sic). Also now I am able to login from the locked screen whereas I wasn't able to before."

"Sometimes I'll come into work and it's happened during the night (such as last night)."

"Just when I got freaked out enough to call IT, it mysteriously stopped."

Are you sure it's not your IT department remotely accessing your computer?

If it's a work computer, back up any data you cannot afford to lose, job-related or personal, and write a LETTER to your supervisor / IT department saying you are constantly being locked out of your computer, as such cannot perform your job, and are worried about the security of any data that the company might have on that computer.

Do not try to fix this yourself, it is not your problem.
posted by outsider at 8:52 AM on June 21, 2007


I recommend contacting your IT people immediately.
posted by voltairemodern at 9:09 AM on June 21, 2007


Thanks everyone for the advice. I stupidly had no idea how urgent this was. I really should know better.

My company (not gov't heehee) is rather small and we have an IT consultant rather than a full time IT staff. He is spread thin between a few companies so it's hard to get his full attention and assistance, especially being halfway across the country. So I really have no choice but to do some work on it myself.

Our IT guy really does not want to reinstall Windows because of my situation of telecommuting in. I don't have the CDs for any of my graphics programs so I'll have to find a way to reinstall all those if I do have to reinstall. He wants to try to clean it up instead. So, we'll see how that goes.

I ran a full system scan with Symantec Antivirus and found nothing. I called them and they said, "Whoa. That's bad." Ha! So now I'm downloading and upgrading Symantec and we'll try it again and see how that goes.

Thanks everyone for your input!
posted by bristolcat at 9:48 AM on June 21, 2007


Yeah: It's definitely remote desktop, but it doesn't sound like professional hackerly behaviour. Tell IT. It could be that someone else in the same situation as you (work from home worker) is wandering around playing on other people's computers.

If you've got rights, you can also switch remote desktop off.
- Start --> Right Click "My Computer"
- Click the Remote Tab.
- Untick "Allow users to connect remotely to this computer"
- Click OK.

Also...
- Delete / disable all guest & help accounts.
- Accounts can be found in the Control Panel --> Administrative Tools --> Computer Management --> Users.

If you can't switch off remote desktop, changing the password of logging in accounts to blank (although this is frankly an unwise thing to do) will stop people being able to log on to those accounts using remote desktop.
posted by seanyboy at 9:54 AM on June 21, 2007


The guest and helpAssistant accounts are standard accounts BTW.
Plus, personally I suspect your IT manager is the one playing around on your PC.
posted by seanyboy at 9:56 AM on June 21, 2007
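The two account-list symptoms raised in the question and in seanyboy's comments (machine-style names ending in "$", and near-miss spellings of built-in accounts such as "HelpAssistent" and "admis") can be checked mechanically. The following is an added example, not code from the thread or from any of its posters: it parses `net user` output and classifies each name. The `net user` text is constructed for this example, the built-in set is the standard one on an XP Pro install, and `EXPECTED_USERS` is an assumed baseline of legitimate human accounts that the machine's owner would maintain.

```python
"""Audit a Windows XP local account list for two signs of tampering:
machine-style names ending in '$' and lookalikes of built-in accounts.
Added example; sample data is CONSTRUCTED, not taken from a real machine."""
import difflib

# Standard built-in accounts on a Windows XP Pro installation.
XP_BUILTIN_ACCOUNTS = {"Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0"}
# Assumed baseline of legitimate human accounts (hypothetical for this example).
EXPECTED_USERS = {"bristolcat"}

# Constructed `net user` output mirroring the names mentioned in the thread.
SAMPLE_NET_USER = """\
User accounts for \\\\WORKPC

-------------------------------------------------------------------------------
admis                    Administrator            bristolcat
Guest                    HelpAssistant            HelpAssistent
SUPPORT_388945a0         xiake$
The command completed successfully.
"""

_KNOWN_LOWER = {n.lower() for n in XP_BUILTIN_ACCOUNTS | EXPECTED_USERS}


def parse_net_user(text):
    """Return account names from `net user` output. Names sit in columns
    between the dashed rule and the 'The command completed' trailer."""
    names = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table:
            names.extend(line.split())
    return names


def lookalike_of(name):
    """Return the built-in account that `name` imitates, or None.
    A near-miss is a close string match (ratio >= 0.75) or a shared prefix of
    at least four characters; the prefix rule catches truncations such as
    'admis' for Administrator that a pure similarity ratio would miss."""
    lowered = name.lower()
    for builtin in XP_BUILTIN_ACCOUNTS:
        b = builtin.lower()
        ratio = difflib.SequenceMatcher(None, lowered, b).ratio()
        shared = 0
        for x, y in zip(lowered, b):
            if x != y:
                break
            shared += 1
        if ratio >= 0.75 or shared >= 4:
            return builtin
    return None


def audit_accounts(names):
    """Classify each account name; returns {name: verdict}.
    Windows account names are case-insensitive, so comparisons are lowered."""
    verdicts = {}
    for name in names:
        if name.lower() in _KNOWN_LOWER:
            verdicts[name] = "known"
        elif name.endswith("$"):
            verdicts[name] = "suspicious: machine-style name"
        else:
            target = lookalike_of(name)
            if target:
                verdicts[name] = f"suspicious: lookalike of {target}"
            else:
                verdicts[name] = "unknown: not in baseline"
    return verdicts


if __name__ == "__main__":
    for account, verdict in audit_accounts(parse_net_user(SAMPLE_NET_USER)).items():
        print(f"{account:20} {verdict}")
```

Anything other than "known" is a name to take to whoever owns the machine before it is deleted, since the verdict only says the name is out of place, not who created it or when; a "known" built-in such as Guest still needs its enabled/disabled state checked separately, which `net user` alone does not show.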


It's definitely not the IT manager.
posted by bristolcat at 10:00 AM on June 21, 2007


Ouch....actually Symantec won't help much if it has been compromised. You might find the initial security hole or trojan that was initially used, but you're going to have to lock down the parts that were used afterwards up until now. Here's a checklist you will need to go through asap and while you're offline:

1.) Disable remote assistance (remote desktop).
You can right-click my computer and disable it there under properties/remote. Or you can click start/run and type services.msc and disable the service.

2.) Disable the guest account. There's no need for this account to be enabled. Everyone that connects to your PC should be authenticating.

3.) Download a program called HiJackThis from merjin.org and run it. Look for anything suspicious or post your results here (I'll check back periodically).

4.) It is possible that other tweaks were made that compromise security....so finish your symantec scans with the latest DATs, and follow that up with Microsoft's Baseline Security Analysis available from microsoft.com's download section.
posted by samsara at 10:02 AM on June 21, 2007


If your IT guy doesn't want to take the time to wipe the PC and secure it properly, he doesn't want to take the time to deal with the situation appropriately. His failure to properly secure your PC may well cost you a stolen identity, and his ongoing half-assed approach to fixing the issue is going to cost more time and money than just doing it right the first time.

Really, really talk to your manager, or the Main Boss and let him know that your computer is compromised by something the scanning tools are not finding, and needs to be wiped.

I am an IT professional and would do nothing else in this situation. Folks can speculate about remote desktop or remote assistant all they want, but there are scores of applications and tools out there that could be planted on your PC and used by a hacker to effect control. Follow the advice of mmoncur and insist it be done right.
posted by BigLankyBastard at 10:06 AM on June 21, 2007 [1 favorite]


I love MeFi. I want to mark you all best answer.

I really agree with most everything said here. I did talk to my manager but they are really loath to spend the time copying the disks, overnighting the disks to me and then waiting for me to get everything wiped and reset. The IT guy says that just the reinstall would be a 6-8 hour task. They want to see if they can solve the problem rather than eliminate it. I can see their reasoning but I am really nervous about it and like BLB said above, I might have risked my identity.

My fiancé is here helping me today and he's disabled remote assistance and the guest account. After we run Symantec we'll probably run HijackThis. He's looking through my system event viewer log right now. He's suspicious of a log that states "Driver Tencent Virtual Printer Driver required for printer Tencent Virtual Printer is unknown. Contact the adminstrator to install the driver before you log in again." So he's looking into that.

I also don't think that anyone in my company has the know-how or time to poke around other people's computers. I'm the only one in the work-from-home situation.

Well, we'll probably log off here as we have some nasty storms coming in and it is lunchtime. Thanks everyone. The IT guy and my boss have been shown this thread. Maybe they are still following it.
posted by bristolcat at 10:19 AM on June 21, 2007


re: "Driver Tencent Virtual Printer Driver required for printer Tencent Virtual Printer is unknown. Contact the adminstrator to install the driver before you log in again."

This means that someone who logged in was running
posted by seanyboy at 10:57 AM on June 21, 2007


oops...
Ignore that. I pressed post by accident.
posted by seanyboy at 10:57 AM on June 21, 2007


Well we ran another scan and found something called Backdoor.Graybird. I'm guessing that's it.
posted by bristolcat at 12:08 PM on June 21, 2007


Many, many machines have a missing or crappy password on the Administrator account. That makes it trivial to log in remotely if remote Desktop is running. After the reformat, rename the Administrator account, and not just to Admin. CompanyNameAdmin is okay. It, and all accounts on the machine, must have a 12+ character password with numbers. Get a combination home router/firewall.

There are several steps involved in securing Remote desktop. This article details them nicely. Hackers scan the Internet, looking for machines with Remote Desktop available, then bruteforce the Administrator or guest account. The IT dept. should apply the lessons learned here to other telecommuters.
posted by theora55 at 12:11 PM on June 21, 2007
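theora55's description of the pattern (scan for exposed Remote Desktop, brute-force Administrator or Guest, then log in) leaves a recognisable trail in the XP Security log, and the question's symptom of new accounts appearing does too. The following is an added example, not code from the thread or from any poster, showing the detection logic a defender would run over exported log lines. The event IDs are the pre-Vista Security log IDs (529 logon failure, 528 successful logon, logon type 10 for RemoteInteractive, 624 user account created); the one-line-per-event layout and all the sample entries are constructed for this example and are not the exact text XP writes.

```python
"""Detect RDP brute-force-then-success and local account creation in a
simplified export of Windows XP Security log events. Added example; the
log lines are CONSTRUCTED and the line format is assumed, not XP's own."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of bad passwords against Administrator from one
# source, a successful RemoteInteractive logon, a new account, then the
# legitimate user's console logon in the morning.
SAMPLE_LOG = """\
2007-06-21 01:58:03 EventID=529 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 01:58:04 EventID=529 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 01:58:05 EventID=529 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 01:58:06 EventID=529 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 01:58:07 EventID=529 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 01:58:09 EventID=528 Account=Administrator LogonType=10 Source=WS-7A1
2007-06-21 02:03:41 EventID=624 Account=xiake$ LogonType=- Source=WS-7A1
2007-06-21 09:02:15 EventID=528 Account=bristolcat LogonType=2 Source=LOCAL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<ltype>\S+) Source=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the assumed export format into a list of event dicts,
    silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(m["eid"]),
            "acct": m["acct"],
            "ltype": m["ltype"],
            "src": m["src"],
        })
    return events


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, source, failure_count, success_time) for every
    RemoteInteractive success (528 / type 10) preceded by at least
    `threshold` failures (529) for the same account and source within `window`."""
    failures = defaultdict(list)  # (account, source) -> failure timestamps
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["acct"], ev["src"])
        if ev["eid"] == 529:
            failures[key].append(ev["ts"])
        elif ev["eid"] == 528 and ev["ltype"] == "10":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["acct"], ev["src"], len(recent), ev["ts"]))
    return hits


def remote_logons(events):
    """Every successful RemoteInteractive logon, whether or not it was preceded
    by failures; on a telecommuter's box this list should be very short."""
    return [(ev["acct"], ev["src"], ev["ts"])
            for ev in events if ev["eid"] == 528 and ev["ltype"] == "10"]


def find_account_creations(events):
    """Every user-account-created event (624): new local accounts appearing
    without an administrator's knowledge are a compromise indicator."""
    return [(ev["acct"], ev["src"], ev["ts"]) for ev in events if ev["eid"] == 624]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, src, n, when in find_bruteforce_then_success(evs):
        print(f"brute force then success: {acct} from {src}, {n} failures before {when}")
    for acct, src, when in find_account_creations(evs):
        print(f"account created: {acct} from {src} at {when}")
    for acct, src, when in remote_logons(evs):
        print(f"remote logon: {acct} from {src} at {when}")
```

On a real machine the Security log only contains these events if audit policy for logon events and account management is switched on; with it off, the absence of hits means nothing, which is one more reason the thread's advice to rebuild rather than hunt for evidence is sound.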


Also, you may want to get comodo firewall once you've re-loaded the OS (I would suggest trying to root out the problem, but unless you're intimately familiar with what should and should not be on your PC it could take days).
You're pretty much stuck waiting for the OS disk and doing the reload. Re-installing should take nowhere near 6 hours, WTF? This is XP we're talking about here, not Vista. Think ONE hour, man.
posted by IronLizard at 12:16 PM on June 21, 2007


Well we ran another scan and found something called Backdoor.Graybird. I'm guessing that's it.

You think you've found the problem. Well, you found one of the problems. Today's malware not only infects your PC, it allows other malware to infect it. Some of these little suckers are so good they actually download updates to the latest version of slime. If you're seeing one, it's almost certain there's another your AV can't find. But don't take my word for it. Run HiJackThis and get a good firewall.
(The comodo alpha will actually block a program from accessing your keyboard if you let it).
posted by IronLizard at 12:24 PM on June 21, 2007


"I did talk to my manager but they are really loathe to spend the time copying the disks, overnighting the disks to me and then waiting for me to get everything wiped and reset. The IT guy says that just the reinstall would be a 6-8 hour task. They want to see if they can solve the problem rather than eliminate it."

I work in the IT department of a company with lots of remote salesmen with company-issue laptops and VPN connections, just like you've got. I'd expect to be fired if I took that attitude towards your problem, and my boss would be right to fire me for it.

Their attempt to "solve the problem rather than eliminate it" is total gibberish. You cannot solve this problem without wiping everything off the hard drive and starting over.

Why? Look at it this way: You can no longer trust your computer, because the computer is no longer yours. It belongs to a hacker, now. And this hacker has doubtless installed all sorts of back doors and other ways for him to get back into your system even after you've removed all the viruses. You know this is true, because you've seen some of them. How do you expect to get rid of the ones you don't know about?

The whole IT security community pretty much agrees that, in cases like this, the only way you can ever trust this computer again is by completely erasing the hard drive, and starting over from scratch. Even your documents are suspect, because everything from Word files to images has been able to harbor viruses.

"The IT guy and my boss have been shown this thread."

I hope they're still reading it. Hi, guys! Have I gotten the gravity of this situation across to you? Why are you even allowing a PC that's known to be heavily compromised access to your local network (via the VPN)? You're letting all these viruses have direct access to your company's servers? What are you thinking? Fixitfixitfixit! And do it right!
posted by CrayDrygu at 12:56 PM on June 21, 2007


Your computer is compromised by at least one hacker, possibly multiple. By not re-installing the OS from the ground up you are basically depending on that hacker to not be sophisticated enough to employ a rootkit after the initial compromise. No anti-virus software can detect a rootkit by definition, excepting a scan on startup before the OS loads. Even then, the accepted cleanup methodology would be to re-install the OS from scratch. I have a serious bias against McAfee and Norton AV as being inferior virus/malware scanners.

Whether or not you decide to go for the proper solution (complete re-install, including latest patches before reconnecting to the Internet), you should invest in a hardware firewall, lock down ports you aren't using, and only allow trusted IP addresses to access your machine.
posted by BrotherCaine at 3:39 PM on June 21, 2007


I just want to add that I think part of the reasoning behind wanting to avoid reinstall is that it would be necessary to reinstall Great Plains which is a PITA and some sophisticated weaving software. Perhaps 6 hrs is an exaggeration on IT's part but it does take some time to load those on a machine along with the rather large Adobe CS2 and whatever else I'd need.

Nonetheless, we've wasted 6-8 hrs on it already.

We'll see what happens. I hope we end up reinstalling. Based on everyone's input I'd feel safest that way.
posted by bristolcat at 4:20 PM on June 21, 2007


Just a suggestion, have your IT department make a Ghost image of your laptop once they reinstall, and get that image on a DVD. That way you can always fall back to the original install if something goes awry (takes 5 mins compared to hours...a handy poor man's rescue kit).
posted by samsara at 10:02 AM on June 22, 2007


I'm not sure about Great Plains or your other software, but if you have a machine new enough to run Adobe CS2, the installation will take about 10 minutes.

Since it looks like they're not going to do the right thing here, I would highly recommend you take some steps yourself:

1. Get your own computer. (A Mac, if you want to worry a bit less about security.) Use the compromised work computer for work and nothing else.

2. Get a good hardware firewall. This can at least block many of the ports that would allow further invasion of your work computer.

3. Take those early drafts of the new Harry Potter novel off your work computer before more people read them and spoil it for everybody. :)
posted by mmoncur at 2:57 AM on June 25, 2007

