
Login Picture Changed on its own?


18 replies to this topic

#1 mischik

mischik

  • Members
  • 9 posts

Posted 24 October 2010 - 09:39 PM

Hi everyone..

I'm fairly technical and was a network and tech Director for a few years, so I have some familiarity with prior Windows versions, but Win 7 is a bit new to me. I went to log in today, and my login picture had been changed. Looking in Windows Event Viewer under Security, I can see it occurred at 12:25 in the morning. I was on another computer at that time, and running a utility from Microsoft on the PC in question that just collects system information.

I was trying to figure out why it changed and reviewing the event logs. I don't see the reason, only that an account change occurred. I replicated it by changing my picture again to another one, and the same system event occurred confirming its identity.

So basically, I had a flower as the login picture. On its own, it changed to a fish. I didn't make the change. I wasn't even using this machine at that time; however a Windows utility from MS was running -- but -- I reran that same utility tonight (it's one that just reports system usage) and it did not change the picture so I believe that is coincidence.

So my question is, why would Windows 7 change the default logon picture for a user on its own to something else? For additional information, the utility that MS had me run was the Microsoft Product Support Reports.

There are also multiple instances on this computer, the one where the picture changed on its own, of another PC that was running Windows 2000 logging into it as a SYSTEM, and then logging back out, then in and out continuously but not in a pattern that would make me think it was a process. My other machines on the network do not have that issue in the log file.

I checked the McAfee Firewall, and it was enabled. It has been catching attempts to login to VNC but they've been denied. VNC is also disabled.

Other pieces of info:
The Firewall is the latest edition of McAfee Antivirus Plus. Same with the Antivirus.

UAC has been disabled.

The machine has been running for about a year and a half on Windows 7 Ultimate 64 with no issues until the last 5 days.. and in the last 24 hours the "fish" became the default picture for my login ID. (I have two, my user ID and Admin, both with Admin rights). There are no shares on it. No other users beyond those two.

What is odd is that the time stamp on the change in the Security Event Manager is a time I was actually using the PC. If someone had remotely managed it or logged into it, wouldn't I have known? I was on it!

I can't figure out how Windows 7 would have changed the default login picture on its own. It seems it may be a hacker trying to make his or her presence known. Do I need to hire a computer forensics specialist?

I'm a little freaked out about what could have caused this. Any thoughts?

Thanks,
Danielle
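The Security-log review this post describes, done from PowerShell rather than the Event Viewer GUI, as an added example (not the poster's own steps or any tool named in the thread). It assumes Windows 7 or later with PowerShell 2.0+ and an elevated prompt, since reading the Security log needs administrator rights. The event IDs are the standard Windows Security audit IDs; the post never names the event that recorded the picture change, so treating it as 4738 (A user account was changed) is an assumption, and the script name in the usage note is made up.

```powershell
# Added example for this thread (not the poster's own procedure): pull the
# Security-log events that answer "who changed my account, and who logged in
# from another machine" into one timeline. Assumes Windows 7+, PowerShell 2.0+,
# elevated prompt. 4738 as the event behind the picture change is an assumption.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),   # review window; narrow it to the incident
    [datetime]$End   = (Get-Date)
)

# 4738 = "A user account was changed"            (account management)
# 4624 = "An account was successfully logged on"
# 4634 = "An account was logged off"
$filter = @{
    LogName   = 'Security'
    Id        = 4738, 4624, 4634
    StartTime = $Start
    EndTime   = $End
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Each event stores its fields as <Data Name="..."> nodes; flatten them into a hashtable
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        Time        = $_.TimeCreated
        EventId     = $_.Id
        Account     = $data['TargetUserName']
        ChangedBy   = $data['SubjectUserName']   # who performed the change (4738 only)
        LogonType   = $data['LogonType']         # 2 = console, 3 = network, 10 = RDP
        Workstation = $data['WorkstationName']   # remote machine name, when present
        SourceIp    = $data['IpAddress']
    }
}

# Keep every account change, plus logons/logoffs that arrived over the network
# (types 3 and 10). Console and service logons are noise for this question.
$interesting = $events | Where-Object {
    $_.EventId -eq 4738 -or $_.LogonType -eq '3' -or $_.LogonType -eq '10'
}

$interesting | Sort-Object Time |
    Format-Table -AutoSize Time, EventId, Account, ChangedBy, LogonType, Workstation, SourceIp
```

Save it as, say, Review-SecurityLog.ps1 and run it from an elevated PowerShell, optionally passing -Start and -End to bracket the 12:25 timestamp. A type 3 logon from another machine shows that machine in the Workstation column; when it is the remote computer itself authenticating rather than a user, the Account column ends in `$`. A 4738 with a matching 4624 type 3 a few seconds earlier, from the same account, is the quickest way to tell a remote change from one made at the console.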


#2 keyboardNinja

keyboardNinja

    Bleepin' Ninja


  • BC Advisor
  • 4,815 posts
  • Gender:Male
  • Location:teh interwebz

Posted 26 October 2010 - 12:38 AM

Bizarre.... :huh:

I've never heard of that happening before...
PICNIC - Problem In Chair, Not In Computer


20 Things I Learned About Browsers and the Web

#3 Martel

Martel

    Drfixup Human Internet Solutions


  • Members
  • 1,466 posts
  • Gender:Male
  • Location:North Carolina U.S.A.

Posted 26 October 2010 - 12:54 AM

Do I need to hire a computer forensics specialist?

like Abby Sciuto

Bizarre.... :huh:

I've never heard of that happening before...


Same here.

I was watching this topic wondering the same thing. :huh:

#4 mischik

mischik
  • Topic Starter

  • Members
  • 9 posts

Posted 26 October 2010 - 01:06 AM

I hear you all for sure.. a bit more info has been figured out since then. My primary computer in the same office had WebWatcher installed on it. I'm working with their fraud investigation team to find out who and when. The person who keylogged it had my pc login ID, and used it most likely to change the picture while I was sitting here using a registry editor. Creepy, and a crime.. so I'll get this figured out. It was done intentionally, just not by me. Microsoft actually helped me figure it out. One concern I have is how to determine whether WebWatcher is completely off of the computer.. I have hired a forensics specialist to help with that. StopZilla is supposed to remove it and it did detect it, but whether it's gone with certainty is still in question - and how many more computers it is on is in question as well. It's tough to get off of computers (if any of you have any experience with that, please let me know. I've used forums to validate registry keys are gone and so on). If you have any other thoughts I'd greatly appreciate it.. the entire thing is stalker-city-like.

d


Do I need to hire a computer forensics specialist?

like Abby Sciuto

Bizarre.... :huh:

I've never heard of that happening before...


Same here.

I was watching this topic wondering the same thing. :huh:


Edited by mischik, 26 October 2010 - 01:06 AM.


#5 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 26 October 2010 - 05:53 AM

Please keep us posted on all the details. This should be a good learning process.

#6 mischik

mischik
  • Topic Starter

  • Members
  • 9 posts

Posted 26 October 2010 - 01:49 PM

Definitely. So far, StopZilla is analyzing the log to see if I got it all. The forensics guys will be here tomorrow to image my drive and catch the mofo. Police are being remarkably helpful. If anyone knows how to make sure I removed it in the meantime please let me know.. this is pretty critical. Thanks..

d

Please keep us posted on all the details. This should be a good learning process.



#7 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 27 October 2010 - 09:03 AM

I wouldn't do anything until your forensics specialist tells you to. Then I would use the SUPERAntiSpyware and Malwarebytes Anti-Malware free on-demand programs.

#8 mischik

mischik
  • Topic Starter

  • Members
  • 9 posts

Posted 27 October 2010 - 12:45 PM

I wouldn't do anything until your forensics specialist tells you to. Then I would use the SUPERAntiSpyware and Malwarebytes Anti-Malware free on-demand programs.


OK do you know if that fixes WebWatcher?

#9 keyboardNinja

keyboardNinja

    Bleepin' Ninja


  • BC Advisor
  • 4,815 posts
  • Gender:Male
  • Location:teh interwebz

Posted 27 October 2010 - 11:35 PM

WebWatcher isn't textbook malware, so MBAM and SUPER won't bother with it (if they can detect it at all).

http://www.removeadware.com.au/articles/webwatcher/

Because WebWatcher can capture every keystroke, it is possible for your passwords, credit card numbers, bank account numbers, and other sensitive information to be obtained by unscrupulous users with remote access.


It is also designed to bypass antivirus scans and firewalls so it does not trip any alarms.


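The point made just above, that commercial monitoring software is not something the usual anti-malware scanners flag, is why the "is it really gone?" question from posts #4 and #6 comes down to reviewing autostart locations yourself. The script below is an added example, not from the thread and not WebWatcher-specific (the thread gives no indicators beyond a file found under Adobe Air): it lists the common Run/RunOnce keys and service binaries and flags entries that point at a missing file, an unsigned binary, or a binary under a user-writable profile directory. It assumes Windows 7 or later, PowerShell 2.0+, and an elevated prompt.

```powershell
# Added example, not from the thread: generic autostart review. Flags entries
# whose binary is missing, unsigned, or living in a user-writable directory.
# Nothing here is specific to WebWatcher. Assumes Windows 7+, PowerShell 2.0+,
# elevated prompt.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds itself; they are not registry values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Directories an ordinary user can write to; system software rarely starts from here
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

function Get-ExePath([string]$cmd) {
    # Reduce a command line ("C:\x\y.exe" /arg  or  C:\x\y.exe /arg) to the executable path
    if ($cmd -match '^"([^"]+)"')  { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)') { return $Matches[1] }
    return ($cmd -split ' ')[0]
}

function Test-AutostartEntry([string]$source, [string]$name, [string]$cmd) {
    $path  = Get-ExePath $cmd
    $flags = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $flags += 'missing-file'
    } else {
        # Authenticode check: anything other than a valid signature deserves a look
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += 'unsigned' }
        foreach ($dir in $userWritable) {
            if ($dir -and $path -like "$dir\*") { $flags += 'user-writable-dir'; break }
        }
    }
    New-Object PSObject -Property @{
        Source = $source; Name = $name; Path = $path; Flags = ($flags -join ',')
    }
}

$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $results += Test-AutostartEntry $key $prop.Name ([string]$prop.Value)
    }
}
# Services: Get-Service exposes no binary path in PowerShell 2.0, so read Win32_Service
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.PathName) { $results += Test-AutostartEntry 'Service' $svc.Name $svc.PathName }
}

# Only entries that raised at least one flag; check each one by hand before removing it
$results | Where-Object { $_.Flags } |
    Sort-Object Source, Name | Format-Table -AutoSize Source, Name, Path, Flags
```

Run it before and after a removal attempt and diff the two outputs; an entry that survives a cleanup, or one that reappears after a reboot, is the thing to hand to the forensics people along with the disk image. Scheduled tasks and browser extensions are not covered here and need a separate pass.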

#10 mischik

mischik
  • Topic Starter

  • Members
  • 9 posts

Posted 28 October 2010 - 01:55 PM

Ironically, I ran StopZilla, which is what found WebWatcher. It found it in template.exe in Adobe Air. hehe I emailed StopZilla my log files and they said they don't "check for WebWatcher as it is a commercial product." Microsoft, a forensics guy and the police dept are now looking at all the files...

:huh:

That article is the reason I bought StopZilla to try to find it.. and it did seem to find it... but in a rather odd location?

#11 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 28 October 2010 - 06:13 PM

Ironically, I ran StopZilla, which is what found WebWatcher. It found it in template.exe in Adobe Air. hehe I emailed StopZilla my log files and they said they don't "check for WebWatcher as it is a commercial product." Microsoft, a forensics guy and the police dept are now looking at all the files...



I gotta ask this, are you using a 100% Legit version of Adobe Air?

#12 mischik

mischik
  • Topic Starter

  • Members
  • 9 posts

Posted 28 October 2010 - 07:22 PM

As far as I know.. it came with Tweetdeck..


Ironically, I ran StopZilla, which is what found WebWatcher. It found it in template.exe in Adobe Air. hehe I emailed StopZilla my log files and they said they don't "check for WebWatcher as it is a commercial product." Microsoft, a forensics guy and the police dept are now looking at all the files...



I gotta ask this, are you using a 100% Legit version of Adobe Air?



#13 coxchris

coxchris

  • Members
  • 1,151 posts
  • Gender:Male
  • Location:Atwater

Posted 28 October 2010 - 07:23 PM

I would contact the main support page for that program at http://www.webwatcherkids.com/contact.php and ask them to trace the IP back to the host.

Some removal information for that program. Admins and moderators: I have found some information on "how to" for this type of spyware.

http://www.ehow.com/how_5020305_remove-webwatcher.html

http://forums.spybot.info/showthread.php?t=39778 Manual removal instructions for web-watcher

http://forums.pcworld.com/index.php?/topic/81716-web-watcher-removal/ - forum that found the instructions

Please be advised: take extreme precautions unless otherwise directed.

I hope this helps in your investigation

AA in Computer Networking Technology

BS in Information Technology 

Comptia A+, Project+, L+

Renewable:  N+,S+

CIW Web Design Specialist, JavaScript Specialist,  Database Design Specialist 

LPIC-1, SUSE 


#14 Romeo29

Romeo29

    Learning To Bleep


  • BC Advisor
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 28 October 2010 - 08:02 PM

I do not know how effective StopZilla is. But malware removal experts at BleepingComputer mostly advise Malwarebytes Anti-Malware and SUPERAntiSpyware.

#15 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 29 October 2010 - 12:48 AM

I just installed Adobe Air, and there was no mention of WebWatcher anywhere during the installation.



