Another user is still logged on to this computer???



Billy T
10-05-2013, 01:37 PM
Hi Team

I've been doing some maintenance work on Billy Jnr's computer, which is now used only by Mrs T, and a couple of days ago there was a warning on her Gmail that somebody in Tunisia was trying to access the computer, so we changed the password, but got the same message again yesterday, so we changed it again.

I had previously run a routine scan with Spybot and MWB, with both picking up a single problem each. Spybot dealt with the first one, which sounded innocuous, and MWB had quarantined the second which had a name like Agent4 or very similar. Last night we got the same Tunisia warning again from Gmail, so we changed the Gmail password yet again, and since the computer had been acting a bit clunky for quite some time I decided to do some housekeeping.

I ran full scans with MSE, the online version of Nod32, then Spybot and MWB, then I emptied the temp file and defragged the disk. It is working a lot better after that, but when I shut it down, it tells me that there is somebody else logged on and asks if I wish to continue. It has been doing that for some time actually, but I wasn't concerned because there had been no apparent problems and since I was shutting down, it was going to terminate the connection anyway.

Now I think I should try to find out who or what is allegedly still logged on after I have logged out, but I don't have a clue where to start looking. The two computers are not networked, but they are both connected to the net via a NAT Router with a very strong password, and Shields Up has always given the system a clean bill of health as well.

OS is XP Pro, and any insights or advice would be welcome.


Cheers

Billy 8-{)

wainuitech
10-05-2013, 02:31 PM
If you go into the Control Panel / User Accounts, apart from the Guest, how many other accounts are showing?

WarNox
10-05-2013, 02:58 PM
If you open up the Task Manager (right click the task bar or CTRL+ALT+DEL) and click on the Users tab, it should show you the logged on users.

gary67
10-05-2013, 03:22 PM
Are you sure they were not trying to enter Gmail? I would change that password.

Billy T
10-05-2013, 03:56 PM
If you go into the Control Panel / User Accounts, apart from the Guest, how many other accounts are showing?

Thanks WT. There were only two accounts, Mrs T's and his (with administrator rights) but the guest account was open, so I have closed it. Hopefully that will be the end of it.

We left rellies staying here while we were in Oz at Xmas, and they were less than cooperative on a number of fronts. A few days before we left, I came back from a job and found one of them in my office trying to use my colour laser to print a heap of personal stuff. I locked my office, but left them with guest access for emails on Billy Jnr's computer, so maybe I didn't get it right, or perhaps they fiddled with it. When I shut it down tonight I'll soon know if it is OK or not.

Cheers

Billy 8-{)

wainuitech
10-05-2013, 04:00 PM
Hopefully it's sorted it Billy -- you have to remember - No one's touched anything -- Honest ;)

Lurking
10-05-2013, 04:02 PM
If you go into the Control Panel / User Accounts, apart from the Guest, how many other accounts are showing?

Wai, had a bit of trouble with GMail here.

Notice there is an ASP.NET in the User Accounts, Dr Google states it's a Microsoft facility, should it be deleted if possible?

Thanks,

Lurking.

Billy T
10-05-2013, 04:05 PM
I think they were trying to enter Gmail, that was the gist of the Gmail alert so far as I was concerned, and to crack the changed password would not have been hard, Mrs T only changed the location of two numbers.
It now has an alphanumeric password that is quite different.

One of the reasons I leave my computers off at night is because the bad guys on the other side of the World probably start up in the early hours of our morning, so their opportunities to work on stuff in our time zone are limited. It wouldn't stop the pros but it might slow down the wannabes.

Cheers

Billy 8-{)

fred_fish
10-05-2013, 07:25 PM
They are not trying to get into your PC.
They are trying to access your account on Google's server.
Your PC being on or off makes no difference.

coldot
10-05-2013, 09:40 PM
Billy,
Are you sure Billy Junior isn't still using his PC from some far away place!

However, at the RUN prompt enter: control userpasswords2 and you will see the list of users including the odd ones set up by the installer (and maybe by the cleaning lady, visiting plumber and half a dozen rellies).
Installers may have set up an access so that they can respond to your service call remotely - sometimes they don't bother to tell you about it - it should be on the basis that you have to be there to agree to remote access.
Take care while in the depths of user control as a false step may plunge you into the darkest abyss - or no access!
I suggest Google 'control userpasswords2' or 'How to find hidden users'.
And yes, once a pirate has stolen your current Gmail password he/she doesn't need your computer, until you change the password again.

wainuitech
10-05-2013, 10:20 PM
Wai, had a bit of trouble with GMail here.

Notice there is an ASP.NET in the User Accounts, Dr Google states it's a Microsoft facility, should it be deleted if possible?

Thanks,

Lurking.

ASP.NET is installed by .Net Framework 1.1, it's needed to allow the install to happen. In the past I have removed it without any problems happening. Saying that, I don't do any projects that require ASP either.

A bit more info about it: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-home-premiumaspnet-sign-in-account/b03815df-f895-49bf-b3e2-e5aa82b7934a

Billy T
10-05-2013, 11:06 PM
Billy, Are you sure Billy Junior isn't still using his PC from some far away place!

Yes, I am sure, he is in France at present and all communication is via his smartphone.

I ran 'control userpasswords2' and nothing extra showed up.

I have also found the note I made of the trojan name. It was 'trojan.agent.a1' and MWB had it in quarantine.

I have read up about this trojan virus on the web and it sounds nasty (see below), but MWB had quarantined it so I am assuming that it was caught on entry. It was not detected by Eset/nod32 or any of my other subsequent scans since (in total about three hours of scanning), so I am assuming that MWB must have caught it on entry.

Cheers

Billy 8-{)

Found this for Trojan.agent.a1: The description fits with the Tunisia/Gmail experience and we may have had a narrow escape.

Trojan.Agent.AI is categorized as a Trojan virus that antivirus programs may pick up on your computer when it’s infected. This Trojan virus is not very friendly to your computer and will start bringing chaos once it’s in. Created by PC hackers, it has the ability to fail many antivirus programs and sneak into vulnerable systems without consent from PC owners. If you happen to get this Trojan alert popping up on your computer, please watch out. Your computer is already vulnerable because of this piece of Trojan and will become worse if the virus cannot be removed in time! It is believed that a Trojan like this can be associated with different kinds of malware and even third parties. It helps them open the door to many computers around the world. Trojan.Agent.AI virus is not that easy to be removed since it’s associated with PC hackers. But do you have any idea of where you picked up this virus? Have you always behaved yourself online and been well protected by your antivirus?

This Trojan infection is believed to be able to hide among many suspicious or fishy web sites; be bundled with free unknown software; or spread among computers with the assistance of removable devices. Even though the computer has been protected by antivirus software, it’s still vulnerable to this Trojan virus. Once Trojan.Agent.AI virus is in, security alerts may keep popping up from antivirus to warn you that the computer is in troubles. These security pop ups may include fake alerts created by this Trojan infection to get you confused. What’s worse, system loopholes could be created in order to bring other malware and spyware in! In other words, you may be experiencing other troubles on the computer if this Trojan virus cannot be removed fast.

Lurking
10-05-2013, 11:10 PM
ASP.NET is installed by .Net Framework 1.1, it's needed to allow the install to happen. In the past I have removed it without any problems happening. Saying that, I don't do any projects that require ASP either.

A bit more info about it: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-home-premiumaspnet-sign-in-account/b03815df-f895-49bf-b3e2-e5aa82b7934a

Wai, thanks for that, will delete user ASP.NET as I don't use Framework 1.1.

If it's daughter's doing, she can put it on her own home machine.

Lurking.