Thread: Windows Login password shown (Page 3 of 3, posts 21 to 28 of 28)

#21 nihil (Super Moderator: GMT Zone; joined Jul 2003; Bridlington, United Kingdom; 17,191 posts)
    Hi,

    I've also noted that safe mode just hangs for me; it's not working.
    That is NOT good news, and certainly points to the reformat-and-reinstall route.

    You might have one last shot with EWIDO:

    http://www.ewido.net/en/

    There is a 14-day trial of the whole thing, but you can update and use the on-demand scanner after that.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

#22 Junior Member (joined Jun 2005; 16 posts)
    Originally posted here by nihil
    Not quite true. A strong Windows password would take an inordinate amount of time to crack, so a thief will just reset it. That provides you with a good line of defence if the machine is used for something illegal. It would provide "reasonable doubt" and could generally be forensically proven.
    For the average Joe, but I can own that thing in the time it takes to boot Austrum Latvijas Linukss and type three commands. Always plan for the worst case scenario and use strong encryption on any sensitive information stored locally.
    sudo

#23 Junior Member (joined Feb 2006; 14 posts)
    Sandcraft, this is not quite my scenario. At home, my password mostly serves the purpose that my visitors cannot easily get into my PC while I'm not in the same room monitoring them. This is mainly true for people I don't know well.

    So my problem is that my login password is visible to ANYONE standing next to me. And asking them "uh, could you turn around, my password is shown" isn't exactly implying a good sense of security / "knowing what's going on" on my side.

    My company notebook is a different story. We have a strict password-policy there and a help-line that would guide us through problems like this one. I don't have such a help-line at home. I rely on advice like yours to build up a good opinion about the current situation.

#24 nihil (Super Moderator: GMT Zone)
    Hi rck

    Did EWIDO find anything? I am afraid that I am starting to run out of ideas, so I will summarise my thinking so far (insofar as the process might be described as "thought").

    1. Your password is displayed as plain text. I have never actually seen that without using a tool to do it. If that is malware/spyware, it is not working properly, as it is advertising itself totally promiscuously. It is obvious that there is a problem, as malware tries to hide itself.

    2. You have used some quite respectable detection tools for all sorts of malware and they have found nothing? All I can suggest there is that you review the settings and run them again. Make sure that heuristic detection is set to maximum and that you enable "detect security threats" where that is available (A-Squared I think?).

    That last setting will detect stuff like John the Ripper, nmap, Cain & Abel, and so on, which are NOT malware but would be malicious if you had not installed them yourself. That may throw up a password revealer.

    3. I am afraid that I am starting to lean towards Morgana~'s way of thinking: that you have some sort of corruption or conflict. Please do not misunderstand me, Morgana~ is a very astute analyst and I would generally follow her line of thought, were it not that the only solution is to save your stuff, reformat and reinstall.................which is a pain?

    4. If you cannot get into safe mode, this also implies a corruption situation to me. OK I know some malware does this, but it really advertises itself when it does so. Stuff that crude should have been detected in the scans that you have run.

    5. So, my conclusion is that unless you have some weird setting that I am totally unaware of, you would be best served by biting the bullet and reinstalling your operating system.

    I presume that you have already tried restore and repair to no avail?

    sandcraft

    I think that you misunderstand me old chap. I already clearly stated that without physical security there is NO security. My comment was that there was a degree of protection in that no one would bother to CRACK the existing password, they would just reset it............which is what NT admins do anyway?...........unless you are envisaging some sort of MI5/MI6/GCHQ "fit up"?

    I can tell you that in the defence/security sectors we use removable hard drives, so your little CD is useless.

    It is also useless with some laptops............just set the boot password, admin password and the HDD password. The first two are on an independent EEPROM chip (probably a 24C) and the last is on the HDD, which is encrypted. OK, I know how to, and have, circumvented the first two, but the last one is a killer.

#25 .:front2back:.
    Howdy.

    Just a thought, but have you tried to Clear the Page File at System Shutdown?

    Default settings allow process memory files to be paged to the hard disk in clear text form at shutdown. Although this allows more rapid recovery of this information the next time the system is started, it's a great place for an intruder to look for any sensitive information, and it is displayed in plain text form.

    To clear the Page File at shutdown, follow this procedure:

    1. Click Start, go to Settings and open the Control Panel.

    2. Open 'Administrative Tools' and choose 'Local Security Policy', followed by 'Local Policies' in the left pane, and then 'Security Options'.

    3. In the right pane, right-click on 'Clear virtual memory pagefile when system shuts down', left-click 'Security', and choose 'Enabled'.

    4. Left-click 'OK' to save your settings, and close all open windows.

    Then do a restart of the system and see if that clears it up.

    And if the above does not work, then this should definitely work.


    1. Place your Windows XP CD in your CD-ROM drive and start your computer (it's assumed here that your XP CD is bootable, as it should be, and that you have your BIOS set to boot from CD).

    2. Keep your eye on the screen messages for booting from your CD. Typically, it will be "Press any key to boot from CD".

    3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.

    4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now

    5. The Licensing Agreement comes next - Press F8 to accept it.

    6. The next screen is the Setup screen which gives you the option to do a Repair.

    It should read something like “If one of the following Windows XP installations is damaged, Setup can try to repair it”

    Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.

    7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.

    8. Shortly after the Copying Files stage, you will be required to reboot (this will happen automatically; you will see a progress bar stating "Your computer will reboot in 15 seconds").

    9. During the reboot, do not make the mistake of “pressing any key” to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.

    10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.

    11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.

    12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for a password. After you've made your changes, close the windows, exit the command box and continue on with the Repair (have your Product Key handy).

    13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.
    f2B
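As an added example (not code from the thread or from its author), the PowerShell below audits the two settings that the post above ends up touching: the registry value behind "Clear virtual memory pagefile when system shuts down", and the automatic-logon state that "log on without being asked for a password" in control userpasswords2 switches on. It assumes an elevated PowerShell session and the standard Memory Management and Winlogon registry keys; the function names are this example's own.

```powershell
# Added example, not from the original thread.
# Audits (and can fix) two Windows settings:
#   1. ClearPageFileAtShutdown - the value behind the Local Security Policy
#      setting "Clear virtual memory pagefile when system shuts down".
#   2. AutoAdminLogon          - what "log on without being asked for a
#      password" in control userpasswords2 turns on.
# Assumes an elevated PowerShell session (HKLM writes need it).

$MemMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-PageFileClearing {
    # $true when the pagefile is overwritten at shutdown. An absent value
    # behaves like 0: the pagefile survives a shutdown untouched.
    $p = Get-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.ClearPageFileAtShutdown -eq 1)
}

function Enable-PageFileClearing {
    # Same effect as enabling the policy in Local Security Policy. Shutdown
    # takes longer because the whole file is overwritten, and the change only
    # applies from the next shutdown onwards.
    Set-ItemProperty -Path $MemMgmt -Name ClearPageFileAtShutdown -Value 1 -Type DWord
}

function Get-AutoLogonState {
    # AutoAdminLogon is a REG_SZ holding "1" when enabled. A DefaultPassword
    # value, if present, is the logon password in plain text, readable by
    # anyone who can read HKLM. control userpasswords2 itself stores the
    # password as an LSA secret rather than here, so an empty DefaultPassword
    # does not by itself mean automatic logon is off; AutoAdminLogon does.
    $p = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon              = ($null -ne $p -and "$($p.AutoAdminLogon)" -eq '1')
        DefaultUserName             = $p.DefaultUserName
        PlaintextPasswordInRegistry = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Disable-AutoLogon {
    # Turn automatic logon off and remove any plaintext password left behind.
    Set-ItemProperty -Path $Winlogon -Name AutoAdminLogon -Value '0' -Type String
    Remove-ItemProperty -Path $Winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
}

# --- report ------------------------------------------------------------------
$pf = Get-PageFileClearing
$al = Get-AutoLogonState

"ClearPageFileAtShutdown              : $pf"
"AutoAdminLogon                       : $($al.AutoAdminLogon) (DefaultUserName: $($al.DefaultUserName))"
"Plaintext DefaultPassword in registry: $($al.PlaintextPasswordInRegistry)"

if (-not $pf) {
    Write-Warning 'Pagefile is not cleared at shutdown; run Enable-PageFileClearing to change that.'
}
if ($al.AutoAdminLogon) {
    Write-Warning 'Automatic logon is enabled; run Disable-AutoLogon on a shared or portable machine.'
}
```

Run it once to see the current state, then call Enable-PageFileClearing or Disable-AutoLogon as needed. Neither setting helps against the repair-install walkthrough itself: anyone with the install CD and the ability to boot from it can reset the password regardless, which is the physical-security point nihil makes earlier in the thread.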

#26 Junior Member (joined Feb 2006; 14 posts)
    Originally posted here by nihil
    Hi rck

    Did EWIDO find anything?
    Well, yes. 709.278 objects, 8.659 infected. Hmmm.

    Will post a follow-up, just came home from my office to see this result.

    -edit- most of them are tracking cookies, except one. EWIDO thinks one of my Photoshop pattern files is a trojan (?)

#27 Elite Hacker (joined Mar 2003; 1,407 posts)
    Originally posted here by .:front2back:.
    Howdy.

    Are you using the default login screen, the blue one that says welcome?
    If so, then you've been hit with a trojan that puts up a fake welcome screen, thus your password is seen in plain text and then stored. Once you connect to the internet it sends your credentials via email.


    cheers
    f2B
    Why would a trojan give itself away so easily? I believe you; it just seems strange to me.

#28 nihil (Super Moderator: GMT Zone)
    Originally posted here by rck
    Well, yes. 709.278 objects, 8.659 infected. Hmmm.
    Please be a trifle cautious, old chap; some of these tools are "over-sensitive".

    I actually posted a warning about A-Squared a few days ago.................it is OK now, folks, they have fixed it and version 2.0 is available..............still free to private users.

    I am not involved with ANY free software that I might suggest, other than possibly as a beta tester; I certainly receive NO remuneration.

    rck

    Try just renaming that one for the moment, and see what happens?