Windows Loginpassword shown

[nihil]

Hi,

I've also noted, that safe mode just hangs for me, it's not working.

That is NOT good news, and certainly points to the reformat and reinstall route

You might have one last shot with EWIDO:

http://www.ewido.net/en/

There is a 14 day trial of the whole thing, but you can update and use the on demand scanner after that.

[sandcraft]

Originally posted here by nihil
Not quite true. A strong Windows password would take an inordinate amount of time to crack, so a thief will just reset it. That provides you with a good line of defence if the machine is used for something illegal. It would provide "reasonable doubt" and could generally be forensically proven.

For the average Joe, but I can own that thing in the time it takes to boot Austrum Latvijas Linukss and type three commands. Always plan for the worst case scenario and use strong encryption on any sensitive information stored locally.

[rck]

Sandcraft, this is not quite my scenario. At home, my password mostly serves the purpose that my visitors cannot easily enter my PC while I'm not in the same room monitoring them. This is mainly true for people I don't know about.

So my problem is, that my login password is visible to ANYONE standing next to me. And asking them for "uh, could you turn around, my password is shown" isn't exactly implying a good sense of security / "knowing what's going on" on my side.

My company notebook is a different story. We have a strict password-policy there and a help-line that would guide us through problems like this one. I don't have such a help-line at home. I rely on advice like yours to build up a good opinion about the current situation.

[nihil]

Hi rck

Did EWIDO find anything? I am afraid that I am starting to run out of ideas so I will summarise on my thinking so far (such as the process might be described as "thought" )

1. Your password is displayed as plain text. I have never actually seen that without using a tool to do it. If that is malware/spyware it is not working properly as it is advertising itself totally promiscuously? It is obvious that there is a problem, as malware tries to hide itself.

2. You have used some quite respectable detection tools for all sorts of malware and they have found nothing? All I can suggest there is that you review the settings and run them again. Make sure that heuristic detection is set to maximum and that you enable "detect security threats" where that is available (A-Squared I think?).

That last setting will detect stuff like John the Ripper, nmap, Cain & Abel, and so on, which are NOT malware but would be malicious if you had not installed them yourself. That may throw up a password revealer.

3. I am afraid that I am starting to lean towards Morgana~'s way of thinking, and that you have some sort of corruption or conflict. Please do not misunderstand me, Morgana~ is a very astute analyst and I would generally follow her line of thought, were it not that the only solution is save your stuff, reformat and reinstall.................which is a pain?

4. If you cannot get into safe mode, this also implies a corruption situation to me. OK I know some malware does this, but it really advertises itself when it does so. Stuff that crude should have been detected in the scans that you have run.

5. So, my conclusion is that unless you have some weird setting that I am totally unaware of, you would be best served by biting the bullet and reinstalling your operating system.

I presume that you have already tried restore and repair to no avail?

sandcraft

I think that you misunderstand me old chap. I already clearly stated that without physical security there is NO security. My comment was that there was a degree of protection in that no one would bother to CRACK the existing password, they would just reset it............which is what NT admins do anyway?...........unless you are envisaging some sort of MI5/MI6/GCHQ "fit up"?

I can tell you that in the defence/security sectors, we use removable hard drives so your little CD is useless

It is also useless with some laptops............just set the boot password, admin password and the HDD password. The first two are on an independent EEPROM chip (probably a 24C) and the last is on the HDD which is encrypted. OK I know how to, and have circumvented the first two, but the last one is a killer

[.:front2back:.]

Howdy.

Just a thought, but have you tried to Clear the Page File at System Shutdown

Default settings allow process memory files to be paged to the hard disk in clear text form at shutdown. Although this allows more
rapid recovery of this information the next time the system is started, it’s a great place for an intruder to look for any sensitive
information, and it is displayed in plain text form.

To clear the Page File at shutdown, follow this procedure:

1.Click Start and go to settings and open the Control Panel

2.Open ‘Administrative Tools, and choose ‘Local Security Policy’ followed by ‘Local Policies’ in the left pane, and then ‘Security Options’

3.In the right pane, right click on ‘Clear virtual memory pagefile when system shuts down’ , left click ‘Security’, and choose ‘Enabled’

4.Left click ‘OK’ to save your settings, and close all open windows.

Then do a restart of the system and see if that clears it up.

And if the above does not work then this should defiantly work.

1. Place your Windows XP CD in your cd-rom and start your computer (it’s assumed here that your XP CD is bootable – as it should be - and that you have your bios set to boot from CD)

2. Keep your eye on the screen messages for booting to your cd Typically, it will be “Press any key to boot from cd”

3. Once you get in, the first screen will indicate that Setup is inspecting your system and loading files.

4. When you get to the Welcome to Setup screen, press ENTER to Setup Windows now

5. The Licensing Agreement comes next - Press F8 to accept it.

6. The next screen is the Setup screen which gives you the option to do a Repair.

It should read something like “If one of the following Windows XP installations is damaged, Setup can try to repair it”

Use the up and down arrow keys to select your XP installation (if you only have one, it should already be selected) and press R to begin the Repair process.

7. Let the Repair run. Setup will now check your disks and then start copying files which can take several minutes.

8. Shortly after the Copying Files stage, you will be required to reboot. (this will happen automatically – you will see a progress bar stating “Your computer will reboot in 15 seconds”

9. During the reboot, do not make the mistake of “pressing any key” to boot from the CD again! Setup will resume automatically with the standard billboard screens and you will notice Installing Windows is highlighted.

10. Keep your eye on the lower left hand side of the screen and when you see the Installing Devices progress bar, press SHIFT + F10. This is the security hole! A command console will now open up giving you the potential for wide access to your system.

11. At the prompt, type NUSRMGR.CPL and press Enter. Voila! You have just gained graphical access to your User Accounts in the Control Panel.

12. Now simply pick the account you need to change and remove or change your password as you prefer. If you want to log on without having to enter your new password, you can type control userpasswords2 at the prompt and choose to log on without being asked for password. After you’ve made your changes close the windows, exit the command box and continue on with the Repair (have your Product key handy).

13. Once the Repair is done, you will be able to log on with your new password (or without a password if you chose not to use one or if you chose not to be asked for a password). Your programs and personalized settings should remain intact.

f2B

[rck]

Originally posted here by nihil
[B]Hi rck

Did EWIDO find anything?

Well, yes. 709.278 objects, 8.659 infected. Hmmm.

Will post a follow-up, just came home from my office to see this result.

-edit- most of them tracking cookies except one. EWIDO thinks, one of my Photoshop-pattern files is a trojan (?)

[skiddieleet]

Originally posted here by .:front2back:.
Howdy.

Are you using the default login screen, the blue one that says welcome?
If so then you've been hit with a trojan that puts up a fake welcome screen thus your password is seen in plain text, and then stored. Once you connect to the internet it sends your credentials via email.


cheers
f2B

Why would a trojan give itself away so easily? I believe you, it just seems strange to me.

[nihil]

Well, yes. 709.278 objects, 8.659 infected. Hmmm.

Please be a trifle cautious old chap, some of these tools are "over sensitive"

I actually posted a warning about A-Squared a few days ago.................it is OK now folks, they have fixed it and version 2.0 is available..............still free to private users

I am not involved with ANY free software that I might suggest, other than possibly as a beta tester ; I certainly receive NO remuneration

rck

Try just renaming that one for the moment, and see what happens?