System installations with non admin account.

[ngboot]

I work in a computer lab for my university. The computers have all been set up now to require us students to logon to the domain, using our student ids. Our birthday is our password by default, but we can have it changed. When we logon to the workstations we have limited accounts, but whatever we download to that workstation, will save on that workstation - no deepfreeze.

Whatever changes we make on the system will only affect our account, that's the jist of it.

Someone has managed to do a system wide install, so their files and spywares, etc are affecting my productivity. Sure I can just change workstations, but I want to know how this works. I'm gonna get back in there and try to see what's going on.

[nihil]

OK mate, you don't say which OS but I would guess Win2000 or XP?

So, you will login to your account and presumably be authenticated by the server? this then lets you use the workstation, which I presume has your user profile on it?

A quick guess is that the attack is coming through the default user profile that loads for anyone logging into the machine?

What happens if you unplug the desktop from the network? can you still login as a local user?

[jockey0109]

@nihil: Since he is talking about domains, the primary OS that will be used will be either Win2000 or Win XP (leaving the integration of Linux in a Windows network). Once again, a system wide install which has some sort of spyware or other virus increases the chancesof the OS belonging to the Windows family!

@ngboot: I am not sure how your domain has been setup and how everything works. But keeping it simple, I would say that a system wide change can be made only by an administrator. Now, if the admin had installed (or has allowed) some virus or other spyware, the virus/spyware at the time of installation had full privileges and must have infected as many parts of the OS as it could. Of course the primary target is as said by nihil, the DEFAULT user profile. You can check the startup settings from the registry from HKU/.default . I think that something must be present there. If it is not, i would request you to kindly tell what type of disturbances does it create to you. This would help someone zero down on the error.