Sounds like you might possibly have a rootkit of some sort on the workstation. In that case the following sites have great resources for detecting many of the more well known rootkits:

http://www.systernals.com (RootkitRevealer, ProcExp, TCPView)
http://www.rootkit.org (General info and some specialized rootkit detection tools)
http://www.foundstone.com (fport and other assorted tools)

My personal opinion would be to just back up the hard drive. Re-setup the PC (format then reinstall) and restore any data, but make sure to only restore data and not anything that might re-compromise the PC.

________________________________________________
Stephen Bogdanski
Network Support, MSU-CVM
Michigan State University
[log in to unmask]
A227 VetMed Center        Phone: (517) 353-5551
East Lansing, MI 48824    Fax: (517) 432-2937

>>> Loren LaLonde <[log in to unmask]> 12/20/05 11:02AM >>>
Is there a VNC service installed on the workstation? Maybe a PcAnywhere installation?

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of David K McFarlane
Sent: Tuesday, December 20, 2005 11:01 AM
To: [log in to unmask]
Subject: [MSUNAG] Windows Logon Type 2

We have an intruder repeatedly breaking in to a main office computer (deleting firewalls & antivirus, enabling telnet, installing pirated movies, etc.). The most recent incident was Thursday night/Friday morning. The Windows XP security log shows a logon type 2 early Friday morning. This is supposed to mean a console logon, which would mean that the intruder was in the office directly at the keyboard of the attacked computer, instead of breaking in over the network.

Question: Is there any other way to get a logon type 2 in the security log?

Or let's take a poll: How many of you think that our intruder is coming in the door, and how many think he is coming over the network?

--
David McFarlane
Systems Designer
Michigan State University, Dept. of Psychology
[log in to unmask]
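
An added example (not part of the thread) for triaging the question above: it parses logon events from an exported Security log, lists Logon Type 2 events outside office hours, and shows the other logon events close in time. The sample lines, the one-event-per-line export layout, the office-hours window and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, time

# Logon Type values Windows records in logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: one event per line (date, time, event ID, flattened
# description), in the shape of an exported XP Security log.
SAMPLE = """\
12/15/2005 08:02:11 528 User Name: frontdesk Logon Type: 2 Logon Process: User32
12/15/2005 23:40:07 540 User Name: ANONYMOUS LOGON Logon Type: 3 Logon Process: NtLmSsp
12/16/2005 02:17:45 528 User Name: Administrator Logon Type: 2 Logon Process: User32
12/16/2005 02:31:02 528 User Name: Administrator Logon Type: 10 Logon Process: User32
"""

LINE = re.compile(r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (?P<id>\d+) "
                  r"User Name: (?P<user>.+?) Logon Type: (?P<type>\d+) "
                  r"Logon Process: (?P<proc>\S+)")

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a logon event in the assumed layout
        t = int(m["type"])
        events.append({"when": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
                       "event_id": int(m["id"]), "user": m["user"], "type": t,
                       "kind": LOGON_TYPES.get(t, "Unknown"), "process": m["proc"]})
    return events

def off_hours_console_logons(events, start=time(7, 0), end=time(19, 0)):
    """Type 2 logons outside [start, end): console sessions to account for."""
    return [e for e in events
            if e["type"] == 2 and not (start <= e["when"].time() < end)]

def logons_near(events, target, minutes=30):
    """Other logon events within `minutes` of `target`, for context."""
    return [e for e in events if e is not target
            and abs((e["when"] - target["when"]).total_seconds()) <= minutes * 60]

if __name__ == "__main__":
    evs = parse(SAMPLE)
    for hit in off_hours_console_logons(evs):
        print(hit["when"], hit["user"], hit["kind"], hit["process"])
        for ctx in logons_near(evs, hit):
            print("   nearby:", ctx["when"], ctx["user"], ctx["kind"])
```

Remote-control software that shares the console session (the VNC or PcAnywhere case raised in the thread) can also result in a type 2 entry, so a hit here calls for checking installed services as well as physical access.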