Sounds like you might possibly have a rootkit of some sort on the workstation. In that case the following sites have great resources for detecting many of the more well known rootkits:
http://www.systernals.com (RootkitRevealer, ProcExp, TCPView)
http://www.rootkit.org (General infor and some specialized rootkit detection tools)
http://www.foundstone.com (fport and other assorted tools)
My personal opinion would be to just backup the hard drive. Re-setup the PC (format then reinstall) and restore any data, but make sure to only restore data and not anything that might re-compromise the PC.
________________________________________________
Stephen Bogdanski Network Support, MSU-CVM
Michigan State University [log in to unmask]
A227 VetMed Center Phone: (517) 353-5551
East Lansing, MI 48824 Fax: (517) 432-2937
>>> Loren LaLonde <[log in to unmask]> 12/20/05 11:02AM >>>
Is there a VNC service installed on the workstation? Maybe a PcAnywhere
installation?
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of David K McFarlane
Sent: Tuesday, December 20, 2005 11:01 AM
To: [log in to unmask]
Subject: [MSUNAG] Windows Logon Type 2
We have an intruder repeatedly breaking in to a main office
computer(deleting firewalls & antivirus, enabling telnet, installing pirated
movies, etc.). The most recent incident was Thursday night/Friday morning.
The Windows XP security log shows a logon type 2 early Friday morning. This
is supposed to mean a console logon, which would mean that the intruder was
in the office directly at the keyboard of the attacked computer, instead of
breaking in over the network.
Question: Is there any other way to get a logon type 2 in the security log?
Or let's take a poll: How many of you think that our intruder is coming in
the door, and how many think he is coming over the network?
-- David McFarlane
Systems Designer
Michigan State University, Dept. of Psychology
[log in to unmask]
