Win2K/XP: Does there happen to be malware around which can change ADMIN PASSWORD?

on 03.03.2006 18:36:15 by Andreas Eibach

Hi,

I have no time to reinstall at the moment (yes, sorry) so I'm seriously
worried about my PC's security.

Might there be any malware around able to change the password for
'Administrator'?
If so, it would require a rootkit to do so.

I was in the office from yesterday 8:30 AM in the morning until 7:30 PM
in the evening, coming home at around 9 PM.

I was unable to log on with Administrator, and
c:\winnt\system32\config\SAM showed 03/02/2006, 3:25PM in the
afternoon!!!

Hell, what is this? Someone hacked into my PC? You might assume this
easily, but I doubt it, as some days ago (end-january-ish) I used a
horde of gibberish for my password (even noted it down somewhere) and
was unable to log on again on 01/30/2006. 'SAM' was changed again.

Is there an easy way to monitor who might have accessed my account from
outside?
Or is that rubbish and the culprit is ON the machine?

Lastly, did any of you guys encounter this too?
Thanks for your time,

-Andreas

Re: Win2K/XP: Does there happen to be malware around which can change ADMIN PASSWORD?

on 06.03.2006 18:42:00 by Sebastian Gottschalk

Andreas Eibach wrote:

> Might there be any malware around able to change the password for
> 'Administrator'?

If it knew the original password, this is a trivial task. It's a default
feature of most modern malware.

> Is there an easy way to monitor who might have accessed my account from
> outside?

Yes, as well as someone can easily circumvent it.

Re: Win2K/XP: Does there happen to be malware around which can change ADMIN PASSWORD?

on 07.03.2006 20:39:16 by bournejason

> I have no time to reinstall at the moment (yes, sorry) so I'm seriously
> worried about my PC's security.
>
> Might there be any malware around able to change the password for
> 'Administrator'?
> If so, it would require a rootkit to do so.
>
> I was in the office from yesterday 8:30 AM in the morning until 7:30 PM
> in the evening, coming home at around 9 PM.
>
> I was unable to log on with Administrator, and
> c:\winnt\system32\config\SAM showed 03/02/2006, 3:25PM in the
> afternoon!!!
>
> Hell, what is this? Someone hacked into my PC? You might assume this
> easily, but I doubt it, as some days ago (end-january-ish) I used a
> horde of gibberish for my password (even noted it down somewhere) and
> was unable to log on again on 01/30/2006. 'SAM' was changed again.
>
> Is there an easy way to monitor who might have accessed my account from
> outside?

You can use the Event Viewer to view the logon events for the administrator account.

> Or is that rubbish and the culprit is ON the machine?
>
> Lastly, did any of you guys encounter this too?
> Thanks for your time,

To reset your administrator password (in case you have forgotten it), you can use third-party tools. There is one online service, http://www.loginrecovery.com/, which is pretty good at this work; I have tried it myself.
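
Added example, not part of any post in this thread: a Python sketch of the Event Viewer review suggested above, which builds a timeline for one account from an exported Security log and pairs each password change with the logon that preceded it. The event IDs are the Windows 2000/XP numbering; the export column layout, host names and sample rows are constructed assumptions, and the script only helps if logon and account-management auditing was enabled before the events happened.

```python
import csv, io, re
from datetime import datetime

# Security event IDs as numbered on Windows 2000/XP.
EVENTS = {528: "logon", 540: "network logon", 529: "failed logon",
          627: "password change attempt", 628: "password set", 642: "account changed"}
LOGON_TYPES = {"2": "interactive (at the console)", "3": "network", "10": "remote interactive"}

# Constructed sample export (assumed column layout, not the poster's log).
SAMPLE = """date,time,event,description
2006-03-02,15:24:10,529,User Name: Administrator Logon Type: 3 Workstation Name: HOST-A
2006-03-02,15:24:41,540,User Name: Administrator Logon Type: 3 Workstation Name: HOST-A
2006-03-02,15:25:02,628,Target Account Name: Administrator Caller User Name: Administrator
2006-03-02,21:05:30,529,User Name: Administrator Logon Type: 2 Workstation Name: MYPC
"""

def field(desc, name):
    """Return the single-token value that follows 'name:' in an event description."""
    m = re.search(re.escape(name) + r":\s*(\S+)", desc)
    return m.group(1) if m else None

def timeline(text, account="Administrator"):
    """Return the relevant events for one account, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        eid, d = int(r["event"]), r["description"]
        who = field(d, "Target Account Name") or field(d, "User Name")
        if eid in EVENTS and who and who.lower() == account.lower():
            rows.append({"when": datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"),
                         "event": eid, "what": EVENTS[eid],
                         "logon_type": LOGON_TYPES.get(field(d, "Logon Type")),
                         "from": field(d, "Workstation Name"), "caller": field(d, "Caller User Name")})
    return sorted(rows, key=lambda x: x["when"])

def password_changes(rows):
    """Pair each password set/change with the account's last successful logon before it."""
    out, last_logon = [], None
    for r in rows:
        if r["event"] in (528, 540):
            last_logon = r
        elif r["event"] in (627, 628):
            out.append((r, last_logon))
    return out

if __name__ == "__main__":
    for change, logon in password_changes(timeline(SAMPLE)):
        src = f'{logon["logon_type"]} from {logon["from"]}' if logon else "no prior logon recorded"
        print(change["when"], change["what"], "by", change["caller"], "after", src)
```

A password change preceded by a network-type logon points at remote access; one preceded by a console logon, or by no recorded logon at all, points at something running on the machine itself.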