
Security



#1
vernod

  • Member
  • 38 posts
I have a Toshiba laptop with Windows XP Professional. One night, I left my laptop on so I could download a few things (I just close my lid and the broadband connection remains on – when the lid is opened, there is no requirement to enter a password to log on or anything like that).

I was out of the office for a few days. But during that time, someone tried to access my laptop to print a document by inserting a pen drive into the USB port. He later claimed to a colleague that he could not access the laptop because it prompted him for a password, which is not possible normally since I did not password protect the computer when opening the lid. However, I went through the Event Viewer and noticed that Windows had downloaded and installed a security update the same night I left it on. Apparently, this required a system restart.

I thought I was lucky, because normally if the system is restarted, it will ask for a password to log on. However, when I looked at the Event Viewer in closer detail, I noticed that Windows Defender still conducted the daily scans even after the restart and when I looked at my AVG Antivirus log, it showed that the daily scheduled scans occurred even after the apparent system restart.

My questions are as follows:

1. When Windows initiates a restart, would it go to the screen where it asks me for my password or for a restart due to installation of a security update, does it take you directly to the desktop without asking for a log in password?

2. If it does ask for the password before logging in, then how can Windows Defender and AVG still run if not logged in? When I got back, I tried restarting my laptop moments before the scheduled daily AVG scan and just left the screen at the place where it prompts for the log in password (I did not enter it though). Then, after 20 minutes, I entered my password to log in to see if AVG had initiated and it turns out that it had not. Which leads me to believe that after the system was restarted due to the Windows security update, it automatically logged me back in without a password, and that is the only way AVG and Windows Defender could have run after that. If that is the case, I am worried about someone accessing my files and/or placing malicious software. I had run AVG antispyware and Panda Activescan after the incident, but it did not find anything. However, a few days later, I downloaded Spyware Doctor and it found Trojan-PWS.OnlineGames.KW which made me even more nervous.

Do I have anything to worry about?
  • 0


#2
Mike


  • Retired Staff
  • 2,745 posts
Hi there,

1. Yes, it should prompt you for your password when you press your user icon whenever the computer boots, if you had set a password for it.

2. If you are detecting a virus or are worried you may have someone accessing your computer I suggest you head over to the malware forums. Read this thread first. Following what is outlined there you will get rid of at least the majority of your malware problems. If the problem still persists post a Hijack this log HERE for the experts to analyze. If it has been 3 days and you haven't received help, post in the waiting room and someone will get to you.
  • 0

#3
vernod

  • Topic Starter
  • Member
  • 38 posts
Hi Suerte,

My comments:

1. Well, if it did go back to the logon screen and nobody could then access my desktop without a password, it makes things a bit better. Are you sure about this though?

2. If it did go to the logon screen as you feel, then how did AVG and Windows Defender keep running for their scheduled daily scans when I was not logged in?

Thanks,

Vern
  • 0

#4
Mike


  • Retired Staff
  • 2,745 posts
Hi, I'm getting a bit confused.

> He later claimed to a colleague that he could not access the laptop because it prompted him for a password, which is not possible normally since I did not password protect the computer when opening the lid.

> I thought I was lucky, because normally if the system is restarted, it will ask for a password to log on.



Do you or do you not have a password on your computer?

If you have a password then you should be confronted with the logon screen where you have to click your user icon and enter your password. If not, it usually (if I remember correctly, since all my comps are password protected) goes straight to the desktop if you only have one user account on that computer.

Anyway, you can test it: log on to your account and then restart. Does it bring you to the logon screen or the desktop?

About the Trojan Spyware Doctor has found: usually when an antispyware program detects a trojan it can also remove it, but with trojans there is a chance that you may be infected by other stuff, hence I really suggest you go over to the malware forums following my instructions above. This, if anything, will give you peace of mind of having the experts take a look for you, as there is not much more we can do here.

Good luck,

Mike
  • 0

#5
vernod

  • Topic Starter
  • Member
  • 38 posts
Hi Mike,

Sorry for the confusion.

When I start my computer up, it does require a password to log on and then go to the desktop.

However, when I just close the lid, and then open it later, it does not require a password.

So, if Windows initiated a restart on its own (which according to this link is possible http://www.updatexp....ic-updates.html - see third para under Installation), then is it safe to say that it would have prompted for a password to log on? If so, then it seems to be ok as nobody could have accessed anything.

By the way, my event viewer log for that date is as follows:

Logs from event viewer (Application) indicating that there was an automatic restart:

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Update for Outlook 2003: Junk E-mail Filter (KB947944): OUTLFLTR' installed successfully

The Windows Installer initiated a system restart to complete or continue the configuration of 'Microsoft Office Professional Edition 2003'.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Outlook 2003 (KB945432): OUTLOOK' installed successfully.

Product: Microsoft Office OneNote 2003 -- Configuration completed successfully.

Product: Microsoft Office OneNote 2003 - Update 'Security Update for Office 2003 (KB947355): MSO' installed successfully.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Office 2003 (KB947355): MSO' installed successfully.

Product: Microsoft Office Professional Edition 2003 -- Configuration completed successfully.

Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Excel 2003 (KB943985): EXCEL' installed successfully.

Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Windows saved user ADMINISTRATOR\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

The Windows Security Center Service has started.

In Event Viewer, under System, it shows that Windows Defender still ran at 11 AM (scheduled time) even after the restart (around 3AM the same day). How did that happen if I was not logged in?

Thoughts?


I have also followed the malware removal guidelines and will post the log as you have suggested.


Thanks,

Vern
  • 0

#6
Ztruker


  • Technician
  • 7,065 posts
AVG and Windows Defender both run as services. They do not require someone to be logged on to do their updates.
  • 0

#7
vernod

  • Topic Starter
  • Member
  • 38 posts
Actually, Windows Defender and AVG ran their scheduled scans (not just updates)... is that also possible if not logged in?
  • 0

#8
Ztruker


  • Technician
  • 7,065 posts
Yes, as I mentioned, most of what they do runs as a service so as long as the system is booted they will do their thing.
  • 0
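
The question running through this thread, whether anyone was logged on at the console between the automatic restart and the scheduled scan, can be answered from the event logs rather than inferred from the scans. The sketch below is an added example, not something posted by any participant. It assumes "Audit logon events" was enabled so that the XP Security log holds logon (528) and logoff (551) records, and every timestamp in it is constructed.

```python
from datetime import datetime

# Windows XP event IDs used here:
#   6005 (System log)   - "The Event log service was started", written at each boot
#   528  (Security log) - successful logon; logon type 2 = interactive (console),
#                         type 5 = a service starting under its account
#   551  (Security log) - user initiated logoff
BOOT, LOGON, LOGOFF = 6005, 528, 551
INTERACTIVE = 2

# Constructed sample records (not taken from the thread):
# (timestamp, event_id, logon_type or None)
SAMPLE = [
    ("2008-03-12 03:04:10", 6005, None),  # automatic restart after the update
    ("2008-03-12 03:04:55", 528, 5),      # service logon, nobody at the keyboard
    ("2008-03-14 09:15:00", 528, 2),      # owner returns and types the password
    ("2008-03-14 18:00:00", 551, None),   # owner logs off
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def interactive_session_at(events, when):
    """Return True if a console user was logged on at `when`.

    Replays the records in time order: a boot or a logoff ends any
    session, and only a type 2 logon starts one. Service logons
    (type 5) are ignored, which is why a scheduled scan can run
    while this function still reports that nobody was logged on.
    """
    cutoff = _ts(when)
    logged_on = False
    for stamp, event_id, logon_type in sorted(events, key=lambda e: _ts(e[0])):
        if _ts(stamp) > cutoff:
            break
        if event_id in (BOOT, LOGOFF):
            logged_on = False
        elif event_id == LOGON and logon_type == INTERACTIVE:
            logged_on = True
    return logged_on


if __name__ == "__main__":
    # 11 AM scan after the 3 AM restart: the machine is up, but no console session.
    print(interactive_session_at(SAMPLE, "2008-03-12 11:00:00"))
```

If the Security log contains no 528 records at all, auditing was off and the absence of logons proves nothing either way.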





