Thanks Robbert, I think I need to clarify some things. I know the name the folder had previously been the name of the perpetrators login because I see evidence of this in the "USER.DAT" file located at the root of this folder. I have no idea why the folder didn't retain it's original name. I need to identify the method used to access my PC. I need to identify what the perpetrator had access to when they logged onto my PC. I need to discern whether or not this access was authorized or intended for malicious purposes. In other words, I need to get all my ducks in a row before making any accusations. Thanks On Sun, 2002-10-06 at 06:55, Robbert Helling wrote: > run cmd, go to the documents and settings folder and do a dir, now you see > the full name, try a rename, windows is buggy with ansi chars :) > > At 15:34 5-10-2002, you wrote: > > > >Hi, > > > >The other day I noticed a strange folder had been created > >on my W2K Pro machine at work. > > > >The folder had been created in C:\Documents and Settings and > >didn't have an account name but four or five odd looking square > >block characters instead. When I right click on the folder and > >choose "properties", it displays the name as "rrrrr". When I click > >on the "Security" tab, it shows my account with "Full" access and > >somebody else who shouldn't have access to my PC with "Full" access. > >I don't know who this person is but they aren't located in our office > >and wouldn't have physical access to my PC. > > > >I had previously restricted access to my machine to only myself and > >the administrator account. No other account besides administrator or > >my account has access to C:\ or any other drives. > > > >I religiously keep my PC up to date on all security patches. > > > >I had security logging turned on and it shows where this person connected > >to my machine via NTLM on the same day the weird folder was created > >but it doesn't show anything other than the logon/logoff session was > >successful. > > > >Has my account/PC been compromised? > > > >AFAIK, the only way a new folder would be created in C:\Documents and > >Settings\ > >is for "first time" logins. > > > >Can anyone help clear this up for me? > > > >Thanks > > > > > >---------------------------------------------------------------------------- > >This list is provided by the SecurityFocus ARIS analyzer service. > >For more information on this free incident handling, management > >and tracking system please see: http://aris.securityfocus.com > -- Maryel brought her bat into Exit once and started whacking people on the dance floor. Now everyone's doing it. It's called grand slam dancing. -- Ransford, Chicago Reader 10/7/83 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Oct 06 2002 - 13:54:58 PDT