So I work in IT for a school district and the other day I got a call from my boss saying that a computer was reporting a virus. So I go to look at it and the first thing I notice is that the login screen looks different. It still looks like a Windows 7 login screen but with a couple of added features that I didn't recognize. Anyway, I disregarded it and went about normal procedure. I restored the hard drive to about a month ago and ran a virus scan which came up with a few flagged files that I got rid of. I was just about to put this computer back, but the login screen keeps troubling me. I have done extensive googling and I have found nothing that looks like it. So I just wanted to get you guys' opinion before I put it back. The computer is running Windows 7 Professional and it is connected to an Active Directory domain.
Yeah that looks like a login grabber that was lazily done.
Did you notice that XP style button? :P
@almightykingofgeeks Probably should have whoever has used the machine change their passwords
That's my red flag.
Ok yeah, that's what I thought. The real question now is how do I get rid of it. The rollback and the antivirus software didn't help. The only thing I can think of is reinstalling Windows. And for the passwords it's not that difficult. All the students have a randomly generated password that is used for multiple things besides this, like Gmail and another server account. The admin password might be a bit easier to change, though, since it's only on those 30 machines. I'll just discuss it with my boss.
Sometimes a reinstall is the best thing to do.
You don't use Active Directory or the like?
Yeah a reinstall is likely the best option.
Run Wireshark on another machine and enter some bogus passwords to see if it phones home and where.
This sort of thing is why reinstall is pretty much the go-to option when a computer has been compromised. There are a few key points in your story.
- A computer was reporting a virus. Not the user.
- The virus was caught by the anti-virus that you use. When you rolled back 1 month, the anti-virus detected nothing, but the login screen still looks like this.
This tells us two important things.
- The virus and the login screen are not related.
- The user has been using the computer this way for over a month, and thought nothing of it.
If your institution hasn't done anything to alter the login screen, it's time to consider sending out that screenshot to the staff to alert you immediately if their login screen looks like that.
This is a not too uncommon tactic for snarfing up usernames and passwords. Have an application that looks like the Windows login screen (hell, it could even be a website that puts your browser in full screen mode), rebind Win+L to launch your application, and then pick your favorite delivery method and start collecting information. Never, ever, ever, ever, ever, ever use Win+L to lock your computer.
Consider that this machine, and perhaps others, may have been compromised for the last month at least. But make sure you cover the basics first. Is this weird login screen the result of some stupid piece of software that thinks it's doing you a favor? Has anyone else in your department seen this login screen? What about the user? When did they first notice this login screen? Oftentimes you'll get the shoulder shrug and a "It's been like this for as long as I remember using the computer," but you may get lucky and get a "Oh, about two months ago. I thought maybe it was new software that IT rolled out," or a "That comes with my favorite torrent client."
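A defender-side check for the situation this post describes, added here as an example and not code from the thread or from any of the posters: it audits the three places on a Windows 7 box that a replacement logon screen would have to touch (the registered credential providers and filters that draw the logon tiles, the DisableLockWorkstation policy that affects Win+L, and the Winlogon Shell/Userinit values), so an unfamiliar screen can be attributed to a signed vendor component or flagged for a reimage. The registry paths are standard Windows ones; the "REVIEW" labelling, the list layout, and the assumption that stock providers live under System32 are this example's own choices.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the suspect machine. Collects findings into a list and prints
# the ones marked REVIEW first.
$findings = @()

# 1. Credential providers and filters. On Windows 7 every logon tile is drawn
#    by a COM DLL registered under these keys; the CLSID resolves to the DLL
#    through InprocServer32. Vendor fingerprint/smart-card providers show up
#    here legitimately; anything unsigned or outside System32 gets flagged.
$cpRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
)
foreach ($cpRoot in $cpRoots) {
    foreach ($key in Get-ChildItem -Path $cpRoot -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $name   = (Get-ItemProperty -Path $key.PSPath).'(default)'
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -Path $inproc) {
            $raw = (Get-ItemProperty -Path $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
        }
        $note = 'REVIEW: no DLL path registered for this CLSID'
        if ($dll -and (Test-Path -Path $dll)) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            $inSystem32 = $dll -like "$env:SystemRoot\System32\*"   # assumption: stock providers live here
            $note = "signature=$($sig.Status); signer=$signer"
            if ($sig.Status -ne 'Valid' -or -not $inSystem32) { $note = "REVIEW: $note" }
        } elseif ($dll) {
            $note = 'REVIEW: registered DLL is missing on disk'
        }
        $findings += [pscustomobject]@{
            Area   = 'CredentialProvider'
            Item   = "$name ($clsid)"
            Detail = $dll
            Note   = $note
        }
    }
}

# 2. Win+L. The DisableLockWorkstation policy stops Win+L from locking the
#    real session, which is the state a fake lock screen needs so that its
#    own hotkey can take over. Check the machine and the current-user policy.
foreach ($hive in 'HKLM', 'HKCU') {
    $polKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $polKey -Name DisableLockWorkstation -ErrorAction SilentlyContinue).DisableLockWorkstation
    $note = if ($val -eq 1) { 'REVIEW: workstation locking disabled by policy' } else { 'locking enabled' }
    $findings += [pscustomobject]@{ Area = 'LockPolicy'; Item = "$hive DisableLockWorkstation"; Detail = $val; Note = $note }
}

# 3. Winlogon. Shell and Userinit decide what runs when a session starts, so a
#    replacement login UI is often launched from here. Compare to stock values.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # stock value keeps the trailing comma
}
foreach ($valueName in $expected.Keys) {
    $actual = $wl.$valueName
    $note = if ($actual -ieq $expected[$valueName]) { 'stock value' } else { "REVIEW: expected '$($expected[$valueName])'" }
    $findings += [pscustomobject]@{ Area = 'Winlogon'; Item = $valueName; Detail = $actual; Note = $note }
}

# REVIEW items sort first ($false sorts before $true).
$findings | Sort-Object { $_.Note -notlike 'REVIEW*' } | Format-Table -AutoSize -Wrap
```

A vendor logon screen of the kind mentioned later in the thread shows up as a credential provider DLL with a valid signature from that vendor, which is the quickest way to tell it apart from something that was dropped on the machine. Anything marked REVIEW is a reason to keep the box off the domain and reimage it rather than to try cleaning it, and the same script run on a known-good machine from the same batch gives a baseline to compare against.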
Wait, what's the process that deals with the login screen...
I don't remember.
I just want to pat whoever wrote this on the head and say, "You tried." lol
and succeeded for a month apparently...
Have you tried booting into safe mode?
There's a couple of brands that have their own baked-in logon screens. Lenovo and Fujitsu are the first that come to mind, and that logon screen looks like the Fujitsu one.
That said, if it was reporting a virus, just format and reinstall.
HP does the same on 7 for their fingerprint readers and CAC login methods. I worked at a DoD contractor for a bit; they used CAC and needed a custom-baked login system to handle the login system. If only Windows used PAM...
Yeah, the Fujitsu laptops we used at my last job had some really crazy security software that took over all of the login screen, even after I joined the laptops to the domain. IIRC they even had the green button like OP's picture.
They had face recognition and fingerprint as well, which is probably the reason behind the enhanced security software, though.
I imagine most vendors have something similar.
I think it depends if Windows supports all the auth methods that the vendor wants. Windows 10 is getting much better about this, so I'd say we'll see this less and less going forward.