Unicode Popup Window prior to CTL-ALT-DEL window

There are a few systems exhibiting a unique behavior. Where as you normally
see the CTL-ALT-DEL "window" to login first, these systems are showing a
window (white with blue border, OK button) with various (random?) unicode
characters in the window - usually 5-7 characters. Once you click on the
"OK", the normal login screen (CTL-ALT-DEL) is presented.

-full sophos AV check completed with nothing found
-Microsoft malware & spyware utilities run and check clean
-Ad-Aware ran and clean

The system was placed on a isolated network, and monitored for external
access attempts (my initial thinking was a keystroke logger trojan) but it
has not once attempted to "talk" on the network. I did launch IE, thinking
maybe it used a kick-start, but no irregular traffic was identified (by
reviewing capture).

The window does not appear on every login, or reboot. "Autoruns" was run
but nothing was identified as out of the ordinary in the startup of the
system.

A list of files used prior to the login screen being offered may help in
identifying the process that is instigating this window.

I've compared web activity across the systems and nothing in common (such as
a common web site visited).

Any body see this, or have ideas on how to proceed?

Sounds like someone set a logon banner. Run secpol.msc from the command
prompt, and check "Interactive logon: Message text........"
Chris


"flynhi-at-oregon" <flynhi-at-oregon@discussions.microsoft.com> wrote in
message news:82692621-F821-4060-9F4A-628E327A9F21@microsoft.com...
> There are a few systems exhibiting a unique behavior. Where as you
> normally
> see the CTL-ALT-DEL "window" to login first, these systems are showing a
> window (white with blue border, OK button) with various (random?) unicode
> characters in the window - usually 5-7 characters. Once you click on the
> "OK", the normal login screen (CTL-ALT-DEL) is presented.
>
> -full sophos AV check completed with nothing found
> -Microsoft malware & spyware utilities run and check clean
> -Ad-Aware ran and clean
>
> The system was placed on a isolated network, and monitored for external
> access attempts (my initial thinking was a keystroke logger trojan) but it
> has not once attempted to "talk" on the network. I did launch IE,
> thinking
> maybe it used a kick-start, but no irregular traffic was identified (by
> reviewing capture).
>
> The window does not appear on every login, or reboot. "Autoruns" was run
> but nothing was identified as out of the ordinary in the startup of the
> system.
>
> A list of files used prior to the login screen being offered may help in
> identifying the process that is instigating this window.
>
> I've compared web activity across the systems and nothing in common (such
> as
> a common web site visited).
>
> Any body see this, or have ideas on how to proceed?
>
>

"Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
news:ef0hZpWcFHA.3184@TK2MSFTNGP15.phx.gbl...
> Sounds like someone set a logon banner. Run secpol.msc from the command
> prompt, and check "Interactive logon: Message text........"
> Chris

The fabled: w32.grrr@admin.s virus

--
- Mark Randall
http://zetech.swehli.com

This is not set.

"Mark Randall" wrote:

> "Chris Weber [Security MVP]" <chris@dev.nul> wrote in message
> news:ef0hZpWcFHA.3184@TK2MSFTNGP15.phx.gbl...
> > Sounds like someone set a logon banner. Run secpol.msc from the command
> > prompt, and check "Interactive logon: Message text........"
> > Chris
>
> The fabled: w32.grrr@admin.s virus
>
> --
> - Mark Randall
> http://zetech.swehli.com
>
>
>