General Registry question, not sure I am in the right place??

Discussion in 'other software & services' started by lost&confused, Jan 18, 2006.

Thread Status:
Not open for further replies.
  1. lost&confused

    lost&confused Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    12
    Hi ya'll,
    First off, in case you need to know, I have a Dell Inspiron laptop with DSL and it runs Windows XP.
    My son was using my computer in ways I had no clue of. He had put on some sort of ghost program so everything he did was hidden. Security logs showed he would log on for 6 seconds and then sign off. He had a limited account with controlled access by my settings on my computer, and yet he was able to download and change program settings. He denies doing anything and says that I am "paranoid".
    Thanks to the security group here, I did a clean windows reinstall, so whatever he had on here is gone. But he is claiming innocence, that he never used the computer except to check email.
    I am trying to figure out some "proof" to be able to stand up to him with (I am a wuss). When I was figuring out something was wrong, I noticed that the registry listed both administrator and administrators. When I did a safe mode boot, "administrators" would show up with the icon of a kid on a skateboard, yet every other administrator icon I have seen that's by default is the chess pieces. When I would try and enter the tech areas of Dell from his account, I couldn't access them, and yet he had all sorts of temp files from them.
    When I did the clean reboot, I kept a couple files that showed that he changed some settings in July. The reason I kept them is that they had the same date as most files that had to do with configuration did. I also know that whatever he had on here, it took up so much space that I kept running out of virtual memory.
    I decided that he had a partition when I (a) found a shortcut to command prompt in his documents, and (b) when I ended up in this weird twilight zone kind of place with a safe boot one time. He and the administrator with the skateboard were the only 2 that existed in this other area.
    I was crying and asking if he knew what I could do to get my stuff back, and all he did was look at me with a flat face and tell me that I could get the pictures of my grandson back from my son again, so it wasn't a big deal. I took it to a computer person and she said I had a spy program on called hotkey, and that she had taken it off. She told me she couldn't tell where it came from or when it was put on, yet she also told me a half a dozen times that she couldn't believe how fast I had found it.
    I am just really confused, is there any chance he is telling the truth and he never did anything but use his limited account to check emails? o_O Can a limited user turn off all the history/cookies local settings type stuff, because he had absolutely none of that in his local settings.
    The local settings had lots of users, there was: me, administrator, administrators, NT local, NT authority, Default user, All users, and me. The computer is only used by my son and myself. The guest account is turned off. Does any of this sound as suspicious to anyone else as it does me? Does XP come with a ghost program (I think it was called GhostPad, and it was in the gtny folder, which I assumed was a normal folder in XP)?
    Any help would be SOoooooooooooooooo appreciated. My son has been out of town with his job (yes, he is an adult, but he was so into porn stuff, that it got bad enough I put him on the limited account, as I won't have porn in my house) but gets home tonight. I need some sort of ammunition or I am sunk.
    Thanks for any help at all that ya'll can give me,
    just`i
    PS - I don't know if this means anything, but the security guys had me put zone alarm on for a firewall, and there was a computer that kept trying to get access to mine, until I finally told zone alarm to deny them always.
     
  2. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,400
    Location:
    California - USA
    Re: General Registry question, not sure I am in the right place??

    For goodness sake, believe in your son! Since your Inspiron most likely has a wireless connection to your DSL gateway and since ZA has already alerted you to an intruder, your recent problem was probably inflicted by someone tapping into your network. Secure it (and secure the trust between you and your son)! ~pv
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Re: General Registry question, not sure I am in the right place??

    Hello,
    Again.
    First, I must admit your post is a bit confusing.
    Now, what was before the reformat and install? Difficult to know or prove without reading lots of logs - if there are any. So this will probably leave you with a doubt.
    When you bought your pc - did it come preinstalled with OS? Sometimes, the tech guys who install the Windows do all sorts of crap in the shop, counting on unknowing users not to understand what happened. Most likely, some of these user accounts were not passworded, and this allowed your son to use them - and maybe password them himself.
    Like I told you before, you need to boot in safe mode - and password the original administrator account. Otherwise, he will be able to log in without password and create himself user accounts.
    Yours and the original acc should be passworded with a strong password. And plus, guest acc enabled / disabled if you like.
    Mrk
     
  4. lost&confused

    lost&confused Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    12
    Re: General Registry question, not sure I am in the right place??

    Hi ya'll,
    PV surfer,
    Easier to trust until said son has abused that trust, told lies in order to get money, yelled and cussed me out a few times, etc. Believe me, I wish more than anyone that I could return to that level of trust with him. I love him, very much, I just don't like his actions of late. Loving him means I have to deal with him. Which means I have to deal with his temper (he has put his fist through more than one wall) if I don't have something, anything, that I can say this could not have happened without you doing it. I am not out to get him, I am out to protect myself, that's all. Sorry I offended you.
    Mrk,
    I thought you "belonged" to the other forum, or I would have asked there. I had no clue where to ask. This whole thing didn't come up until I got a f*** you, I didn't do anything wrong, etc. email today. I had assumed (silly me) that when I had told him no computer before he left, he would expect the same thing when he got home.
    I put the BIOS passwords on, so he can't get on the computer, but that doesn't help me keep his temper in check. If I can tell him this (fill in the blank) could not have happened if you hadn't done it, then I can justify my reason to him. I know I shouldn't need to justify myself, but if it can save me from one of his rages, I will.
    I plan on keeping him off the computer if I have to take the dang thing everywhere I go. I had given him 3 chances to get his act together before the time that you know about. It would just make my life a heck of a lot easier if I just had something, anything, that I could say "you did this" that he couldn't say that it was built into the system.
    And yes, Windows came preinstalled, and yes, the system passwords weren't in place because I had no clue that such things existed. There was just a password to my account, that's all.
    Thank you again for all your help in getting the computer cleaned up. It runs a ton better, and the programs you had me download were great. The reinstall was pretty uneventful, so you did a fantastic job walking me through the whole thing.
    Everyone,
    I am sorry for being a pain in the butt. I had hoped for some sort of "it could only have been you" proof before he got home, but he is here now. So I bugged you guys for no reason. I am really very very sorry for wasting your time.
    Be Blessed.
    just`i
     