I am getting suspicious that my PC might have been accessed by someone unauthorized. Like I am seeing my bookmarks of browser getting changed etc etc.
So, what can I do to monitor my PC activity? I am using Windows 7 but I would like to know what Linux users could do in this case.
Don't mention changing password or simple suggestions. I am looking for some tool or a way to monitor the activities of my PC. A log(file) basically.
Basically, you can't know this (not for certain) without a full audit of the PC. By definition, someone who has control of your PC has control of what you see on the PC.
What you can do to be reasonably sure, is examine (root kit scan, virus scan, check for files you didn't install / create, etc.) the PC using a Linux live CD, since it bypasses what's on the computer when booting. Don't trust a windows live CD for this; the unofficial sources that windows live CDs come from, along with issues like autorun, make that unreliable.
Alternatively to a live CD, check the network traffic going in/out of the machine externally from the machine itself. In other words, look to your router, or put a hub or a network tap (not a switch) between the machine and the rest of the network, then examine the packets going back and forth, the protocols being used, the ip addresses / domains being accessed, ports being contacted, etc. Ideally, you do this with a cable that only allows traffic 1 way (i.e, has its return wires cut), so that the machine examining the traffic can't be compromised too. Wireshark is the kind of tool you want for actually examining the traffic from a PC/laptop.
If the machine you actually want to check is a virtual machine, that's much easier -- just run wireshark on the host and examine the appropriate (usually virtual) interfaces, or scan the virtual partition (perhaps after converting it to a raw file or mounting it with the linux/unix noexec flag, and no autorun-like features active) from the host.
BUT, having said all that, if it gets so far that you can't trust your machine any more, you should probably just consider it toast and start over: Reinstall the machine, then check and restore the DATA (NOT programs; make sure your backups separate the two).
Really, you want to have proper privilege separation and control over apps: non-admin rights on your normal user account, two-way (in AND out) firewall authorization to prevent rogue apps from just opening ports with UPNP, NoScript (the firefox plugin), Adblock, etc. In a business situation, a proper external firewall & filtering proxy, intrusion detection system, monitoring system, etc. should all be used to make sure you KNOW what's going in and out of your machine, without needing to audit.
Look in the Windows Security Logs. There you can see detailed information about logons. If you see a logon at a time you were there, then you know someone else used it.
Right click the my computer icon, select manage, event viewer, windows logs, then security.
Perhaps not answering your question fully but maybe you find this useful regardless: If you are really suspicious you can always use the windows built in search and scan for modified files. Windows key + S and then enter "modified:13/8/2011 .. 14/8/2011" to find all files that have been modified. From here on you have to figure out if some of your files has been modified while you where away and if it is likely that it is a intruder who is responsible. Other that that I suggest you read through what Lee wrote here as well. This is method will perhaps not be of much use depending on the skills of the possible intruder. Also just for your information Microsoft provides a program called autoruns (sysinternals) to help you figure out what programs start automatically.
