There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
audio avg avg 8 bios boot browser bsod computer cpu crash css dell desktop driver dvd email error excel explorer firefox firefox 3 freeze game graphics hard drive hardware help please hijackthis hjt install internet internet explorer itunes javascript lan laptop malware missing monitor msn network networking openoffice outlook outlook 2003 outlook express php popups problem problems router seo slow sound sp3 spyware startup trojan usb video virtumonde virus vista vundo windows windows vista windows xp winxp wireless word
General Security
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > General Security >
Solved: Suspicious logon/logoff entries in event viewer


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

 
Thread Tools
Laura.B's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Apr 2008
Experience: Beginner
13-Apr-2008, 08:35 PM #1
Solved: Suspicious logon/logoff entries in event viewer
Hi there,
I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which are supposedly done by NT AUTHORITY or NETWORK SERVICE. What's also weird is that I get some failed logon attempts as well. This happens every time. I should say that I do suspect someone on the same network (I am one of two clients hooked up to a router+modem that connects to the internet) of malicious activity. But I don't know if this is related. I have turned on logon/logoff auditing. The following is what I see upon waking up my PC from standby. You can see my actual logon occurring a few seconds after all the 'network services' have logged on.

Quote:
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 538 YOUR-699C5579F9\Laura YOUR-699C5579F9 "User Logoff:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x56CA957)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0x0

4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x56C7CA2)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56C7CA2)
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0x0

4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Laura
Domain: YOUR-699C5579F9
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9"
4/12/2008 11:38:16 PM Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0xC000006A

4/12/2008 11:38:15 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Laura
Domain: YOUR-699C5579F9
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9"
4/12/2008 11:38:15 PM Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0xC000006A

4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

"
4/12/2008 11:38:14 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:14 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
Sorry about that but yes, that many entries on logon. As a side question, what's the surest method of preventing any sort of remote logins or remote control of a PC (ie. in terms of disabling services, firewall options etc..)?
PLACEBOID's Avatar
Junior Member with 11 posts.
  
Join Date: Jan 2008
Location: Sydney
Experience: Self Taught
13-Apr-2008, 10:06 PM #2
I hate to be a cynic but the surest method of avoiding unauthorised access is to disconnect yourself from the network when you are not using it. I had a quick scan through the event log and their is some dubious looking stuff going on here....Have you run hijack this and posted the log yet? This could be malware or some kind and I would eliminate this as an option before looking for human operated hacking threats.

Unfortunately I'm not an expert in this field but this report here is of concern:

4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

It seems like some of your ports might have been opened...do you use peer to peer sites like emule or limewire?

Please upload a log from hijack this as this will allow someone to eliminate malware from the equation.

Good luck with this!
Laura.B's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Apr 2008
Experience: Beginner
13-Apr-2008, 10:32 PM #3
Thanks for the reply.

I don't use any p2p programs or any networking apps at all. The computer is solely used for the internet. It does however go through a router which another computer is connected to - hence the suspicion.

Here is the HJT log (I'm running WinXP Tablet edition):

Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:41 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\windows\system32\KADxMain.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\mmc.exe
F:\Software\Sec\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.monash.edu.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe"
O4 - HKLM\..\Run: [FjStrtAp] "C:\Program Files\Fujitsu\Utils\FjStrtAp.exe"
O4 - HKLM\..\Run: [KADxMain] C:\windows\system32\KADxMain.exe
O4 - HKLM\..\Run: [LoadBtnHnd] "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McAfee Online Virus Scanner] avp.exe
O4 - HKLM\..\RunServices: [McAfee Online Virus Scanner] avp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-21-1941494055-3217071479-4106037145-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7856 bytes
PLACEBOID's Avatar
Junior Member with 11 posts.
  
Join Date: Jan 2008
Location: Sydney
Experience: Self Taught
13-Apr-2008, 10:59 PM #4
I see your tablet PC has biometrics...although this does not totally eliminate physical unauthorized log-in to your PC is does significantly reduce the likelihood.

If the other user of the router is doing something dodgy they would be foolish to do it from your PC as ultimately it could be tied back to the same router (even if they were using your machine to hijack a MAC address elsewhere it seems pretty pointless) so if you are concerned about the other preson using the router I can only assume that you are concerned about them compromising your privacy (and of course your security)

From a quick scan of the log I see that you have processes running for both AVG and McAfee...I had an issue a while back with a trojan masquerading as McAfee which was next to impossible to uninstall and it took me many hours to remove all traces of it's processes. It is generally not reccomended to have more than one anti-virus program running.

Can anyone out there in TSG land who is more familiar with detecting hacks have a squizz at this one?
PLACEBOID's Avatar
Junior Member with 11 posts.
  
Join Date: Jan 2008
Location: Sydney
Experience: Self Taught
13-Apr-2008, 11:04 PM #5
Sorry was in a bit of a rush...the AVG is the antispyware not the antivirus yeah?

These two are also a bit suspect...can you thing of anything that you have installed that would automatically port info to excel?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

If nobody posts in the next little while bump me and I will look into it more deeply (sorry have stacks on my plate!) :-)
Laura.B's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Apr 2008
Experience: Beginner
13-Apr-2008, 11:15 PM #6
Thanks for your comments PLACEBOID. Yeah biometrics is there but I use it more for convenience - I haven't figured out how to make it compulsory to pass the fingerprint scanner to login.

Yes, AVG is for antispyware. I have not installed Mcafee myself, I always assumed it got installed with my internet browser. When I open active connections in Komodo firewall, avp.exe is always there and I have no idea why.

Quote:
so if you are concerned about the other preson using the router I can only assume that you are concerned about them compromising your privacy (and of course your security)
Yes privacy is the main concern.

Quote:
These two are also a bit suspect...can you thing of anything that you have installed that would automatically port info to excel?
I have installed the Excel data analysis Toolpak. I'm not sure if it is this though.
Laura.B's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Apr 2008
Experience: Beginner
16-Apr-2008, 06:02 AM #7
Anyone else have any ideas?
hairbender1950's Avatar
Computer Specs
Junior Member with 18 posts.
  
Join Date: Sep 2007
Location: Oklahoma
Experience: Beginner
12-May-2008, 09:07 PM #8
A couple days ago, I was offered an upgrade from NAV. After the install, I checked the Event ID to see if all looked good and what I saw, scared me to death.
I came to the techguys and did a search for Failure Audit, Event ID 529 and found your thread.
What I saw of your log was almost the same as mine.
I just found this online and I think it might answer your questions.
I hope it is ok to post the link. It eased my feelings and I hope it does yours too.

http://www.pcreview.co.uk/forums/thread-250761.php
the gentleman explains what happened.
PLACEBOID's Avatar
Junior Member with 11 posts.
  
Join Date: Jan 2008
Location: Sydney
Experience: Self Taught
12-May-2008, 09:40 PM #9
Good one Hairbender!
Laura.B's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Apr 2008
Experience: Beginner
14-May-2008, 04:39 AM #10
Hey thanks for that, hairy.
hairbender1950's Avatar
Computer Specs
Junior Member with 18 posts.
  
Join Date: Sep 2007
Location: Oklahoma
Experience: Beginner
14-May-2008, 07:57 AM #11
I am just glad I found my answers and happy I could help others.

Techguy forum has helped me to solve my computer problems so many times. I am a self taught granny, with the help of others.

Laura,
What about marking this thread as solved?

Thanks Techguys!
Reply

« Previous Thread | General Security | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are Off
Refbacks are Off

Related Sites: Support.com | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 10:44 AM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.