Solved: Suspicious logon/logoff entries in event viewer

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Laura.B

Thread Starter
Joined
Apr 3, 2008
Messages
22
Hi there,
I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which are supposedly done by NT AUTHORITY or NETWORK SERVICE. What's also weird is that I get some failed logon attempts as well. This happens every time. I should say that I do suspect someone on the same network (I am one of two clients hooked up to a router+modem that connects to the internet) of malicious activity. But I don't know if this is related. I have turned on logon/logoff auditing. The following is what I see upon waking up my PC from standby. You can see my actual logon occurring a few seconds after all the 'network services' have logged on.

4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 538 YOUR-699C5579F9\Laura YOUR-699C5579F9 "User Logoff:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x56CA957)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56CA957)
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0x0

4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x56C7CA2)
Privileges: SeChangeNotifyPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Domain: YOUR-699C5579F9
Logon ID: (0x0,0x56C7CA2)
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0x0

4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:20 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:19 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:19 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:16 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:38:16 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Laura
Domain: YOUR-699C5579F9
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9"
4/12/2008 11:38:16 PM Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0xC000006A

4/12/2008 11:38:15 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Laura
Domain: YOUR-699C5579F9
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: YOUR-699C5579F9"
4/12/2008 11:38:15 PM Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Source Workstation: YOUR-699C5579F9
Error Code: 0xC000006A

4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

"
4/12/2008 11:38:14 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:14 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}"
Sorry about that but yes, that many entries on logon. As a side question, what's the surest method of preventing any sort of remote logins or remote control of a PC (i.e. in terms of disabling services, firewall options etc.)?
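As an added example (not part of Laura's post or anything else on the page), here is a small Python script that parses a Security log saved from Event Viewer in the text layout pasted above and gives a first-pass read of each logon event: which successful logons belong to the built-in service accounts (their logon IDs are fixed, so (0x0,0x3E4) is always NETWORK SERVICE), which are local interactive or unlock logons, which arrived over the network and deserve a look, what each failure's NTSTATUS code means, and whether any account shows a burst of failures. The sample log inside it is constructed to mirror the record shapes above (quoted multi-line descriptions for 528/529/576, an unquoted 680); the final 540 network logon from a made-up workstation 'OTHER-PC' is invented purely to exercise the "review" path.

```python
"""Parse a Windows XP Security log text export (the layout pasted in the thread)
and triage its logon events. Added example; SAMPLE is constructed, not the page's log."""
import re
from collections import defaultdict
from datetime import datetime

LOGON_TYPES = {"2": "Interactive", "3": "Network", "5": "Service", "7": "Unlock", "10": "RemoteInteractive"}
# Built-in accounts reuse fixed logon IDs, so (0x0,0x3E4) is NETWORK SERVICE on every boot.
WELL_KNOWN_LOGON_IDS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE", 0x3E7: "SYSTEM"}
# NTSTATUS values reported in the 680 'Error Code' field.
ERROR_CODES = {0xC000006A: "wrong password", 0xC0000064: "no such user", 0xC0000234: "account locked out"}
# Record header: date time, log, outcome, category, event id, DOMAIN\user, computer, description.
# Only the built-in account names that contain a space need listing explicitly.
HEADER = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+Security\s+'
    r'(?P<outcome>Success|Failure) Audit\s+(?P<category>.+?)\s+(?P<id>\d{3})\s+'
    r'(?P<account>(?:NT AUTHORITY|\S+)\\(?:NETWORK SERVICE|LOCAL SERVICE|\S+))\s+'
    r'(?P<computer>\S+)\s+"?(?P<desc>.*)$')
LOGON_ID = re.compile(r'\(0x0,(0x[0-9A-Fa-f]+)\)')

def _absorb(ev, line):
    """Fold one description line into the record (three shapes, see comments)."""
    line = line.strip().strip('"').strip()
    key, sep, val = (p.strip() for p in line.partition(":"))
    if sep and not val and ev["title"] is None:       # "Successful Logon:" names the event
        ev["title"] = key
    elif sep and len(key.split()) <= 3:               # "Logon Type: 7" becomes a field
        ev["fields"][key], ev["_last"] = val, key
    elif line and ev["_last"]:                        # bare line: more of the previous field
        ev["fields"][ev["_last"]] = (ev["fields"][ev["_last"]] + " " + line).strip()

def parse_events(text):
    """Split the export into records; lines without a header continue the last record."""
    events = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            ev.update(title=None, fields={}, _last=None)
            _absorb(ev, ev.pop("desc"))
            events.append(ev)
        elif events:
            _absorb(events[-1], raw)
    for ev in events:
        del ev["_last"]
    return events

def triage(events, fail_threshold=5, window_s=60):
    """One verdict per logon event, plus a failed-logon burst check per account."""
    findings, failures = [], defaultdict(list)
    for ev in events:
        f, eid, ltype = ev["fields"], ev["id"], ev["fields"].get("Logon Type", "?")
        user = f.get("User Name") or f.get("Logon account") or ev["account"]
        if eid in ("528", "540"):                                  # successful logon
            m = LOGON_ID.search(f.get("Logon ID", ""))
            svc = WELL_KNOWN_LOGON_IDS.get(int(m.group(1), 16)) if m else None
            if svc:
                verdict = "benign: built-in %s service logon" % svc
            elif ltype in ("3", "10"):                             # arrived over the network
                verdict = "review: %s logon from %r" % (LOGON_TYPES[ltype], f.get("Workstation Name", ""))
            else:
                verdict = "benign: local %s logon" % LOGON_TYPES.get(ltype, ltype)
        elif eid == "529":                                         # logon failure
            failures[user].append(ev["ts"])
            verdict = "failure: %s (type %s via %s)" % (f.get("Reason", "?"), ltype, f.get("Logon Process", "?"))
        elif eid == "680" and ev["outcome"] == "Failure":          # credential check failed
            code = int(f.get("Error Code", "0x0"), 16)
            verdict = "failure: %s (0x%08X)" % (ERROR_CODES.get(code, "unknown"), code)
        else:
            continue
        findings.append((ev["ts"].strftime("%H:%M:%S"), eid, user, verdict))
    # Many 529s for one account in a short window is what guessing looks like; two a few seconds before a successful unlock is not.
    flagged = [u for u, ts in failures.items() if any(
        sum(0 <= (t - s).total_seconds() <= window_s for t in ts) >= fail_threshold for s in ts)]
    return {"findings": findings, "failures": {u: len(t) for u, t in failures.items()}, "flagged": flagged}

# Constructed sample in the page's layout; the last record (workstation OTHER-PC) is made up.
SAMPLE = r'''
4/12/2008 11:38:14 PM Security Success Audit Privilege Use 576 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Special privileges assigned to new logon:
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege"
4/12/2008 11:38:14 PM Security Success Audit Logon/Logoff 528 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "Successful Logon:
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Logon Type: 5"
4/12/2008 11:38:15 PM Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Logon Failure:
Reason: Unknown user name or bad password
User Name: Laura
Logon Type: 2
Logon Process: Advapi"
4/12/2008 11:38:15 PM Security Failure Audit Account Logon 680 NT AUTHORITY\SYSTEM YOUR-699C5579F9 Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Laura
Error Code: 0xC000006A
4/12/2008 11:38:20 PM Security Success Audit Logon/Logoff 528 YOUR-699C5579F9\Laura YOUR-699C5579F9 "Successful Logon:
User Name: Laura
Logon ID: (0x0,0x56CA957)
Logon Type: 7
Logon GUID: {00000000-0000-0000-0000-000000000000}"
4/12/2008 11:40:02 PM Security Success Audit Logon/Logoff 540 NT AUTHORITY\SYSTEM YOUR-699C5579F9 "Successful Network Logon:
User Name: Laura
Logon ID: (0x0,0x5A0B11)
Logon Type: 3
Workstation Name: OTHER-PC"
'''
```

Running `triage(parse_events(SAMPLE))` returns the verdict list plus per-account failure counts and any flagged accounts. Read against the log pasted above, the same rules say: every type 5 logon with logon ID (0x0,0x3E4) is NETWORK SERVICE itself starting services, not a remote user; the two 529/680 pairs carry error code 0xC000006A (wrong password), come through the Advapi logon process on the local machine, and sit a few seconds before the successful type 7 unlock, so they do not form a guessing burst. What the rules would flag is a type 3 or type 10 logon whose Workstation Name is not the machine itself; none appears in the pasted log.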
 
Joined
Jan 27, 2008
Messages
11
I hate to be a cynic but the surest method of avoiding unauthorised access is to disconnect yourself from the network when you are not using it. I had a quick scan through the event log and there is some dubious looking stuff going on here....Have you run HijackThis and posted the log yet? This could be malware of some kind and I would eliminate this as an option before looking for human operated hacking threats.

Unfortunately I'm not an expert in this field but this report here is of concern:

4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

It seems like some of your ports might have been opened...do you use peer to peer sites like emule or limewire?

Please upload a log from HijackThis as this will allow someone to eliminate malware from the equation.

Good luck with this!
 

Laura.B

Thread Starter
Joined
Apr 3, 2008
Messages
22
Thanks for the reply.

I don't use any p2p programs or any networking apps at all. The computer is solely used for the internet. It does however go through a router which another computer is connected to - hence the suspicion.

Here is the HJT log (I'm running WinXP Tablet edition):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:41 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\windows\system32\KADxMain.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Notebook Hardware Control\nhc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\mmc.exe
F:\Software\Sec\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.monash.edu.au
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe"
O4 - HKLM\..\Run: [FjStrtAp] "C:\Program Files\Fujitsu\Utils\FjStrtAp.exe"
O4 - HKLM\..\Run: [KADxMain] C:\windows\system32\KADxMain.exe
O4 - HKLM\..\Run: [LoadBtnHnd] "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McAfee Online Virus Scanner] avp.exe
O4 - HKLM\..\RunServices: [McAfee Online Virus Scanner] avp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\S-1-5-21-1941494055-3217071479-4106037145-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7856 bytes
 
Joined
Jan 27, 2008
Messages
11
I see your tablet PC has biometrics...although this does not totally eliminate physical unauthorized log-in to your PC it does significantly reduce the likelihood.

If the other user of the router is doing something dodgy they would be foolish to do it from your PC as ultimately it could be tied back to the same router (even if they were using your machine to hijack a MAC address elsewhere it seems pretty pointless) so if you are concerned about the other person using the router I can only assume that you are concerned about them compromising your privacy (and of course your security).

From a quick scan of the log I see that you have processes running for both AVG and McAfee...I had an issue a while back with a trojan masquerading as McAfee which was next to impossible to uninstall and it took me many hours to remove all traces of its processes. It is generally not recommended to have more than one anti-virus program running.

Can anyone out there in TSG land who is more familiar with detecting hacks have a squizz at this one?
 
Joined
Jan 27, 2008
Messages
11
Sorry was in a bit of a rush...the AVG is the antispyware not the antivirus yeah?

These two are also a bit suspect...can you think of anything that you have installed that would automatically port info to Excel?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

If nobody posts in the next little while bump me and I will look into it more deeply (sorry have stacks on my plate!) :)
 

Laura.B

Thread Starter
Joined
Apr 3, 2008
Messages
22
Thanks for your comments PLACEBOID. Yeah biometrics is there but I use it more for convenience - I haven't figured out how to make it compulsory to pass the fingerprint scanner to login.

Yes, AVG is for antispyware. I have not installed McAfee myself, I always assumed it got installed with my internet browser. When I open active connections in COMODO firewall, avp.exe is always there and I have no idea why.

so if you are concerned about the other person using the router I can only assume that you are concerned about them compromising your privacy (and of course your security)
Yes privacy is the main concern.

These two are also a bit suspect...can you think of anything that you have installed that would automatically port info to Excel?
I have installed the Excel data analysis Toolpak. I'm not sure if it is this though.
 
Joined
Sep 6, 2007
Messages
53
A couple days ago, I was offered an upgrade from NAV. After the install, I checked the Event ID to see if all looked good and what I saw, scared me to death.
I came to the techguys and did a search for Failure Audit, Event ID 529 and found your thread.
What I saw of your log was almost the same as mine.
I just found this online and I think it might answer your questions.
I hope it is ok to post the link. It eased my feelings and I hope it does yours too.

http://www.pcreview.co.uk/forums/thread-250761.php
The gentleman explains what happened.
 
Joined
Sep 6, 2007
Messages
53
I am just glad I found my answers and happy I could help others.

Techguy forum has helped me to solve my computer problems so many times. I am a self taught granny, with the help of others.

Laura,
What about marking this thread as solved? :D

Thanks Techguys!
 