
Solved: Suspicious logon/logoff entries in event viewer

Discussion in 'General Security' started by Laura.B, Apr 13, 2008.

Thread Status:
Not open for further replies.
  1. Laura.B

    Laura.B Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    22
    Hi there,
    I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which are supposedly done by NT AUTHORITY or NETWORK SERVICE. What's also weird is that I get some failed logon attempts as well. This happens every time. I should say that I do suspect someone on the same network (I am one of two clients hooked up to a router+modem that connects to the internet) of malicious activity. But I don't know if this is related. I have turned on logon/logoff auditing. The following is what I see upon waking up my PC from standby. You can see my actual logon occurring a few seconds after all the 'network services' have logged on.

    Sorry about that but yes, that many entries on logon. As a side question, what's the surest method of preventing any sort of remote logins or remote control of a PC (i.e. in terms of disabling services, firewall options etc.)?
     
  2. PLACEBOID

    PLACEBOID

    Joined:
    Jan 27, 2008
    Messages:
    11
    I hate to be a cynic but the surest method of avoiding unauthorised access is to disconnect yourself from the network when you are not using it. I had a quick scan through the event log and there is some dubious looking stuff going on here... Have you run HijackThis and posted the log yet? This could be malware of some kind and I would eliminate this as an option before looking for human operated hacking threats.

    Unfortunately I'm not an expert in this field but this report here is of concern:

    4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

    It seems like some of your ports might have been opened...do you use peer to peer sites like emule or limewire?

    Please upload a log from HijackThis as this will allow someone to eliminate malware from the equation.

    Good luck with this!
     
  3. Laura.B

    Laura.B Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    22
    Thanks for the reply.

    I don't use any p2p programs or any networking apps at all. The computer is solely used for the internet. It does however go through a router which another computer is connected to - hence the suspicion.

    Here is the HJT log (I'm running WinXP Tablet edition):

     
  4. PLACEBOID

    PLACEBOID

    Joined:
    Jan 27, 2008
    Messages:
    11
    I see your tablet PC has biometrics...although this does not totally eliminate physical unauthorized log-in to your PC it does significantly reduce the likelihood.

    If the other user of the router is doing something dodgy they would be foolish to do it from your PC as ultimately it could be tied back to the same router (even if they were using your machine to hijack a MAC address elsewhere it seems pretty pointless) so if you are concerned about the other person using the router I can only assume that you are concerned about them compromising your privacy (and of course your security).

    From a quick scan of the log I see that you have processes running for both AVG and McAfee...I had an issue a while back with a trojan masquerading as McAfee which was next to impossible to uninstall and it took me many hours to remove all traces of its processes. It is generally not recommended to have more than one anti-virus program running.

    Can anyone out there in TSG land who is more familiar with detecting hacks have a squizz at this one?
     
  5. PLACEBOID

    PLACEBOID

    Joined:
    Jan 27, 2008
    Messages:
    11
    Sorry was in a bit of a rush...the AVG is the antispyware not the antivirus yeah?

    These two are also a bit suspect...can you think of anything that you have installed that would automatically port info to Excel?

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    If nobody posts in the next little while bump me and I will look into it more deeply (sorry have stacks on my plate!) :)
     
  6. Laura.B

    Laura.B Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    22
    Thanks for your comments PLACEBOID. Yeah biometrics is there but I use it more for convenience - I haven't figured out how to make it compulsory to pass the fingerprint scanner to login.

    Yes, AVG is for antispyware. I have not installed McAfee myself, I always assumed it got installed with my internet browser. When I open active connections in Komodo firewall, avp.exe is always there and I have no idea why.

    Yes privacy is the main concern.

    I have installed the Excel data analysis Toolpak. I'm not sure if it is this though.
     
  7. Laura.B

    Laura.B Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    22
    Anyone else have any ideas?
     
  8. hairbender1950

    hairbender1950

    Joined:
    Sep 6, 2007
    Messages:
    53
    A couple of days ago, I was offered an upgrade from NAV. After the install, I checked the Event ID to see if all looked good and what I saw scared me to death.
    I came to the techguys and did a search for Failure Audit, Event ID 529 and found your thread.
    What I saw of your log was almost the same as mine.
    I just found this online and I think it might answer your questions.
    I hope it is ok to post the link. It eased my feelings and I hope it does yours too.

    http://www.pcreview.co.uk/forums/thread-250761.php
    The gentleman explains what happened.
     
  9. PLACEBOID

    PLACEBOID

    Joined:
    Jan 27, 2008
    Messages:
    11
    :) Good one Hairbender!
     
  10. Laura.B

    Laura.B Thread Starter

    Joined:
    Apr 3, 2008
    Messages:
    22
    Hey thanks for that, hairy.
     
  11. hairbender1950

    hairbender1950

    Joined:
    Sep 6, 2007
    Messages:
    53
    I am just glad I found my answers and happy I could help others.

    Techguy forum has helped me to solve my computer problems so many times. I am a self-taught granny, with the help of others.

    Laura,
    What about marking this thread as solved? :D

    Thanks Techguys!
     
Short URL to this thread: https://techguy.org/703462