Ok, a couple of days ago I formatted my computer and started again because I believed someone had hacked into my machine and played around with a few things; now I think I was right.
After installing XP Pro SP2 again and downloading all the upgrades, installing McAfee security suite and running Ad-Aware and Spybot Search and Destroy, I have been unable to find anything "dangerous". What I do think, though, is that someone is logging onto my machine and giving themselves access rights, BUT they have not created any other user names than what I have installed.
After searching all over the place for information, I come here begging for help.
Alright, in my event logs under security, I received one when I first logged onto the internet as this (there have been a few of these since) -
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x10011)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
and then later after this -
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
then followed by this -
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1019A)
Logon Type: 3
Now I'm going to admit I don't know much about XP security, but from what I was reading a logon type 3 is a network logon, and I am not on any type of network, so I figured it was an internet logon??
OK, after this there have been many (and I mean as soon as I log on to the internet) of these events -
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}
which are very soon followed by lots of these -
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
OK, am I barking up the wrong tree?? Is this normal Windows procedure or is someone logging into my system??
If so, what can I do to stop them?? And is there any way to know what they have changed??
thanks
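
Added example, not part of the original post: a small Python triage of event text in the format quoted above, labelling each event by its logon type and by the logon IDs Windows reserves for built-in sessions (0x3E4, 0x3E5, 0x3E6, 0x3E7). The function names are illustrative, the sample input is constructed from the quoted events, and treating a blank User Name on a type 3 logon as anonymous is an assumption.

```python
import re
# Logon type codes used in Windows security logon events.
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service", 10: "remote interactive"}
# Logon IDs (LUIDs) that Windows reserves for its built-in sessions.
BUILTIN_LUIDS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE",
                 0x3E6: "ANONYMOUS LOGON", 0x3E7: "SYSTEM"}
HEADER = re.compile(r"^(Successful (?:Network )?Logon|User Logoff|"
                    r"Special privileges assigned to new logon):$")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
LUID = re.compile(r"\(0x[0-9A-Fa-f]+,\s*0x([0-9A-Fa-f]+)\)")

def parse_events(text):
    """Split pasted event descriptions into one dict of fields per event."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            events.append({"Event": head.group(1)})
        elif events and field:
            events[-1][field.group(1).strip()] = field.group(2).strip()
    return events

def triage(event):
    """Label the session an event describes; anything else needs a manual look."""
    m = LUID.search(event.get("Logon ID", ""))
    luid = int(m.group(1), 16) if m else None
    ltype = event.get("Logon Type", "")
    kind = LOGON_TYPES.get(int(ltype), "unknown") if ltype.isdigit() else "n/a"
    if luid in BUILTIN_LUIDS:
        return f"built-in {BUILTIN_LUIDS[luid]} session, type {kind}"
    # Assumption: a blank User Name on a network logon is an anonymous session.
    if kind == "network" and event.get("User Name", "") in ("", "ANONYMOUS LOGON"):
        return "anonymous network logon: note Workstation Name, review file sharing exposure"
    return f"review manually: user={event.get('User Name')!r}, type {kind}"

# Constructed sample: three events in the format quoted in the post above.
SAMPLE = """Successful Network Logon:
User Name:
Logon ID: (0x0,0x10011)
Logon Type: 3
Special privileges assigned to new logon:
Logon ID: (0x0,0x3E5)
Successful Logon:
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Logon Type: 5"""
if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["Event"], "->", triage(ev))
```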