[Kylestern]

Greetings everyone, i'm back again

Ok a couple of days ago i formatted my computer and started again because i believed someone had hacked into my machine and played around with a few things, now i think i was right.

After installing xp pro sp2 again and downloading all the upgrades, installing mcafee security suit and running ad aware and and spybot search and destroy, i have been unable to find anything "dangerous". What i do think though is that someone is logging onto my machine and giving themselves access rights, BUT, they have not created any other user names than what i have installed.

After searching all over the place for information, i come here begging for help.

Alright, in my event logs under security, i recieved one when i first logged onto the internet as this (there have been a few of these since) -
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x10011)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

and then later after this -
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege


then followed by this -

User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1019A)
Logon Type: 3

now i'm going to admit i i dont know much about xp security, but from what i was reading a logon type 3 is a network logon, and i am not on any type of network, so i figured it was an internet logon??
ok, after this there have been many (and i mean as soon as i log on to the internet) of these events -
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

which are very soon followed by lots of these -

Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege


ok, am i barking up the wrong tree?? is this normal windows procedure or is someone logging into my system??

if so what can i do to stop them?? and is there anyway to know what they have changed??

thanks

[Advertisements]

you have been 0wned....you definitly need a firewall...well...relatively definite...(i really need to start reading these a little more before answering)...that system service might be something...i see you reading gerry....any clues?

Edited by dsenette, 12 July 2005 - 09:42 AM.

[dsenette]

you have been 0wned....you definitly need a firewall...well...relatively definite...(i really need to start reading these a little more before answering)...that system service might be something...i see you reading gerry....any clues?

Edited by dsenette, 12 July 2005 - 09:42 AM.

[Kat]

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE .

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

[gerryf]

chuckle...I do not think you are owned.

In fact, I think that is your own PC talking to itself

Logon GUID: {00000000-0000-0000-0000-000000000000}

that is your system partition ID....in other words, your own harddrive.

Gonna see if I can figure it out...

[gerryf]

clear your security event log, then reboot, log in...

open the security event log...are those event there again?

And they occured at the time of your logon?

Right click the event log, and export it as a text file, attach it to your next post.

From what I can discern, this is all part of you logging into your machine, but I'd like to see the log.

[Kylestern]

ok, first off i'll show you the logs, but i also think something really screwy is going on, might put a hjt log in the malware section, since i've run all the right scans, and found that my hjt was infected with a worm, and i only found it after i reinstalled mcafee again. hmmm meaning something or someone is bypassing my security! bah!!

Anyway i'm putting in two logs, the first is from when i installed xp up until i cleared the log, the second is everything that happend after. I didnt save the second though until two hours after i cleared the log, just to give you an indication of whats happening. anyway, tell me what you think.



and the second



oh yeh if you need the actual event log file i can post them aswell.

Edited by Kylestern, 12 July 2005 - 03:21 PM.

[ukbiker]

, since i've run all the right scans, and found that my hjt was infected with a worm, and i only found it after i reinstalled mcafee again. 

Hiya Kylestern, dont worry about that, it is a known False Positive with McaFee. HJT is Extremely unlikely to be infected.

UKBiker

[Kylestern]

Thanks, just in case though i deleted it and downloaded it again.

Can anyone spell P A R A N O I D ? ? ? ?

[Kat]

Hi Kylestern. While you wait for Gerry to come back online...if you want, you can go ahead and post your HijackThis log in THIS thread, and I'll take a quick look for you. Then, if you're Malware free...gerry can continue and get you fixed up.

I don't blame you for the "paranoid". I get that way too!

[gerryf]

was hoping for the log, not list

[Kylestern]

ok there is a problem! my attatchments cache has 2mb free and my log file is 1,152 kb, yet when i try to upload it says i have no room in my cache???

i'm uploading the secong log file only as the other one wont load, this is the file after i cleaned the logs. BTW i changed the ext to .txt so you will have to change it back to .evt or when you open log viewer view all files.......but you already knew that

anyway here it is, and if you can figure out a way to get the first one to upload let me know.

Oops my bad you can only load 500k per post guess i cant load the first one unless you know how to get around that?

 secondlog.txt   351.39KB   108 downloads

Edited by Kylestern, 13 July 2005 - 03:03 AM.

[Karl666]

Hi,

I was wondering if you ever got an answer to your problems. I am having the same problems but can not find an answer anywhere. Ive been trying to resolve this issue for weeks. I just need to know if its normal system behaviour or something more sinister ?

Regards
Karl.