Hacker access?


#1 Kylestern (Member, 21 posts)
Greetings everyone, I'm back again :tazz:

Ok, a couple of days ago I formatted my computer and started again because I believed someone had hacked into my machine and played around with a few things; now I think I was right.

After installing XP Pro SP2 again and downloading all the upgrades, installing McAfee Security Suite and running Ad-Aware and Spybot Search & Destroy, I have been unable to find anything "dangerous". What I do think, though, is that someone is logging onto my machine and giving themselves access rights, BUT they have not created any other user names than what I have installed.

After searching all over the place for information, I come here begging for help.

Alright, in my event logs under Security, I received one like this when I first logged onto the internet (there have been a few of these since) -
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x10011)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

and then later after this -
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege


then followed by this -

User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1019A)
Logon Type: 3

Now I'm going to admit I don't know much about XP security, but from what I was reading a logon type 3 is a network logon, and I am not on any type of network, so I figured it was an internet logon??
Ok, after this there have been many (and I mean as soon as I log on to the internet) of these events -
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

which are very soon followed by lots of these -

Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege


Ok, am I barking up the wrong tree?? Is this normal Windows procedure or is someone logging into my system??

If so, what can I do to stop them?? And is there any way to know what they have changed??

thanks
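As an added illustration, not code from the post or from any reply: a small Python triage script over the Security-log entries quoted above. It parses the exported text, joins the bare continuation lines that follow "Privileges:", and labels each event using the fixed logon IDs of the built-in service accounts (0x3E4 NETWORK SERVICE, 0x3E5 LOCAL SERVICE, 0x3E7 SYSTEM), so an analyst can separate the machine's own service logons from anonymous network logons that deserve a closer look. The sample text is constructed from the entries above and the function names are mine.

```python
# Constructed sample text, abridged from the Security-log entries quoted in the post above.
SAMPLE_EVENTS = """\
Successful Network Logon:
User Name:
Logon ID: (0x0,0x10011)
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name:

Special privileges assigned to new logon:
User Name:
Logon ID: (0x0,0x3E5)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

Successful Logon:
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Logon Type: 5
"""

# Logon IDs of the built-in service accounts; these are fixed on every Windows host.
WELL_KNOWN_SESSIONS = {"0x3e4": "NETWORK SERVICE", "0x3e5": "LOCAL SERVICE", "0x3e7": "SYSTEM"}
LOGON_TYPES = {"2": "interactive", "3": "network", "5": "service", "10": "remote interactive"}

def parse_events(text):
    """One dict per blank-line-separated event; a line without ':' continues the previous field."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        event, last = {"event": lines[0].rstrip(":")}, None
        for line in lines[1:]:
            if ":" in line:
                last, value = (part.strip() for part in line.split(":", 1))
                event[last] = value
            elif last:  # e.g. the extra Se*Privilege names listed under "Privileges:"
                event[last] = (event[last] + " " + line.strip()).strip()
        events.append(event)
    return events

def triage(event):
    """Label an event: built-in service sessions are expected, anonymous network logons are not."""
    session = event.get("Logon ID", "").rstrip(")").split(",")[-1].lower()
    user, logon_type = event.get("User Name", ""), event.get("Logon Type", "")
    if session in WELL_KNOWN_SESSIONS:  # also covers the blank-user 0x3E5 entry: it is LOCAL SERVICE
        return "expected: built-in %s session" % WELL_KNOWN_SESSIONS[session]
    if logon_type == "3" and user in ("", "ANONYMOUS LOGON"):
        return "review: anonymous network logon from %s" % (event.get("Workstation Name") or "<blank workstation>")
    return "info: %s logon by %s" % (LOGON_TYPES.get(logon_type, "type " + logon_type), user or "<blank>")
```

Run `for e in parse_events(SAMPLE_EVENTS): print(e["event"], "->", triage(e))` against a real exported log to get one label per event; a "review" label is a prompt to check the source workstation and the firewall, not proof of compromise on its own.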

#2 dsenette (Administrator, MVP, 26,019 posts)
You have been 0wned....you definitely need a firewall...well...relatively definite...(I really need to start reading these a little more before answering)...that system service might be something...I see you reading, gerry....any clues?

Edited by dsenette, 12 July 2005 - 09:42 AM.


#3 Kat (Retired Staff, MVP, 19,711 posts)
Please go to the malware forum and follow the instructions at the top....especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty (and you may not be), then post a HijackThis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.

#4 gerryf (Retired Staff, 11,365 posts)
Chuckle...I do not think you are owned.

In fact, I think that is your own PC talking to itself.

Logon GUID: {00000000-0000-0000-0000-000000000000}

That is your system partition ID....in other words, your own hard drive.

Gonna see if I can figure it out...

#5 gerryf (Retired Staff, 11,365 posts)
Clear your security event log, then reboot, log in...

Open the security event log...are those events there again?

And they occurred at the time of your logon?

Right click the event log, and export it as a text file, attach it to your next post.

From what I can discern, this is all part of you logging into your machine, but I'd like to see the log.

#6 Kylestern (Topic Starter, Member, 21 posts)
Ok, first off I'll show you the logs, but I also think something really screwy is going on; I might put a HJT log in the malware section, since I've run all the right scans and found that my HJT was infected with a worm, and I only found it after I reinstalled McAfee again. Hmmm, meaning something or someone is bypassing my security! Bah!!

Anyway, I'm putting in two logs: the first is from when I installed XP up until I cleared the log, the second is everything that happened after. I didn't save the second though until two hours after I cleared the log, just to give you an indication of what's happening. Anyway, tell me what you think.



and the second



Oh yeah, if you need the actual event log file I can post them as well.

Edited by Kylestern, 12 July 2005 - 03:21 PM.


#7 ukbiker (Rest in Peace, ukbiker; Retired Staff, 2,014 posts)
", since I've run all the right scans, and found that my HJT was infected with a worm, and I only found it after I reinstalled McAfee again."

Hiya Kylestern, don't worry about that, it is a known False Positive with McAfee. HJT is extremely unlikely to be infected.

UKBiker

#8 Kylestern (Topic Starter, Member, 21 posts)
Thanks, just in case though I deleted it and downloaded it again.

Can anyone spell P A R A N O I D ? ? ? ?

#9 Kat (Retired Staff, MVP, 19,711 posts)
Hi Kylestern. While you wait for Gerry to come back online...if you want, you can go ahead and post your HijackThis log in THIS thread, and I'll take a quick look for you. Then, if you're Malware free...gerry can continue and get you fixed up. ;)

I don't blame you for the "paranoid". I get that way too! :tazz:

#10 gerryf (Retired Staff, 11,365 posts)
Was hoping for the log, not a list.

#11 Kylestern (Topic Starter, Member, 21 posts)
Ok, there is a problem! My attachments cache has 2 MB free and my log file is 1,152 KB, yet when I try to upload it says I have no room in my cache???

I'm uploading the second log file only, as the other one won't load; this is the file after I cleaned the logs. BTW, I changed the extension to .txt so you will have to change it back to .evt, or when you open the log viewer, view all files.......but you already knew that ;)

Anyway, here it is, and if you can figure out a way to get the first one to upload let me know.

Oops, my bad, you can only load 500k per post :tazz: guess I can't load the first one ;) unless you know how to get around that?

Attached File  secondlog.txt   351.39KB   80 downloads

Edited by Kylestern, 13 July 2005 - 03:03 AM.


#12 Karl666 (New Member, 1 post)
Hi,

I was wondering if you ever got an answer to your problems. I am having the same problems but cannot find an answer anywhere. I've been trying to resolve this issue for weeks. I just need to know if it's normal system behaviour or something more sinister?

Regards
Karl.