
Programs asking for elevated privileges and multiple logons in event viewer


#1 Subrandus


Posted 06 October 2009 - 12:52 AM

Hello,

Re-posted without the HJT report ... sorry I didn't realize we weren't supposed to include them in this forum.



I have some strange stuff going on and my attempts at researching them have not helped me to resolve it. Here are the symptoms.
I have XP Home SP3 installed so I do not have access to XP Pro tools if they are needed.

I have installed Comodo firewall and every time I open a new program, it asks for elevated debug privileges.

The following two events are in my event viewer every 15 minutes day and night.

Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeDebugPrivilege
SeChangeNotifyPrivilege

Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: -

Background activity happens when these happen (hourglass appears in the cursor).

I also seem to have a lot of stuff on my computer that would more properly be on a server, even though I am a home user connecting through a router (no network).

I have disabled every unneeded service that I could think of that could cause these and still no luck (using this site, black viper, and the elder geek).

I have run multiple virus scans and rootkit scans and checked every file mentioned in my research on VirusTotal without result. It appears I am clean (of course I know this may not be true).

I am the owner with admin privileges and installed a program called user manager to see the permissions of my accounts and to my surprise, every account had debug privileges listed (owner, guest, admin). I removed the debug privileges from all accounts except admin and owner but no luck. Tried also removing debug privileges from all accounts ... no effect. Tried removing all privileges for the debug group and even removing the group itself as well ... no effect.

I also have the occasional anonymous logon and I don't know where that comes from either.

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x2AD9B)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: -

And finally I have regular failure events when I reboot

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: INERGETIX

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: INERGETIX
Error Code: 0xC000006E

I was being helped with another issue a few weeks ago by Microsoft support (couldn't download updates) but he ended up going on holidays and I resolved the issue through a lot of trial and error. He didn't use Remote Assistance to my knowledge, but I did download some files he suggested regarding a re-install of MS Office 2003 and the Install Cleanup tool. Not sure, but there could be a timing connection here.

I do not have advapi.exe on my system, only the dll.

I think I have a debugger running since the following DLLs are listed in NirSoft's RegDllView and they all have connected system entries.

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\VS7JIT.EXE

I have disabled MDM.EXE with no effect.

Can anyone help me with this strange stuff?

Thank you
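As an added example (not part of the post above), here is a small Python triage script that parses event bodies pasted from Event Viewer in the format quoted in this post and labels each one by logon type and account. The sample text is constructed from the post's own events, and the "expected/review/failure" verdicts are this example's own convention, not anything from the original thread.

```python
import re

# Logon type codes as documented for Windows XP/2003 security events 528/540/529.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Substatus quoted in the post's event 680; 0xC000006E is STATUS_ACCOUNT_RESTRICTION.
NTSTATUS = {"0xC000006E": "STATUS_ACCOUNT_RESTRICTION (an account policy blocked it, not a bad password)"}

# Constructed sample: trimmed copies of the events quoted in the post, one blank line between events.
SAMPLE = """Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon Type: 5
Authentication Package: Negotiate

Successful Network Logon:
User Name:
Logon Type: 3
Authentication Package: NTLM

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Error Code: 0xC000006E"""

def parse_events(text):
    """Split pasted Event Viewer text into dicts; the first line of each block names the event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {"event": lines[0].partition(":")[0].strip()}
        for line in lines:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def triage(ev):
    """Return (verdict, explanation); verdict labels are this example's own convention."""
    user = ev.get("User Name", ev.get("Logon account", ""))
    if "Error Code" in ev:  # event 680: failed logon carrying an NTSTATUS substatus
        return "failure", f"logon for '{user}' rejected: {NTSTATUS.get(ev['Error Code'], ev['Error Code'])}"
    ltype = int(ev.get("Logon Type") or 0)
    kind = LOGON_TYPES.get(ltype, f"unknown({ltype})")
    if ltype == 5 and user == "NETWORK SERVICE" and ev.get("Domain") == "NT AUTHORITY":
        return "expected", "service logon by the built-in NETWORK SERVICE account"
    if ltype == 3 and user == "" and ev.get("Authentication Package") == "NTLM":
        return "review", "anonymous (null-session) NTLM network logon; check what is exposing shares/RPC"
    return "review", f"{kind} logon by '{user}' via {ev.get('Authentication Package', '?')}"
```

Run `[triage(e) for e in parse_events(SAMPLE)]` to see the three verdicts; paste further events into the same format to triage a longer log.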
