Unusual Security Logins and audit privileges



#1 Traveler5


Posted 13 January 2012 - 03:53 PM

My OS is Windows XP Home Edition. I use Comodo Internet Security and antivirus, Malwarebytes, Spybot, and Sysprot anti-rootkit scans regularly and they all report that my computer has no issues whatsoever. I am not running torrents and never belonged to any file sharing service. I am not running, to the best of my knowledge, any server on this machine. My router has DD-WRT firmware installed and I am not using UPnP and all ports are closed. GRC.com Shields Up port scan returns stealth on all scans. I do have two Linux webservers on my network as well as an FTP server which I never have problems with.
I am a retired engineer but I have no IT skills. I believe my event and security logs are unusual and am asking for assistance with an evaluation. At 2am this morning there was a logon and advapi service transmitted over 200kb of info to the web. I am unable to enclose screenshots here so I enclose a link so you may view them elsewhere.
I would like to run Combofix and have the results analyzed. Any assistance is appreciated. Thank you for reading.
Screenshots



#2 cryptodan


Posted 13 January 2012 - 04:01 PM

Those are all normal. Those logins are part of Windows' hidden users, which should not be used for regular use.


Aliases for \\CAPRICORN

---------------------------------------------------------------
*Administrators
*Backup Operators
*Cryptographic Operators
*Debugger Users
*Distributed COM Users
*Event Log Readers
*Guests
*HomeUsers
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Replicator
*Users
The command completed successfully.


Those are all the groups on my system:



