
Multiple Logon/off & password change audits in Event Viewer


This topic is locked
2 replies to this topic

#1 TripleInstance

TripleInstance

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:25 AM

Posted 31 July 2012 - 01:26 PM

There are many logon/off attempts and password change attempts marked as success and failure audits in my event manager - is there someone trying to hack into my computer remotely? Event Manager audits I am receiving:

- Many logon/logoff attempts
- Failure audits for logon failures (bad user name or password)
- Attempts to change my logon password for the following accounts

Administrator *
ASPNET
Guest (deactivated)
HelpAssistant
Len *
SUPPORT_388945a0
Work Account *

The asterisk indicates active accounts - I don't know what the others are for.

- Failure Audits for attempting to log in under my account (Len)
- Success Audits for Anonymous login
- Logon processes being trusted to submit logon requests
- Notification packages being activated to submit password or account changes


I have scanned using Norton 360 and Norton Power Eraser, Malwarebytes, Trend Micro Housecall in safe mode and nothing has come up. I have used Microsoft Security Analyzer 2.2 to try and find issues - none has come up.

I ran TDSSKiller, ESET Online Scanner and ran MiniToolBox as per Swagger - nothing yet.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Len at 12:32:17 on 2012-07-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1191 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Norton 360\Norton 360\Engine\6.2.1.5\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\3.0.271\SSScheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Norton 360\Engine\6.2.1.5\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\norton 360\engine\6.2.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\norton 360\engine\6.2.1.5\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\norton 360\engine\6.2.1.5\coIEPlg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.271\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: microsoft.com\www.update
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1339194782546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1339194776703
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{8FBEC5D3-AB1D-470B-B070-200906BC62CF} : DhcpNameServer = 64.71.255.198
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 04293766;04293766;c:\windows\system32\drivers\04293766.sys [2011-8-22 133208]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 116264]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2011-5-16 17064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602010.005\symds.sys [2012-5-18 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602010.005\symefa.sys [2012-5-18 905336]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\bashdefs\20120711.002\BHDrvx86.sys [2012-7-12 821920]
R1 ccSet_N360;Norton 360 Settings Manager;c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys [2012-5-18 132744]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602010.005\ironx86.sys [2012-5-18 149624]
R2 N360;Norton 360;c:\program files\norton 360\norton 360\engine\6.2.1.5\ccsvchst.exe [2012-5-18 138232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\ipsdefs\20120727.001\IDSXpx86.sys [2012-7-28 369632]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\virusdefs\20120730.017\NAVENG.SYS [2012-7-30 87928]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.1.2\definitions\virusdefs\20120730.017\NAVEX15.SYS [2012-7-30 1589752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 250056]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.271\McCHSvc.exe [2012-3-13 237272]
S3 NYOV;NYOV;c:\docume~1\len\locals~1\temp\nyov.exe --> c:\docume~1\len\locals~1\temp\NYOV.exe [?]
S3 OLA;OLA;c:\docume~1\len\locals~1\temp\ola.exe --> c:\docume~1\len\locals~1\temp\OLA.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-31 16:29:34 16384 ----atw- c:\windows\~DF5E4C.tmp
2012-07-31 16:25:25 16384 ----atw- c:\windows\~DF4B88.tmp
2012-07-31 16:23:52 69632 ----atw- c:\windows\~DFFD33.tmp
2012-07-31 16:23:52 16384 ----atw- c:\windows\~DFEC74.tmp
2012-07-30 18:22:09 131344 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2012-07-30 15:58:13 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-30 02:20:38 -------- d-----w- c:\program files\Adobe Download Assistant
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-07-30 02:17:51 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2012-07-30 02:11:56 -------- d-----w- c:\documents and settings\len\local settings\application data\Sun
2012-07-30 02:11:01 -------- d-----w- c:\program files\Oracle
2012-07-30 02:10:54 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-07-30 02:10:54 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-27 20:57:57 593920 ------w- c:\windows\system32\ati2sgag.exe
2012-07-27 20:48:08 701440 -c--a-w- c:\windows\system32\dllcache\ati2mtag.sys
2012-07-27 20:48:08 3565056 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-07-27 17:20:44 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0500000.05A
2012-07-27 17:20:44 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2012-07-27 17:20:42 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2012-07-26 17:59:54 -------- d-----w- c:\program files\ESET
2012-07-26 01:08:00 -------- d-----w- c:\documents and settings\len\application data\Malwarebytes
2012-07-26 01:07:52 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-26 01:07:51 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-26 01:07:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-25 22:15:02 -------- d-----w- c:\documents and settings\len\SecurityScans
2012-07-25 22:14:46 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-07-25 21:33:26 -------- d-----w- c:\windows\system32\NtmsData
2012-07-24 16:52:07 645632 ----a-w- c:\windows\system32\xvidcore.dll
2012-07-24 16:52:07 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2012-07-24 16:52:07 153088 ----a-w- c:\windows\system32\xvid.ax
2012-07-24 16:52:06 -------- d-----w- c:\program files\Xvid
2012-07-23 17:15:11 -------- d-----w- c:\documents and settings\len\application data\TuneUpMedia
.
==================== Find3M ====================
.
2012-07-28 18:11:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-28 18:11:23 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 02:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 21:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 12:33:04.03 ===============
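The question in this post is whether the logon, logoff and password-change audits are ordinary local activity or evidence of remote attempts. The following triage script is an added example, not code from the thread or from BleepingComputer: it parses a small, constructed CSV export of Windows XP Security-log records (the pre-Vista event IDs 514/515 for LSA start-up, 528/540 for successful logons, 529 for bad-credential failures, 538 for logoffs, 627/628 for password changes) and separates start-up bookkeeping and console logons from network logons that arrive from another machine. The column layout, host name `HOMEPC`, source address and all record values are constructed assumptions for the example.

```python
"""Triage constructed Windows XP Security-log records: local noise or remote attempts?

Added example; not from the forum thread. The CSV layout and every record
below are constructed. Event IDs are the pre-Vista (XP / Server 2003) ones.
"""
import csv
from collections import Counter
from io import StringIO

# Pre-Vista Security-log event IDs named in the thread's symptoms.
EVENT_NAMES = {
    514: "notification package loaded",        # LSA start-up, not a logon
    515: "trusted logon process registered",   # LSA start-up, not a logon
    528: "successful logon",
    529: "logon failure: bad user name or password",
    538: "user logoff",
    540: "successful network logon",
    627: "change password attempt",
    628: "user account password set",
}

# Logon types that can originate from another machine: 3 network, 8 network
# cleartext, 10 remote interactive. Types 2 (console) and 5 (service) are local.
REMOTE_LOGON_TYPES = {3, 8, 10}

# Constructed sample export (assumed layout): event_id,user,logon_type,workstation,source_ip
SAMPLE_EXPORT = """\
event_id,user,logon_type,workstation,source_ip
515,,,,
514,,,,
528,Len,2,HOMEPC,
540,ANONYMOUS LOGON,3,HOMEPC,
538,Len,2,HOMEPC,
529,Len,3,WORKGROUP-PC,192.0.2.10
529,Administrator,3,WORKGROUP-PC,192.0.2.10
529,Len,3,WORKGROUP-PC,192.0.2.10
529,Len,3,WORKGROUP-PC,192.0.2.10
627,Len,,HOMEPC,
528,SYSTEM,5,HOMEPC,
"""


def parse_records(text):
    """Parse the CSV export; event_id and logon_type become ints (logon_type None if blank)."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "event_id": int(row["event_id"]),
            "user": row["user"],
            "logon_type": int(row["logon_type"]) if row["logon_type"] else None,
            "workstation": row["workstation"],
            "source_ip": row["source_ip"],
        })
    return records


def is_remote(record, local_host):
    """True when a network-capable logon type came from a workstation other than this host.

    An ANONYMOUS LOGON of type 3 that names the local machine and carries no
    source address is the usual local SMB/RPC noise and is treated as local.
    """
    if record["logon_type"] not in REMOTE_LOGON_TYPES:
        return False
    return record["workstation"].upper() != local_host.upper() or bool(record["source_ip"])


def triage(text, local_host):
    """Bucket the export into bookkeeping, local activity, and remote successes/failures."""
    summary = {
        "bookkeeping": Counter(),       # 514/515 counts by name
        "local_logons": 0,              # 528/540 from the console, services, or this host
        "local_failures": 0,            # 529 raised locally (mistyped password at the console)
        "logoffs": 0,                   # 538
        "remote_failures": Counter(),   # (account, source) -> number of 529 events
        "remote_successes": Counter(),  # (account, source) -> number of 528/540 events
        "password_changes": Counter(),  # account -> number of 627/628 events
    }
    for r in parse_records(text):
        eid = r["event_id"]
        if eid in (514, 515):
            summary["bookkeeping"][EVENT_NAMES[eid]] += 1
        elif eid in (627, 628):
            summary["password_changes"][r["user"]] += 1
        elif eid == 538:
            summary["logoffs"] += 1
        elif eid in (528, 529, 540):
            source = r["source_ip"] or r["workstation"]
            remote = is_remote(r, local_host)
            if eid == 529:
                if remote:
                    summary["remote_failures"][(r["user"], source)] += 1
                else:
                    summary["local_failures"] += 1
            elif remote:
                summary["remote_successes"][(r["user"], source)] += 1
            else:
                summary["local_logons"] += 1
    return summary


def verdict(summary, failure_threshold=3):
    """Plain-language reading: which findings deserve a closer look, if any."""
    lines = []
    if summary["remote_successes"]:
        lines.append("remote successful logons present: review each account/source pair")
    for (account, source), n in summary["remote_failures"].items():
        if n >= failure_threshold:
            lines.append(f"{n} remote logon failures for {account!r} from {source}")
    if not lines:
        lines.append("only local logon activity and LSA bookkeeping events")
    return lines


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "HOMEPC")
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
    for line in verdict(result):
        print("->", line)
```

The design choice worth noting is the split on logon type plus workstation rather than on account name: the 514/515 records and a type-3 ANONYMOUS LOGON from the machine's own name are what Windows XP writes on every boot and every local file-share access, so counting them as "attempts" is what makes the Event Viewer look alarming. Repeated 529 failures whose workstation or source address is another host are the only records in the sample that point outside the machine.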


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:25 PM

Posted 01 August 2012 - 05:30 PM

Hi,

Do you know the active "Work account"? If so, the remaining unknown user-accounts you have listed are default accounts, present pretty much on all Windows XP machines. There's nothing to worry about on that end. Did you notice those logon/logoff attempts suddenly starting? Or did you just check the Event Viewer some day and realise there were many logon/logoff attempts?

Your logs, so far, look mostly clean. Nevertheless, we may be missing something, hence I would like you to run a scan with TDSSKiller:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

As well as a scan with aswMBR:
Please download aswMBR (511 KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Regards, myrti

Edited by myrti, 01 August 2012 - 06:31 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,768 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:25 PM

Posted 20 August 2012 - 04:40 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
