
Was my daughter's boyfriend doing something fishy?


17 replies to this topic

#1 george93

george93

  • Members
  • 10 posts

Posted 05 March 2015 - 03:19 PM

I'm a dad and I don't know anything about computers. My daughter just ended a relationship with a less than desirable man (we found out he was married) and noticed some strange things with her computer. I found a couple of "Warning logs"; could someone look at them and give me their opinion? I would appreciate it.

 

Log Name:      System
Source:        bowser
Date:          4/8/2014 2:45:26 PM
Event ID:      8003
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Julie-HP
Description:
The master browser has received a server announcement from the computer ERIC_LAPTOP that believes that it is the master browser for the domain on transport NetBT_Tcpip_{AAF29C78-4592-4FEE-B068-8E1D9D86E420}. The master browser is stopping or an election is being forced.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="bowser" />
    <EventID Qualifiers="49152">8003</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-04-08T18:45:26.846669300Z" />
    <EventRecordID>70231</EventRecordID>
    <Channel>System</Channel>
    <Computer>Julie-HP</Computer>
    <Security />
  </System>
  <EventData>
    <Data>\Device\LanmanDatagramReceiver</Data>
    <Data>ERIC_LAPTOP</Data>
    <Data>NetBT_Tcpip_{AAF29C78-4592-4FEE-B068-8E1D9D86E420}</Data>
    <Binary>000000000300320000000000431F00C0000000000000000000000000000000000000000000000000</Binary>
  </EventData>
</Event>

 

Here's another:

 

Log Name:      System
Source:        Microsoft-Windows-DNS-Client
Date:          11/9/2014 2:20:23 PM
Event ID:      1014
Task Category: None
Level:         Warning
Keywords:
User:          NETWORK SERVICE
Computer:      Julie
Description:
Name resolution for the name ERIC_LAPTOP.hsd1.mi.comcast.net timed out after none of the configured DNS servers responded.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>1014</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-09T19:20:23.939373000Z" />
    <EventRecordID>105989</EventRecordID>
    <Correlation />
    <Execution ProcessID="1528" ThreadID="2780" />
    <Channel>System</Channel>
    <Computer>Julie</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="QueryName">ERIC_LAPTOP.hsd1.mi.comcast.net</Data>
    <Data Name="AddressLength">16</Data>
    <Data Name="Address">0200003544574D820000000000000000</Data>
  </EventData>
</Event>

 

Also, we found out he had set himself up with Windows Credentials on her computer, unbeknownst to us. Why would he do that?

 

Thanks!

George




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 05 March 2015 - 03:23 PM

Hi george :)

Is the name of that computer ERIC_LAPTOP? Or do you have a computer/laptop in your house named ERIC_LAPTOP?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2015 - 03:24 PM

The boyfriend's computer was eric_laptop; my daughter's was Julie.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 05 March 2015 - 03:25 PM

Alright, it seems like your daughter's computer is attempting to connect to ERIC_LAPTOP's for some reason. He might have changed some settings, but I guess these can only affect a local connection (if he's on your network, LAN). If you think that he infected your daughter's laptop, you can request a check-up by a malware removal helper here on BleepingComputer. In order to do that, you have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section. You have to follow the instructions in the preparation guide prior to posting your thread, since it contains the steps to follow when posting it.



#5 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2015 - 03:28 PM

Could he have set her computer up to connect to his? There are other Error logs with volume errors, like he was downloading info from her computer. Does that sound logical to you?



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 05 March 2015 - 03:37 PM

It's possible, yes. If he installed what we call a RAT (Remote Administration Tool)-like malware on her computer, he can connect to it, download files remotely, execute processes remotely, etc. Hence why I suggest you get her computer checked here.



#7 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2015 - 03:39 PM

Can anyone tell me where I would find the settings he would have changed that would have made my daughter's computer try to connect to his computer?

 

I'm thinking he was after her financial information as a lot of it is stored on her computer and her credit card was compromised twice since she was with him.



#8 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2015 - 03:41 PM

I will get it checked, thank you!



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • Gender:Male

Posted 05 March 2015 - 03:43 PM

Once you have posted your thread in the malware removal section, you'll have to ask your helper all these questions. Good luck with the removal procedure, you are in good hands here! :)



#10 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 05 March 2015 - 03:51 PM

Thanks again.



#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 05 March 2015 - 06:31 PM

Are the 2 event logs that you posted from 2 different computers? Or the same?

Because in the first event, the computer is named Julie-HP, and in the second Julie.
Or was the computer name changed in between (both events are from last year and seven months apart)?

He created a user account for himself on Julie's laptop? With that he can log on to the computer, even if Julie changes her password without him knowing the new password.

Edited by Didier Stevens, 05 March 2015 - 06:56 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#12 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2015 - 03:19 AM

Same computer, not sure if she changed the name of her computer.

#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 06 March 2015 - 09:29 AM

Both event log entries are normal; they are not an indication that this person did something fishy on the machine.

 

As to the account creation, it can go both ways.

It can be to secure access, as I posted before, but it can also be that he wanted to use the machine without affecting your daughter's account (like favorites, browser history, recently used files, ...).




#14 george93

george93
  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2015 - 09:58 AM

He never used her computer, only his Mac. That's why we are suspicious. Why would he be transferring data from her machine to his? I don't agree that this is normal.

#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 06 March 2015 - 10:42 AM

He never used her computer, only his Mac. That's why we are suspicious. Why would he be transferring data from her machine to his? I don't agree that this is normal.

 

You did not post event log entries that show data transfer. Only event log entries that show that both computers were on the same network.

 

But we cannot tell you why he did this. We can only offer some guesses. If you want to know, you will have to confront him.


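As an added example (not part of the thread and not written by any of its posters), a small Python triage script for exported Event XML like the two records George posted: it parses each record, pulls out the remote host name the event mentions, decodes the DNS-Client 1014 "Address" field as a SOCKADDR to show which DNS server failed to answer, and states what the event does and does not show, which is Didier's point that both entries only prove the two computers shared a network. The two XML constants are reconstructed from the records quoted above; the verdict wording and the AF_INET/host-byte-order layout of the Address field are assumptions.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed from the two records quoted in the thread (whitespace trimmed).
BOWSER_8003 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="bowser"/><EventID Qualifiers="49152">8003</EventID>
<Computer>Julie-HP</Computer></System><EventData>
<Data>\\Device\\LanmanDatagramReceiver</Data><Data>ERIC_LAPTOP</Data>
<Data>NetBT_Tcpip_{AAF29C78-4592-4FEE-B068-8E1D9D86E420}</Data></EventData></Event>"""
DNS_1014 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-DNS-Client"/><EventID>1014</EventID>
<Computer>Julie</Computer></System><EventData>
<Data Name="QueryName">ERIC_LAPTOP.hsd1.mi.comcast.net</Data>
<Data Name="AddressLength">16</Data>
<Data Name="Address">0200003544574D820000000000000000</Data></EventData></Event>"""
# What these two common home-network events do and do not show (assumed wording).
VERDICTS = {
    ("bowser", 8003): "NetBIOS browser election noise: another host on the LAN "
                      "announced itself. Shows both PCs shared a network, not a transfer.",
    ("Microsoft-Windows-DNS-Client", 1014): "DNS lookup timed out because no DNS "
                      "server answered. Shows which name was looked up, not a transfer.",
}

def decode_sockaddr(hexstr):
    """Decode the 1014 'Address' field: SOCKADDR family (host order), port and IPv4 (network order)."""
    raw = bytes.fromhex(hexstr)
    if struct.unpack("<H", raw[:2])[0] != 2:      # 2 == AF_INET; anything else is not decoded here
        return None
    port = struct.unpack("!H", raw[2:4])[0]
    return ".".join(str(b) for b in raw[4:8]), port

def triage(xml_text):
    """Return provider, event id, logging computer, remote host named in the event, and a verdict."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    key = (sysn.find("e:Provider", NS).get("Name"), int(sysn.find("e:EventID", NS).text))
    fields = root.findall("e:EventData/e:Data", NS)
    # Older providers emit positional <Data>; newer ones name each field.
    data = {d.get("Name", str(i)): d.text for i, d in enumerate(fields)}
    out = {"provider": key[0], "event_id": key[1], "computer": sysn.find("e:Computer", NS).text,
           "verdict": VERDICTS.get(key, "Not a known benign event; review it with context")}
    if key == ("bowser", 8003):
        out["remote_host"] = data["1"]            # the announcing computer
    elif key == ("Microsoft-Windows-DNS-Client", 1014):
        out["remote_host"] = data["QueryName"].split(".")[0]
        out["dns_server"] = decode_sockaddr(data["Address"])   # the server that never replied
    return out
```

For the second record the Address field decodes to the ISP's DNS resolver on port 53, so the event records a failed lookup of the boyfriend's laptop name, not any file transfer.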




