I know this has been posted around the web as "normal" activity but I am definitely hacked.
I found the typical "Special Logons" with user ID 0x3e7 that most people insist are normal. What is different in my case is that when I look further back in the logs, I can see an attempt to find an account with a blank password, followed by an "enumeration" of security objects and eventually a change in security policy, a new account, and it goes on. I cannot post the logs at the moment, partially because I am not at my PC but more importantly because I seem to have angered it: it started deleting and adding firewall rules and a long list of other entries in the security log. This happened after I disabled some services like netlogon, secondary logon, RAS, and one called Te.Service that had no description.
So, last night I found a file called "root.reg" in a folder called "searches" and opened it in notepad++. At the top was a fair amount of Chinese characters that I'm assuming are comments followed by some code that makes use of MS Access's DDE capabilities (using /nostartup). Maybe it's not related but I thought it was a bad sign. There was also a bunch of C++ source code in that folder with names like root.h/.cpp, and many others.
So, I have no scheduled tasks, and I do not have anything set up to defragment my HD, at least not roughly hourly, which is how often these logons happen. I don't have anything that I can find that would cause a logon type of 5 with these nasty-looking log entries.
Sorry for the lack of logs. I really don't even want to turn it back on at this point and plan on replacing the HD in hopes of getting rid of this.
I have seen so many people being told not to worry but I really don't think this is the case here. Most of the threads I have seen just kind of die out with no resolution. I was hoping someone out there could provide some information on what this is.
Again, sorry if I sound biased or assuming the worst case but I do have reason to believe there is a problem.
Thank you for any suggestions you may have.
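A triage script for the kind of Security-log pattern described in the post, added here as an example; it is not the poster's code or logs, and the events in it are constructed to resemble the real Windows event IDs (4624 logon, 4672 special privileges assigned, 4625 failed logon, 4798/4799 local-group enumeration on Windows 10/Server 2016 and later, 4719 audit policy change, 4720 account created, 4946-4948 firewall rule changes). The point it shows is that a 4672 on its own says nothing: you have to join its SubjectLogonId to the 4624 with the same TargetLogonId to learn which account and logon type received the privileges. Logon ID 0x3e7 is the SYSTEM account's own session, and logon type 5 is a service start, so those are the entries people call normal; a 4672 tied to any other session is what deserves a closer look. The 30-minute window and field names for the constructed events are assumptions.

```python
"""Triage of Windows Security-log events of the kind described in the post.

The SAMPLE_EVENTS below are constructed for this example, not real logs. Each
dict mirrors the fields of the real event IDs it imitates.
"""
from datetime import datetime, timedelta

SYSTEM_LOGON_ID = 0x3E7   # LUID 999: the SYSTEM account's own logon session
SERVICE_LOGON_TYPE = 5    # logon type 5: a service started by the Service Control Manager

# Events that, in sequence after a failed logon, form the chain the post describes.
CHAIN_IDS = {
    4625: "failed logon",
    4798: "user's local group membership enumerated",
    4799: "security-enabled local group membership enumerated",
    4719: "system audit policy changed",
    4720: "user account created",
    4946: "firewall rule added",
    4947: "firewall rule modified",
    4948: "firewall rule deleted",
}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample log: two routine hourly SYSTEM special logons, then a
# failed logon followed by a network logon that gets privileges and changes things.
SAMPLE_EVENTS = [
    {"time": ts("2024-01-01 01:00:00"), "id": 4624, "TargetLogonId": 0x3E7, "TargetUserName": "SYSTEM", "LogonType": 5},
    {"time": ts("2024-01-01 01:00:00"), "id": 4672, "SubjectLogonId": 0x3E7, "SubjectUserName": "SYSTEM"},
    {"time": ts("2024-01-01 02:00:00"), "id": 4624, "TargetLogonId": 0x3E7, "TargetUserName": "SYSTEM", "LogonType": 5},
    {"time": ts("2024-01-01 02:00:00"), "id": 4672, "SubjectLogonId": 0x3E7, "SubjectUserName": "SYSTEM"},
    {"time": ts("2024-01-01 02:10:00"), "id": 4625, "TargetUserName": "Administrator", "Status": "0xC000006D"},
    {"time": ts("2024-01-01 02:10:05"), "id": 4624, "TargetLogonId": 0x5A3C1, "TargetUserName": "LocalAdmin", "LogonType": 3},
    {"time": ts("2024-01-01 02:10:05"), "id": 4672, "SubjectLogonId": 0x5A3C1, "SubjectUserName": "LocalAdmin"},
    {"time": ts("2024-01-01 02:11:00"), "id": 4799, "SubjectLogonId": 0x5A3C1, "TargetUserName": "Administrators"},
    {"time": ts("2024-01-01 02:12:00"), "id": 4719, "SubjectLogonId": 0x5A3C1},
    {"time": ts("2024-01-01 02:13:00"), "id": 4720, "SubjectLogonId": 0x5A3C1, "TargetUserName": "svc_helper"},
    {"time": ts("2024-01-01 02:14:00"), "id": 4946, "SubjectLogonId": 0x5A3C1, "RuleName": "Allow 4444"},
]


def index_logons(events):
    """Map each logon session ID from 4624 events to (account, logon type)."""
    return {ev["TargetLogonId"]: (ev["TargetUserName"], ev["LogonType"])
            for ev in events if ev["id"] == 4624}


def suspicious_special_logons(events):
    """Return 4672 events that are neither the SYSTEM session nor a service logon.

    A 4672 carries only a SubjectLogonId. Joining it to the 4624 whose
    TargetLogonId matches tells you which account and which logon type earned
    the privileges; that join is what separates the routine hourly SYSTEM
    entries from a real network or interactive logon with admin-level rights.
    Each result is (time, logon id as hex, account, logon type).
    """
    sessions = index_logons(events)
    flagged = []
    for ev in events:
        if ev["id"] != 4672 or ev["SubjectLogonId"] == SYSTEM_LOGON_ID:
            continue
        user, ltype = sessions.get(ev["SubjectLogonId"], ("<no matching 4624>", None))
        if ltype == SERVICE_LOGON_TYPE:
            continue
        flagged.append((ev["time"], hex(ev["SubjectLogonId"]), user, ltype))
    return flagged


def attack_chain(events, window=timedelta(minutes=30)):
    """List the chain event IDs, in time order, within `window` of the first 4625.

    An empty list means no failed logon started a chain. The 30-minute window
    is an assumption for this example.
    """
    ordered = sorted(events, key=lambda e: e["time"])
    first_fail = next((ev for ev in ordered if ev["id"] == 4625), None)
    if first_fail is None:
        return []
    end = first_fail["time"] + window
    return [ev["id"] for ev in ordered
            if ev["id"] in CHAIN_IDS and first_fail["time"] <= ev["time"] <= end]


if __name__ == "__main__":
    for t, lid, user, ltype in suspicious_special_logons(SAMPLE_EVENTS):
        print(f"{t} 4672 for logon {lid}: account={user} logon_type={ltype}")
    for eid in attack_chain(SAMPLE_EVENTS):
        print(f"chain: {eid} {CHAIN_IDS[eid]}")
```

On a real machine the events would come from `Get-WinEvent -LogName Security` in PowerShell (exported and mapped into the same field names) rather than the constructed list; the two functions then answer the two questions the post raises, namely which special logons belong to something other than SYSTEM or a service, and what followed the blank-password attempt.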