Register a free account to unlock additional features at BleepingComputer.com
Hacked using multiple methods Special Logons as a result


No replies to this topic

#1 Dave48

  • Members
  • 1 posts

Posted 10 October 2017 - 07:34 AM

I know this has been posted around the web as "normal" activity but I am definitely hacked.

 

I found the typical "Special Logons" with user ID 0x3e7 that most people insist are normal. What is different in my case is that when I look further back in the logs, I can see an attempt to find an account with a blank password followed by an "enumeration" of security objects and eventually a change in security policy, new account and it goes on. I cannot post the logs at the moment partially due to the fact that I am not at my PC but more importantly, I seem to have angered it and it started deleting and adding firewall rules and a long list of other entries in the security log. This happened after I disabled some services like netlogon, secondary logon, RAS, and one called Te.Service that had no description.

 

So, last night I found a file called "root.reg" in a folder called "searches" and opened it in notepad++. At the top was a fair amount of Chinese characters that I'm assuming are comments followed by some code that makes use of MS Access's DDE capabilities (using /nostartup). Maybe it's not related but I thought it was a bad sign. There was also a bunch of C++ source code in that folder with names like root.h/.cpp, and many others.

 

So, I have no scheduled tasks, I do not have anything set up to defragment my HD - at least not ~hourly as these logons happen. I don't have anything that I can find that would cause a logon type of 5 with these nasty looking log entries.

 

Sorry for the lack of logs. I really don't even want to turn it back on at this point and plan on replacing the HD in hopes of getting rid of this.

 

I have seen so many people being told not to worry but I really don't think this is the case here. Most of the threads I have seen just kind of die out with no resolution. I was hoping someone out there could provide some information on what this is.

 

Again, sorry if I sound biased or assuming the worst case but I do have reason to believe there is a problem.

 

Thank you for any suggestions you may have.
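As an added example for anyone triaging a thread like this (this is not part of Dave48's post and not something he ran), the PowerShell below pulls the "Special Logon" events from the Security log and separates the expected SYSTEM session (logon ID 0x3e7) from every other account that was granted sensitive privileges, then matches each of those to its logon event so you can see the logon type (the type 5 mentioned above is a service logon), the process that started the session, and the source address. Event IDs 4672 and 4624 are the standard Windows Security log IDs for those two records; the function names and the seven-day default window are my own choices. It has to run from an elevated session that can read the Security log.

```powershell
# Added example, not from the original post. Assumes a Windows host whose Security
# log is readable by the current (elevated) session, and the standard event IDs
# 4672 (Special privileges assigned to new logon, task category "Special Logon")
# and 4624 (An account was successfully logged on). Function names and the
# default 7-day window are my own choices.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> fields of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SpecialLogonTriage {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Index every successful logon (4624) by its session id so the 4672 records can be matched.
    $logons = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            $logons[$f.TargetLogonId] = [pscustomobject]@{
                LogonType = $f.LogonType      # 5 = service, 2 = interactive, 3 = network, 10 = RDP
                Process   = $f.ProcessName
                SourceIp  = $f.IpAddress
            }
        }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            $match = $logons[$f.SubjectLogonId]
            $type  = if ($match) { $match.LogonType } else { 'no 4624 in window' }
            $proc  = if ($match) { $match.Process }   else { '' }
            $src   = if ($match) { $match.SourceIp }  else { '' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                LogonId   = $f.SubjectLogonId
                # 0x3e7 is the well-known session id of the local SYSTEM account; services
                # and scheduled tasks running as SYSTEM produce these 4672 events constantly.
                IsSystem  = ($f.SubjectLogonId -eq '0x3e7')
                LogonType = $type
                Process   = $proc
                SourceIp  = $src
                Privs     = (($f.PrivilegeList -split '\s+') | Where-Object { $_ }) -join ','
            }
        }
}

# Usage: everything that is NOT the SYSTEM session is the short list worth reading closely.
$all = Get-SpecialLogonTriage
$all | Where-Object { -not $_.IsSystem } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, Process, SourceIp, Privs -AutoSize

# Per-account counts of SYSTEM vs non-SYSTEM special logons give a quick baseline
# for deciding whether the hourly pattern is just a service and what else is there.
$all | Group-Object IsSystem, Account | Select-Object Count, Name | Sort-Object Count -Descending
```

The point of the split is that a steady stream of 4672 events for 0x3e7 is what a healthy machine produces (every service start as SYSTEM logs one, which is why those threads "die out"), so the question is never whether they exist but whether any other account, or any unexpected process or remote source, appears in the non-SYSTEM list. Because the query runs against the live log, the output is only as trustworthy as the box; if you suspect the logs have been tampered with, export the .evtx files and run the same function on a clean machine with `Get-WinEvent -Path`.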


