Questions About Different Warnings And Errors In Event Viewer


12 replies to this topic

#1 bloomcounty

bloomcounty

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 20 June 2007 - 09:55 AM

I was checking my Event Viewer Log for something unrelated, and I noticed some odd things that I was hoping you all could help me with:

1. Event Viewer > System
When I boot into safe mode, it seems I get a series of 11 Errors in the System Event Viewer:
2 DCOM (10005) - USER: 1 SYSTEM, 1 LOGON NAME
5 Service Control Manager (7001) - USER: N/A
1 Service Control Manager (7026) - USER: N/A
3 DCOM (10005) - USER: ALL 3 LOGON NAME

Is this normal for when you start in safe mode?

(I didn't write down each individual entry and its description, but I can if needed. Also, I've got a .jpg of the log that shows all these in a row if you need it...)

2. Event Viewer > System
Back on 5/13, I saw one of these:
Source: Tcpip
Type: Warning
Event: 4226
User: N/A
"TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

9 minutes prior it shows I had "successfully established a connection to mindspring using the device COM4" (Source: Remote Access Event 20158)

9 minutes after it shows the "connection to mindspring made by user <my email address> using device COM4 was disconnected" (Source: Remote Access; Event: 20159)

When I looked this up, it said something about it being a sign you might be compromised to spyware (?), but I didn't get what it was saying. Is this something to worry about? This was the only one of these I saw...

3. Event Viewer > Application
Source: Userenv
User: System
Event ID: 1517
"Windows saved user <Computer Name>\<Logon Name> registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

"This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account."

I've got a TON of these entries...

4. Event Viewer > Security
Source: Security
Category: Policy Change
Event ID: 615
"IPSec Services:
IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem."

I also get a TON of these entries...

---------------------

I did go to the MS link provided in the Properties box for each and looked up the Event ID #, but none of it really meant anything to me...

Any thoughts on any of this? Thanks, as always! :thumbsup:
My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010



#2 bloomcounty

bloomcounty
  • Topic Starter

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 20 June 2007 - 12:58 PM

Just wanted to add two more that I noticed that may be related:

5. Source: Security
Type: Failure Audit
Category: Logon/Logoff
Event ID: 529
User: NT Authority/System
Logon Failure:
Reason: Unknown user name or bad password
User Name: <user logon>
Domain: <computer name>
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: <computer name>

6. Source: Security
Type: Failure Audit
Category: Logon/Logoff
Event ID: 680
User: NT Authority/System
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <my user logon>
Source Workstation: <computer name>
Error Code: 0xC000006A

I get these fairly often. I got one an hour between 7am and 10am this morning -- so that's four right there. These two events are always right next to each other. However, I *did not* mistype my password or logon name at all this morning at any time. So what would trigger this?

Could someone be trying to logon to my computer? Wouldn't that be hard to do if I only have dial-up? (And the thing is, I don't think I was actually connected to the internet during all those times, as I was doing a disc scan and defrag this morning -- so could that mean there's something on my computer that's trying to figure out my password? But if that was the case, wouldn't it be happening A LOT more than that?)

Any help is appreciated -- thanks!

Edited by bloomcounty, 20 June 2007 - 01:12 PM.


#3 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:10 AM

Posted 21 June 2007 - 05:59 AM

In general the error messages seem to be concerned with security errors AND connections to your system. BUT, the time sequence of these errors is important also. If they're all close together and recent it's more significant than if they're spread over a long time period - also of importance is if they're related to each other or not. Since this could be the result of malware, I'd suggest that the first step is to double check your system with these 2 free, online scans:

http://safety.live.com
http://housecall.trendmicro.com
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#4 bloomcounty

bloomcounty
  • Topic Starter

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 21 June 2007 - 11:33 AM

> In general the error messages seem to be concerned with security errors AND connections to your system. BUT, the time sequence of these errors is important also. If they're all close together and recent it's more significant than if they're spread over a long time period - also of importance is if they're related to each other or not.


1.
When I'm back home, I'm going to check the time/dates of all those things and post them for you. Once I do that, will you take a look and reassess? (I'd like to do that before attempting any on-line scans, if that's okay.)

2a. But concerning those on-line scans (as I've avoided those up until now), I would need to do both of those through IE, right?

2b. And have to set my Internet Security to Medium while I was at those sites doing the scans?

2c. My biggest concern with those is that they put something on your computer that you can't remove, or they take some identifiable info or create a list of what's on your computer, etc. -- any kind of privacy invasion, you know?

Any thoughts/info in regards to all that?

Thanks for the help! Looking forward to hearing back! :thumbsup:

#5 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:10 AM

Posted 21 June 2007 - 08:07 PM

1) What you do is up to you. Yes, once I've got a time frame for the errors I'll have to reassess your situation to try and figure out what's pertinent and what's not. For example, the May 13 TCP/IP error can be caused by a lot of stuff - it could be a download that was trying to get too much bandwidth, it could be that too many programs started their requests at the same time, it could be network congestion, it could be malware. If this error happens a lot, then there can be a problem - but if it's only a one-time or infrequent thing, then there's likely nothing to worry about.

2a) The http://safety.live.com/ will require IE, the http://housecall.trendmicro.com/ works with Firefox also (I haven't tried any other browsers nor have I read the instructions).

2b) Never had to reset my Security settings from the default, so I don't suggest that you mess with it. Messing with the security settings (without good, detailed documentation of what you've done) is asking for connectivity problems. The impact of a change is far greater than you might expect (for example, I blocked cookies from MSN once upon a time. A couple of weeks later I couldn't check my Hotmail on the web - and it took forever to figure out that it was the cookie blocker that was doing it).

3) These are reputable companies that provide this service for free. You can research them if you'd like (Microsoft and TrendMicro). I'd also suggest reading the EULA on their sites as it pertains to the free online scans. The purpose of the online scans is to determine if your system's protection has been compromised. This is done by using a reputable, reliable other source to "double check" your system (the links that I gave).

But, as I read more and more about your concerns, I've become concerned that this may be an issue of too much security. Too much security can cripple your system just as surely as too little. The security apps can not only eat up your resources, but they can conflict with each other and cause severe problems with your system.

#6 bloomcounty

bloomcounty
  • Topic Starter

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 22 June 2007 - 10:22 AM

> 2a) The http://safety.live.com/ will require IE, the http://housecall.trendmicro.com/ works with Firefox also (I haven't tried any other browsers nor have I read the instructions).


It actually didn't list Firefox 2.0.0.4, only Firefox 1.x (which I thought was weird), so that's why I asked about that...

> 2b) Never had to reset my Security settings from the default, so I don't suggest that you mess with it. Messing with the security settings (without good, detailed documentation of what you've done) is asking for connectivity problems. The impact of a change is far greater than you might expect (for example, I blocked cookies from MSN once upon a time. A couple of weeks later I couldn't check my Hotmail on the web - and it took forever to figure out that it was the cookie blocker that was doing it).


Hmmm... Well, I don't use IE (except for Windows Updates), so I have all cookies blocked in IE, along with in IE, I have the Internet Zone set to HIGH, Local Intranet Zone set to HIGH (I'm not on a network -- I have a laptop with dial-up, that's it), Trusted Sites set to MEDIUM (with only the three Windows Updates URL's that the site says you need to add to use Windows Update), and Restricted Sites set to CUSTOM (with everything set to deny/prompt, etc. -- that's the default anyways). In Firefox, I also have cookies turned off, but allow certain sites to set cookies for the session (like this site!).

Under my dial-up and 1394 Connection in Network Connections, I've got "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" both UNCHECKED -- as I read that was the safest thing to do there.

> But, as I read more and more about your concerns, I've become concerned that this may be an issue of too much security. Too much security can cripple your system just as surely as too little. The security apps can not only eat up your resources, but they can conflict with each other and cause severe problems with your system.


I use AVG Free and ZA Free -- nothing else is running that I know of. I use Ad-Aware SE Free and SpyBot and AVG Root-kit Free as scans. I think that's it.

BUT, if there's anything you want me to check to see if I've got too much security going, especially with certain settings, please let me know and I'll check anything you want me to! :flowers:

I think I'll hold off on any on-line scans for now -- until we determine if anything bad is going on...

Thanks for helping! Let me know your thoughts on any of that and I'll be back later today with the logs/info for the Event Viewer stuff. :thumbsup:

#7 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,577 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:07:10 AM

Posted 22 June 2007 - 11:14 AM

1. In safe mode without internet connection service won't run. Totally normal.
2. Same thing.
3. Yeah, happens all the time. One or more services (usually firewall) is holding on till the bitter end. So Windows will cleanup on next boot.
4. No idea.
5 & 6. If I recall correctly, I have these two all the time I boot the computer. I think on this forum long ago someone helped me decide it was no problem.

The policy change things might be, but I'm guessing, related to both the firewall and AV. They might be hooking into the system early enough that windows sees it as a policy change. I always have 'em and nothing bad going on. Which is not to guarantee that your computer's ok, considering dial-up and no router, but chances are you're ok. If you don't want on-line scanners, most of which are a PITA to setup, download a-squared, update, run on demand.

Edited by tos226, 22 June 2007 - 11:15 AM.


#8 bloomcounty

bloomcounty
  • Topic Starter

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 22 June 2007 - 12:48 PM

> 1. In safe mode without internet connection service won't run. Totally normal.
> 2. Same thing.
> 3. Yeah, happens all the time. One or more services (usually firewall) is holding on till the bitter end. So Windows will cleanup on next boot.
> 4. No idea.
> 5 & 6. If I recall correctly, I have these two all the time I boot the computer. I think on this forum long ago someone helped me decide it was no problem.
>
> The policy change things might be, but I'm guessing, related to both the firewall and AV. They might be hooking into the system early enough that windows sees it as a policy change. I always have 'em and nothing bad going on. Which is not to guarantee that your computer's ok, considering dial-up and no router, but chances are you're ok. If you don't want on-line scanners, most of which are a PITA to setup, download a-squared, update, run on demand.


So with #2, that didn't have anything to do with starting in safe mode... Just wanted to make sure that was clear. Are you just saying that one instance of what I show for #2 in Post #1 is normal?

For #4, are you saying that you have that entry all the time too, but just don't know what it means? You said "no idea", but then you started talking about the "policy change" (which I think you're referring to #4?) and you said that you always have them.

Let me know... Thanks!

(And more info is still coming...)

#9 bloomcounty

bloomcounty
  • Topic Starter

  • Members
  • 672 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 22 June 2007 - 01:54 PM

Okey-doke... Using the Numbering I used for each thing in Posts #1 and #2, here's some more info, as promised:

#1 seems solved by tos226, unless you think there's something security-wise going on, usasma?

#2, which is the May 13 TCP/IP error, this only happened once in my log (which goes back to 5/9/07). So nothing to worry about? Or could spyware have got on my computer in that one instance?

#3 -- Here's the instances of this one:

Log goes back to 4/17 -- First one is on 4/24, then 5/9, 5/10, 5/12, 5/14, 5/20, 5/24, 5/27 (2 times, around 9AM, the other around noon), 5/29, 6/1, 6/2, 6/9, 6/13, 6/15, 6/16, 6/17, 6/18, 6/19 (2 times), 6/20 (that's the last one so far). There's nothing time-wise near any of them that could be related.

tos226 seems to think it's normal for the reasons he described (which makes sense). But if that was the case, wouldn't it be happening every time I shutdown or something? As you can see, it's not happening every day... Thoughts?

Skipping #4 for the moment...

#5 & #6 -- I get them the same way tos226 describes (mostly), every time I boot the computer. So I'm guessing this is normal...? If so, any idea why it does this?

But keep those in mind as we go to #4...

I do notice that #4 happens "on its own" sometimes (as you'll see), but it also happens EVERY TIME I disconnect from the internet and reconnect while keeping my computer on. So if I start up my computer and dial-up -- it will not show up for that instance of dial-up connection. HOWEVER, if I disconnect from the internet and dial-up again WITHOUT rebooting (just keeping my computer on), then one of these #4 entries will show up. And it will do that each time I disconnect from the internet and reconnect WHILE MY COMPUTER STAYS ON.

So that would explain a number of them (probably the ones that are right in a row, as I often disconnect and reconnect throughout the day).

But IS THAT NORMAL? And WHY does it happen?

Here's the log for when I just shutdown and booted up my computer a few minutes ago -- this will include the stuff for #4, 5, and 6.

I will type notes in ALL CAPS BOLD throughout:

Type Date Time Source Category Event User Computer
Failure Audit 6/22/2007 11:02:14 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
THIS ONE ABOVE SHOWED UP WHEN I DISCONNECTED FROM THE INTERNET THEN DIALED-UP AGAIN
Success Audit 6/22/2007 10:57:23 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:23 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:20 AM Security Privilege Use 576 Logon Name COMP.NAME
Success Audit 6/22/2007 10:57:20 AM Security Logon/Logoff 528 Logon Name COMP.NAME
Success Audit 6/22/2007 10:57:20 AM Security Account Logon 680 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:14 AM Security Logon/Logoff 529 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:14 AM Security Account Logon 680 SYSTEM COMP.NAME
THESE TWO ABOVE ARE THE ONES THAT I BELIEVE SHOW UP ALL THE TIME, EACH TIME I REBOOT MY COMPUTER AND LOGON
Failure Audit 6/22/2007 10:57:07 AM Security Logon/Logoff 529 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:07 AM Security Account Logon 680 SYSTEM COMP.NAME
THESE TWO ABOVE ARE BECAUSE THIS TIME I ACTUALLY TYPED MY PASSWORD WRONG (ON PURPOSE, TO TEST) -- SO NORMALLY I ONLY HAVE THE TWO OF THESE WHEN I BOOT UP, NOT FOUR ENTRIES
Success Audit 6/22/2007 10:57:01 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:01 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:00 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:00 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:15 AM Security Policy Change 848 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:14 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:14 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:14 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:13 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:13 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:13 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:13 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Failure Audit 6/22/2007 10:56:13 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
SO THIS ONE HAPPENED SOMETIME DURING BOOT UP -- SEEMS TO ALWAYS SHOW UP LIKE THIS
Success Audit 6/22/2007 10:56:13 AM Security Logon/Logoff 540 ANONYMOUS LOGON COMP.NAME
NOT SURE WHAT THIS ANONYMOUS LOGON THING IS, BUT IT'S ALWAYS PART OF THIS LIST LIKE THIS WHEN BOOTING UP
Success Audit 6/22/2007 10:56:12 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:12 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:12 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:12 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:12 AM Security Policy Change 806 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:09 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 518 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:56:06 AM Security System Event 514 SYSTEM COMP.NAME


Here's the rest of the log for this morning for when I first booted up:

Success Audit 6/22/2007 10:50:13 AM Security System Event 513 SYSTEM COMP.NAME
Success Audit 6/22/2007 10:50:01 AM Security Logon/Logoff 551 Logon Name COMP.NAME
Failure Audit 6/22/2007 10:49:53 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Failure Audit 6/22/2007 10:49:06 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Failure Audit 6/22/2007 10:41:45 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Failure Audit 6/22/2007 10:36:02 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Failure Audit 6/22/2007 8:56:50 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
NOT SURE WHAT ALL THESE ARE, BUT I SUSPECT THEY'RE FROM DISCONNECTING AND RECONNECTING
Success Audit 6/22/2007 7:04:39 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:39 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:38 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:38 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:18 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:18 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:04:14 AM Security Privilege Use 576 Logon Name COMP.NAME
Success Audit 6/22/2007 7:04:14 AM Security Logon/Logoff 528 Logon Name COMP.NAME
Success Audit 6/22/2007 7:04:14 AM Security Account Logon 680 SYSTEM COMP.NAME
Failure Audit 6/22/2007 7:04:11 AM Security Logon/Logoff 529 SYSTEM COMP.NAME
Failure Audit 6/22/2007 7:04:11 AM Security Account Logon 680 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 850 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 849 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:53 AM Security Policy Change 848 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:52 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:52 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:52 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:51 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:51 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:51 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:51 AM Security System Event 515 SYSTEM COMP.NAME
Failure Audit 6/22/2007 7:03:51 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:51 AM Security Logon/Logoff 540 ANONYMOUS LOGON COMP.NAME
Success Audit 6/22/2007 7:03:50 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:50 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:50 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:50 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:49 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:48 AM Security Policy Change 806 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Privilege Use 576 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Logon/Logoff 528 LOCAL SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Privilege Use 576 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security Logon/Logoff 528 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 518 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 515 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME


So, concerning #4 -- If everything else checks out, the big question is whether or not it should be showing up as a Failure Audit or whatever when I disconnect from the internet and then reconnect without rebooting...? And if it's not supposed to be doing that, is there some setting or something I need to change? Or is it a sign of some kind of security or other problem/issue?

Looking forward to hearing back -- thanks! :thumbsup:
My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010
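
The time-sequence check usasma describes in post #3, applied to rows in the column layout pasted in post #9. This is an added example, not code from anyone in the thread; the function names, the window lengths, and the list of built-in account names are assumptions chosen for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# A few rows in the layout from post #9 (newest first), plus one free-text
# note line like the poster's annotations; used here as sample input.
SAMPLE = """\
Failure Audit 6/22/2007 11:02:14 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 10:57:20 AM Security Logon/Logoff 528 Logon Name COMP.NAME
Success Audit 6/22/2007 10:57:20 AM Security Account Logon 680 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:14 AM Security Logon/Logoff 529 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:14 AM Security Account Logon 680 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:07 AM Security Logon/Logoff 529 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:57:07 AM Security Account Logon 680 SYSTEM COMP.NAME
Failure Audit 6/22/2007 10:56:13 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
THIS LINE IS A NOTE, NOT AN EVENT ROW
Failure Audit 6/22/2007 8:56:50 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
"""

# Columns: type, date/time, source, category (may contain a space),
# event ID, user (may contain a space), computer.
ROW = re.compile(
    r"^(Success|Failure) Audit (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) "
    r"(\S+) (.+?) (\d+) (.+) (\S+)$"
)

# Built-in accounts seen in the pasted log; any other user is treated as an
# interactive account (assumption for this example).
SERVICE_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}

Event = namedtuple("Event", "success when source category event_id user computer")


def parse_rows(text):
    """Return events oldest-first; lines that are not event rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # annotation or blank line
        kind, ts, source, category, eid, user, computer = m.groups()
        when = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
        events.append(
            Event(kind == "Success", when, source, category, int(eid), user, computer)
        )
    return sorted(events, key=lambda e: e.when)


def failure_bursts(events, event_id, window, min_count=2):
    """Group Failure Audits of one event ID into runs whose consecutive
    entries are at most `window` apart. Returns (first, last, count) tuples
    for runs with at least `min_count` entries."""
    times = [e.when for e in events if not e.success and e.event_id == event_id]
    bursts, run = [], []
    for t in times:
        if run and t - run[-1] > window:
            if len(run) >= min_count:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= min_count:
        bursts.append((run[0], run[-1], len(run)))
    return bursts


def failures_followed_by_logon(events, within):
    """For each 529 logon failure, report whether a 528 success for a
    non-service user follows no later than `within` afterwards."""
    results = []
    for f in events:
        if f.success or f.event_id != 529:
            continue
        followed = any(
            e.success
            and e.event_id == 528
            and e.user not in SERVICE_USERS
            and timedelta(0) <= e.when - f.when <= within
            for e in events
        )
        results.append((f.when, followed))
    return results


if __name__ == "__main__":
    events = parse_rows(SAMPLE)
    for first, last, n in failure_bursts(events, 529, timedelta(seconds=60)):
        print(f"529 x{n} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for first, last, n in failure_bursts(events, 615, timedelta(minutes=10)):
        print(f"615 x{n} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for when, ok in failures_followed_by_logon(events, timedelta(seconds=30)):
        print(f"529 at {when:%H:%M:%S}: interactive logon within 30s = {ok}")
```

Run over a full export, the burst list and the followed-by-logon flags give the "close together or spread out" and "related to each other or not" view that post #3 asks for.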

#10 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:10 AM

Posted 24 June 2007 - 06:50 AM

A failure in the security audit means that an audited event failed - this includes both malware and legitimate events. Since it happens primarily at logon, I'd investigate those entries further.

The gist of this is - there are several things that are messed up about the security on your system. With all of the customized settings it's very difficult to tell what they are. Since you don't want to do an online scan to ensure that you're clean, I don't know what else to suggest. I won't attempt to fix an OS (and in particular security problems in OS's) until the system has been verified to be clean - anything else is an exercise in futility and could result in even easier access for malware.
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#11 bloomcounty


Posted 24 June 2007 - 09:23 AM

"A failure in the security audit means that an audited event failed - this includes both malware and legitimate events. Since it happens primarily at logon, I'd investigate those entries further."


Well, it happens once on logon, then it happens every time I disconnect and reconnect to the internet (upon reconnecting -- via dial-up). So which entries exactly do you want me to investigate further? And how so?

"The gist of this is - there are several things that are messed up about the security on your system. With all of the customized settings it's very difficult to tell what they are. Since you don't want to do an online scan to ensure that you're clean, I don't know what else to suggest. I won't attempt to fix an OS (and in particular security problems in OS's) until the system has been verified to be clean - anything else is an exercise in futility and could result in even easier access for malware."


What are the "several things that are messed up about the security" on my system?

And what "customized settings" are you referring to? I don't really have any involved customized settings. My higher security internet settings for IE (which I *don't* use, except for Windows Updates) are fairly standard. I'm not aware of any other customized settings. So I'm not sure what you're referring to here...

Re: On-line scans
So that's my *only* option here...? tos226 admits they're a pain to do, and I don't think it's too crazy to not like the idea of letting some website scan my computer. Plus, having only dial-up, depending on the intensity of the scan, I may have to be on-line and let it scan for hours (and that's not really an option).

I have/use Ad-Aware SE Free and Spybot -- both of which I ran in safe mode. I also have AVG Free, and run the anti-virus scan in normal mode regularly. I also run AVG Rootkit scanner Free regularly. Nothing has ever come up with any of these. I know there is an AVG Free anti-spyware scanner, and have been considering installing that (but am fearful of conflicts or further problems, which installing more new stuff tends to lead to).

I hope you will be able to answer my questions here and continue to help me out. Thanks!

#12 bloomcounty


Posted 24 June 2007 - 10:41 PM

usasma -- I hope to still hear your response to my previous post, but just to let you know, I've been told elsewhere that all those things I listed are normal. Even the 615 IPSec Services one. And Grinler found this quote:

7. No comment on that. I honestly do not know the answer on the stuff in that topic. From the other event, I found this:

IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem. This message replaces the several IP Helper API messages that were used in Windows 2000. This is a benign error if it occurs when interfaces are added and removed or when connection states change, such as when a wireless network is no longer in range. It is also benign when it occurs during resumption from standby or hibernate modes and a different network interface configuration exists that is being detected during the resumption.


The part about "when connection state changes" sounds like when I disconnect and get that message, you know?

See what you think. And please let me know what you're specifically talking about concerning my "customized settings" and "messed up security" on my laptop, as I'm not sure what those opinions are based on.

Thanks.

Edited by bloomcounty, 24 June 2007 - 10:41 PM.

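The event description quoted in the post above calls event 615 benign when it coincides with a connection state change. As an added example (not code from any poster in this thread), this Python script parses exported Event Viewer rows and splits 615 failure audits by whether a Remote Access 20158/20159 event falls close by; the sample rows, the 60-second window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows, laid out like the exported lines quoted in this
# thread: type, date, time, source and category, event ID, user, computer.
SAMPLE = """\
Information 6/22/2007 7:01:10 AM Remote Access None 20158 N/A COMP.NAME
Failure Audit 6/22/2007 7:01:12 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Success Audit 6/22/2007 7:03:44 AM Security System Event 514 SYSTEM COMP.NAME
Information 6/22/2007 7:40:02 AM Remote Access None 20159 N/A COMP.NAME
Failure Audit 6/22/2007 7:40:05 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
Failure Audit 6/22/2007 9:15:30 AM Security Policy Change 615 NETWORK SERVICE COMP.NAME
"""

ROW = re.compile(
    r"^(?P<type>Success Audit|Failure Audit|Information|Warning|Error)\s+"
    r"(?P<when>\d+/\d+/\d+\s+\d+:\d+:\d+ [AP]M)\s+"
    r"(?P<origin>.+?)\s+(?P<event>\d+)\s+(?P<user>.+)\s+(?P<computer>\S+)$")

# Dial-up connect / disconnect events mentioned in the first post.
STATE_CHANGE_IDS = {20158, 20159}

def parse(text):
    """Turn exported rows into dicts; rows that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["when"].split())
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        events.append({"type": m["type"], "when": when,
                       "origin": m["origin"], "event": int(m["event"])})
    return events

def triage_615(events, window=timedelta(seconds=60)):
    """Split 615 failure audits by proximity to a state change (window is an assumption)."""
    changes = [e["when"] for e in events if e["event"] in STATE_CHANGE_IDS]
    explained, unexplained = [], []
    for e in events:
        if e["event"] != 615 or e["type"] != "Failure Audit":
            continue
        near = any(abs(e["when"] - c) <= window for c in changes)
        (explained if near else unexplained).append(e["when"])
    return explained, unexplained

if __name__ == "__main__":
    ok, review = triage_615(parse(SAMPLE))
    print("near a connect/disconnect:", ok, "| no state change nearby:", review)
```

A 615 entry that lands in the second list has no dial-up connect or disconnect next to it, so it is the one worth opening in Event Viewer and reading in full.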

#13 NEsince92


Posted 24 June 2007 - 10:45 PM

Didn't read the whole thread, but I just wanted to introduce you all to eventid.net. It's a great resource for finding out what these events in the event viewer mean.

HTH



