# Solved: Suspicious logon/logoff entries in event viewer



## Laura.B

Hi there, 
I have dozens of logon/logoff entries in my event viewer when I turn on my PC, most of which are supposedly done by NT AUTHORITY or NETWORK SERVICE. What's also weird is that I get some failed logon attempts as well. This happens every time. I should say that I do suspect someone on the same network (I am one of two clients hooked up to a router+modem that connects to the internet) of malicious activity. But I don't know if this is related. I have turned on logon/logoff auditing. The following is what I see upon waking up my PC from standby. You can see my actual logon occurring a few seconds after all the 'network services' have logged on.



> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 538	YOUR-699C5579F9\Laura	YOUR-699C5579F9	"User Logoff:
> User Name:	Laura
> Domain: YOUR-699C5579F9
> Logon ID: (0x0,0x56CA957)
> Logon Type:	7
> "
> 4/12/2008	11:38:20 PM	Security	Success Audit	Privilege Use 576	YOUR-699C5579F9\Laura	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x56CA957)
> Privileges: SeChangeNotifyPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeDebugPrivilege"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 528	YOUR-699C5579F9\Laura	YOUR-699C5579F9	"Successful Logon:
> User Name:	Laura
> Domain: YOUR-699C5579F9
> Logon ID: (0x0,0x56CA957)
> Logon Type:	7
> Logon Process:	User32
> Authentication Package:	Negotiate
> Workstation Name:	YOUR-699C5579F9
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Account Logon 680	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Laura
> Source Workstation: YOUR-699C5579F9
> Error Code: 0x0
> 
> 4/12/2008	11:38:20 PM	Security	Success Audit	Privilege Use 576	YOUR-699C5579F9\Laura	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x56C7CA2)
> Privileges: SeChangeNotifyPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeDebugPrivilege"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 528	YOUR-699C5579F9\Laura	YOUR-699C5579F9	"Successful Logon:
> User Name:	Laura
> Domain: YOUR-699C5579F9
> Logon ID: (0x0,0x56C7CA2)
> Logon Type:	2
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:	YOUR-699C5579F9
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Account Logon 680	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Laura
> Source Workstation: YOUR-699C5579F9
> Error Code: 0x0
> 
> 4/12/2008	11:38:20 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:20 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:19 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:16 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"
> 4/12/2008	11:38:16 PM	Security	Failure Audit	Logon/Logoff 529	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	"Logon Failure:
> Reason: Unknown user name or bad password
> User Name:	Laura
> Domain: YOUR-699C5579F9
> Logon Type:	2
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:	YOUR-699C5579F9"
> 4/12/2008	11:38:16 PM	Security	Failure Audit	Account Logon 680	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Laura
> Source Workstation: YOUR-699C5579F9
> Error Code: 0xC000006A
> 
> 4/12/2008	11:38:15 PM	Security	Failure Audit	Logon/Logoff 529	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	"Logon Failure:
> Reason: Unknown user name or bad password
> User Name:	Laura
> Domain: YOUR-699C5579F9
> Logon Type:	2
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:	YOUR-699C5579F9"
> 4/12/2008	11:38:15 PM	Security	Failure Audit	Account Logon 680	NT AUTHORITY\SYSTEM	YOUR-699C5579F9	Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: Laura
> Source Workstation: YOUR-699C5579F9
> Error Code: 0xC000006A
> 
> 4/12/2008	11:38:15 PM	Security	Failure Audit	Policy Change 615	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.
> 
> "
> 4/12/2008	11:38:14 PM	Security	Success Audit	Privilege Use 576	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Special privileges assigned to new logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Privileges: SeAuditPrivilege
> SeAssignPrimaryTokenPrivilege
> SeChangeNotifyPrivilege"
> 4/12/2008	11:38:14 PM	Security	Success Audit	Logon/Logoff 528	NT AUTHORITY\NETWORK SERVICE	YOUR-699C5579F9	"Successful Logon:
> User Name:	NETWORK SERVICE
> Domain: NT AUTHORITY
> Logon ID: (0x0,0x3E4)
> Logon Type:	5
> Logon Process:	Advapi
> Authentication Package:	Negotiate
> Workstation Name:
> Logon GUID:	{00000000-0000-0000-0000-000000000000}"


Sorry about that but yes, _that many_ entries on logon. As a side question, what's the surest method of preventing any sort of remote logins or remote control of a PC (i.e. in terms of disabling services, firewall options etc.)?


----------
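As an added example (not part of the original thread), this Python sketch parses a text export in the layout quoted in the post above and separates routine service logons from failed attempts by Logon Type and originating workstation. The sample records, the names EXAMPLE-PC, OTHER-PC, alice and administrator, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Logon Type values used in Windows logon events (528/529).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive",
               11: "CachedInteractive"}
REMOTE_TYPES = {"Network", "NetworkCleartext", "RemoteInteractive"}
# NTSTATUS codes that appear in the "Error Code" field of event 680.
STATUS = {"0xc000006a": "wrong password for an existing account",
          "0xc0000064": "account name does not exist"}

# First line of a record: date, time, source, audit result, category, event ID,
# then tab-separated account, computer and description.
HEADER = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Security\s+(?P<result>Success|Failure) Audit\s+"
    r"(?P<category>[A-Za-z/ ]+?)\s+(?P<event_id>\d{3})\t(?P<rest>.*)$")
# Following lines: "Key: value", optionally ending with the closing quote.
FIELD = re.compile(r'^(?P<key>[A-Za-z ]+):\s*(?P<val>.*?)"?\s*$')

# Constructed sample in the same layout as the export in the post (newest first).
SAMPLE = """\
4/12/2008\t11:38:20 PM\tSecurity\tSuccess Audit\tLogon/Logoff 528\tEXAMPLE-PC\\alice\tEXAMPLE-PC\t"Successful Logon:
User Name:\talice
Logon Type:\t7
Workstation Name:\tEXAMPLE-PC"
4/12/2008\t11:38:19 PM\tSecurity\tSuccess Audit\tLogon/Logoff 528\tNT AUTHORITY\\NETWORK SERVICE\tEXAMPLE-PC\t"Successful Logon:
User Name:\tNETWORK SERVICE
Logon Type:\t5
Workstation Name:\t"
4/12/2008\t11:38:19 PM\tSecurity\tSuccess Audit\tLogon/Logoff 528\tNT AUTHORITY\\NETWORK SERVICE\tEXAMPLE-PC\t"Successful Logon:
User Name:\tNETWORK SERVICE
Logon Type:\t5
Workstation Name:\t"
4/12/2008\t11:38:16 PM\tSecurity\tFailure Audit\tLogon/Logoff 529\tNT AUTHORITY\\SYSTEM\tEXAMPLE-PC\t"Logon Failure:
Reason: Unknown user name or bad password
User Name:\talice
Logon Type:\t2
Workstation Name:\tEXAMPLE-PC"
4/12/2008\t11:38:16 PM\tSecurity\tFailure Audit\tAccount Logon 680\tNT AUTHORITY\\SYSTEM\tEXAMPLE-PC\tLogon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: alice
Source Workstation: EXAMPLE-PC
Error Code: 0xC000006A
4/12/2008\t11:30:02 PM\tSecurity\tFailure Audit\tLogon/Logoff 529\tNT AUTHORITY\\SYSTEM\tEXAMPLE-PC\t"Logon Failure:
Reason: Unknown user name or bad password
User Name:\tadministrator
Logon Type:\t3
Workstation Name:\tOTHER-PC"
"""

def parse_events(text):
    """Split the export into records with their 'Key: value' fields."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate forum quote markers
        m = HEADER.match(line)
        if m:
            account, computer = (m["rest"].split("\t") + ["", ""])[:2]
            current = {"when": f'{m["date"]} {m["time"]}', "result": m["result"],
                       "event_id": int(m["event_id"]), "account": account,
                       "computer": computer, "fields": {}}
            events.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current["fields"].setdefault(f["key"].strip(), f["val"].strip())
    return events

def logon_type(event):
    raw = event["fields"].get("Logon Type", "")
    return LOGON_TYPES.get(int(raw), f"Type {raw}") if raw.isdigit() else None

def summarize(events):
    """Count logon events (528/529) per (event ID, user, logon type)."""
    return Counter((e["event_id"], e["fields"].get("User Name", ""), logon_type(e))
                   for e in events if e["event_id"] in (528, 529))

def failed_logons(events):
    """List 529 failures and whether they originated on this machine."""
    out = []
    for e in (e for e in events if e["event_id"] == 529):
        ws, lt = e["fields"].get("Workstation Name", ""), logon_type(e)
        remote = lt in REMOTE_TYPES or (ws and ws.upper() != e["computer"].upper())
        out.append({"when": e["when"], "user": e["fields"].get("User Name", ""),
                    "logon_type": lt, "workstation": ws,
                    "origin": "remote" if remote else "local"})
    return out

def account_logon_failures(events):
    """Translate the Error Code of failed 680 events into a reason."""
    return [(e["when"], e["fields"].get("Logon account", ""),
             STATUS.get(e["fields"].get("Error Code", "").lower(), "other"))
            for e in events if e["event_id"] == 680 and e["result"] == "Failure"]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for key, n in summarize(evs).most_common():
        print(n, key)
    for row in failed_logons(evs):
        print(row)
    print(account_logon_failures(evs))
```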



## PLACEBOID

I hate to be a cynic but the surest method of avoiding unauthorised access is to disconnect yourself from the network when you are not using it. I had a quick scan through the event log and there is some dubious looking stuff going on here....Have you run hijack this and posted the log yet? This could be malware of some kind and I would eliminate this as an option before looking for human operated hacking threats.

Unfortunately I'm not an expert in this field but this report here is of concern: 

4/12/2008 11:38:15 PM Security Failure Audit Policy Change 615 NT AUTHORITY\NETWORK SERVICE YOUR-699C5579F9 "IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

It seems like some of your ports might have been opened...do you use peer to peer sites like emule or limewire?

Please upload a log from hijack this as this will allow someone to eliminate malware from the equation.

Good luck with this!


----------



## Laura.B

Thanks for the reply.

I don't use any p2p programs or any networking apps at all. The computer is solely used for the internet. It does however go through a router which another computer is connected to - hence the suspicion.

Here is the HJT log (I'm running WinXP Tablet edition):



> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 12:30:41 PM, on 4/14/2008
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> Boot mode: Normal
> 
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\System32\svchost.exe
> C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
> C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
> C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
> C:\Program Files\COMODO\Firewall\cmdagent.exe
> C:\WINDOWS\system32\CTsvcCDA.EXE
> C:\WINDOWS\System32\digtizer.exe
> C:\Program Files\Common Files\LightScribe\LSSrvc.exe
> C:\WINDOWS\system32\o2flash.exe
> C:\Program Files\Softex\OmniPass\Omniserv.exe
> C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
> C:\Program Files\Softex\OmniPass\OPXPApp.exe
> C:\WINDOWS\SYSTEM32\WISPTIS.EXE
> C:\WINDOWS\System32\tabbtnu.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\system32\ctfmon.exe
> C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
> C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
> C:\Program Files\Fujitsu\updnavi\updnavi.exe
> C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
> C:\windows\system32\KADxMain.exe
> C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
> C:\Program Files\Fujitsu\Utils\FjDspMon.exe
> C:\Program Files\Fujitsu\Utils\fjevents.exe
> C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
> C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
> C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
> C:\Program Files\Notebook Hardware Control\nhc.exe
> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
> C:\WINDOWS\system32\avp.exe
> C:\Program Files\MSN Messenger\MsnMsgr.Exe
> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
> C:\WINDOWS\system32\mmc.exe
> F:\Software\Sec\HiJackThis.exe
> 
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.monash.edu.au
> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
> O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
> O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
> O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
> O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
> O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
> O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
> O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
> O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
> O4 - HKLM\..\Run: [LoadFUJ02E3] "C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe"
> O4 - HKLM\..\Run: [FjStrtAp] "C:\Program Files\Fujitsu\Utils\FjStrtAp.exe"
> O4 - HKLM\..\Run: [KADxMain] C:\windows\system32\KADxMain.exe
> O4 - HKLM\..\Run: [LoadBtnHnd] "C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe"
> O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
> O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
> O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
> O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
> O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
> O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
> O4 - HKLM\..\Run: [McAfee Online Virus Scanner] avp.exe
> O4 - HKLM\..\RunServices: [McAfee Online Virus Scanner] avp.exe
> O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> O4 - HKUS\S-1-5-19\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
> O4 - HKUS\S-1-5-20\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
> O4 - HKUS\S-1-5-21-1941494055-3217071479-4106037145-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
> O4 - HKUS\S-1-5-18\..\Run: [TabletWizard] %windir%\help\wizard.hta (User '?')
> O4 - HKUS\.DEFAULT\..\Run: [TabletWizard] %windir%\help\wizard.hta (User 'Default user')
> O4 - Global Startup: Bluetooth Manager.lnk = ?
> O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
> O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
> O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
> O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
> O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
> O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
> O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
> O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
> O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
> O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
> O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
> O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
> O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
> O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
> O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
> O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\WINDOWS\system32\o2flash.exe
> O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
> O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
> O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
> O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
> O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
> 
> --
> End of file - 7856 bytes


----------



## PLACEBOID

I see your tablet PC has biometrics...although this does not totally eliminate physical unauthorized log-in to your PC it does significantly reduce the likelihood.

If the other user of the router is doing something dodgy they would be foolish to do it from your PC as ultimately it could be tied back to the same router (even if they were using your machine to hijack a MAC address elsewhere it seems pretty pointless) so if you are concerned about the other person using the router I can only assume that you are concerned about them compromising your privacy (and of course your security).

From a quick scan of the log I see that you have processes running for both AVG and McAfee...I had an issue a while back with a trojan masquerading as McAfee which was next to impossible to uninstall and it took me many hours to remove all traces of its processes. It is generally not recommended to have more than one anti-virus program running.

Can anyone out there in TSG land who is more familiar with detecting hacks have a squizz at this one?


----------



## PLACEBOID

Sorry was in a bit of a rush...the AVG is the antispyware not the antivirus yeah?

These two are also a bit suspect...can you think of anything that you have installed that would automatically port info to excel?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

If nobody posts in the next little while bump me and I will look into it more deeply (sorry have stacks on my plate!)


----------



## Laura.B

Thanks for your comments PLACEBOID. Yeah biometrics is there but I use it more for convenience - I haven't figured out how to make it compulsory to pass the fingerprint scanner to login.

Yes, AVG is for antispyware. I have not installed McAfee myself, I always assumed it got installed with my internet browser. When I open active connections in Comodo firewall, avp.exe is always there and I have no idea why.



> so if you are concerned about the other person using the router I can only assume that you are concerned about them compromising your privacy (and of course your security)


Yes privacy is the main concern.



> These two are also a bit suspect...can you think of anything that you have installed that would automatically port info to excel?


I have installed the Excel data analysis Toolpak. I'm not sure if it is this though.


----------



## Laura.B

Anyone else have any ideas?


----------



## hairbender1950

A couple days ago, I was offered an upgrade from NAV. After the install, I checked the Event ID to see if all looked good and what I saw scared me to death.
I came to the techguys and did a search for Failure Audit, Event ID 529 and found your thread.
What I saw of your log was almost the same as mine.
I just found this online and I think it might answer your questions.
I hope it is ok to post the link. It eased my feelings and I hope it does yours too.

http://www.pcreview.co.uk/forums/thread-250761.php
The gentleman explains what happened.


----------



## PLACEBOID

Good one Hairbender!


----------



## Laura.B

Hey thanks for that, hairy.


----------



## hairbender1950

I am just glad I found my answers and happy I could help others.

Techguy forum has helped me to solve my computer problems so many times. I am a self-taught granny, with the help of others.

Laura,
What about marking this thread as solved? 

Thanks Techguys!


----------

