Re: HELP, Hacked with machine account
From: HACKED OFF (BluemanHACKEDOFF_at_discussions.microsoft.com)
Date: 07/30/04
- Next message: anonymous: "slow startup win2000"
- Previous message: Torgeir Bakken \(MVP\): "Re: Local users"
- In reply to: Steven L Umbach: "Re: HELP, Hacked with machine account"
- Next in thread: Steven L Umbach: "Re: HELP, Hacked with machine account"
- Reply: Steven L Umbach: "Re: HELP, Hacked with machine account"
Date: Fri, 30 Jul 2004 10:29:01 -0700
Thanks for the help Steve. The odd thing is I can't tell when this hacker is logged on. I have tried all PSTOOLS and Auditing. He is like a ghost. Nothing to track him. I found his machine connected once with Hyena. Running task manager shows no connected users. I stopped all local policies and am still denied access. I can't find anyone's logon scripts. What can run before policies?
"Steven L Umbach" wrote:
> First run a virus scan and trojan scan [SwatIt is a free download] program with
> current definitions to see if they can find anything malicious being sure to use
> latest definition files from whatever product you use. You can't disable
> NTAuthority.
>
> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> -- try here also.
>
> There are free tools from SysInternals if you want to explore what has happened
> including Autoruns, TCPView, and Process Explorer. Autoruns will list startup
> programs from many possible places on your computer and TCPView will show what
> application/process is listening on a port while Process Explorer will give more
> detailed information on the process. Booting into safe mode may be worth a try to
> bypass problem to make repairs.
>
> A big concern would be how did this happen and how can you prevent this from
> happening again. A properly configured firewall, up to date virus protection that
> also scans all email, keeping current on critical updates, and using a good password
> are places to start. You can look in Local Group Policy via gpedit.msc to see if any
> startup or logon scripts are configured there. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322241 --- Group
> Policy scripts.
>
>
> "Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com> wrote in
> message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> > I was hacked by a person using a machine$ account and nt authority. How can I
> > view the system accounts and how can I disable the NT Authority? Looks like hacker
> > has a script running to change all my settings after I log on. How can I tell what is
> > being loaded and in what order?
> >
> > Thanks for all your help
>
>
>
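A read-only way to script the check Steve describes (startup and logon scripts in Local Group Policy, plus the Run keys), added here as an example and not part of the original thread. It assumes PowerShell 3.0 or later and the default local GPO folder under %SystemRoot%\System32\GroupPolicy; the function names are hypothetical.

```powershell
# Added example: list what local policy and the Run keys launch, roughly in the
# order Windows processes them. Nothing is modified; run from an elevated prompt.
$gpoRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# scripts.ini is a hidden file. Each section ([Startup], [Logon], ...) holds
# numbered pairs such as 0CmdLine= / 0Parameters=; the number is the run order.
function Get-GpoScript {
    param([string]$Scope, [string]$Section)
    $ini = Join-Path $gpoRoot "$Scope\Scripts\scripts.ini"
    if (-not [System.IO.File]::Exists($ini)) { return }
    $current = $null
    $found = @{}
    foreach ($line in Get-Content -LiteralPath $ini -Force) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $Matches[1] }
        elseif ($current -eq $Section -and
                $line -match '^\s*(\d+)(CmdLine|Parameters)=(.*)$') {
            $i = [int]$Matches[1]
            if (-not $found.ContainsKey($i)) { $found[$i] = @{ CmdLine = ''; Parameters = '' } }
            $found[$i][$Matches[2]] = $Matches[3].Trim()
        }
    }
    foreach ($i in ($found.Keys | Sort-Object)) {
        [pscustomobject]@{
            Stage   = "$Scope $Section script"
            Entry   = $i
            Command = ('{0} {1}' -f $found[$i].CmdLine, $found[$i].Parameters).Trim()
        }
    }
}

# Run keys are processed after logon, once the user's shell starts.
function Get-RunKeyEntry {
    param([string]$KeyPath, [string]$Stage)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Stage = $Stage; Entry = $name; Command = $key.GetValue($name) }
    }
}

$report = @(
    Get-GpoScript -Scope 'Machine' -Section 'Startup'  # at boot, as SYSTEM, before any logon
    Get-GpoScript -Scope 'User' -Section 'Logon'       # at logon, as the user
    Get-RunKeyEntry 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' 'HKLM Run key'
    Get-RunKeyEntry 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'HKCU Run key'
)
$report | Format-Table -AutoSize -Wrap
```

This covers only local policy and the two Run keys; scripts delivered by domain Group Policy and the other autostart locations that Autoruns enumerates are not listed.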