Re: Help, I've been hacked
From: Wesley Vogel (123WVogel955_at_comcast.net)
Date: 03/09/05
Date: Tue, 8 Mar 2005 19:25:13 -0700
Kim,
These??
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because the OS incorrectly tries to contact the domain controller (DC), despite the
fact that the machine is using a local account. Microsoft currently doesn't
provide a fix for this problem, but you can safely ignore this event ID.]]
Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082
Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822
--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:0A64EB31-56BB-4716-A7A7-6BF5085C43AA@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> Hi Wes,
> Yes that information does help. Thank you.
> I agree that the information of the Event ID & the Event Source are
> very important.
> Too bad it wasn't you that I talked with while on the phone with
> Microsoft.
>
> The Microsoft tech and I talked for hours on the phone yesterday, and
> I was told that my computer is clean, and everything is fine. We
> tried all sorts of things looking for viruses/worms. We purged the
> cache, cleared out SSL state, ran scans, and cleaned out passwords,
> and even deleted a couple of folders in the registry.
> I ended up telling him I would just take my computer into the shop. I
> was told it would be a waste of my money..LOL
> He did not seem to care about the info of the Event ID & the Event
> Source.
> I am still having way too many unknown user name/bad password entries.
> I also do not like the successful ANONYMOUS LOGONs.
>
> Maybe I'm crazy, but these two entries alone, do not look right to
> me, as they are still happening.
>
> Thanks for the links. Especially the one for events and errors help.
>
> Kim
>
> "Wesley Vogel" wrote:
>
>> Kim,
>>
>> Event ID & the Event Source are very important.
>>
>> To open the Event Viewer...
>> Start | Run | Type: eventvwr | OK
>>
>> For any Events that seem related to the problem...
>>
>> Double click the event in Event Viewer | Click: the button below the
>> second arrow (looks like two pages) [[Copies the details of the
>> event to the Clipboard.]] | Paste into Notepad | Click:
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> Read all info | Copy and paste to Notepad | Click the [+] Related
>> Knowledge Base articles | Follow any links that might be useful
>>
>> HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;308427
>>
>> Event Viewer overview
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/event_overview_01.mspx
>>
>> This can also be very useful.
>> You need to have the Event ID & the Event Source.
>>
>> To view Windows XP Events and Errors, type the Source (for example,
>> Print) and/or the Event code (for example, 20) into the ID field,
>> then click the Go button. Source and Event codes may be found in
>> the Event Viewer logs.
>>
>> Windows XP Home/Professional Events and Errors
>> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20XP%20Professional&ProdName=Windows%20Operating%20System&MajorMinor=5.1&LCID=1033
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:36B7EF3A-84CB-43FF-AE71-0809F24ED301@microsoft.com,
>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>> Hi Wes,
>>> Yes, it appears that did help.
>>> It shows disabled, instead of being started.
>>> I also see no entries listed of a remote access in the event viewer.
>>> Whoo hoo..LOL
>>>
>>> This entry in the event viewer looks good:
>>> The Remote Access Connection Manager service was successfully sent a
>>> stop control.
>>> Thank you for helping me get that turned off.
>>>
>>> However, when I just rebooted, I did see these, which do not look
>>> good in my opinion, but I could be wrong:
>>>
>>> The first one has been going on for a long time, and is still
>>> showing.
>>>
>>> Logon Failure:
>>> Reason: Unknown user name or bad password
>>> User Name: Owner
>>> Domain: OWNER-1E81AA74C
>>> Logon Type: 2
>>> Logon Process: Advapi
>>> Authentication Package: Negotiate
>>> Workstation Name: OWNER-1E81AA74C
>>>
>>> The protected system file c:\windows\system32\racpldlg.dll could not
>>> be verified as valid because Windows File Protection is terminating.
>>> Use the SFC utility to verify the integrity of the file at a later
>>> time.
>>>
>>> The TCP/IP NetBIOS Helper service depends on the AFD service which
>>> failed to start because of the following error:
>>> A device attached to the system is not functioning.
>>>
>>> Your computer was not able to renew its address from the network
>>> (from the DHCP Server) for the Network Card with network address
>>> 0011099706B4. The following error occurred:
>>> The semaphore timeout period has expired. . Your computer will
>>> continue to try and obtain an address on its own from the network
>>> address (DHCP) server.
>>>
>>> Your computer has detected that the IP address 66.25.204.98 for the
>>> Network Card with network address 0011099706B4 is already in use on
>>> the network. Your computer will automatically attempt to obtain a
>>> different address.
>>>
>>> Your computer has detected that the IP address 0.0.0.0 for the
>>> Network Card with network address 0011099706B4 is already in use on
>>> the network. Your computer will automatically attempt to obtain a
>>> different address.
>>>
>>> Your computer was not able to renew its address from the network
>>> (from the DHCP Server) for the Network Card with network address
>>> 0011099706B4. The following error occurred:
>>> The semaphore timeout period has expired. . Your computer will
>>> continue to try and obtain an address on its own from the network
>>> address (DHCP) server.
>>>
>>> The following boot-start or system-start driver(s) failed to load:
>>> Aavmker4
>>> AFD
>>> aswTdi
>>> Fips
>>> intelppm
>>> IPSec
>>> MRxSmb
>>> NetBIOS
>>> NetBT
>>> RasAcd
>>> Rdbss
>>> Tcpip
>>> vsdatant
>>>
>>> Looks like a fun time huh?
>>>
>>> Kim
>>>
>>> "Wesley Vogel" wrote:
>>>
>>>> Kim,
>>>>
>>>> Reboot.
>>>>
>>>> And then check on the Remote Access Connection Manager in Services,
>>>> it probably won't have started since you disabled it.
>>>>
>>>> --
>>>> Hope this helps. Let us know.
>>>>
>>>> Wes
>>>> MS-MVP Windows Shell/User
>>>>
>>>> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>> Hi Wesley,
>>>>> Here are the results from what I just did in the services.msc.
>>>>>
>>>>> The Remote Access Auto Connection was already stopped, and I did
>>>>> the type set to disabled.
>>>>>
>>>>> The Remote Desktop Help Session Manager, was also stopped, and I
>>>>> did the type set to disabled.
>>>>>
>>>>> The Remote Access Connection Manager would not allow me to stop
>>>>> it. The type set is set to Start, but I got an error saying :
>>>>> Could not stop the Remote Access Connection Manager on Local
>>>>> Computer. Error 1053: The service did not respond to the start or
>>>>> control request in a timely fashion.
>>>>> Anyway, I did the type set to Disabled.
>>>>>
>>>>> I am not sure if I should have, but I stopped the secondary logon,
>>>>> and set it to disabled too.
>>>>>
>>>>> It looks like there are a lot of things there I would like to
>>>>> disable, but I won't without some kind of assistance first.
>>>>>
>>>>> Now, when I right click on my computer/properties/remote tab, it
>>>>> is unchecked to Allow Remote Assistance invitations to be sent
>>>>> from this computer.
>>>>> There was not another option listed.
>>>>>
>>>>> Kim
>>>>>
>>>>> "Wesley Vogel" wrote:
>>>>>
>>>>>> [[Remote Access Auto Connection Manager is on by default in
>>>>>> Windows XP Professional computers that are not members of a
>>>>>> domain and in Windows XP Home Edition.]]
>>>>>>
>>>>>> Open Services and disable Remote Access Auto Connection
>>>>>> Manager...
>>>>>>
>>>>>> Start | Run | Type: services.msc | Click OK |
>>>>>> Scroll down to and double click: Remote Access Auto Connection
>>>>>> Manager | If the service is running, click the Stop button | When
>>>>>> it has stopped, under Startup
>>>>>> type set to Disabled | Apply | OK |
>>>>>>
>>>>>> Do the same for Remote Access Connection Manager & Remote Desktop
>>>>>> Help Session Manager.
>>>>>>
>>>>>> Right click My Computer | Properties | Remote tab |
>>>>>> Make sure that both of these are UNChecked:
>>>>>> - Allow Remote Assistance invitations to be sent from this computer
>>>>>> - Allow users to connect remotely to this computer
>>>>>>
>>>>>> Turn on a firewall.
>>>>>>
>>>>>> --
>>>>>> Hope this helps. Let us know.
>>>>>>
>>>>>> Wes
>>>>>> MS-MVP Windows Shell/User
>>>>>>
>>>>>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
>>>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>>>> I have very very strange entries in my registry and event viewer
>>>>>>> that are adding up to no good.
>>>>>>>
>>>>>>> I have talked with Microsoft today, and what we tried did not
>>>>>>> solve the problem.
>>>>>>> I really don't want to wait until Monday to call them back.
>>>>>>>
>>>>>>> Does anyone know where I might find where remote access
>>>>>>> connection manager is in the registry?
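
Added example, not part of the original thread: a Python sketch that sorts event 529 descriptions pasted from Event Viewer into Notepad, as described above, by logon type and by whether the Domain field matches the Workstation Name (a local account on the machine itself). The verdict names and the matching rule are assumptions of this example; the first sample event uses the field values posted in the thread, the second is constructed.

```python
import re
from collections import Counter

# Logon type codes found in the "Logon Type:" field of event 529.
LOGON_TYPES = {2: "interactive (console)", 3: "network", 10: "remote interactive"}

FIELD_RE = re.compile(
    r"^[ \t]*(User Name|Domain|Logon Type|Workstation Name):[ \t]*(.*?)[ \t]*$", re.M)

def parse_logon_failure(text):
    """Turn one pasted event description into a dict of its labelled fields."""
    return {name: value.strip() for name, value in FIELD_RE.findall(text)}

def triage(fields):
    """Heuristic verdict (an assumption of this example, not Microsoft guidance)."""
    domain = fields.get("Domain", "").upper()
    workstation = fields.get("Workstation Name", "").upper()
    logon_type = fields.get("Logon Type", "")
    if not (domain and workstation and logon_type.isdigit()):
        return "incomplete"         # description was not copied in full
    if int(logon_type) in (3, 10):
        return "remote"             # attempt arrived over the network: look closer
    if int(logon_type) == 2 and domain == workstation:
        return "local-interactive"  # local account at this machine's own console
    return "review"

def summarize(pasted):
    """Count verdicts over a Notepad file holding several pasted 529 events."""
    chunks = pasted.split("Logon Failure:")[1:]
    return Counter(triage(parse_logon_failure(c)) for c in chunks)

# First event: field values as posted in the thread. Second event: constructed.
SAMPLE = """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: Owner
  Domain: OWNER-1E81AA74C
  Logon Type: 2
  Workstation Name: OWNER-1E81AA74C
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: admin
  Domain: EXAMPLE-PC
  Logon Type: 3
  Workstation Name: OTHER-HOST
"""

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(verdict, count)
```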