Archived from groups: microsoft.public.win2000.security
Nothing unusual shows up as far as ports listening with TCPView, or startup processes
with Autoruns? Services load before anyone logs on, are there any unusual services
listed? Also check add/remove programs to see if anything unusual shows. Are you
using a firewall? Why do you think it is NT Authority? Anonymous connections in the
security log are normal and may not indicate hacking. Check the members of your
administrators group to make sure it is correct and change your password, though if a
keyboard logger is installed that may not help. The following services should be
disabled if you do not use them - telnet, ftp, and www and file and print sharing if
you do not share files with a user on a network or use it for remote management via
Computer Management. It may help to install a personal firewall like Sygate [free] on
your computer and use it for logging and to alert you when a process wants to access
the internet. --- Steve
"Blueman (HACKED OFF)" <BluemanHACKEDOFF@discussions.microsoft.com> wrote in message
news:65CE1A8C-1E1D-433A-AC7A-7C39DCF07A6C@microsoft.com...
> Thanks for the help Steve. The odd thing is I can't tell when this hacker is logged
> on. I have tried all PSTOOLS and Auditing. He is like a ghost. Nothing to track him.
> I found his machine connected once with Hyena. Running task manager shows no
> connected users. I stopped all local policies and still denied access. I can't
> find anyone's logon scripts. What can run before policies?
>
> "Steven L Umbach" wrote:
>
> > First run a virus scan and trojan scan [SwatIt is a free download] program with
> > current definitions to see if they can find anything malicious being sure to use
> > latest definition files from whatever product you use. You can't disable
> > NTAuthority.
> >
> > http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
> > -- try here also.
> >
> > There are free tools from SysInternals if you want to explore what has happened
> > including Autoruns, TCPView, and Process Explorer. Autoruns will list startup
> > programs from many possible places on your computer and TCPView will show what
> > application/process is listening on a port while Process Explorer will give more
> > detailed information on the process. Booting into safe mode may be worth a try to
> > bypass problem to make repairs.
> >
> > A big concern would be how did this happen and how can you prevent this from
> > happening again. A properly configured firewall, up to date virus protection that
> > also scans all email, keeping current on critical updates, and using a good
> > password are places to start. You can look in Local Group Policy via gpedit.msc
> > to see if any startup or logon scripts are configured there. --- Steve
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;322241 --- Group
> > Policy scripts.
> >
> >
> > "Blueman (HACKED OFF)" <Blueman (HACKED OFF)@discussions.microsoft.com> wrote in
> > message news:5D87D54D-F8E4-4C59-84A0-92890263446A@microsoft.com...
> > > I was hacked by a person using a machine$ account and nt authority. How can I
> > > view the system accounts and how can I disable the NT Authority? Looks like the
> > > hacker has a script running to change all my settings after I log on. How can I
> > > tell what is being loaded and in what order?
> > >
> > > Thank you for all your help
> >
> >
> >
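
An added example, not part of the original thread: the startup and logon scripts that Steve suggests looking for in gpedit.msc are stored by Local Group Policy in scripts.ini files, and this Python sketch lists what such a file configures and flags entries missing from a known-good list. The file layout ([Startup]/[Shutdown]/[Logon]/[Logoff] sections with `<n>CmdLine` and `<n>Parameters` keys), the default locations under %SystemRoot%\System32\GroupPolicy, the sample content and the `baseline` set are all assumptions made for illustration.

```python
import re

# Constructed sample of ...\GroupPolicy\Machine\Scripts\scripts.ini (not from the thread).
SAMPLE_MACHINE_INI = (
    "[Startup]\r\n"
    "0CmdLine=C:\\WINNT\\maint.bat\r\n"
    "0Parameters=/quiet\r\n"
    "1CmdLine=\\\\fileserver\\share\\inventory.vbs\r\n"
    "1Parameters=\r\n"
    "[Shutdown]\r\n"
)

EVENTS = {"startup", "shutdown", "logon", "logoff"}
KEY_RE = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)

def decode_ini(raw: bytes) -> str:
    """scripts.ini is normally UTF-16 with a BOM; fall back to ANSI text."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")

def parse_scripts(text: str) -> list:
    """Return one dict per configured script: event, order, cmdline, parameters."""
    entries, event = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            event = name if name in EVENTS else None
            continue
        m = KEY_RE.match(line)
        if event and m:
            slot = entries.setdefault((event, int(m.group(1))),
                                      {"cmdline": "", "parameters": ""})
            slot[m.group(2).lower()] = m.group(3).strip()
    return [{"event": ev, "order": idx, **vals}
            for (ev, idx), vals in sorted(entries.items()) if vals["cmdline"]]

def unexpected(entries: list, baseline: set) -> list:
    """Scripts whose command line is not in the (lower-cased) known-good set."""
    return [e for e in entries if e["cmdline"].lower() not in baseline]

if __name__ == "__main__":
    found = parse_scripts(decode_ini(SAMPLE_MACHINE_INI.encode("utf-16")))
    baseline = {"c:\\winnt\\maint.bat"}  # hypothetical list of scripts you configured
    for e in found:
        mark = "REVIEW" if e in unexpected(found, baseline) else "ok"
        print(f'{mark:6} {e["event"]}[{e["order"]}] {e["cmdline"]} {e["parameters"]}')
```

Run it against copies of both the Machine and User scripts.ini files; the scripts themselves still need to be read, since a listed name says nothing about what the script does.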