OK, so I was watching a video and the I/O completely froze. Couldn't move the mouse or anything. The sound started buzzing, so I shut it down... I turned it back on and found that the event log has some strange stuff that has been said to be a large hole in the Windows security... I will post only the logs from the time it happened; if anything else would help, let me know.
Please let me know what this was, why it happened, and how to prevent it from happening again... and don't say I was attacked, because I already know that. I want some techno-babble, please.
Under (Event Viewer > Windows Logs > Security):
@6:18:21 (the first event to occur)
event properties:
=====================================
(general tab)
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: DENA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x238
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
(details tab)
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 0
Level 0
Task 12544
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-12-31T00:18:21.315497100Z
EventRecordID 38670
Correlation
- Execution
[ ProcessID] 576
[ ThreadID] 628
Channel Security
Computer Dena-PC
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName DENA-PC$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x238
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
================================
now for the second event to occur (at the same time but after the last one)
general tab
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
and the details tab
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4672
Version 0
Level 0
Task 12548
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2012-12-31T00:18:21.315497100Z
EventRecordID 38671
Correlation
- Execution
[ ProcessID] 576
[ ThreadID] 628
Channel Security
Computer Dena-PC
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName SYSTEM
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e7
PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege
==================
Also, there's a lot of stuff under aceevent logs, and there's something saying Windows Search was started.