Please analyze my event log....

OK, so I was watching a video and the I/O completely froze. I couldn't move the mouse or anything. The sound started buzzing, so I shut it down... I turned it back on and found that the event log has some strange stuff that has been said to be a large hole in Windows security... I will post only the logs from the time it happened; if anything else would help, let me know.

Please let me know what this was, why it happened, and how to prevent it from happening again... and don't say I was attacked because I already know that. I want some techno-babble please.

under (Event Viewer > Windows Logs > Security)

@6:18:21 (the first event to occur)
event properties:

=====================================
(general tab)

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DENA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x238
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

(details tab)
- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4624

Version 0

Level 0

Task 12544

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38670

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName DENA-PC$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x238
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
================================

Now for the second event to occur (at the same time, but after the last one):
general tab


Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

and the details tab

- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4672

Version 0

Level 0

Task 12548

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38671

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName SYSTEM
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e7
PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege

==================

Also, there's a lot of stuff under aceevent logs, and there's something saying Windows Search was started.
  1. A little more info regarding your hardware (model #s, age, condition, etc..) is in order.

    The event you describe sounds like a bad memory location on your video card. I've personally experienced precisely the same issue with system freezing and audio playing a strangely modulated tone (screech?). Replacing my old 9800GT fixed the issue for me.
  2. krasmussen said: (quotes the original post in full; see above)

    Wow, that's a lot of text. Anyway, good news is you were not attacked. NT Authority is not a remote user; it's actually the kernel host of the computer itself. If you were to go to Run and type in Shutdown -a, it would bring up a box telling you that NT Authority is shutting down the computer....

    As for being protected from NT Authority....it's your OS buddy. You're safe from it. As for other attacks, a good firewall will help ease that bit of the equation.

    As for the lockup and stutter issue, it will depend on your graphics card (whether it be integrated or discrete) as to where your issue lies.

    Long story short, feed us your specifics and we should be able to help a bit more. Not sure how? You can use either CPU-Z or Speccy to take the guesswork out for you.
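    To put the posted 4624/4672 pair in context, here is an added example (not from any poster in this thread) that pulls the recent 4624 logon events from the Security log and groups them by logon type and originating process. A Logon Type 5 (service) logon by NT AUTHORITY\SYSTEM out of services.exe, exactly like the one in the post, is the routine service-start pattern; the rows worth a closer look are type 3 (network) or type 10 (remote interactive) logons carrying a real source address. It assumes an elevated PowerShell 3.0 or later prompt on the machine itself; the 24-hour window is a constructed default.

```powershell
# Added example: summarise recent Security 4624 logons by type and originating process.
# Assumes an elevated PowerShell 3.0+ prompt on the machine in question.
$since = (Get-Date).AddHours(-24)   # constructed lookback window; adjust as needed

# Standard Windows logon type codes (Logon Type 5 is a service logon).
$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-EventField($eventXml, $name) {
    # Pull a named <Data Name="..."> value out of the event's EventData block.
    ($eventXml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$rows = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $type = [int](Get-EventField $x 'LogonType')
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = $type
            TypeName  = $logonTypeNames[$type]
            User      = (Get-EventField $x 'TargetDomainName') + '\' + (Get-EventField $x 'TargetUserName')
            Process   = Get-EventField $x 'ProcessName'
            SourceIp  = Get-EventField $x 'IpAddress'
        }
    }

# The pattern from the post: SYSTEM, Logon Type 5, out of services.exe (a service starting).
$routine = $rows | Where-Object {
    $_.LogonType -eq 5 -and $_.User -eq 'NT AUTHORITY\SYSTEM' -and $_.Process -like '*\services.exe'
}
# Network or remote-interactive logons with a real source address deserve a second look.
$localSources = '-', '::1', '127.0.0.1'
$review = $rows | Where-Object { (3, 10 -contains $_.LogonType) -and -not ($localSources -contains $_.SourceIp) }

"{0} logons in window; {1} routine service logons by SYSTEM; {2} network/remote logons to review" -f
    @($rows).Count, @($routine).Count, @($review).Count
$rows | Group-Object TypeName | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
$review | Format-Table Time, TypeName, User, SourceIp -AutoSize
```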
  3. Quote:
    input this URL:

    ( http://www.buy2me.net/ )

    you can find many cheap and high stuff

    Believe you will love it.

    WE ACCEPT CREDIT CARD /WESTERN UNION PAYMENT
    YOU MUST NOT MISS IT!!!


    SPAM! Reported to moderators.

    DO NOT FOLLOW!

    These guys are busy!!
  4. Usually, if your computer freezes when watching a video or gaming, it points towards the graphics card. Either the drivers are messed up or it's a bad overclock, which I've had happen while watching a movie on my TV. If someone did attack you, they would not want your computer to lock up on you, since they themselves couldn't do anything either unless they planted something. But if this keeps happening, I would do a fresh install of your graphics drivers and maybe run a memory check.
  5. All very interesting points..
    This PC has no capability to be OCed (at least I can't find it, and thus it is not OCed).
    The GPU is integrated and has never given any issues.
    It's a Compaq and it's a very stable build; I've been using it for about 3 years now and learned most of what I know about computers with this machine.

    My personal problem is that not only did the sound and video freeze... EVERYTHING froze at the exact time the 2 logs I posted were recorded.

    If you guys say it isn't an attack then I'll believe you, but I had some concerns with it happening at the time these logs were recorded,

    specifically that a new user was logged on and given these privileges:

    Privileges: SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege


    As I said, I have NEVER had an issue with this PC doing anything like this, and I promise that the logs posted are the cause for the freeze... I simply don't know what exactly they mean.


    But if you think it will help, Device Manager says:

    Display
    AMD M880G with ATI Mobility Radeon HD 4200 (which I am pretty sure is an integrated chip)

    CPU
    AMD Sempron M120

    It's a Compaq laptop in pretty good condition.
  6. krasmussen said: (quotes reply 5 in full; see above)

    It is an integrated graphics module. I would recommend going to AMD's site and downloading the latest drivers for it and seeing if the issue duplicates itself (the lockup) when you are doing the same thing. If it does, go download GPU-Z and take a look at the temperatures coming from the graphics module when in use. Report back here what it reports.
  7. It looks like you are infected with a netdevil.12 worm:
    http://www.bleepingcomputer.com/startups/Advapi.exe-199.html
    I have not cleaned this one yet; good luck.
  8. It seems Conficker could also be the problem. Can you identify those PIDs?

    How to identify a PID (process identifier), by randini:

    Click Start, type cmd
    (hit Enter)
    Type netstat -ano

    Open Task Manager > click the Processes tab > click View and Select Columns > check PID

    Now in the command prompt are all your active/waiting network connections; the right-hand column lists PIDs. Compare the PIDs in Task Manager to the network connections, and look for anything odd.

    Some good process monitoring tools:
    Sysinternals (Microsoft)
    Process Explorer v15.23
    Process Monitor v3.03
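The netstat -ano / Task Manager comparison from the answer above, done in one pass, as an added example (not randini's or any poster's code): it parses the raw netstat output, resolves each PID to its image name and path, and lists the established connections whose owning process has already exited or runs from outside the Windows and Program Files trees. The Windows/Program Files location check is a constructed heuristic for picking out rows to examine by hand; it assumes an elevated PowerShell 3.0 or later prompt, since reading the paths of system processes needs admin rights.

```powershell
# Added example: join `netstat -ano` rows to their owning processes, the way the answer above does by hand.
# Assumes an elevated PowerShell 3.0+ prompt; the "unusual location" test is a constructed heuristic.
$netstatLineRe = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'

function ConvertFrom-Netstat([string[]]$lines) {
    # Turn raw netstat -ano lines into objects. UDP rows have no State column, so it is optional
    # in the pattern; header lines ("Active Connections", "Proto Local Address ...") simply do not match.
    foreach ($line in $lines) {
        if ($line -match $netstatLineRe) {
            $state = if ($Matches.state) { $Matches.state } else { '' }
            [pscustomobject]@{
                Proto = $Matches.proto; Local = $Matches.local; Remote = $Matches.remote
                State = $state;         Pid   = [int]$Matches.pid
            }
        }
    }
}

$connections = ConvertFrom-Netstat (netstat -ano)

# Resolve every PID once to its image name and path (the Task Manager PID column step).
$procs = @{}
foreach ($p in ($connections.Pid | Sort-Object -Unique)) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    if ($proc) { $procs[$p] = @{ Name = $proc.ProcessName; Path = $proc.Path } }
    else       { $procs[$p] = @{ Name = '<exited>';        Path = $null } }
}

$report = $connections | Select-Object Proto, Local, Remote, State, Pid,
    @{ Name = 'Process'; Expression = { $procs[$_.Pid].Name } },
    @{ Name = 'Path';    Expression = { $procs[$_.Pid].Path } }

# Rows to examine by hand: an established connection whose owner has already exited,
# or whose image lives outside the usual Windows and Program Files trees (heuristic).
$trustedRoots = "$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*"
$odd = $report | Where-Object {
    $_.State -eq 'ESTABLISHED' -and $_.Pid -gt 4 -and (
        $_.Process -eq '<exited>' -or
        ($_.Path -and -not ($trustedRoots | Where-Object { $_ -and $report.Path -like $_ }))
    )
}

$report | Sort-Object Pid | Format-Table Proto, Local, Remote, State, Pid, Process -AutoSize
'--- established connections to examine ---'
$odd | Format-Table Local, Remote, Pid, Process, Path -AutoSize
```

Get-Process returns no path for protected processes such as System (PID 4), which is why those are left out of the second table rather than flagged.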