Sign in with
Sign up | Sign in
Your question

Please analyze my event log....

Last response: in Windows 7
Share
December 30, 2012 10:44:04 PM

ok so i was watching a video and the I/O completely froze. couldnt move the mouse or anything. the sound started buzzing. so i shut it down... i turned it back on and found that the event log has some strange stuff that has been said to be a large hole in the windows security... i will post only the logs from the time it happened if anything else would help let me know

please let me know what this was, why it happened, and how to prevent it from happening again... and dont say i was attacked becaause i already know that. i want some techno-babble please

under (event viewer > windows logs > security)

@6:18:21 (the first event to occur)
event properties:

=====================================
(general tab)

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DENA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x238
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

(details tab)
- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4624

Version 0

Level 0

Task 12544

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38670

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName DENA-PC$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x238
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
================================

now for the second event to occur (at the same time but after the last one)
general tab


Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

and the details tab

- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4672

Version 0

Level 0

Task 12548

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38671

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName SYSTEM
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e7
PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege

==================

also theirs alot of stuff under aceevent logs and theres something saying windows search was started

More about : analyze event log

December 30, 2012 10:55:51 PM

A little more info regarding your hardware (model #s, age, condition, etc..) is in order.

The event you describe sounds like a bad memory location on your video card. I've personally experienced precisely the same issue with system freezing and audio playing a strangely modulated tone (screech?). Replacing my old 9800GT fixed the issue for me.
m
0
l
a b $ Windows 7
December 30, 2012 11:25:25 PM

krasmussen said:
ok so i was watching a video and the I/O completely froze. couldnt move the mouse or anything. the sound started buzzing. so i shut it down... i turned it back on and found that the event log has some strange stuff that has been said to be a large hole in the windows security... i will post only the logs from the time it happened if anything else would help let me know

please let me know what this was, why it happened, and how to prevent it from happening again... and dont say i was attacked becaause i already know that. i want some techno-babble please

under (event viewer > windows logs > security)

@6:18:21 (the first event to occur)
event properties:

=====================================
(general tab)

An account was successfully logged on.

Subject:
Security ID: SYSTEM
Account Name: DENA-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x238
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

(details tab)
- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4624

Version 0

Level 0

Task 12544

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38670

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName DENA-PC$
SubjectDomainName WORKGROUP
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x238
ProcessName C:\Windows\System32\services.exe
IpAddress -
IpPort -
================================

now for the second event to occur (at the same time but after the last one)
general tab


Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

and the details tab

- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4672

Version 0

Level 0

Task 12548

Opcode 0

Keywords 0x8020000000000000

- TimeCreated

[ SystemTime] 2012-12-31T00:18:21.315497100Z

EventRecordID 38671

Correlation

- Execution

[ ProcessID] 576
[ ThreadID] 628

Channel Security

Computer Dena-PC

Security


- EventData

SubjectUserSid S-1-5-18
SubjectUserName SYSTEM
SubjectDomainName NT AUTHORITY
SubjectLogonId 0x3e7
PrivilegeList SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege

==================

also theirs alot of stuff under aceevent logs and theres something saying windows search was started


Wow that's a lot of text. Anyway, good news is you were not attacked. NT Authority is not a remote user, it's actually the kernal host of the computer itself. If you were to go to Run and type in Shutdown -a it would bring up a box telling you that NT Authority is shutting down the computer....

As for being protected from NT Authority....it's your OS buddy. You're safe from it. As for other attacks, a good firewall will help ease that bit of the equation.

As for the lockup and stutter issue, it will depend your graphics card (whether it be integrated or discreet) as to where your issue lies.

Long story short, Feed us your specifics and we should be able to help a bit more. Not sure how? You can use either CPU-Z or Speccy to take the guess work out for you.
m
0
l
Related resources
a b $ Windows 7
December 30, 2012 11:51:26 PM

Quote:
input this URL:

( http://www.buy2me.net/ )

you can find many cheap and high stuff

Believe you will love it.

WE ACCEPT CREDIT CARD /WESTERN UNION PAYMENT
YOU MUST NOT MISS IT!!!


SPAM! Reported to moderators.

DO NOT FOLLOW!

These guys are busy!!

m
0
l
December 31, 2012 1:05:06 AM

Usually if your computer freezes when watching a video or gaming usually points towards the graphics card. Either the drivers are messed up or a bad overclock which I've had happen while watching a movie on my tv. if someone did attack you they would not want your computer to lock up on you since they themselves couldn't do anything either unless they planted something. but If this keeps happening I would do a fresh install of your graphics drivers and maybe run a memory check.
m
0
l
December 31, 2012 2:03:37 AM

all very interesting points..
this pc has no capability to be OCed (at least i cant find it and thus it is not OCed)
the gpu is integrated and has never given any issues
its a compaq and its a very stable build iv been using it for about 3 years now and learned most of what i know about computers with this machine

my personal problem is that not only did the sound and video freeze... EVERYTHING froze at the exact time the 2 logs i posted were recorded

if you guys say it isnt an attack then ill believe you but i had some concerns with it happening at the time these logs were recorded

specifically that a new user was logged on and given these privilages

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege


as i said i have NEVER had an issue with this pc doing anything like this and i promise that the logs posted are the cause for the freeze... i simply dont know what exactly they mean


but if you think it will help the device manager says

display
AMD M880G with ATI Mobility Raedon HD 4200 (which i am pretty sure is an integrated chip)

CPU
AMD Sempron m120

its a compaq laptop in pretty good condition
m
0
l
a b $ Windows 7
January 1, 2013 6:47:56 PM

krasmussen said:
all very interesting points..
this pc has no capability to be OCed (at least i cant find it and thus it is not OCed)
the gpu is integrated and has never given any issues
its a compaq and its a very stable build iv been using it for about 3 years now and learned most of what i know about computers with this machine

my personal problem is that not only did the sound and video freeze... EVERYTHING froze at the exact time the 2 logs i posted were recorded

if you guys say it isnt an attack then ill believe you but i had some concerns with it happening at the time these logs were recorded

specifically that a new user was logged on and given these privilages

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege


as i said i have NEVER had an issue with this pc doing anything like this and i promise that the logs posted are the cause for the freeze... i simply dont know what exactly they mean


but if you think it will help the device manager says

display
AMD M880G with ATI Mobility Raedon HD 4200 (which i am pretty sure is an integrated chip)

CPU
AMD Sempron m120

its a compaq laptop in pretty good condition


It is an integrated graphics module. I would recommend going to AMDs site and downloading the latest drivers for it and see if the issue duplicates itself (the lockup) when you are doing the same thing. If it does, go download GPU-Z and take a look at the temperatures coming from the graphics module when in use. Report back here what it reports.
m
0
l
a b $ Windows 7
January 2, 2013 3:01:20 PM

it seems conficker could also be the problem and you identify those pid'?

how to identify a pid (process identifier) by randini

click start type cmd
(hit enter)
type netstat -ano

open task manager > click the process tab > click view and select columns > check pid

now in the command propmt are all youre active/wainting network connections on the right side list pid's. compare pid's in task manager to the network connections, and look for anthing odd.

some good process monitoring tools
Sysinterals (microsoft)
Process Explorer v15.23
Process Monitor v3.03
m
0
l
!