c:\Documents and Settings\NetworkService

[Geranium]

Hello!

Ad-Aware found cookies in a cache below a directory/user I did not know
existed:
c:\Documents and Settings\NetworkService.

What is the directory NetworkService used for? The directory is not seen in
Windows Explorer even when folder options is set to show everything. One of
these cookies was from a gaming web that I did not visit at the time of the
cookie creation. A few hours earlier my eventlogger shut down for three
seconds and som windows popped on my screen. I visited www.adelphia.net just
before this and it went kind of slow there. I do not know if these things
are connected with each other.

Ad-Aware did not find any other stuff than cookies.

I use Windows XP.

From sys eventlog
2005-11-28,01:11:06,EventLog,Information,None,6005,N/A,mycomputer,The Event
log service was started.
2005-11-28,01:11:06,EventLog,Information,None,6009,N/A,mycomputer,Microsoft
(R) Windows (R) 5.01. 2600 Service Pack 2 Multiprocessor Free.
2005-11-28,01:10:03,EventLog,Information,None,6006,N/A,mycomputer,The Event
log service was stopped.
2005-11-28,00:19:31,Tcpip,Warning,None,4226,N/A,mycomputer,TCP/IP has
reached the security limit imposed on the number of concurrent TCP connect
attempts.

I use firewall and anti-virus and the firewall stopped logging at 00:44


Has something bad happened to my computer? Intrusion?



Thanks in advance.

 

[Steven L Umbach]

The networkservice is a profile created by the operating system as explained
in the text below from Microsoft documentation at the link below. If you
look at your services using services.msc you will see that some services use
the network service account for logon which is much more secure than
"system" that was probably used for the same service in Windows 2000.
System is all powerful on the computer while network service is much more
limited. What may have happened is that cookies were written there in an
attempt to hide them from removal tools or using IE to delete cookies.
Administrators has full control to the networkservice profile and those
cookies may have been written there while you were logged on as an
administrator and browsing the internet. It is good idea to create a regular
user account for internet browsing and reading email. In addition to using
AdAware you should scan for viruses with a quality antivirus program using
the latest definitions form the vendors website. Spyware would not be able
to stop the EventLog service but a virus could or if someone installed a
backdoor/trojan on your computer they may be doing it to prevent events from
being written to the security log. --- Steve

http://www.microsoft.com/windowsserver2003/community/centers/management/manage_faq.mspx
http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
--- Protect Your PC
http://www.microsoft.com/athome/security/viruses/default.mspx --- info on
viruses and worms.

NetworkService and LocalService. The LocalService and NetworkService
profiles are automatically created by Windows XP for two new built in user
accounts that are used by the Service Control Manager to host services that
do not need to run as the local system account. These profiles are required
by the system to run and should not be modified. Both of these profiles are
hidden by default

 

[Geranium]

Thanks.

What may have happened is that cookies were written there in an attempt to
hide them from removal tools or using IE to delete cookies. Administrators
has full control to the networkservice profile and those cookies may have
been written there while you were logged on as an administrator and
browsing the internet. It is good idea to create a regular user account for
internet browsing and reading email. In addition to using AdAware you
should scan for viruses with a quality antivirus program using the latest
definitions form the vendors website. Spyware would not be able to stop the
EventLog service but a virus could or if someone installed a
backdoor/trojan on your computer they may be doing it to prevent events
from being written to the security log. --- Steve

My anti virus software was updated. It is high rated.

I have a separate administrator account that I use for administrive tasks
including windowsupdate. That account have a name of their own and do not
surf outside sites used by microsoft update and that is not where the
cookies came from. How can a site save cookies in a cache apart from the
current user?

I have a regular account with lesser privileges for everyday use.

This
"2005-11-28,00:19:31,Tcpip,Warning,None,4226,N/A,mycomputer,TCP/IP has
reached the security limit imposed on the number of concurrent TCP connect
attempts."

happened just before the event log stopped logging. Any suggestions why?

Regards

 

[Steven L Umbach]

The article in the link below explains the tcp/ip error message and you may
want to modify that setting to up the limit from the default of ten [which
used to be unlimited]. Offhand I don't know why there are cookies found in
that folder. If you check the creation date and the owner of those files
that may give you a clue as to when they were created and by what user. If
it shows administrators then they were written there when an administrator
was logged on. You may also want to verify permissions to that folder to
make sure only networkservice, administrators, and system have access which
would be full control by default.

http://www.speedguide.net/read_articles.php?id=1497

Remove the limit on TCP connection attempts

Windws XP SP2 introduces a few new twists to TCP/IP in order to babysit
users and "reduce the threat" of worms spreading fast without control. In
one such attempt, the devs seem to have limited the number of possible TCP
connection attempts per second to 10 (from unlimited in SP1). This
argumentative feature can possibly affect server and P2P programs that need
to open many outbound connections at the same time.

 

[Geranium]

Thanks!