break in ? Are login/logout events clear proof ?

  • Thread starter Thread starter barrett bonden
  • Start date Start date
B

barrett bonden

Win xp home Audit logs showing login events at 3 AM



Source security cat privilege event 576 user network service

Login /logoff 3:49 event 528



Norton firewall also reports activity of a Trojan at the same time.



Is the log showing clear evidence of a break in ?

I must say I'm puzzled in general over these logs; I know windows is doing
lots in the

background, is a login/logoff event what it sounds like ? Someone , and not
a process , logging in and out of the machine ?
 
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt321.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point


* * * Please report your results ! * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html





|
|
| Win xp home Audit logs showing login events at 3 AM
|
|
|
| Source security cat privilege event 576 user network service
|
| Login /logoff 3:49 event 528
|
|
|
| Norton firewall also reports activity of a Trojan at the same time.
|
|
|
| Is the log showing clear evidence of a break in ?
|
| I must say I'm puzzled in general over these logs; I know windows is doing
| lots in the
|
| background, is a login/logoff event what it sounds like ? Someone , and not
| a process , logging in and out of the machine ?
|
|
|
 
very kind of you - I know adaware , but not the other two, and I'll try
them. Machine is at client however, it will take some days...I'm still
curious about the MS audit info, and see little on the web about it- do you
know of any resource for it ?
 
You must log in or register to reply here.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Security Event Logs / Network access 1
SeTcbPriviledge - Event 577 1
Unexplained 540 Events in Security log on W2K workstation in a dom 0
Windows Login Event Monitor 6
Event id 529 3
Auditing User logon/logoff events. 2
Frequent Event ID 529 (Kerberos) 2
Can you Audit logouts?? 1

Back
Top