Changes in settings / security??

MrGib

Since I d/l SP3, I've noticed many changes to misc areas. ie internet
security settings, modem/DSL exception changes and I now have a guest user.
Never created a guest user (I don't think!?) Had to de/reinstall my net
adapter, modem, change back internet security settings, etc etc. Question =
Hacked? If someone would guide me through some 'diag' steps to verify I'm
still protected and 'alone'.....or am I way off.??? TYVM!!!!

XP Home SP3
IE7
Dell / P4
Comcast DSL
 
PA Bear [MS MVP]

Did you reinstall WinXP just before you installed SP3? Were you running
WinXP SP2 before SP3 was installed?

Free unlimited installation and compatibility support is available for
Windows XP, but only for Service Pack 3 (SP3), until 14 Apr-09. Chat and
e-mail support is available only in the United States and Canada.

• US:
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

• CA:
http://support.microsoft.com/oas/default.aspx?ln=en-ca&prid=11273&gprid=522131

• UK:
http://support.microsoft.com/oas/default.aspx?ln=en-gb&prid=11273&gprid=522131

• AU:
http://support.microsoft.com/oas/default.aspx?ln=en-au&prid=11273&gprid=522131

• Other: http://support.microsoft.com/oas/default.aspx?gprid=1173 | select
Windows XP | select Windows XP Service Pack 3
 
MrGib

Thanks much for the reply PB, Sir. Answers to your questions are = No
reinstall & yes SP2.

Man, in the sys summary, I've got tasks and start-up pgms with user names
"all users = .default -- Svc's are running that are duped and shared, etc.
Strange stuff, man. (ha) Everything's clicking along, but ????

I'll refer to your instructed info and go from there. Thanks again Mr. PB,
MVP!
 
MowGreen [MVP]

Is the Guest account Disabled ? There is a native Guest User Account in XP.

Was the installed antivirus|security suite [re: any Norton "product"]
actively monitoring the system when SP3 was applied ?
If the answer is yes, see this:

WinXP SP3: Registry Corruption & Norton SymProtect
http://aumha.net/viewtopic.php?f=62&t=33522

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
 
MrGib

MG....Guest is disabled and I didn't know about the native guest user...TYVM!
There's a bunch of other 'peculiar' stuff happening, but I'm not having any
'crashes' or start up/shut dn issues....so I'll just stop sweating all this
mess I assume!

....& no Norton. Came w/McAfee from Dell...used that and now running both
that & AVG 7.5. ***Side question please.... AVG v8? I've read horror
stories on this, so your input is welcomed, Sir. Thanks!!

***Hey Mow....Glad to know that head shot in the boat in Tahoe didn't 86
ya....huhuhuh.***


 
MrGib

Anyone help me w/the event 63 below? Says run a Cscript?? Things as this is
why I'm 'concerned.'

Thanks in advance ya'll!

Boot.ini = multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP
Home Edition"/noexecute=optin/fastdetect

Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 63
Date: 5/28/2008
Time: 2:50:14 PM
User: CHUCK\Chuck
Computer: CHUCK
Description:
A provider, OffProv11, has been registered in the WMI namespace,
Root\MSAPPS11, to use the LocalSystem account. This account is privileged
and the provider may cause a security violation if it does not correctly
impersonate user requests.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


 
MrGib

I'm the sole user of the PC btw....

-----------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 5/28/2008
Time: 3:55:04 PM
User: NT AUTHORITY\SYSTEM
Computer: CHUCK
Description:
A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Logon Process Name: Winlogon\MSGina

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----
Logon Process Name: MSGina =====

Logon Process Name: RASMAN
Logon Process Name: Secondary Logon Service
Logon Process Name: KSecDD
Logon Process Name: LAN Manager Workstation Service
Logon Process Name: CHAP
Logon Process Name: DCOMSCM
Logon Process Name: Winlogon
--------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 5/28/2008
Time: 8:48:12 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: CHUCK
Description:
IPSec Services: IPSec Services failed to get the complete list of network
interfaces on the machine. This can be a potential security hazard to the
machine since some of the network interfaces may not get the protection as
desired by the applied IPSec filters. Please run IPSec monitor snap-in to
further diagnose the problem.

----------------------------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 848
Date: 5/28/2008
Time: 1:04:06 AM
User: NT AUTHORITY\SYSTEM
Computer: CHUCK
Description:
The following policy was active when the Windows Firewall started.

Group Policy applied: No
Profile used: Standard
Interface: All interfaces
Operational mode: On
Services:
File and Printer Sharing: Disabled
Remote Desktop: Disabled
UPnP Framework: Disabled
Allow remote administration: Disabled
Allow unicast responses to multicast/broadcast traffic: Disabled
Security Logging:
Log dropped packets: Disabled
Log successful connections Disabled
ICMP:
Allow incoming echo request: Disabled
Allow incoming timestamp request: Disabled
Allow incoming mask request: Disabled
Allow incoming router request: Disabled
Allow outgoing destination unreachable: Disabled
Allow outgoing source quench: Disabled
Allow outgoing parameter problem: Disabled
Allow outgoing time exceeded: Disabled
Allow redirect: Disabled
Allow outgoing packet too big: Disabled

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

----**had several as below that were disabled, then enabled over & over &
over???

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 849
Date: 5/25/2008
Time: 1:38:22 PM
User: NT AUTHORITY\SYSTEM
Computer: CHUCK
Description:
An application was listed as an exception when the Windows Firewall started.

Policy origin: Local Policy
Profile used: Standard
Name: Remote Assistance
Path: C:\WINDOWS\system32\sessmgr.exe
State: Disabled
Scope: All subnets

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

---
Name: Run a DLL as an App
Path: C:\WINDOWS\system32\rundll32.exe

Name: RealPlayer
Path: C:\Program Files\Real\RealPlayer\realplay.exe

Name: Network Diagnostics for Windows XP
Path: %windir%\Network Diagnostic\xpnetdiag.exe

----Defender----
Event Type: Information
Event Source: WinDefend
Event Category: None
Event ID: 5007
Date: 5/28/2008
Time: 7:48:25 PM
User: N/A
Computer: CHUCK
Description:
The description for Event ID ( 5007 ) in Source ( WinDefend ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event: %%827,
1.1.1593.0, Default\Real-Time Protection\EnableUnknownPrompts = 0,
HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time
Protection\EnableUnknownPrompts = 1, , .

----Office Update Errors????---
Event Type: Failure Audit
Event Source: OfficeUpdateV3
Event Category: None
Event ID: 0
Date: 5/28/2008
Time: 11:21:18 AM
User: N/A
Computer: CHUCK
Description:
The description for Event ID ( 0 ) in Source ( OfficeUpdateV3 ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
V3_2|519988|INSTALL|MAINSP3_11.0.8173_ENG||2008-05-28
10:51:24|9|FAIL|00000000|The operation completed successfully.|.

****OK.....Sorry for the mile long data! Thanks for any and all input /
thoughts on all this. !!!

Gib


 
MowGreen [MVP]

I got shot in the eye whilst getting a massage in Vegas.
Fredo is the one who was rubbed out on Lake Tahoe <w>

If 2 AVs are monitoring the system concurrently then you're asking for
trouble. Only one AV should do that.
AVG 8 is apparently causing issues for a great deal of folks.
Recommend Avast or Antivir, if you're seeking a free AV.

Now, was the Dell supplied McAfee actively monitoring the system when
SP3 was installed ? If so, that would explain all the actions you had to
take in your original post:
Had to de/reinstall my net
adapter, modem, change back internet security settings, etc etc.

Not sure why you subsequently posted those Events.
Nothing untoward is showing but ... some of the missing information in
the registry *may* very well be related to having McAfee actively
monitoring the system when SP3 was applied.


MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
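
A parser for the Event Viewer text pasted in the posts above, as an added example that is not part of the original thread: it splits a paste into records, lists the Warning, Error and Failure Audit entries to read first, and counts repeats. The function names, the REVIEW_TYPES choice and the abridged sample are assumptions made for this illustration.

```python
import re
from collections import Counter
# Header fields of the text Event Viewer puts on the clipboard, as pasted in the thread.
FIELD_RE = re.compile(r"^(Event (?:Type|Source|Category|ID)|Date|Time|User|Computer):\s*(.*)$")
REVIEW_TYPES = {"Warning", "Error", "Failure Audit"}  # assumption: a triage choice, not a verdict

def parse_events(text):
    """Split pasted Event Viewer text into one dict per record."""
    events, current, in_desc = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Event Type":        # a new record starts here
            current, in_desc = {"Description": ""}, False
            events.append(current)
        if current is None or not line.strip("-"):  # preamble, blank or ---- separator
            continue
        if m and not in_desc:
            current[m.group(1)] = m.group(2)
        elif line == "Description:":
            in_desc = True
        elif in_desc:                               # re-join wrapped description lines
            current["Description"] = (current["Description"] + " " + line).strip()
    return events

def needs_review(events):  # records to read first, in pasted order
    return [e for e in events if e.get("Event Type") in REVIEW_TYPES]

def summarize(events):  # count per (source, event ID, type) so repeats stand out
    return Counter((e.get("Event Source"), e.get("Event ID"), e.get("Event Type")) for e in events)

# Constructed sample: records abridged from the events pasted in the thread.
SAMPLE = r"""
Event Type: Warning
Event Source: WinMgmt
Event ID: 63
Description:
A provider, OffProv11, has been registered in the WMI namespace,
Root\MSAPPS11, to use the LocalSystem account.
--------------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event ID: 615
Description:
IPSec Services failed to get the complete list of network interfaces.
Event Type: Success Audit
Event Source: Security
Event ID: 849
"""
print(summarize(parse_events(SAMPLE)))
```
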

 
