Need an IT GUY. Have been hacked. Can anyone check my event viewer below.... - HotUKDeals
Need an IT GUY. Have been hacked. Can anyone check my event viewer below....

davedave3 (banned), posted 7 years, 10 months ago
Windows firewall is on, have comodo firewall, avg.

Shared internet (I plug into router and so do others)
Believe it is someone in this house
This happens now and again. The PC was not used as I waited, then the login happened. I have shut down a lot of stuff and used various spyware and virus removers, but still he can get in. Anyone help?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 22/01/2009
Time: 19:44:27
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 22/01/2009
Time: 11:55:07
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



--------------------Below is when I pulled the internet cable out---above is what matters.....

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 22/01/2009
Time: 11:56:13
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
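The two "Success Audit" entries above are what a defender would sort first by event ID, logon type and logon session before deciding anything: 528 is a successful logon, Logon Type 5 is a service logon, and logon ID 0x3E4 is the fixed session of the built-in NETWORK SERVICE account, so that entry is ordinary Windows activity rather than a remote user. The script below is added example code (not from the thread or any product), assuming the XP/2003-era text layout of the events exactly as pasted; the second sample event is constructed for contrast and is not from the thread.

```python
import re

# Meaning of the "Logon Type" field in XP/2003-era logon events (IDs 528 and 540).
LOGON_TYPES = {2: "interactive", 3: "network (share/RPC)", 4: "batch", 5: "service (SCM)",
               7: "unlock", 8: "network cleartext", 9: "new credentials",
               10: "remote interactive (Remote Desktop)", 11: "cached interactive"}
# Fixed logon IDs of the built-in SYSTEM, LOCAL SERVICE and NETWORK SERVICE sessions.
BUILTIN_SESSIONS = {"0x3e7": "SYSTEM", "0x3e5": "LOCAL SERVICE", "0x3e4": "NETWORK SERVICE"}
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_event(text):
    """Turn one pasted Event Viewer entry into a dict of its 'Key: value' lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields

def triage(fields):
    """Return (needs_attention, reason) for one parsed security event."""
    event_id = int(fields.get("Event ID", 0))
    if event_id not in (528, 540):
        return False, f"event {event_id} is not a logon event; nothing to triage here"
    user = f"{fields.get('Domain', '?')}\\{fields.get('User Name', '?')}"
    logon_type = int(fields.get("Logon Type", 0))
    # "(0x0,0x3E4)" -> low part "0x3e4", which identifies the logon session
    session = fields.get("Logon ID", "").strip("()").split(",")[-1].strip().lower()
    if logon_type == 5 and session in BUILTIN_SESSIONS:
        return False, f"{user}: built-in {BUILTIN_SESSIONS[session]} session, service logon; normal OS activity"
    if logon_type in (3, 8, 10):
        src = fields.get("Workstation Name") or "unknown workstation"
        return True, f"{user}: {LOGON_TYPES[logon_type]} logon from {src}; confirm it was expected"
    return False, f"{user}: {LOGON_TYPES.get(logon_type, 'unknown')} logon"

# Event 528 as pasted in the thread above (the lines the triage needs).
EVENT_FROM_THREAD = r"""Event ID: 528
User: NT AUTHORITY\NETWORK SERVICE
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Workstation Name:"""
# Constructed contrast case (not from the thread): a Remote Desktop logon by a real account.
CONSTRUCTED_RDP_EVENT = """Event ID: 528
User Name: someuser
Domain: MOSICSA
Logon ID: (0x0,0x1A2B3C)
Logon Type: 10
Workstation Name: OTHERPC"""
```

Feed `triage(parse_event(text))` each entry copied from Event Viewer; only logons of type 3, 8 or 10 by accounts outside the built-in service sessions are flagged for a closer look.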
banned#1
Also have 3 ADVAPI32.DLL

And 1 ADVAPI32.DL
#2
You need to be much clearer in your description of what's happening.
#3
Got an IT problem? Moss is your man...

http://i.thisislondon.co.uk/i/pix/2007/12/43a_20_itcrowd_243x377.jpg



Sorry, I know this doesn't help you, couldn't resist; it's the first thing that came to mind when I read IT ;-)
banned#4
"You need to be much clearer in your description of what's happening."
I gave enough info of the problem, that's why in the title I asked if there was any IT guys.
[mod]#5
davedave3;4156800
"You need to be much clearer in your description of what's happening."
I gave enough info of the problem, that's why in the title I asked if there was any IT guys.


This could be why you are not getting any help. If someone tries to be of assistance on here and you meet it with that attitude then people here won't help you. :thumbsup:
banned#6
omg...............................
#7
davedave3
omg...............................


This usually happens when you Google Google.

But yeah, your attitude stinks.
#8
So what actually happens?

The computer logs itself on?
#9
http://www.processlibrary.com/directory/files/advapi/

You have a virus.

Please use Google next time :)
#10
It is a problem with Advapi

http://www.processlibrary.com/directory/files/advapi/

Search and delete from your HDD, pref in safe mode. (Press F8 before the PC boots)

EDIT: - Wow, Matt.. You know about google like I do... Don't tell everyone...

Keep it our secret..
#11
Don't think anyone has mentioned this but it's likely to be a virus with a name like Advapi LOL


So you can relax a little now in the knowledge that no one is hacking you, transferring huge sums of money; they are just gonna format your hard drives instead.



Hope you can take a joke and sort your system out
#12
Chiptivo
It is a problem with Advapi

EDIT: - Wow, Matt.. You know about google like I do... Don't tell everyone...

Keep it our secret..


I know yeah, this made up word even made it into the dictionary. Yet people do not know how to just copy and paste one word to find the answer to the question.
#13
Just in case you didn't know, OP

http://www.google.co.uk

for next time :)
banned#15
Advapi.exe virus yes

But advapi32 dl or dll ?

Advapi is a must for the pc.

Another person on the network (router shared) is accessing the PC, check the event viewer.

This firewall was off for some time (hacker turned it off); now, if a programme or whatever is installed, it is giving access to log in at any time. File sharing is disabled as well.
#16
Oh sweet Moses...
Step 1 - Google advapi. This will give info on a virus called NETDEVIL.12 (NetDevil 1.2) VIRUS.
Step 2 - Google said NetDevil virus. This will give info on what the virus does, such as taking control of PCs.
Step 3 - Google solution for removal of NetDevil virus.

What's the keyword here.... anyone....
#17


REP for that.. Never seen that before.. Class stuff.
#18
davedave3
Advapi.exe virus yes

But advapi32 dl or dll ?

Advapi is a must for the pc.

Another person on the network (router shared) is accessing the PC, check the event viewer.

This firewall was off for some time (hacker turned it off); now, if a programme or whatever is installed, it is giving access to log in at any time. File sharing is disabled as well.


advapi32.dll. There is no such thing as dl.
banned#19
I thought as much.

ADVAPI32.DL_ is in the folder c:\Windows\I386 date created 2006 though

The guy above just posted a link to ADVAPI.EXE, which I already talked about.

The other 3 ADVAPI32.DLL 1 is in system32, 1 system\dllcache, 1 softwaredistribution (those 3 microsoft)
banned#20
Well I deleted the dl one, was tempting to do it all day, but as it was created a few years ago, and passed every test, but hey, let's see. I'm sure you can understand that it must be very annoying to have someone use a remote desktop and watch what you're doing, and know they are connected as I use a real time event viewer. Just a few hours ago, I had a few files change on my system, a remote desktop connection file in a folder which it would never be in, and many more which I won't bore you with. Think of it, some guy has the WWW, but he prefers to flipping watch what I am doing.
#21
ADVAPI32.DL_

is the unextracted version
banned#22
Extracted..........it wasn't in winrar, but that probably sounds stupid right. I don't think me deleting that will do anything. I just think some guy used his PC skills to adjust my PC when my firewall was off (I don't know how long it was off for.........maybe 1 month). And now he can just login using the network service no matter what. HELP!
#23
Just download AVG FREE, install, update, and a full scan.

http://free.avg.com/download-avg-anti-virus-free-edition
banned#25
I mentioned that I had avg at the top.
banned#26
you need nod32.....
banned#27
I think it's gone past downloading a standard virus/spy/malware prog. This hacker must have admin privileges, so he can do anything he wants. I just need to block him logging on through the network service. Or if I knew what to do, find his IP, then kick his head in:?
banned#28
davedave3
I think it's gone past downloading a standard virus/spy/malware prog. This hacker must have admin privileges, so he can do anything he wants. I just need to block him logging on through the network service. Or if I knew what to do, find his IP, then kick his head in:?


Can't admin remove admin? You may need to reinstall mate....

What you should have tried was a system restore when you first noticed it... it may have got rid of the problem...

Back your data up ASAP...
#29
Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall
Enable view for hidden user accounts (google/tweakui)
Change user account passwords
banned#30
MoneySavingG
Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall


or use a hammer...:thumbsup:
#31
imranmaz;4158683
or use a hammer...:thumbsup:


lol I was about to suggest..curl up in a ball and cry
banned#32
Yep I thought about re-installing, but I have a lot of things on the PC, plus I do not have the original CD. This is not a nice thing indeed. It's like I'm on Big Brother.

As you can imagine, finding info on the net takes ages. I have spent days looking into this (that's why when someone said download avg, it would not make me laugh)

I have just joined an IT forum, and I'll see what those chaps say, but it is looking bleak.

I know you can hide admin accounts, so if you look, it will show only you, but if you have some knowledge, there could be a hidden one...............now try finding that on the net.
banned#33
Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall
Enable view for hidden user accounts (google/tweakui)
Change user account passwords

I am running on a basic system, all I want is to download and play, scan the net that's it so I pretty much disabled a lot!

I have Windows Worms Doors Cleaner, it has closed ports apart from 137-139, otherwise the internet will not work........ because I have tried closing them as well.
#34
davedave3;4158771
Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall
Enable view for hidden user accounts (google/tweakui)
Change user account passwords

I am running on a basic system, all I want is to download and play, scan the net that's it so I pretty much disabled a lot!

I have Windows Worms Doors Cleaner, it has closed ports apart from 137-139, otherwise the internet will not work........ because I have tried closing them as well.


Skimming the thread I take it you are running your internet off a shared router? Are you running a software firewall then, like ZoneAlarm? This should have options to disallow inbound connections to your PC. First you need to get rid of any trojans/viruses on the PC. I'd suggest NOD32, run whilst disconnected from the network.
banned#35
Yup shared router, I am running Windows firewall, and Comodo firewall. I did have ZoneAlarm, but the hacker put an exception in it, so I got rid of that and downloaded Comodo. I just installed TweakUI, and there were 2 accounts, 1 admin, the other interactive (I deleted it). When I pressed default the interactive account came back, I deleted it again, I presume it's just a standard thing. Of course I can disallow inbound connections, but I will have no internet. I live with Bill Gates it seems.
#36
Just format and start again. Why take the risk of trusting you've removed it fully when your pc has already been compromised in such a huge way.
#37
Why not format and use Linux (Ubuntu etc.)? Legal, free, hard to hack, less chance of viruses.
banned#38
The only defense I have at the moment is a real time event log. Once a login occurs, a pop up balloon appears, and I disconnect the internet.
banned#39
jah128..........

formatting, I have not done this before, I know it is simple but I am unsure of one thing. If I format, then where is the OS? I don't have anything, just a cr...ap PC, all genuine windows, but if I format, what happens (please no obvious jokes)
#40
Have you not got a Windows CD?

If not, download Windows XP black
