Need an IT GUY. Have been hacked. Can anyone check my event viewer below....

Banned
Windows firewall is on, have comodo firewall, avg.

Shared internet (I plug into router and so do others)
Believe it is someone in this house
This happens now and again: the PC was not used as I waited, then the login happened. I have shut down a lot of stuff and used various spyware and virus removers, but still he can get in. Anyone help?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 22/01/2009
Time: 19:44:27
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at go.microsoft.com/fwl…asp.


Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 22/01/2009
Time: 11:55:07
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege

For more information, see Help and Support Center at go.microsoft.com/fwl…asp.



--------------------Below is when I pulled the internet cable out---above is what matters.....

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 22/01/2009
Time: 11:56:13
User: NT AUTHORITY\NETWORK SERVICE
Computer: MOSICSA
Description:
IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.



For more information, see Help and Support Center at go.microsoft.com/fwl…asp.
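Added example, not part of the original post: a small Python parser for Event Viewer text in the format pasted above, with a check of what the Logon Type actually says. The point for these entries is that event 528 with Logon Type 5 by NT AUTHORITY\NETWORK SERVICE (logon process Advapi, empty workstation name) is the Service Control Manager starting a service under a built-in account; only types 3 and 10 (network and RDP) mean another machine opened a session. The SAMPLE constant is the thread's own first two events, trimmed.

```python
import re
# Logon Type codes in an XP/2003 security log event 528, and whether each means another machine opened the session.
LOGON_TYPES = {
    2: ("Interactive", False), 3: ("Network", True), 4: ("Batch", False),
    5: ("Service", False), 7: ("Unlock", False), 8: ("NetworkCleartext", True),
    9: ("NewCredentials", False), 10: ("RemoteInteractive/RDP", True),
    11: ("CachedInteractive", False),
}
BUILTIN_SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}  # accounts the SCM starts services as

# The thread's own first two events, trimmed (constructed sample input).
SAMPLE = r"""Event Type: Success Audit
Event ID: 528
User: NT AUTHORITY\NETWORK SERVICE
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Workstation Name:

Event Type: Success Audit
Event ID: 576
User Name: NETWORK SERVICE
Privileges: SeAuditPrivilege
"""

def parse_events(text):
    """Split pasted Event Viewer text into one {field: value} dict per event."""
    events = []
    for chunk in re.split(r"\n\s*\n(?=Event Type:)", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
            if m and m.group(1) not in ev:  # keep the first copy of a repeated field
                ev[m.group(1)] = m.group(2).strip()
        events.append(ev)
    return events

def assess_logon(ev):
    # Returns (remote_access_indicated, explanation) for one parsed event.
    if ev.get("Event ID") != "528":
        return False, "not a logon event"
    ltype = int(ev.get("Logon Type") or 0)
    name, remote = LOGON_TYPES.get(ltype, ("Unknown", True))
    user = ev.get("User Name", "")
    if ltype == 5 and user in BUILTIN_SERVICE_ACCOUNTS:
        return False, f"type 5 ({name}) logon by built-in {user}: a service started locally"
    if remote:
        return True, f"type {ltype} ({name}) from workstation '{ev.get('Workstation Name', '')}'"
    return False, f"type {ltype} ({name}) logon by {user}: local to this PC"
```

Run it over a full export of the security log and only the events it flags True are worth chasing as someone else's session; a real remote logon also carries a non-empty Workstation Name.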

43 Comments

Original Poster Banned

Also have 3 ADVAPI32.DLL

And 1 ADVAPI32.DL

You need to be much clearer in your description of what's happening.

got an it problem? moss is your man...

http://i.thisislondon.co.uk/i/pix/2007/12/43a_20_itcrowd_243x377.jpg



sorry, i know this doesn't help you, couldn't resist it's the first thing that came to mind when i read IT ;-)

Original Poster Banned

"You need to be much clearer in your description of what's happening."
I gave enough info on the problem; that's why in the title I asked if there were any IT guys.

davedave3;4156800

"You need to be much clearer in your description of what's happening." I gave enough info on the problem; that's why in the title I asked if there were any IT guys.



This could be why you are not getting any help. If someone tries to be of assistance on here and you meet it with that attitude then people here won't help you. :thumbsup:

Original Poster Banned

omg...............................

davedave3;4157024

omg...............................



this usually happens when you google google.

But yeah, your attitude stinks.

So what actually happens?

The computer logs itself on?

It is a problem with Advapi

processlibrary.com/dir…pi/

Search and delete from your HDD, pref in safe mode. (Press F8 before the PC boots)

EDIT: - Wow, Matt.. You know about google like I do... Don't tell everyone...

Keep it our secret..

Don't think anyone has mentioned this but it's likely to be a virus with a name like Advapi LOL


So you can relax a little now in the knowledge that no one is hacking you, transferring huge sums of money they are just gonna format your hard drives instead .



Hope you can take a joke and sort your system out

Chiptivo;4157073

It is a problem with Advapi. EDIT: - Wow, Matt.. You know about google like I do... Don't tell everyone... Keep it our secret..



I know yeah, this made up word even made it into the dictionary. Yet people do not know how to just copy and paste one word to find the answer to the question.

Just in case you didn't know, OP:

google.co.uk

for next time

Original Poster Banned

Advapi.exe virus yes

But advapi32 dl or dll ?

Advapi is a must for the pc.

Another person on the network (router shared) is accessing the PC, check the event viewer.

The firewall was off for some time (the hacker turned it off), so if a programme or whatever was installed it is giving access to log in at any time. File sharing is disabled as well.

oh sweet moses...
step 1 - google advapi. this will give info on a virus called NETDEVIL.12 (NetDevil 1.2) VIRUS
step 2 - google said netdevil virus. this will give info on what the virus does such as taking control of pc's.
step 3 - google solution for removal of netdevil virus

what's the keyword here.... anyone....

Babbabooey;4157196

Here's the info on what is happening to your computer, and how to fix it



REP for that.. Never seen that before.. Class stuff.

davedave3;4157238

Advapi.exe virus yes. But advapi32 dl or dll? Advapi is a must for the pc. Another person on the network (router shared) is accessing the PC, check the event viewer. The firewall was off for some time (the hacker turned it off), so if a programme or whatever was installed it is giving access to log in at any time. File sharing is disabled as well.



advapi32.dll. there is no such thing as dl.

Original Poster Banned

I thought as much.

ADVAPI32.DL_ is in the folder c:\Windows\I386 date created 2006 though

The guy above just posted a link the ADVAPI.EXE, which I already talked about.

The other 3 ADVAPI32.DLL 1 is in system32, 1 system\dllcache, 1 softwaredistribution (those 3 microsoft)

Original Poster Banned

Well I deleted the dl one; it was tempting to do it all day, but it was created a few years ago and passed every test. But hey, let's see. I'm sure you can understand that it must be very annoying to have someone use a remote desktop and watch what you're doing, and to know they are connected, as I use a real time event viewer. Just a few hours ago I had a few files change on my system, a remote desktop connection file in a folder it would never be in, and many more which I won't bore you with. Think of it: some guy has the WWW, but he prefers to flipping watch what I am doing.

ADVAPI32.DL_

is unextracted version

Original Poster Banned

Extracted..........it wasn't in winrar, but that probably sounds stupid right. I don't think me deleting that will do anything. I just think some guy used his PC skills to adjust my PC when my firewall was off (I don't know how long it was off for.........maybe 1 month). And now he can just login using the network service no matter what. HELP!

Just download AVG FREE, install, update, and a full scan.

free.avg.com/dow…ion

Original Poster Banned

I mentioned that I had avg at the top.

Banned

you need nod32.....

Original Poster Banned

I think it's gone past downloading a standard virus/spy/malware prog. This hacker must have admin privileges, so he can do anything he wants. I just need to block him logging on through the network service. Or, if I knew what to do, find his IP, then kick his head in:?

Banned

davedave3;4158593

I think it's gone past downloading a standard virus/spy/malware prog. This hacker must have admin privileges, so he can do anything he wants. I just need to block him logging on through the network service. Or, if I knew what to do, find his IP, then kick his head in:?



can't admin remove admin? you may need to reinstall mate....

what you should have tried was a system restore when you first noticed it...it may have got rid of the problem...

back your data up asap...

Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall
Enable view for hidden user accounts (google/tweakui)
Change user account passwords

Banned

MoneySavingG;4158665

Erm disable remote desktop, remote help in the OS. Close ports on your router/activate hardware firewall



or use a hammer...:thumbsup:

imranmaz;4158683

or use a hammer...:thumbsup:



lol I was about to suggest..curl up in a ball and cry

Original Poster Banned

Yep I thought about re-installing, but I have a lot of things on the PC, plus I do not have the original cd. This is not a nice thing indeed. It's like I'm on Big Brother.

As you can imagine, finding info on the net takes ages. I have spent days looking into this (that's why when someone said download avg, it would not make me laugh)

I have just joined an IT forum, and i'll see what those chaps say, but it is looking bleak.

I know you can hide admin accounts, so if you look, it will show only you, but if you have some knowledge, there could be a hidden one...............now try finding that on the net.

Original Poster Banned

Erm disable remote desktop, remote help in the OS
Close ports on your router/activate hardware firewall
Enable view for hidden user accounts (google/tweakui)
Change user account passwords

I am running on a basic system, all I want is to download and play, scan the net that's it so I pretty much disabled a lot!

I have Windows Worms Doors Cleaner; it has closed ports apart from 137-139, otherwise the internet will not work........because I have tried closing them as well.

davedave3;4158771

Erm disable remote desktop, remote help in the OS. Close ports on your router/activate hardware firewall. Enable view for hidden user accounts (google/tweakui). Change user account passwords. I am running on a basic system, all I want is to download and play, scan the net, that's it, so I pretty much disabled a lot! I have Windows Worms Doors Cleaner; it has closed ports apart from 137-139, otherwise the internet will not work........because I have tried closing them as well.



Skimming the thread I take it you are running your internet off a shared router? Are you running a software firewall then, like ZoneAlarm? This should have options to disallow inbound connections to your PC. First you need to get rid of any trojans/viruses on the PC. I'd suggest NOD32, run whilst disconnected from the network.

Original Poster Banned

Yup shared router, I am running Windows firewall and Comodo firewall. I did have ZoneAlarm, but the hacker put an exception in it, so I got rid of that and downloaded Comodo. I just installed Tweak UI, and there were 2 accounts, 1 admin, the other interactive (I deleted it). When I pressed default the interactive account came back; I deleted it again. I presume it's just a standard thing. Of course I can disallow inbound connections, but I will have no internet. I live with Bill Gates it seems.

Just format and start again. Why take the risk of trusting you've removed it fully when your pc has already been compromised in such a huge way.

Why not format and use Linux (Ubuntu etc.)? Legal, free, hard to hack, less chance of viruses.

Original Poster Banned

The only defense I have at the moment is a real time event log. Once a login occurs, a pop up balloon appears, and I disconnect the internet.

Original Poster Banned

jah128..........

formatting, I have not done this before, I know it is simple but I am unsure of one thing. If I format, then where is the OS? I don't have anything, just a cr...ap PC, all genuine windows, but if I format, what happens (please no obvious jokes)

Have you not got a windows cd ?

If not, download Windows XP black