I'm a novice when it comes to computers, but I'm fairly certain that I'm being remotely accessed. My system was set to require a user to log in with a password after a period of inactivity, but that feature is no longer working. I went into services and noticed my password filled into several networking services with the user name "NT User Authority" (or something to that effect), but I only own one stand-alone home computer which should not be networked except for a dial-up internet connection. I deleted the passwords, disabled the suspicious services, and changed my administrative password. This morning I checked the event log and found these:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/7/2007
Time: 3:06:27 AM
User: NT AUTHORITY\SYSTEM
Computer: MOM
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: MOM
Error Code: 0xC000006A

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/7/2007
Time: 3:06:27 AM
User: NT AUTHORITY\SYSTEM
Computer: MOM
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain:
Logon Type: 2
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MOM

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 7/7/2007
Time: 3:06:28 AM
User: NT AUTHORITY\SYSTEM
Computer: MOM
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Kids
Source Workstation: MOM
Error Code: 0xC000006A

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 7/7/2007
Time: 3:10:26 AM
User: MOM\Owner
Computer: MOM
Description:
Change Password Attempt:
Target Account Name: Owner
Target Domain: MOM
Target Account ID: MOM\Owner
Caller User Name: Owner
Caller Domain: MOM
Caller Logon ID: (0x0,0x1CEB2)
Privileges: -

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 7/7/2007
Time: 4:05:44 AM
User: MOM\Owner
Computer: MOM
Description:
User Logoff:
User Name: Owner
Domain: MOM
Logon ID: (0x0,0x4DA4A2D)
Logon Type: 9

and several more like these. Does the first success audit mean that my password was successfully changed at 3:10 AM? If so, I'm afraid to reboot since I don't know what the password is.
Also, the .NET Framework 1.1 Configuration page has suddenly appeared twice after I made changes to my system.
I read about Backdoor.Sekorbdal on the Symantec site, and I did click on the link that supposedly activates it, but I did not find the related files on my computer. Please help!