Posted on 2011-10-07
Medium Priority
Last Modified: 2012-05-12
32-bit xp

My system shutdown this morning without warning.  I started looking in the logs and went to the security logs.  I am having what looks like an attack

There are many ID 850 "A port was listed as an exception when the Windows Firewall started."

There are many ID 576 "Special privileges assigned to new logon:" and the user name and domain are blank

There are many id 515 "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. "

There are many ID 849 "An application was listed as an exception when the Windows Firewall started. "

I am rushing this - need to get back to it...
Question by:santaspores1
  • 4

Author Comment

ID: 36931001
Now I see that my security log is filled with such events.  It goes back to 9/21/2011and I see all the same security events...

Is there any reason (other than having been hacked) why I might have such entries?

Author Comment

ID: 36931944
And also ID 518 source security:
An notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes.
 Notification Package Name:      scecli

I have updated and run norton antivirus, malwarebytes, spybot.  None of them found anything.

Author Comment

ID: 36932941
sophos ati-rootkit and combofix did create some reports... but nothing that looked ridiculously suspicious.  
LVL 35

Accepted Solution

torimar earned 2000 total points
ID: 36936245
"Notification Package Name:      scecli"

That is a standard notification package, not a rogue one, hence no evidence for a security breach.

Most of the other event IDs should also be able to provide more detail:
515: logon process name
576: user name and domain
849: name and path of the process
850: port number, protocol, name and interface

Please post those details and comment on whether they sound familiar to you.

Author Closing Comment

ID: 36941970
I agree.  I found no evidence at all of any wrongdoing.  And I did find similar entries on other machines.  The Name brand anti apps found nothing.  I just wish there was more documentation for security items such as these!

Thanks for your expert opinion.  It is always valuable.

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
When you put your credit card number into a website for an online transaction, surely you know to look for signs of a secure website such as the padlock icon in the web browser or the green address bar.  This is one way to protect yourself from oth…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question