Posted on 2011-10-07
Last Modified: 2012-05-12
32-bit xp

My system shut down this morning without warning.  I started looking in the logs and went to the security logs.  I am having what looks like an attack.

There are many ID 850 "A port was listed as an exception when the Windows Firewall started."

There are many ID 576 "Special privileges assigned to new logon:" and the user name and domain are blank

There are many ID 515 "A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests."

There are many ID 849 "An application was listed as an exception when the Windows Firewall started."

I am rushing this - need to get back to it...
Question by: santaspores1

    Author Comment

    Now I see that my security log is filled with such events.  It goes back to 9/21/2011 and I see all the same security events...

    Is there any reason (other than having been hacked) why I might have such entries?

    Author Comment

    And also ID 518 source security:
    An notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes.
     Notification Package Name:      scecli

    I have updated and run Norton AntiVirus, Malwarebytes, Spybot.  None of them found anything.

    Author Comment

    Sophos anti-rootkit and ComboFix did create some reports... but nothing that looked ridiculously suspicious.

    Accepted Solution

    "Notification Package Name:      scecli"

    That is a standard notification package, not a rogue one, hence no evidence for a security breach.

    Most of the other event IDs should also be able to provide more detail:
    515: logon process name
    576: user name and domain
    849: name and path of the process
    850: port number, protocol, name and interface

    Please post those details and comment on whether they sound familiar to you.

    Author Closing Comment

    I agree.  I found no evidence at all of any wrongdoing.  And I did find similar entries on other machines.  The Name brand anti apps found nothing.  I just wish there was more documentation for security items such as these!

    Thanks for your expert opinion.  It is always valuable.
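
One way to collect the per-event details the accepted answer asks for and compare them with what another machine logs, as an added example that is not part of the original thread. The sample events, the baseline set and the exact label spellings in `DETAIL_FIELDS` are constructed assumptions; adjust them to match your own exported Security log.

```python
import re
from collections import Counter

# Detail fields named in the accepted answer (plus 518 from the thread).
# Assumption: each field appears on its own line as "Label: value".
DETAIL_FIELDS = {
    515: ["Logon Process Name"],
    518: ["Notification Package Name"],
    576: ["User Name", "Domain"],
    849: ["Name", "Path"],
    850: ["Port number", "Protocol", "Name", "Interface"],
}

def extract(event_id, description):
    """Return the detail values for one event; a blank field becomes ''."""
    values = []
    for label in DETAIL_FIELDS.get(event_id, []):
        pattern = rf"^[ \t]*{re.escape(label)}:[ \t]*(.*)$"
        m = re.search(pattern, description, re.I | re.M)
        values.append(m.group(1).strip() if m else "")
    return tuple(values)

def summarize(events):
    """Count how often each distinct (event ID, details) pair occurs."""
    return Counter((eid, extract(eid, desc)) for eid, desc in events)

def unfamiliar(events, baseline):
    """Distinct (event ID, details) pairs that are absent from the baseline."""
    return sorted(k for k in summarize(events) if k not in baseline)

# Constructed sample events: (event ID, description text).
PORT = ("A port was listed as an exception when the Windows Firewall started.\n"
        "Interface: All interfaces\nName: Example Service\n"
        "Port number: 12345\nProtocol: TCP")
SAMPLE = [
    (518, "A notification package has been loaded.\n"
          "Notification Package Name: scecli"),
    (515, "A trusted logon process has registered.\n"
          "Logon Process Name: Winlogon"),
    (576, "Special privileges assigned to new logon:\nUser Name:\nDomain:"),
    (850, PORT),
    (850, PORT),
    (849, "An application was listed as an exception.\n"
          "Name: Example App\nPath: C:\\Example\\app.exe"),
]
# Constructed baseline: pairs already seen on a comparison machine.
BASELINE = {(518, ("scecli",)), (515, ("Winlogon",)), (576, ("", ""))}

if __name__ == "__main__":
    for event_id, details in unfamiliar(SAMPLE, BASELINE):
        print(event_id, details)
```

Entries it prints are simply ones the comparison machine did not log; whether they are expected is still a judgement about that specific port, path or process name.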
