Windows 8 and 8.1 Forums

Multiple security audit events, Is my system compromised?

  1. #1

    Posts : 36
    Windows 8.1 Enterprise x64

    Here's a few samples of what I'm seeing in Event Viewer:

    An account was successfully logged on.
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 0
    Impersonation Level: -
    New Logon:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x3E7
    Logon GUID: {00000000-0000-0000-0000-000000000000}
    Process Information:
    Process ID: 0x4
    Process Name:
    Network Information:
    Workstation Name: -
    Source Network Address: -
    Source Port: -
    Detailed Authentication Information:
    Logon Process: -
    Authentication Package: -
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Special privileges assigned to new logon.
    Account Name: NETWORK SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3E4
    Privileges: SeAssignPrimaryTokenPrivilege

    Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

    File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll

    And the one that troubles me the most is this one:

    An attempt was made to query the existence of a blank password for an account.
    Security ID: LOCAL SERVICE
    Account Name: LOCAL SERVICE
    Account Domain: NT AUTHORITY
    Logon ID: 0x3E5
    Additional Information:
    Caller Workstation: xxxx
    Target Account Name: xxxxxxxx
    Target Account Domain: xxxxx


    For this last event, I found a post about it here when googling it; it could be a compromised system or nasty rootkit malware. WTF is going on?
    I'm getting tired of this and about to cleanly install a Linux distro to have peace of mind. Someone please help me before I do so.

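Added example (not part of the original posts): a small Python triage of pasted Security-log event text like the samples in post #1. It checks each Logon ID against the well-known built-in sessions (0x3E7 SYSTEM, 0x3E4 NETWORK SERVICE, 0x3E5 LOCAL SERVICE) and flags remote logon types (3, 10) or a non-local source address for review. The function names, the `builtin-local` verdict label and both sample events are constructed for illustration.

```python
# Added example: triage pasted Security-log event text by logon session.
WELL_KNOWN = {0x3E7: "SYSTEM", 0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE"}
SECTIONS = {"Subject", "New Logon", "Process Information", "Network Information",
            "Detailed Authentication Information", "Additional Information"}
REMOTE_TYPES = {"3", "10"}            # Network and RemoteInteractive logons
LOCAL_SOURCES = {"-", "", "::1", "127.0.0.1"}

# Constructed samples in the layout shown in the thread (values are illustrative).
SAMPLE_STARTUP = ("An account was successfully logged on.\nAccount Name: -\n"
                  "Logon ID: 0x0\nLogon Type: 0\nNew Logon:\nAccount Name: SYSTEM\n"
                  "Logon ID: 0x3E7\nNetwork Information:\nSource Network Address: -")
SAMPLE_REMOTE = ("An account was successfully logged on.\nLogon Type: 3\nNew Logon:\n"
                 "Account Name: alice\nLogon ID: 0x5A3F1\nNetwork Information:\n"
                 "Source Network Address: 192.0.2.10")

def parse_event(text):
    """Parse an event description into a list of (section, field, value)."""
    rows, section = [], ""
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        key, sep, value = line.partition(":")
        if sep and not value.strip() and key in SECTIONS:
            section = key             # header line such as "New Logon:"
        elif sep:
            rows.append((section, key.strip(), value.strip()))
    return rows

def triage(text):
    """Return (verdict, notes): 'review', 'builtin-local' or 'unclassified'."""
    rows, notes = parse_event(text), []
    names = {sec: val for sec, key, val in rows if key == "Account Name"}
    for sec, key, val in rows:
        if key == "Logon ID":
            luid, name = int(val, 16), names.get(sec, "-")
            if luid in WELL_KNOWN and name == WELL_KNOWN[luid]:
                notes.append(f"{val} is the built-in {name} logon session")
            elif luid in WELL_KNOWN:  # reserved session ID under another name
                notes.append(f"REVIEW: {val} paired with account '{name}'")
        elif key == "Logon Type" and val in REMOTE_TYPES:
            notes.append(f"REVIEW: remote logon type {val}")
        elif key == "Source Network Address" and val not in LOCAL_SOURCES:
            notes.append(f"REVIEW: source address {val}")
    if any(n.startswith("REVIEW") for n in notes):
        return "review", notes
    return ("builtin-local" if notes else "unclassified"), notes

if __name__ == "__main__":
    for sample in (SAMPLE_STARTUP, SAMPLE_REMOTE):
        print(triage(sample))
```

A `builtin-local` verdict only says the event was raised by a built-in service session with no remote source recorded; it is a sorting aid for which events to read first, not a finding about the machine.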

  2. #2

    I would download and run MalwareBytes, using a rootkit scan and a reboot, running in "safe mode with networking" enabled.

  3. #3

    Did that help?

  4. #4

    Posts : 36
    Windows 8.1 Enterprise x64

    Sorry for taking so long to respond, but I'm afraid Malwarebytes or any typical AV would not have been able to resolve this issue.

    At the time this happened I talked to a computer security forensics expert, and from what I explained to him, it looks like my entire network was compromised. They had got in through Wi-Fi. Had to RMA all computer parts and start from scratch, since I believe I was infected by a hardware-based BIOS rootkit, which is not detectable by AVs.
