| | #1 (permalink) |
| Vista Home Premium |

Hi, have a bit of an issue, afraid I have only just signed up, so not sure if this is the 100% correct place to post but here goes.

I think someone has gained remote access of some kind to my computer, and retrieved a file. Originally based on what I heard through the very thin floor of my room. I.e. I think my housemates got at it and I would like to know for definite as it contains rather sensitive and personal information. I am not an expert with IT but I will try to explain a little, and will try to answer any further questions to get to the bottom of it.

Around 2 months back I noticed a small brown or red icon on my toolbar at the bottom of the screen (perhaps someone might be able to recognise a method from this scrappy description?), this read something along the lines of "connected to ?????-PC", ????? being the name of a housemate. I terminated the link and confronted them but they deny this.

Secondly I have noticed that Windows remote access has been enabled, and after some reading up I have found that this is not enabled by default, and as I know very little about software, and know I haven't touched it, then this can't be me?

Thirdly I have been looking through the event log, and within the WLAN-Autoconfig I found an Event ID 11004 which reads:

```
Adapter Broadcom 802.11g Network Adapter
DeviceGuid {B4FD2D99-F15B-4BAC-A591-180E23218228}
LocalMac 00:1F:C6:8C:AB:6E
SSID SKY97932
BSSType Infrastructure
PeerMac 00:1B:2F:41:CA:B6
SecurityHint The operation succeeds.
SecurityHintCode 0
ConnectionId 0x1
```

Perhaps it is me being paranoid but the security hint strikes me as odd, but then I don't really know what it means.

4th DFS Replication, I have only 6 entries under DFS Replication, all relate to a date that falls within the period I believe the document to have been taken, lasting only 5 mins.

5th Terminal Services - Remote Connection Manager Log has been or is disabled.

6th all Windows Error Reports found through the tree: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ are post 18/5/2009, there are a fair few, but I bought my computer last summer, so would have expected there to be some prior to 18/5/2009 as well?

It could just be me being very paranoid, but it's just that the document covers a wide variety of topics, many of which have been introduced into conversation between us soon after I had confronted them over gaining access the first time.

I would be very grateful for any assistance that can be offered, as it is actually driving me insane.

Cheers, Lloyd

Also there appear to be Microsoft Visual Source Safe events, and events through WMI Event ID:10???
| | #2 (permalink) |
| Vista Home Premium 32bit | Re: Paranoid or Poirot? Looks like they remoted into your computer. |
| | #3 (permalink) |
| Vista Home Premium | Re: Paranoid or Poirot? Is there any specific part of any of that, that would specifically signify remote access had been achieved? Is there any way of tracking down specific access? After all, these people were meant to be my friends and I don't really want to make accusations without specifics. |
| | #4 (permalink) |
| Vista Home Premium 32bit | Re: Paranoid or Poirot? This, quoted from your first post: 'something along the lines of "connected to ?????-PC", ????? being the name of a housemate.' PC Anywhere and other remote access programs can do this. But I am not an expert at remote access; you might wait for others here to chime in with a response. |
| | #5 (permalink) |
| Windows Vista Ultimate SP2 x32 | Re: Paranoid or Poirot? I guess you've got to set a new password for your wireless router, as your housemates may have hacked (if you have a password) the password and then gained access to your computer. Hope this helps. |
| | #6 (permalink) |
| Vista Home Premium | Re: Paranoid or Poirot? We all used the same wireless router, which was attached to said housemate's PC and then I was linked in via wireless network card. The "connected to ????-PC" was a link that I closed down without doing a screenshot as evidence, and I haven't seen it since so haven't had the opportunity to take a screenshot to back up my allegations. If memory serves me correctly it was a brown or orange icon that I think resembled the MSN logo for shape (I think), does this ring any bells? Is there any way to confirm it? A way of tracking through the event log or something? I am not brilliant with PCs but I want to have definitive proof first, as if I am right this is a situation where I will go absolutely ballistic at them. |
| | #7 (permalink) |
| Vista Home Premium | Re: Paranoid or Poirot? P.S. thank you for all the help so far |
| | #8 (permalink) |
| Vista Home Premium | Re: Paranoid or Poirot? Have been doing a bit of further research and if anyone has any knowledge specifically of Go To My PC I would very much like to know more about the toolbar logo for this software. It appears to be an orange square with an MSN style logo cut out, or at least on their webpage.... |
| | #9 (permalink) |
| Vista Home Premium |

Re: Paranoid or Poirot?

Ok, so I am hoping that I am getting there slightly, I am not sure on Go To My PC, however I have been looking over the event logs and have noticed the following:

```
EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName NT AUTHORITY
TargetLogonId 0xec3c29
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName DUNCAN-PC
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 128
ProcessId 0x0
ProcessName -
IpAddress 192.168.0.4
IpPort 61466
```

```
EventData
SubjectUserSid S-1-0-0
SubjectUserName -
SubjectDomainName -
SubjectLogonId 0x0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
TargetDomainName NT AUTHORITY
TargetLogonId 0x8a922e
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName YOUR-A9279112E3
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName NTLM V1
KeyLength 0
ProcessId 0x0
ProcessName -
IpAddress 192.168.0.2
IpPort 4924
```

Now if I remember correctly the point at which I first mentioned seeing the Duncan-PC connection to my friends coincides with the fact that from then on all Logon Type 3 events, that show a workstation name, swap to YOUR-A9279112E3. Duncan's PC was the hub for our network, does any of this make any sense?
| | #10 (permalink) |
| Vista Home Premium |

Re: Paranoid or Poirot?

```
EventData
SubjectUserSid S-1-5-21-2617509925-2813344812-3838341493-1000
SubjectUserName Lloydy
SubjectDomainName Lloydy-PC
SubjectLogonId 0x2e6d3
TargetUserSid S-1-5-21-2617509925-2813344812-3838341493-501
TargetUserName Guest
TargetDomainName Lloydy-PC
TargetLogonId 0x8d49ee
LogonType 3
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName LLOYDY-PC
LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0xd1c
ProcessName C:\Windows\explorer.exe
IpAddress -
IpPort -
```

I also thought this one looks weird because of the Guest status of target username?
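Added example, not part of the thread: a Python parser for the flattened logon records pasted in posts #9 and #10, which pulls out the fields that show how each logon reached the machine. LogonType 3 is a network logon (access to a resource such as a shared folder), while a Remote Desktop session is recorded as type 10; the function names and output keys are this example's own.

```python
import re

# Field names exactly as they appear in the records posted in this thread.
FIELDS = ("SubjectUserSid SubjectUserName SubjectDomainName SubjectLogonId TargetUserSid "
          "TargetUserName TargetDomainName TargetLogonId LogonType LogonProcessName "
          "AuthenticationPackageName WorkstationName LogonGuid TransmittedServices "
          "LmPackageName KeyLength ProcessId ProcessName IpAddress IpPort").split()
SPLIT = re.compile(r"\b(" + "|".join(FIELDS) + r")\b")
# Windows logon type codes: 3 is access over the network, 10 is a Remote Desktop session.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

# The three records from posts #9 and #10, copied as posted and re-wrapped for width.
SAMPLE = r"""
EventData SubjectUserSid S-1-0-0 SubjectUserName - SubjectDomainName - SubjectLogonId 0x0 TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON TargetDomainName NT AUTHORITY TargetLogonId 0xec3c29 LogonType 3 LogonProcessName NtLmSsp
AuthenticationPackageName NTLM WorkstationName DUNCAN-PC LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices - LmPackageName NTLM V1 KeyLength 128 ProcessId 0x0 ProcessName - IpAddress 192.168.0.4 IpPort 61466
EventData SubjectUserSid S-1-0-0 SubjectUserName - SubjectDomainName - SubjectLogonId 0x0 TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON TargetDomainName NT AUTHORITY TargetLogonId 0x8a922e LogonType 3 LogonProcessName NtLmSsp
AuthenticationPackageName NTLM WorkstationName YOUR-A9279112E3 LogonGuid {00000000-0000-0000-0000-000000000000}
TransmittedServices - LmPackageName NTLM V1 KeyLength 0 ProcessId 0x0 ProcessName - IpAddress 192.168.0.2 IpPort 4924
EventData SubjectUserSid S-1-5-21-2617509925-2813344812-3838341493-1000 SubjectUserName Lloydy SubjectDomainName Lloydy-PC
SubjectLogonId 0x2e6d3 TargetUserSid S-1-5-21-2617509925-2813344812-3838341493-501 TargetUserName Guest
TargetDomainName Lloydy-PC TargetLogonId 0x8d49ee LogonType 3 LogonProcessName Advapi AuthenticationPackageName Negotiate
WorkstationName LLOYDY-PC LogonGuid {00000000-0000-0000-0000-000000000000} TransmittedServices - LmPackageName - KeyLength 0 ProcessId 0xd1c ProcessName C:\Windows\explorer.exe IpAddress - IpPort -
"""

def parse_records(text):
    """Split flattened 'Name value Name value ...' text into one dict per EventData record."""
    out = []
    for chunk in text.split("EventData")[1:]:
        parts = SPLIT.split(" ".join(chunk.split()))  # [prefix, name, value, name, value, ...]
        out.append({n: v.strip() for n, v in zip(parts[1::2], parts[2::2])})
    return out

def triage(rec):
    """Return the fields that show what kind of logon this was and where it came from."""
    code = int(rec["LogonType"])
    return {
        "logon_type": LOGON_TYPES.get(code, "Unknown(%d)" % code),
        "account": rec["TargetUserName"], "workstation": rec["WorkstationName"],
        "anonymous": rec["TargetUserSid"] == "S-1-5-7",  # well-known SID of ANONYMOUS LOGON
        "remote_desktop": code == 10,                    # RemoteInteractive (Terminal Services)
        "source": rec["IpAddress"] if rec["IpAddress"] != "-" else "local: " + rec["ProcessName"],
    }

if __name__ == "__main__":
    print(*map(triage, parse_records(SAMPLE)), sep="\n")
```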