Advapi [please help understand Security Event logged]
Advapi seems to be accessing my computer - a search shows it is a virus - but McAfee is not catching it and a search for advapi.exe turns up nothing (even searching system folders and hidden files). Also, advapi.exe does not show up in running processes or boot processes.
I'm not sure what it is, but it generates events 528 and 576 like crazy. Usually these events happen in bursts - several times per hour.
From what I can tell, advapi is a legit WIN operation. I cannot find any specific reference to this event as a virus or trojan, but I am not sure what else it could be.
This is a typical event:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 1/25/2005
Time: 7:04:00 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: HAL2000
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 576
Date: 1/25/2005
Time: 7:04:00 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: HAL2000
Description:
Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
SeAssignPrimaryTokenPrivilege
SeChangeNotifyPrivilege
Yeah - it appears to be legit processes - but I do not understand why there are so many. Maybe, as suggested by the one article, I have settings that are too sensitive and record various innocuous events?
I have the same ADVAPI problem on my XP loads. Does anyone know if this is a legit process? The ADVAPI process runs immediately after installing XP. I did a low level format on the drive before loading it. The computer is not connected to the internet. All security prone services were disabled during the installation.
I have a Maxtor SATA/150 PCI Card installed because my system board is 100 and the drive is ATA/133. The card has a 10 MB BIOS. If I have a trojan, the only place it can be living is in the card BIOS.
If ADVAPI is a Trojan, it's a tough one to kill....
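
Added example, not part of the thread: a Python triage of pasted Security log text that tallies Event 528 records which are Logon Type 5 (service) logons under a built-in service session ID, like the 0x3E4 NETWORK SERVICE records quoted above, and returns every other logon for closer review. The sample text, the user `jdoe` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Low part of the logon session ID that Windows reserves for built-in accounts.
BUILTIN_SESSIONS = {0x3E4: "NETWORK SERVICE", 0x3E5: "LOCAL SERVICE", 0x3E7: "SYSTEM"}
SERVICE_LOGON = 5  # Logon Type 5 = a service started under this account

# Constructed sample: two records trimmed from the layout quoted in the thread,
# plus one made-up remote logon (user "jdoe") so the review path has input.
SAMPLE = """\
Event ID: 528
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Event ID: 576
User Name: NETWORK SERVICE
Logon ID: (0x0,0x3E4)
Event ID: 528
User Name: jdoe
Logon ID: (0x0,0x1A2B3C)
Logon Type: 10
Logon Process: User32
"""

def field(chunk, name):
    """Return the value of a 'Name: value' line, or '' if the line is absent."""
    m = re.search(rf"(?m)^{name}:[ \t]*(.*)$", chunk)
    return m.group(1).strip() if m else ""

def parse_events(text):
    """Split pasted log text at each 'Event ID:' line and extract triage fields."""
    events = []
    # Element 0 is whatever precedes the first 'Event ID:' line, so skip it.
    for chunk in re.split(r"(?m)^(?=Event ID:)", text)[1:]:
        luid = re.search(r"\(0x[0-9A-Fa-f]+,0x([0-9A-Fa-f]+)\)", field(chunk, "Logon ID"))
        events.append({"id": int(field(chunk, "Event ID")), "user": field(chunk, "User Name"),
                       "session": int(luid.group(1), 16) if luid else None,
                       "type": int(field(chunk, "Logon Type") or 0),
                       "process": field(chunk, "Logon Process")})
    return events

def triage(events):
    """Count routine built-in service logons; return every other 528 for review."""
    routine, review = Counter(), []
    for ev in (e for e in events if e["id"] == 528):
        if ev["type"] == SERVICE_LOGON and BUILTIN_SESSIONS.get(ev["session"]) == ev["user"]:
            routine[(ev["user"], ev["process"])] += 1
        else:
            review.append(ev)
    return routine, review
```

Calling `triage(parse_events(text))` on an exported log gives a per-account count of the repetitive service logons and a short list of the remaining logons to read by hand.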