Impersonating User

My PC hung up & the CPU usage was 100% [a "service host" was active]

Since I was online I suspected possible attack or active trojan was running, so I killed the MSIE & shut down (took a long time).

[note - PC uses HIBERNATION so last bootup was a week or more ago]

I re-booted using "boot logging" to look for trouble.

ntbtlog.txt has a BUNCH of listings of drivers not loading [though they do later in the list - required stuff like
Loaded driver \SystemRoot\System32\drivers\afd.sys
Did not load driver \SystemRoot\System32\drivers\afd.sys

Why the 'yes' then 'no'?

And here you have the shutdown & then startup portion from "userenv.log" on the re-boot.
USERENV(1e8.1ec) 10:26:18:386 DumpOpenRegistryHandle: 6 user registry Handles leaked from \Registry\User\S-1-5-21-1343024091-484763869-725345543-1003_Classes
USERENV(1e8.1ec) 10:26:18:386 ReportError: Impersonating user.
USERENV(1e8.1ec) 10:28:00:062 CUserProfile::CleanupUserProfile: Ref Count is not 0

SHould I be concerned with the "Impersonating" ???

All seems to be working OK on this internet connection.
Thanks,
C

EDIT - using XP SP1, no updates since installed in 2000
I have AVG Antivirus, Zone Alarm firewall,

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

sprkymrk

A search on MS site turned up this:

http://support.microsoft.com/kb/896427

crabeater

Yes, I saw a similar report in
http://support.microsoft.com/kb/873485/en-us
But both talk about HAVING to be part of a domain for the error to occur - I don't have mine

connected to a domain - setup only as 'workgroup'.

Neither make tis part of thier 'problem description'.

Also, I don't have any shares set on other computers - just the 2 local drives; so that can't be it either.

And the NIC is disabled since I am not connecting to others.

I have done some 'extra' shutting down of access to the PC - modified local security policies so maybe something there is wanting to check things.

Otherwise - I need to find a "rootkit" virus locator to look for them.

sprkymrk

crabeater wrote:

Otherwise - I need to find a "rootkit" virus locator to look for them.

RootKitRevealer at

www.sysinternals.com

KGhaleon

What operating system are you using, windows? If the computer is not on the network, I would do some thorough virus scans with AVG/Avast as well as run the above tool. I'd also suggest using Sophos anti-rootkit.

KG

crabeater

Will try the site listed.
using XP [see edit above]

Silver Bullet

It looks like ASP impersonates user accounts from what I have gathered by reading Technet

If you will take a look in Group Policy by typing gpedit.msc in a Run dialog box and then Navigate to Computer Configuratution > Windows Settings > Security Settings > Local Policies > User Rights Assignment and then find the setting to the right for Impersonate a Client after Authentication. Look at the properties of that setting and I'll bet that you have ASPNET listed there and probably Administrator and Service as well.

This may be all that is going on but it never hurts to be on the safe side and scan your PC.