Impersonating User
My PC hung up & the CPU usage was 100% [a "service host" was active]
Since I was online I suspected possible attack or active trojan was running, so I killed the MSIE & shut down (took a long time).
[note - PC uses HIBERNATION so last bootup was a week or more ago]
I re-booted using "boot logging" to look for trouble.
ntbtlog.txt has a BUNCH of listings of drivers not loading [though they do later in the list - required stuff like
Loaded driver \SystemRoot\System32\drivers\afd.sys
Did not load driver \SystemRoot\System32\drivers\afd.sys
Why the 'yes' then 'no'?
And here you have the shutdown & then startup portion from "userenv.log" on the re-boot.
USERENV(1e8.1ec) 10:26:18:386 DumpOpenRegistryHandle: 6 user registry Handles leaked from \Registry\User\S-1-5-21-1343024091-484763869-725345543-1003_Classes
USERENV(1e8.1ec) 10:26:18:386 ReportError: Impersonating user.
USERENV(1e8.1ec) 10:28:00:062 CUserProfile::CleanupUserProfile: Ref Count is not 0
Should I be concerned with the "Impersonating" ???
All seems to be working OK on this internet connection.
Thanks,
C
EDIT - using XP SP1, no updates since installed in 2000
I have AVG Antivirus, Zone Alarm firewall,
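An added example, not part of the original post: a short Python script that groups ntbtlog.txt entries by driver path, so a driver listed as both "Loaded" and "Did not load" (the afd.sys pattern quoted above) is separated from drivers that have no successful load entry at all. The sample log, the example1/example2 driver names and the function names are constructed for illustration, and the file-encoding handling is an assumption.

```python
import re
from collections import OrderedDict

# The two entry types quoted in the post.
ENTRY = re.compile(r"^\s*(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")

# Constructed sample modelled on the lines quoted in the post; not a real log.
SAMPLE = r"""
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\Drivers\Example1.SYS
Did not load driver \SystemRoot\System32\drivers\afd.sys
Did not load driver \SystemRoot\System32\drivers\example2.sys
Did not load driver \SystemRoot\System32\drivers\example2.sys
"""

def reconcile(text):
    """Group entries by driver path (case-insensitive) and classify each driver."""
    history = OrderedDict()  # lower-cased path -> list of True/False in log order
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, date and blank lines
        loaded = m.group(1) == "Loaded driver"
        history.setdefault(m.group(2).lower(), []).append(loaded)
    report = {"loaded": [], "loaded_and_refused": [], "never_loaded": []}
    for path, events in history.items():
        if all(events):
            report["loaded"].append(path)
        elif any(events):
            report["loaded_and_refused"].append(path)  # the 'yes' then 'no' case
        else:
            report["never_loaded"].append(path)  # no successful load entry at all
    return report

def read_boot_log(path):
    """Read ntbtlog.txt; assumes UTF-16 when a BOM is present, single-byte otherwise."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

if __name__ == "__main__":
    for status, paths in reconcile(SAMPLE).items():
        print(status, paths)
```

On a real system, pass the output of `read_boot_log` to `reconcile`; the `never_loaded` list is the one worth comparing against the drivers you expect to be installed.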
Comments
-
crabeater Member Posts: 88
Yes, I saw a similar report in
http://support.microsoft.com/kb/873485/en-us
But both talk about HAVING to be part of a domain for the error to occur - I don't have mine connected to a domain - setup only as 'workgroup'.
Neither make this part of their 'problem description'.
Also, I don't have any shares set on other computers - just the 2 local drives; so that can't be it either.
And the NIC is disabled since I am not connecting to others.
I have done some 'extra' shutting down of access to the PC - modified local security policies so maybe something there is wanting to check things.
Otherwise - I need to find a "rootkit" virus locator to look for them.
-
sprkymrk Member Posts: 4,884
crabeater wrote: Otherwise - I need to find a "rootkit" virus locator to look for them.
RootKitRevealer at
www.sysinternals.com
All things are possible, only believe.
-
KGhaleon Member Posts: 1,346
What operating system are you using, Windows? If the computer is not on the network, I would do some thorough virus scans with AVG/Avast as well as run the above tool. I'd also suggest using Sophos anti-rootkit.
KG
Present goals: MCAS, MCSA, 70-680
-
Silver Bullet Member Posts: 676
It looks like ASP impersonates user accounts from what I have gathered by reading Technet.
If you will, take a look in Group Policy by typing gpedit.msc in a Run dialog box, then navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and find the setting to the right for Impersonate a Client after Authentication. Look at the properties of that setting and I'll bet that you have ASPNET listed there and probably Administrator and Service as well.
This may be all that is going on but it never hurts to be on the safe side and scan your PC.