Allow me to explain what happened. I'll include some snippets from Event Viewer, and what happened in order from first to last.

I'm running Windows XP Home on a cable connection behind a Netgear router, just so everybody knows.

I started up Unreal Tournament and attempted to find internet games, but it kept on saying that the master server could not be resolved. So I quit and relaunched it, after I started tethereal so I could see the hostname for the master server and ping it to see if it was up. As this was happening, my CPU usage shot to 100%, the computer was lagging really badly, and packets other than the typical Unreal UDP flurry were being seen.

The one that caught my eye was a packet that said nothing other than Malformed Packet, and under the payload it just said "RX". I thought this to be odd, so I hit Ctrl+Alt+Delete and noticed under the process list that the normal processes (SYSTEM, LOCAL SERVICE, USERS, etc.) were all blank. Right as I noticed this, the screen "flashed" to the WinXP classic theme, then back to my normal screen.

OK, now I'm in full defense mode. I'm jotting down IPs from tethereal, quit Unreal Tournament, and pulled my ethernet cable. Upon closer investigation by checking Event Viewer, I noticed a couple of interesting (but troubling at the same time) things.

I'll include these in the order they happened.

From the Security event viewer, I suspect these events to be the particularly malicious ones.

@7:28:58
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0xF92C)
Logon Type: 3

@7:28:59
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: RASMAN

@7:28:59
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: CHAP

User logoff with the name Anonymous Logon? RASMAN, CHAP? It gets better. At this point I rebooted like a dumbass.

Then I found this stuff, all in the startup process or an automated attack; I'm not sure, as I wasn't paying attention to the clock when I rebooted.

@7:41:37
1)Windows is starting up.
2)An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: C:\WINDOWS\system32\LSASRV.dll : Negotiate
3)Authentication Package Name: C:\WINDOWS\system32\kerberos.dll : Kerberos
4)Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : NTLM
5)Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Microsoft Unified Security Protocol Provider
6)Authentication Package Name: C:\WINDOWS\system32\schannel.dll : Schannel
7)Authentication Package Name: C:\WINDOWS\system32\wdigest.dll : WDigest
8) Authentication Package Name: C:\WINDOWS\system32\msv1_0.dll : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
9)A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: KSecDD
10)Logon Process Name: Winlogon
11)Logon Process Name: Winlogon\MSGina
12)Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: DELL8200$ <<My computer's name is "DELL8200", no "$" sign???
Domain Name: MSHOME
Logon ID: (0x0,0x3E7)

Then I believe this to be the "takeover":

Successful Network Logon:
User Name: <<notice how there's no username?
Domain:
Logon ID: (0x0,0xF778)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

I hope I didn't bore you guys to death with this long thread. I'd really like to know what, if anything, has happened here.

This is my newbie take on it.

They sent a fragmented packet (source routed, as I have NAT enabled) that = malformed packets
Somehow loaded a bunch of authentication packages
Got authenticated
And logged on with a blank username

Help here would be GREATLY appreciated.

Thanks in advance,
Jonesy