Anonymous Who?

By captaincranky
Aug 31, 2015
  1. Just a quick question. Over the past couple of weeks I've been getting this message:

    + System
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 4624
    Version 0
    Level 0
    Task 12544
    Opcode 0
    Keywords 0x8020000000000000
    - TimeCreated
    [ SystemTime] 2015-08-30T07:21:27.615899800Z
    EventRecordID 75041
    [ ProcessID] 568
    [ ThreadID] 716
    Channel Security
    Computer xxxxxxxx-PC

    SubjectUserSid S-1-0-0

    SubjectUserName -

    SubjectDomainName -

    SubjectLogonId 0x0

    TargetUserSid S-1-5-7

    TargetUserName ANONYMOUS LOGON

    TargetDomainName NT AUTHORITY

    TargetLogonId 0x3c66b89

    LogonType 3

    LogonProcessName NtLmSsp

    AuthenticationPackageName NTLM

    WorkstationName YOUR-25EFDBD77B

    LogonGuid {00000000-0000-0000-0000-000000000000}

    TransmittedServices -

    LmPackageName NTLM V1

    KeyLength 128

    ProcessId 0x0

    ProcessName -


    IpPort 1920

    So, I'm getting an "anonymous" logon Type 3 (internet), and obviously the IP address corresponds to my router. Since the process name, "NtLmSsp", attaches to a "brute force attack" (or does it?), am I correct in assuming this turd has been hacked?

    This has apparently been going on for quite some time. The odd part is, a logoff event is created simultaneously. (At least simultaneous with respect to the lowest measurement on the log, which is seconds).
    Last edited: Aug 31, 2015
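An added example, not part of the original posts: a small Python triage of the fields in a 4624 event as pasted from Event Viewer's details view, noting what each value means. The sample text is a trimmed copy of the values in the post above; the function names and tags are made up for illustration.

```python
import re

# Constructed sample: a trimmed copy of the fields from the event pasted above.
SAMPLE = """\
EventID 4624
Computer xxxxxxxx-PC
SubjectUserSid S-1-0-0
TargetUserSid S-1-5-7
TargetUserName ANONYMOUS LOGON
LogonType 3
LogonProcessName NtLmSsp
AuthenticationPackageName NTLM
WorkstationName YOUR-25EFDBD77B
LmPackageName NTLM V1
KeyLength 128
"""

# "Name value" or "[ Name] value"; tree markers such as "+ System" do not match.
FIELD = re.compile(r"^\[?\s*(\w+)\]?\s+(\S.*)$")

def parse_event(text):
    """Turn the 'Name value' lines of a pasted event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def triage_4624(f):
    """Return (tag, explanation) pairs for a parsed 4624 (successful logon) event."""
    notes = []
    if f.get("EventID") != "4624":
        return notes
    if f.get("TargetUserSid") == "S-1-5-7":
        notes.append(("anonymous", "session is for the well-known Anonymous Logon SID"))
    if f.get("LogonType") == "3":
        notes.append(("network", "logon type 3 is a network logon"))
    if f.get("LmPackageName", "").upper() == "NTLM V1":
        notes.append(("ntlmv1", "LmPackageName reports NTLM V1"))
    ws, me = f.get("WorkstationName", "-"), f.get("Computer", "")
    if ws != "-" and ws.upper() != me.upper():
        notes.append(("remote-host", f"request names workstation {ws}, not {me}"))
    return notes

if __name__ == "__main__":
    for tag, why in triage_4624(parse_event(SAMPLE)):
        print(f"{tag:12} {why}")
```
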
  2. Broni

    Broni Malware Annihilator Posts: 52,799   +343

    You've been getting the above message how exactly?
  3. captaincranky

    captaincranky TechSpot Addict Topic Starter Posts: 11,462   +1,760

    Via the event log, on the security tab.

    This morning I got this report, where a "guest" had tried to log on to the machine, but was rejected:
    An account failed to log on.

    Security ID: xxxxxx-PC\xxxxxx
    Account Name: xxxxxxx
    Account Domain: xxxxxxxx-PC
    Logon ID: 0x1bbfa

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Guest
    Account Domain: xxxxxxxx-PC

    Failure Information:
    Failure Reason: Account currently disabled.
    Status: 0xc000006e
    Sub Status: 0xc0000072

    Process Information:
    Caller Process ID: 0x50c
    Caller Process Name: C:\Windows\explorer.exe

    Network Information:
    Workstation Name: XXXXXXX-PC
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    I have disabled any remote assistance options.

    Based on your observations, if a cure is called for, the machine will be reformatted.

    About 2(?) weeks ago the machine wouldn't boot, specifying "BIOS checksum error". It shut off and on several times without booting, but finally did. I have to wonder if a rootkit establishing itself could have caused it. (This is a Gigabyte board, and has a backup BIOS, which was IIRC called).

    I have had another issue with this PC, and I think the IGP is crashing in circumstances of high memory use (and Firefox seems to use a whole lot more memory in Win 7 than in XP). So, the screen goes to black, and writes back a section at a time as you pass the mouse around the screen.

    Since the machine only has 2 GB of RAM, I'm thinking the VRAM allotment is conflicting with the program's needs, and a video crash results. I have speculated that an add-in video card might cure the problem, as that would free up system RAM.

    I guess your best guess as to whether this is indeed a video issue, would be helpful.

    The machine has MSE and Windows Defender installed. MSE failed to find the update server for a day or so, but now claims it is up to date. A full scan of C:/ revealed nothing.

    The ironic part of this is, this PC is used for nothing but above board activities. (Annoying the other children at Techspot, shopping, banking, Wiki research, and other pure of heart pastimes). It don't even have a torrent client.

    Thanks for any insights you might have, in advance...
    Last edited: Aug 31, 2015
  4. Broni

    Broni Malware Annihilator Posts: 52,799   +343

    Well, in here we can check if that computer is clean.

    Please, complete all steps listed here:
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
Topic Status:
Not open for further replies.
