Inactive Anonymous Who?

Status
Not open for further replies.

captaincranky

Just a quick question. Over the past couple of weeks I've been getting this message:

- System
  - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4624
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8020000000000000
  - TimeCreated
    [ SystemTime] 2015-08-30T07:21:27.615899800Z
  EventRecordID 75041
  Correlation
  - Execution
    [ ProcessID] 568
    [ ThreadID] 716
  Channel Security
  Computer xxxxxxxx-PC
  Security
- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-5-7
  TargetUserName ANONYMOUS LOGON
  TargetDomainName NT AUTHORITY
  TargetLogonId 0x3c66b89
  LogonType 3
  LogonProcessName NtLmSsp
  AuthenticationPackageName NTLM
  WorkstationName YOUR-25EFDBD77B
  LogonGuid {00000000-0000-0000-0000-000000000000}
  TransmittedServices -
  LmPackageName NTLM V1
  KeyLength 128
  ProcessId 0x0
  ProcessName -
  IpAddress 192.168.1.65
  IpPort 1920

So, I'm getting an "anonymous" logon Type 3 (internet), and obviously the IP address corresponds to my router. Since the process name "NtLmSsp" attaches to a "brute force attack" (or does it?), am I correct in assuming this turd has been hacked?

This has apparently been going on for quite some time. The odd part is, a logoff event is created simultaneously. (At least simultaneous with respect to the lowest measurement on the log, which is seconds).
Via the event log, on the security tab.

This morning I got this report, where a "guest" had tried to log on to the machine, but was rejected:
___________________________________________________________________________
An account failed to log on.

Subject:
Security ID: xxxxxx-PC\xxxxxx
Account Name: xxxxxxx
Account Domain: xxxxxxxx-PC
Logon ID: 0x1bbfa

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Guest
Account Domain: xxxxxxxx-PC

Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072

Process Information:
Caller Process ID: 0x50c
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Workstation Name: XXXXXXX-PC
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
___________________________________________________________________________

I have disabled any remote assistance options.

Based on your observations, if a cure is called for, the machine will be reformatted.

About 2(?) weeks ago the machine wouldn't boot, specifying "BIOS checksum error". It shut off and on several times without booting, but finally did. I have to wonder if a rootkit establishing itself could have caused it. (This is a Gigabyte board, and has a backup BIOS, which was IIRC called).

I have had another issue with this PC, and I think the IPG is crashing in circumstances of high memory use (and Firefox seems to use a whole lot more memory in Win 7 than in XP). So, the screen goes black, and writes back a section at a time as you pass the mouse around the screen.

Since the machine only has 2 GB of RAM, I'm thinking the VRAM allotment is conflicting with the program's needs, and a video crash results. I have speculated that an add-in video card might cure the problem, as that would free up system RAM.

I guess your best guess as to whether this is indeed a video issue, would be helpful.

The machine has MSE and Windows Defender installed. MSE failed to find the update server for a day or so, but now claims it is up to date. A full scan of C:/ revealed nothing.

The ironic part of this is, this PC is used for nothing but above-board activities. (Annoying the other children at Techspot, shopping, banking, Wiki research, and other pure-of-heart pastimes). It doesn't even have a torrent client.

Thanks for any insights you might have, in advance...
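The 4624 record quoted in the first post can be triaged mechanically: S-1-5-7 is the well-known SID for ANONYMOUS LOGON, LogonType 3 is a network logon, and LmPackageName NTLM V1 shows the legacy protocol version was accepted. The Python below is an added example, not anything from the thread or from Microsoft: it parses records in the EVTX XML shape (the sample data is constructed from the post's fields, not the poster's real log), flags that combination for each network logon, and pairs each flagged logon with the 4634 logoff the poster says arrives in the same second.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, system_time, **data):
    # Minimal Security-channel record in EVTX XML shape; used only to build the constructed fixture.
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample records modelled on the post's 4624 fields; not real log data.
SAMPLE = [
    make_event(4624, "2015-08-30T07:21:27.615899800Z", TargetUserSid="S-1-5-7", LogonType="3",
               TargetUserName="ANONYMOUS LOGON", TargetLogonId="0x3c66b89", LmPackageName="NTLM V1",
               IpAddress="192.168.1.65", IpPort="1920", WorkstationName="YOUR-25EFDBD77B"),
    make_event(4634, "2015-08-30T07:21:27.631000000Z", TargetUserSid="S-1-5-7",
               TargetUserName="ANONYMOUS LOGON", TargetLogonId="0x3c66b89", LogonType="3"),
    make_event(4624, "2015-08-30T08:00:00.000000000Z", TargetUserSid="S-1-5-21-1-2-3-1001",
               TargetUserName="owner", TargetLogonId="0x1bbfa", LogonType="2", IpAddress="-"),
]

def parse(xml_text):
    """Flatten one record into a dict: EventID, Time, plus every EventData field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")[:26]  # keep microseconds only
    rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
           "Time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f")}
    rec.update((d.get("Name"), d.text or "-") for d in root.find("e:EventData", NS))
    return rec

def triage(records):
    """Flag type-3 (network) 4624 logons that are anonymous (S-1-5-7), NTLMv1, or remote."""
    logoffs = {r["TargetLogonId"]: r["Time"] for r in records if r["EventID"] == 4634}
    findings = []
    for r in records:
        if r["EventID"] == 4624 and r.get("LogonType") == "3":
            reasons = []
            if r.get("TargetUserSid") == "S-1-5-7":  # well-known SID for ANONYMOUS LOGON
                reasons.append("anonymous logon")
            if r.get("LmPackageName", "-").upper() == "NTLM V1":
                reasons.append("NTLMv1 accepted")
            if r.get("IpAddress", "-") not in ("-", "127.0.0.1", "::1"):
                reasons.append(f"remote source {r['IpAddress']}:{r.get('IpPort', '-')}")
            if reasons:
                off = logoffs.get(r["TargetLogonId"])  # the post notes a logoff in the same second
                findings.append({"logon_id": r["TargetLogonId"], "reasons": reasons,
                                 "logoff_after_s": (off - r["Time"]).total_seconds() if off else None})
    return findings
```

Records in this XML shape come from `wevtutil qe Security /f:xml` or from `Get-WinEvent` followed by `.ToXml()`. A flagged entry names the LAN address and workstation that authenticated, which is the thing to identify on the network; the process name alone says nothing about whether the attempt was hostile.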
Well, in here we can check if that computer is clean.

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.