Windows Event Viewer dilemma -Win7



#1 KemoHS

KemoHS

  • Members
  • 1 posts

Posted 06 April 2014 - 12:34 PM

Hello, yesterday I opened up Event Viewer on my Windows 7 machine and found this:

 

Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:        ANONYMOUS LOGON
    Account Domain:        NT AUTHORITY
    Logon ID:        0x367ef
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        -

Network Information:
    Workstation Name:    
    Source Network Address:    -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    NTLM V1
    Key Length:        0



- System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-(not sure if I can post this)}
 
   EventID 4624
 
   Version 0
 
   Level 0
 
   Task 12544
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2014-04-05T20:49:50.866600000Z
 
   EventRecordID 65470
 
   Correlation
 
  - Execution

   [ ProcessID]  604
   [ ThreadID]  640
 
   Channel Security
 
   Computer Me-PC
 
   Security
 

- EventData

  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-5-7
  TargetUserName ANONYMOUS LOGON
  TargetDomainName NT AUTHORITY
  TargetLogonId 0x367ef
  LogonType 3
  LogonProcessName NtLmSsp  
  AuthenticationPackageName NTLM
  WorkstationName  
  LogonGuid {00000000-0000-0000-0000-000000000000}
  TransmittedServices -
  LmPackageName NTLM V1
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress -
  IpPort -
 

It occurs pretty much every time I log on, along with the other standard logon reports. I'm on a wi-fi network with a couple of my other computers (not in any way concerned about them). Someone suggested that it might have to do with folder sharing; however, I have that turned off. Now I'm concerned about someone accessing my network without my knowledge. These kinds of logs have been occurring for just over a year, about two weeks younger than my oldest Event Viewer security logs.

 

Before that most logs were like this:

 

Key file operation.

Subject:
    Security ID:        LOCAL SERVICE
    Account Name:        LOCAL SERVICE
    Account Domain:        NT AUTHORITY
    Logon ID:        0x3e5

Cryptographic Parameters:
    Provider Name:    Microsoft Software Key Storage Provider
    Algorithm Name:    Not Available.
    Key Name:    (removed this)
    Key Type:    Machine key.

Key File Operation Information:
    File Path:    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\(removed this too)
    Operation:    Read persisted key from file.
    Return Code:    0x0

 

If someone could help me out I would be very grateful, since this has been nagging on me for the past couple of days. I searched on Google, and people with similar logs have been told that theirs are signs of intrusion. But their logs all had a key length of 128 (my log has 0), and under network information they had workstation names and IP addresses (my log shows a dash under IP address and nothing under workstation). Could someone gain access and conceal these things or delete them later on? The main thing that bugs me is that the logon type is 3 (network); this shouldn't be the case if this is some standard operation of my system, or should it? Could it be a part of a program's routine (like Avast)?

 

Again if someone could help me out with this it would mean a lot to me.
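An added example, not from either post in this thread: a PowerShell script that pulls the same 4624 fields the post shows (LogonType, TargetUserSid, WorkstationName, IpAddress, LmPackageName, KeyLength) out of the local Security log and groups the type-3 ANONYMOUS LOGON events by source address and NTLM package, so you can see at a glance whether any of them carry a real remote address rather than the "-" / blank values above. It assumes PowerShell 3 or later in an elevated prompt (reading the Security log needs administrator rights).

```powershell
# Added example (not from the thread): summarise recent 4624 logon events on this machine.
# Field names are the EventData names visible in the post's XML view.
param([int]$Days = 30)

function Get-EventField {
    # Return the text of the <Data Name="..."> element from a 4624 event's XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        LogonType   = Get-EventField $x 'LogonType'
        TargetSid   = Get-EventField $x 'TargetUserSid'
        User        = Get-EventField $x 'TargetUserName'
        Workstation = Get-EventField $x 'WorkstationName'
        IpAddress   = Get-EventField $x 'IpAddress'
        LmPackage   = Get-EventField $x 'LmPackageName'
        KeyLength   = Get-EventField $x 'KeyLength'
    }
}

# Network (type 3) logons by the well-known ANONYMOUS LOGON SID S-1-5-7, as in the post.
$anon = $rows | Where-Object { $_.LogonType -eq '3' -and $_.TargetSid -eq 'S-1-5-7' }

"Type-3 ANONYMOUS LOGON events in the last $Days days: $($anon.Count)"
$anon | Group-Object IpAddress, Workstation, LmPackage, KeyLength |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# Entries with a real source address or workstation name are the ones worth a closer look;
# the local "-" / blank ones match what the poster sees.
$remote = $anon | Where-Object { $_.IpAddress -notin @('-', '', '127.0.0.1', '::1') }
"Anonymous network logons from a non-local address: $($remote.Count)"
$remote | Sort-Object Time | Format-Table Time, IpAddress, Workstation, LmPackage, KeyLength -AutoSize
```

Save it as a .ps1 and run it with `-Days 400` to cover the year-long span mentioned in the post; the second table is empty when every anonymous logon is local.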





#2 Chris Cosgrove

Chris Cosgrove

  • Moderator
  • 7,218 posts
  • Gender:Male
  • Location:Scotland

Posted 07 April 2014 - 05:19 PM

If you are concerned about possible intrusion, there are several steps you can take to make life much harder for any intruder:

 

1  Make sure your firewall is active

2  If you are using a router, ensure that security, preferably WPA2-PSK, is in use

3  Change the access password on your router to anything except the default. Type your router's IP address into the address bar on your browser to access its control panel. A very common address is 192.168.0.1, but yours may be different. You may find it on a label on the router or in its documentation.

 

It is also possible you have been infected with malware. Download and run Malwarebytes, which you can get from here:

 

http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

 

If this shows up any problems that it is unable to deal with itself, then raise a topic in the 'Am I infected' section of BC and include a link to this topic. If you do post there, be patient; these people are all volunteers and busy! Once you have posted there, don't make any changes to your computer unless you are asked to, and if you don't understand something you are asked to do, post back for clarification.

 

Chris Cosgrove
