 Bad logon Event type 529
A User ill-advisedly switched off Anti-Virus and since then we see a failed logon (Type 4 - Batch) under Logon process Advapi every 15 minutes in his User Id. A search of the Web links this to possible virus infection (Netdevil 1.2). We have scanned etc. but can't track down what is generating the attempted logins - any ideas?

ASKED: August 24, 2005  7:11 AM
UPDATED: August 25, 2005  6:46 AM

Answer Wiki:
Have you looked for the process in the registry (usually HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU...)? Any of the big AV websites should give you a description of the manual removal process. Just a question - why does this user have rights to stop services?
Last Wiki Answer Submitted:  August 24, 2005  9:48 am  by  Cptrelentless   0 pts.


Discuss This Question:

Check out Sysinternals utility called autoruns (http://www.sysinternals.com/Utilities/Autoruns.html). If anything looks out of place, it’s probably worth checking out. Remember that even though it may look like a normal path and filename, it may not be the actual file. A virus scanner can scan the files to ensure they are not infected. If you don’t trust the antivirus software that’s (hopefully) installed on the computer, you can run a trusted boot disk with a command line scanner or install the drive in a computer with trusted AV software.

Hope this helps,
SF

 0 pts.

 

advapi.exe is added as a result of the NETDEVIL.12 (NetDevil 1.2) VIRUS. This process is a security risk and should be removed from your system. If found, make sure that you have downloaded the latest updates for your antivirus software.

 80 pts.
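
The Run-key check suggested in the answer, combined with the Autoruns comment's caution that a normal-looking path and filename may not be the actual file, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 4.0 or later (for `Get-FileHash`); the function names are hypothetical, and the file name `advapi.exe` is taken from the last comment.

```powershell
# Added example. Read-only triage: nothing is changed or deleted.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-CommandTarget {
    # Hypothetical helper: pull the executable path out of a Run-key command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)') { $path = $Matches[1] }
    else { $path = ($cmd -split '\s+')[0] }
    # Bare file names (no directory) are resolved through PATH.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $found = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { $path = $found.Path }
    }
    return $path
}

function Get-RunKeyEntry {
    # Hypothetical helper: one object per autostart value under the Run keys.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }
            $target = Get-CommandTarget $command
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            $signature = $null
            $sha256 = $null
            if ($exists) {
                # A familiar file name proves nothing; the signature and hash do.
                $signature = (Get-AuthenticodeSignature -LiteralPath $target).Status
                $sha256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key = $key; Name = $name; Command = $command; Target = $target
                Exists = $exists; Signature = $signature; SHA256 = $sha256
                # File name reported in the thread for NetDevil 1.2.
                IsAdvapiExe = ((Split-Path -Path $target -Leaf) -ieq 'advapi.exe')
            }
        }
    }
}

Get-RunKeyEntry | Sort-Object IsAdvapiExe -Descending | Format-List
```

Entries whose target is missing, unsigned, or named `advapi.exe` are the ones to hand to a trusted scanner first.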