Bad logon Event type 529

A user ill-advisedly switched off Anti-Virus and since then we see a failed logon (Type 4 - Batch) under Logon process Advapi every 15 minutes in his User Id. A search of the Web links this to possible virus infection (Netdevil 1.2). We have scanned etc. but can't track down what is generating the attempted logins - any ideas?

Answer Wiki


Have you looked for the process in the registry (usually HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU…)? Any of the big AV websites should give you a description of the manual removal process. Just a question – why does this user have rights to stop services?

Discuss This Question: 2  Replies

 
  • Sonyfreek
    Check out the Sysinternals utility called Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html). If anything looks out of place, it's probably worth checking out. Remember that even though it may look like a normal path and filename, it may not be the actual file. A virus scanner can scan the files to ensure they are not infected. If you don't trust the antivirus software that's (hopefully) installed on the computer, you can run a trusted boot disk with a command line scanner or install the drive in a computer with trusted AV software. Hope this helps, SF
  • Ve3ofa
    advapi.exe is added as a result of the NETDEVIL.12 (NetDevil 1.2) VIRUS. This process is a security risk and should be removed from your system. If found, make sure that you have downloaded the latest updates for your antivirus software.
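For the symptom in the question (event 529, logon type 4, logon process Advapi, recurring every 15 minutes), one way to confirm a fixed interval from an exported Security log is to group the failures and compare the gaps between them. This is an added example, not code from the thread; the CSV layout, user names and timestamps are constructed, and `periodic_failures` is a hypothetical helper.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a Security-log export reduced to the fields used here.
SAMPLE_CSV = """time,event_id,user,logon_type,logon_process
2006-03-01 09:00:03,529,jdoe,4,Advapi
2006-03-01 09:04:41,529,asmith,2,User32
2006-03-01 09:15:02,529,jdoe,4,Advapi
2006-03-01 09:16:10,528,asmith,2,User32
2006-03-01 09:30:04,529,jdoe,4,Advapi
2006-03-01 09:45:03,529,jdoe,4,Advapi
2006-03-01 10:00:02,529,jdoe,4,Advapi
2006-03-01 10:52:30,529,asmith,2,User32
2006-03-01 13:07:19,529,asmith,2,User32
2006-03-01 13:08:02,529,asmith,2,User32
"""

def periodic_failures(csv_text, min_events=4, tolerance_s=60):
    """Return groups of event-529 failures that recur at a steady interval.

    Events are grouped by (user, logon type, logon process); a group is reported
    when every gap between consecutive events is within tolerance_s of the median.
    """
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "529":
            continue  # only failed logons are of interest
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["user"], int(row["logon_type"]), row["logon_process"])
        groups[key].append(when)

    findings = []
    for (user, ltype, process), times in sorted(groups.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= tolerance_s for g in gaps):
            findings.append({"user": user, "logon_type": ltype,
                             "logon_process": process, "events": len(times),
                             "interval_min": round(mid / 60)})
    return findings

if __name__ == "__main__":
    print(periodic_failures(SAMPLE_CSV))
```

A steady interval gives a time window in which to watch for the responsible process, and Autoruns also lists scheduled tasks alongside the Run keys.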
