Everything posted by Avanel

  1. The said event is from yesterday, and today I had events with logon type 11. Logon type 11 events should be related to me having/using a regular and an admin profile? Since the regular one requires the admin password for some applications. Correct me if I'm wrong. It's actually event ID 4648, my bad for misleading you. The said event is about svchost.exe with a process ID of 0x60c, which based on what people said isn't an svchost PID. Checked for such a PID with Sysinternals (Procmon) and couldn't find anything. I'd be thankful if you could help me understand the below attached pictures.
  2. Everything seems fine in the regular profile, no inbound connections or anything. I did post on Reddit about svchost.exe and someone said that it's weird. In the Event Viewer log tab there was an audit with Event ID 4797, C:\Windows\System32\svchost.exe as Process Name, and the Process ID was 0x60c. Someone said that none of the svchost processes has services with ID 0x60c, and indeed I couldn't find the service nor its thread.
  3. Here's the autorun thingie. Hopefully there is no sensitive information inside. BigPoof.zip
  4. Also should I switch the selective boot to normal boot?
  5. These are the non-Windows services that are currently found "checked" in the System Configuration:
     - Google Chrome Elevation Services
     - Google Chrome Update (gupdate)
     - Google Chrome Update (gupdatem)
     - Adobe Flash Player Update Service
     - Intel(R) Rapid Storage Technology
     - Intel(R) Smart Connect Technology
     - Mozilla Maintenance Service
     - NVIDIA Display Container LS

     In the Task Manager startup tab I have the following enabled:
     - Delayed Launcher
     - GrooveMonitor Utility
     - ISCT SysTray (Intel Corporation)
     - Realtek HD Audio Manager
     - Windows Security notification icon
  6. Hi, Maurice! I created a new local account without any administrator rights. So based on what you say I can use the account without having to worry about someone getting access or anything?
  7. Oh, okay. There was no need to stop startups as I only have the barebacks like Chrome, Malwarebytes and such. Going to make another account. But can someone force a login into the administrator account while I'm in the normal one?
  8. System Configuration looks odd though. Shouldn't there be a name inside the red marking? Even the icon is missing, looks like a blank space.
  9. I flushed and changed my DNS, so far I haven't gotten any new inbound connections blocked. Maybe some inbound connections are related to some of the services or the applications that I have installed, but I doubt that since one of the IPs is from a Chinese game-based company and I don't use their products, and the other IPs are from web protection companies. So far it looks like they are just probing my ports, but not sure what else could happen. Note: The 1st link doesn't open and literally redirects me to this post.
  10. Hi, Maurice! I've been keeping tabs on my Event Viewer and there are some really strange things happening. To me it looks like someone has access to my computer or impersonates the system.

      ==========================================================
      Event ID 4798
      A user's local group membership was enumerated.
      Subject:
        Security ID: SYSTEM
        Account Name: DESKTOP-[My computer's name]
        Account Domain: [My Domain]
        Logon ID: 0x3E7
      User:
        Security ID: DESKTOP-[My computer's name]\Guest
        Account Name: Guest
        Account Domain: [My computer's name]
      Process Information:
        Process ID: 0x10a8
        Process Name: C:\Windows\System32\CompatTelRunner.exe
      Note: Guest account is disabled.
      ==========================================================
      Event ID 5059
      Key migration operation.
      Subject:
        Security ID: DESKTOP-[My computer's name]\[My username]
        Account Name: [My username]
        Account Domain: [My computer's name]
        Logon ID: 0x1ED2EEC
      Process Information:
        Process ID: 2192
        Process Creation Time: 2019-12-31T09:20:54.516725200Z
      Cryptographic Parameters:
        Provider Name: Microsoft Software Key Storage Provider
        Algorithm Name: UNKNOWN
        Key Name: Microsoft Connected Devices Platform device certificate
        Key Type: User key.
      Additional Information:
        Operation: Export of persistent cryptographic key.
        Return Code: 0x0
      Note: This event's "Creation Time" is 2019-12-31 09:20:54 (was done while the computer was turned off).
      ==========================================================
      Event ID 5061
      Cryptographic operation.
      Subject:
        Security ID: DESKTOP-[My computer's name]\[My username]
        Account Name: [My username]
        Account Domain: [My computer's name]
        Logon ID: 0x1ED2EEC
      Cryptographic Parameters:
        Provider Name: Microsoft Software Key Storage Provider
        Algorithm Name: ECDSA_P256
        Key Name: Microsoft Connected Devices Platform device certificate
        Key Type: User key.
      Cryptographic Operation:
        Operation: Open Key.
        Return Code:
      ==========================================================
      Event ID 5058
      Key file operation.
      Subject:
        Security ID: DESKTOP-[My computer's name]\[My username]
        Account Name: [My username]
        Account Domain: [My computer's name]
        Logon ID: 0x1ED2EEC
      Process Information:
        Process ID: 2192
        Process Creation Time: 2019-12-31T09:20:54.516725200Z
      Cryptographic Parameters:
        Provider Name: Microsoft Software Key Storage Provider
        Algorithm Name: UNKNOWN
        Key Name: Microsoft Connected Devices Platform device certificate
        Key Type: User key.
      Key File Operation Information:
        File Path: C:\Users\UserAsrock\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_f7e753de-6f4c-4d67-b54c-7bca67216763
        Operation: Read persisted key from file.
        Return Code: 0x0
      ==========================================================
      Event ID 4648
      A logon was attempted using explicit credentials.
      Subject:
        Security ID: SYSTEM
        Account Name: DESKTOP-[My computer's name]$
        Account Domain: [My Domain]
        Logon ID: 0x3E7
        Logon GUID: {00000000-0000-0000-0000-000000000000}
      Account Whose Credentials Were Used:
        Account Name: [My username]
        Account Domain: DESKTOP-[My computer's name]
        Logon GUID: {00000000-0000-0000-0000-000000000000}
      Target Server:
        Target Server Name: localhost
        Additional Information: localhost
      Process Information:
        Process ID: 0x60c
        Process Name: C:\Windows\System32\svchost.exe
      Network Information:
        Network Address: [Not my IP]
        Port: 0
      This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
      ==========================================================
      Event ID 4797
      An attempt was made to query the existence of a blank password for an account.
      Subject:
        Security ID: DESKTOP-[My computer's name]\[My username]
        Account Name: [My username]
        Account Domain: DESKTOP-[My computer's name]
        Logon ID: 0x1ED2EEC
      Additional Information:
        Caller Workstation: DESKTOP-[My computer's name]
        Target Account Name: Administrator
        Target Account Domain: DESKTOP-[My computer's name]

      mbar-log-2019-12-31 (12-09-46).txt
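An added worked example, not from the thread and not a Microsoft or Malwarebytes tool: a small Python helper that parses Security-log events pasted in the plain-text form shown above, splits them into section-qualified fields, and converts the hex Process ID that Event Viewer shows (for example 0x60c) into the decimal value that Task Manager, tasklist and Process Monitor display. That unit mismatch is one ordinary reason a PID searched for as typed is not found. The sample record, host name, user name and network address are constructed placeholders; the triage notes are generic defender follow-up steps, not findings about any particular machine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample record, modelled on the Event ID 4648 text pasted in the thread.
# Host, user and address values are placeholders, not the poster's real ones.
SAMPLE_4648 = """Event ID 4648
A logon was attempted using explicit credentials.
Subject:
  Security ID: SYSTEM
  Account Name: DESKTOP-EXAMPLE$
  Account Domain: WORKGROUP
  Logon ID: 0x3E7
Account Whose Credentials Were Used:
  Account Name: exampleuser
  Account Domain: DESKTOP-EXAMPLE
Target Server:
  Target Server Name: localhost
  Additional Information: localhost
Process Information:
  Process ID: 0x60c
  Process Name: C:\\Windows\\System32\\svchost.exe
Network Information:
  Network Address: 192.0.2.10
  Port: 0
"""

# Short descriptions of the event IDs that appear in the thread.
KNOWN_EVENT_IDS = {
    4648: "logon attempted with explicit credentials (scheduled tasks, services, runas)",
    4797: "query for a blank password on an account",
    4798: "a user's local group membership was enumerated",
    5058: "key file operation (CNG key storage)",
    5059: "key migration operation (CNG)",
    5061: "cryptographic operation (CNG)",
}


@dataclass
class WinEvent:
    event_id: int
    description: str
    fields: dict = field(default_factory=dict)  # "Section/Key" -> value


def parse_event(text: str) -> WinEvent:
    """Parse the plain-text form of a Security log event into section-qualified fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"Event ID\s+(\d+)", lines[0])
    if not m:
        raise ValueError("first line must be 'Event ID <n>'")
    ev = WinEvent(int(m.group(1)), "")
    section = ""
    for line in lines[1:]:
        if line.endswith(":"):            # a section header such as "Subject:"
            section = line[:-1]
        elif ":" in line:                 # a "Key: Value" line (value may be empty)
            key, _, value = line.partition(":")
            name = f"{section}/{key.strip()}" if section else key.strip()
            ev.fields[name] = value.strip()
        elif not ev.description:          # the free-text description line
            ev.description = line
    return ev


def pid_to_decimal(pid_text: str) -> int:
    """Event Viewer prints the PID in hex (0x60c); Task Manager, tasklist and Procmon use decimal."""
    return int(pid_text, 0)  # base 0 accepts both "0x60c" and "2192"


def triage(ev: WinEvent) -> list:
    """Return plain-language notes a defender would use to follow up on the event."""
    notes = [KNOWN_EVENT_IDS.get(ev.event_id, "event ID not in the local table")]
    pid_text = ev.fields.get("Process Information/Process ID")
    if pid_text:
        notes.append(f"process id {pid_text} is {pid_to_decimal(pid_text)} in decimal; "
                     "look it up with 'tasklist /svc' to see which services that host runs")
    proc = ev.fields.get("Process Information/Process Name", "").lower()
    target = ev.fields.get("Target Server/Target Server Name", "")
    if ev.event_id == 4648 and proc.endswith("svchost.exe") and target == "localhost":
        notes.append("explicit-credential logon to localhost from a service host: "
                     "review Task Scheduler entries and services configured to run as that account")
    return notes


if __name__ == "__main__":
    for note in triage(parse_event(SAMPLE_4648)):
        print(note)
```

The section-qualified keys matter because the same label ("Account Name") appears under both Subject and Account Whose Credentials Were Used; flattening them would silently overwrite one with the other.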
  11. Could the inbound connections be related to my user and password or port being known, or just poor DNS or Ethernet protection? NOTE: What about the detected item in RogueKiller? Safe or Remove? MSERT log attached. MsertLog.txt
  12. A good 30 seconds after the scan finished I got another Inbound Connection Blocked.

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 12/30/19
      Protection Event Time: 9:09 PM
      Log File: da6d7f31-2b37-11ea-b0f2-d0509931000b.json

      -Software Information-
      Version: 4.0.4.49
      Components Version: 1.0.785
      Update Package Version: 1.0.16987
      License: Trial

      -System Information-
      OS: Windows 10 (Build 18362.418)
      CPU: x64
      File System: NTFS
      User: System

      -Blocked Website Details-
      Malicious Website: 1
      , , Blocked, -1, -1, 0.0.0

      -Website Data-
      Category: Trojan
      Domain:
      IP Address: 37.49.231.108
      Port: 5060
      Type: Inbound
      File:

      (end)

      RogueKillerScan.txt
  13. Hi, Maurice! The scan turned out clear and nothing strange was found. The top picture is from the firewall, more precisely the "allowed apps". I just have no idea why FirewallAPI.dll is there and why it has that number behind it. As for the inbound connections that keep on getting blocked every now and then...honestly I have no idea which services might be triggering them and why their IPs would be Russian and Chinese. I wouldn't have really cared if I'm blocking outbound, but inbound are another story.
  14. Hi, Maurice! I keep on getting these inbound connections blocked and firewall added some random whitelisted things. Note: Attached the logs and the ones marked in red are inbound + the strange firewall thing that should usually be firewall.dll only. log1.txt log2.txt log3.txt
  15. Hi! - What I was confused about was why I had Spybot installed on the C drive without my consent and how. - Another thing that popped up today was a bulk of logon audit failures in the Event Viewer, all of them from chrome.exe. - Successful audits which were "Credential Manager was read" and audits that were "a user's local group membership was enumerated". (This audit had my account name as a subject and for some odd reason the username was called "Guest", but I have no other usernames on this computer.) Currently waiting for the ESET scan to finish.
  16. I just noticed something unusual. I had Spybot Search and Destroy and Farbar installed for some reason, yet I haven't downloaded them, they weren't even downloaded in the default download folder.
  17. I forgot to ask about something regarding the Threat Scan. Is it normal for the scan to jump from 100k scanned to 200k instantly?
  18. Actually there was something suspicious. I used AdwCleaner before I started this thread. Will attach the 1st report I got. P.S: My friend keeps on repeating that maybe it's a DNS hijack. Here are both the Malwarebytes Threat Scan log and the 1st AdwCleaner run. AdwCleaner[C00].txt Scan.txt
  19. [1] Done. [2] Done. [3] Done, but is this safe for sensitive information like logins and credentials? [4] Done, same question as [3]? [5] Done. AdwCleaner[S02].txt
  20. P.S: Before everything started going out of control I did open a PDF file accidentally, but after download it was like "broken", couldn't be found in the downloaded folder, nor opened.
  21. Hi Maurice, how can I get affected by ads so fast, as this is a cleanly installed Windows? The blocked IP and URL have been reported for phishing from what I found from IPTracker and similar. On top of that, before I clean installed Windows I was a victim of spam mail and a phishing attack, but so far only this IP was blocked and nothing else was found. P.S: A friend of mine mentioned something about DNS hijacking. mbst-grab-results.zip
  22. Malwarebytes keeps on blocking a site even though I have no browsers opened, and recently the site has been in the "allow list" for no apparent reason. This happens even after a clean Windows installation, and my email was apparently under a phishing attack (spam mail and threat mails). At certain times my download speed also drops from 90 Mbit to 0.2 Mbit (always happens between 10-12 AM and PM). Did all scans with whatever there is and nothing. I'm not a tech person, so I'd be thankful if someone could help me out.

      Malwarebytes
      www.malwarebytes.com

      -Log Details-
      Protection Event Date: 12/28/19
      Protection Event Time: 4:47 PM
      Log File: fe607220-2980-11ea-93c7-d0509931000b.json

      -Software Information-
      Version: 4.0.4.49
      Components Version: 1.0.785
      Update Package Version: 1.0.16883
      License: Trial

      -System Information-
      OS: Windows 10 (Build 18362.418)
      CPU: x64
      File System: NTFS
      User: System

      -Blocked Website Details-
      Malicious Website: 1
      , , Blocked, -1, -1, 0.0.0

      -Website Data-
      Category: Trojan
      Domain:
      IP Address: 62.210.207.229
      Port: 1900
      Type: Inbound
      File:

      (end)
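An added example, not part of this thread and not Malwarebytes' own code: a Python parser for the "-Log Details-" report format pasted in posts 12 and 22. It splits the report into its dash-delimited sections, pulls out the blocked address, port and direction, and annotates the port with the service that normally lives on it (1900 is SSDP/UPnP discovery, 5060 is SIP signalling). Inbound blocks on such ports with no local program named in the File field are what internet-wide scanning noise looks like from the receiving side: the block records a probe that was refused, not a connection the machine made. The sample report and its addresses are constructed placeholders from the documentation ranges, not the addresses in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out like the two "-Log Details-" blocks pasted in the thread.
# The address is a documentation-range placeholder, not an IP from the thread.
SAMPLE_LOG = """Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/30/19
Protection Event Time: 9:09 PM
Log File: 00000000-0000-0000-0000-000000000000.json

-Software Information-
Version: 4.0.4.49
License: Trial

-Blocked Website Details-
Malicious Website: 1
, , Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain:
IP Address: 203.0.113.10
Port: 5060
Type: Inbound
File:

(end)
"""

# Ports that internet-wide scanners probe constantly. An inbound block on one of these,
# with no local program listed, is normally background scanning, not a reaction to
# anything this host did.
COMMONLY_PROBED_PORTS = {
    1900: "SSDP/UPnP discovery",
    5060: "SIP (VoIP) signalling",
    445: "SMB file sharing",
    3389: "Remote Desktop",
    23: "Telnet",
    22: "SSH",
}


@dataclass
class WebBlock:
    date: str
    time: str
    category: str
    domain: str
    ip: str
    port: int
    direction: str
    file: str


def parse_sections(text: str) -> dict:
    """Split a Malwarebytes protection-event report into '-Section-' -> {key: value} maps."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"-(.+)-", line)
        if m:                                   # a "-Section Name-" header
            current = m.group(1)
            sections[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only (times contain one)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_block(text: str) -> WebBlock:
    """Extract the fields a reader cares about from one blocked-website report."""
    s = parse_sections(text)
    details, web = s["Log Details"], s["Website Data"]
    return WebBlock(
        date=details["Protection Event Date"],
        time=details["Protection Event Time"],
        category=web.get("Category", ""),
        domain=web.get("Domain", ""),
        ip=web["IP Address"],
        port=int(web["Port"]),
        direction=web.get("Type", ""),
        file=web.get("File", ""),
    )


def assess(block: WebBlock) -> str:
    """One-line reading of the block: what was blocked and what it most likely means."""
    service = COMMONLY_PROBED_PORTS.get(block.port, "an uncommon port")
    if block.direction.lower() == "inbound" and not block.file:
        return (f"inbound probe from {block.ip} to port {block.port} ({service}) was blocked; "
                "no local program is named, so nothing on this machine initiated it")
    if block.file:
        return (f"{block.direction.lower()} connection by local program {block.file} "
                f"to {block.ip}:{block.port} was blocked; that program is the thing to examine")
    return f"{block.direction.lower()} connection to {block.ip}:{block.port} was blocked"


if __name__ == "__main__":
    print(assess(parse_block(SAMPLE_LOG)))
```

The useful signal in these reports is the File field: an outbound block that names a local executable points at something on the machine, whereas an inbound block with an empty File field only tells you that a remote host knocked and was turned away.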