Suspicious login attempts made in Vista Home Premium. Event IDs 4648, 4625, 4624 & 4672 present in huge numbers

    Question

  • Hi Folks,
    I've got a weird problem with Vista Home Premium. Mine is a fairly new machine. It's an HP Pavilion DV6 1127ee laptop and came preinstalled with Vista Home Premium SP1. I noticed two weeks ago that, since the day after I bought it, I can see security events 4648, which say "A logon was attempted using explicit credentials", in huge numbers. They don't appear at a regular interval; at least that's what it seems to me. Event ID 4625 "An account failed to log on" follows 4624 "An account was successfully logged on", and then comes 4672 stating "Special privileges assigned to new logon". It was only two weeks ago that I set a password on my admin account (the default Administrator was disabled) and also created a standard user. Soon after that I noticed an increase in event 4648. Initially it sounded to me like there's malware trying to crack my accounts. I saw events for all of my accounts: SYSTEM, the default Administrator, Guest, my admin account and the standard user account. I have Norton Internet Security preinstalled and it didn't find anything. I ran Sophos as well without any findings. I tried HijackThis; it didn't find anything unusual in the registry. Then I tried Windows Live OneCare: no viruses; however, it found 170+ wrong entries in the registry but couldn't fix 5 of them. The only reason it gave was that there was an error. I had all the updates installed for my version of Vista; I had even installed SP2. Having found HP Total Care's help unsatisfactory, and as per their advice, I did a recovery with the set of DVDs that I created after first logon. It formatted my Windows drive and reinstalled Vista. Now I created two new accounts with passwords set on them, one an admin and the other a standard user. Soon after that the logs with those event IDs appeared again. One important thing to notice is that I did not connect my machine to any kind of network when these logs started to appear after the reinstall. This looks spooky to me.
    I updated my Ethernet and Wi-Fi drivers hoping to resolve it, but no luck. Find the logs below.

    A logon was attempted using explicit credentials.

    Subject:

    Security ID: SYSTEM

    Account Name: HIFZULFURQAN$

    Account Domain: WORKGROUP

    Logon ID: 0x3e7

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:

    Account Name: SYSTEM

    Account Domain: NT AUTHORITY

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:

    Target Server Name: localhost

    Additional Information: localhost

    Process Information:

    Process ID: 0x2e0

    Process Name: C:\Windows\System32\services.exe

    Network Information:

    Network Address: -

    Port: -

     

    A logon was attempted using explicit credentials.

    Subject:

    Security ID: SYSTEM

    Account Name: HIFZULFURQAN$

    Account Domain: WORKGROUP

    Logon ID: 0x3e7

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:

    Account Name: SYSTEM

    Account Domain: NT AUTHORITY

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:

    Target Server Name: localhost

    Additional Information: localhost

    Process Information:

    Process ID: 0x2a8

    Process Name: C:\Windows\System32\services.exe

    Network Information:

    Network Address: -

    Port: -


    A logon was attempted using explicit credentials.

    Subject:

    Security ID: SYSTEM

    Account Name: HIFZULFURQAN$

    Account Domain: WORKGROUP

    Logon ID: 0x3e7

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:

    Account Name: Hifzul

    Account Domain: Hifzulfurqan

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:

    Target Server Name: localhost

    Additional Information: localhost

    Process Information:

    Process ID: 0x308

    Process Name: C:\Windows\System32\winlogon.exe

    Network Information:

    Network Address: 127.0.0.1

    Port: 0

    A logon was attempted using explicit credentials.

    Subject:

    Security ID: SYSTEM

    Account Name: HIFZULFURQAN$

    Account Domain: WORKGROUP

    Logon ID: 0x3e7

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Account Whose Credentials Were Used:

    Account Name: Hifzul

    Account Domain: Hifzulfurqan

    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Target Server:

    Target Server Name: localhost

    Additional Information: localhost

    Process Information:

    Process ID: 0x2f8

    Process Name: C:\Windows\System32\winlogon.exe

    Network Information:

    Network Address: 127.0.0.1

    Port: 0

    event 4625

    An account failed to log on.

    Subject:

    Security ID: Hifzulfurqan\Hifzul

    Account Name: Hifzul

    Account Domain: Hifzulfurqan

    Logon ID: 0xa3dc4

    Logon Type: 4

    Account For Which Logon Failed:

    Security ID: NULL SID

    Account Name: mashi

    Account Domain:

    Failure Information:

    Failure Reason: Unknown user name or bad password.

    Status: 0xc000006e

    Sub Status: 0xc000006e

    Process Information:

    Caller Process ID: 0xf10

    Caller Process Name: C:\Windows\explorer.exe

    Network Information:

    Workstation Name: WIN-9J7WZFANR8K

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Advapi

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.

    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    An account failed to log on.

    Subject:

    Security ID: Hifzulfurqan\Hifzul

    Account Name: Hifzul

    Account Domain: Hifzulfurqan

    Logon ID: 0xa3dc4

    Logon Type: 4

    Account For Which Logon Failed:

    Security ID: NULL SID

    Account Name: Guest

    Account Domain:

    Failure Information:

    Failure Reason: Account currently disabled.

    Status: 0xc000006e

    Sub Status: 0xc0000072

    Process Information:

    Caller Process ID: 0xf10

    Caller Process Name: C:\Windows\explorer.exe

    Network Information:

    Workstation Name: WIN-9J7WZFANR8K

    Source Network Address: -

    Source Port: -

    Detailed Authentication Information:

    Logon Process: Advapi

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.



    Any help would be greatly appreciated!!

    Thanks!!

    Saturday, July 04, 2009 5:21 PM
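Before treating these four event IDs as an attack it helps to separate them by origin. A 4648 is written whenever a process calls LogonUser with explicit credentials; when the Subject is SYSTEM, the process is services.exe or winlogon.exe, the Target Server is localhost and the Network Address is blank or 127.0.0.1, that is the machine itself starting services and creating logon sessions (Microsoft's own description text in the events above names Winlogon.exe and Services.exe as the usual local callers). A 4625 deserves attention when the Source Network Address is a real remote host, or when one caller cycles through many target accounts. The script below is an added example and not part of this thread: it parses events in the Event Viewer text form pasted above, decodes the Status/Sub Status NTSTATUS codes and the logon type, and assigns a verdict. The sample events are constructed; the first two are modelled on the post, the third is a hypothetical remote password guess from an invented address (192.168.1.50) and host name. The verdict rules are this example's own heuristics, not a Microsoft reference.

```python
"""Triage pasted Security events 4648/4625; added example, sample events constructed (see SAMPLE)."""
import re
from collections import Counter

LOCAL_ADDRS = {"-", "", "127.0.0.1", "::1", "localhost"}          # no network origin
LOCAL_LOGON_PROCS = {"services.exe", "winlogon.exe", "lsass.exe"}  # normal local LogonUser callers
SECTIONS = {"Subject", "Account Whose Credentials Were Used", "Target Server", "Process Information",
            "Network Information", "Account For Which Logon Failed", "Failure Information",
            "Detailed Authentication Information"}
TITLES = {"A logon was attempted using explicit credentials.": 4648, "An account failed to log on.": 4625}
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
            0xC000006F: "STATUS_INVALID_LOGON_HOURS", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
            0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}

def parse_events(blob):
    """Split a pasted log at event titles; fields are keyed by (section, name)."""
    events, section = [], ""
    for line in (l.strip() for l in blob.splitlines()):
        if line in TITLES:
            events.append({"id": TITLES[line], "fields": {}}); section = ""
        elif not events:
            continue                                   # text before the first title
        elif line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
        elif m := re.match(r"([^:]+):\s*(.*)$", line):  # "Name: value" (value may be empty)
            events[-1]["fields"][(section, m.group(1).strip())] = m.group(2).strip()
    return events

def field(ev, name, section=None):
    """First value of a named field, optionally restricted to one section of the event."""
    return next((v for (s, f), v in ev["fields"].items() if f == name and section in (None, s)), "")

def triage(ev):
    """Return (verdict, reason) for one parsed 4648 or 4625 event (heuristics of this example)."""
    if ev["id"] == 4648:
        proc = field(ev, "Process Name").rsplit("\\", 1)[-1].lower()
        addr = field(ev, "Network Address")
        local = addr in LOCAL_ADDRS and field(ev, "Target Server Name").lower() == "localhost"
        if local and field(ev, "Security ID", "Subject") == "SYSTEM" and proc in LOCAL_LOGON_PROCS:
            return "benign", f"SYSTEM via {proc} creating a local logon session"
        return ("review", f"local explicit-credential logon by {proc}") if local else \
               ("suspicious", f"explicit credentials used from {addr} by {proc}")
    status, sub = (int(field(ev, n) or "0", 16) for n in ("Status", "Sub Status"))
    why = NTSTATUS.get(sub) or NTSTATUS.get(status) or f"0x{status:08x}"   # Sub Status is the specific one
    ltype = LOGON_TYPES.get(int(field(ev, "Logon Type") or 0), "?")
    target = field(ev, "Account Name", "Account For Which Logon Failed")
    caller = field(ev, "Caller Process Name").rsplit("\\", 1)[-1]
    src = field(ev, "Source Network Address")
    if src not in LOCAL_ADDRS:
        return "suspicious", f"{ltype} logon as {target} failed from {src}: {why}"
    return "review", f"local {ltype} logon as {target} by {caller} failed: {why}"

def summarize(blob):
    """Per-event verdicts, verdict counts, and failed-logon counts per target account."""
    events = parse_events(blob)
    results = [(ev["id"],) + triage(ev) for ev in events]
    failed = Counter(field(ev, "Account Name", "Account For Which Logon Failed") for ev in events if ev["id"] == 4625)
    return results, Counter(v for _, v, _ in results), failed

SAMPLE = r"""
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Target Server:
Target Server Name: localhost
Process Information:
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
An account failed to log on.
Subject:
Security ID: Hifzulfurqan\Hifzul
Logon Type: 4
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: mashi
Failure Information:
Status: 0xc000006e
Sub Status: 0xc000006e
Process Information:
Caller Process Name: C:\Windows\explorer.exe
Network Information:
Source Network Address: -
An account failed to log on.
Subject:
Logon Type: 3
Account For Which Logon Failed:
Account Name: Administrator
Failure Information:
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process Name: -
Network Information:
Source Network Address: 192.168.1.50
"""
```

Run `summarize(SAMPLE)` on the constructed log: the services.exe 4648 comes back benign, the explorer.exe batch-logon failure for "mashi" is flagged for review with STATUS_ACCOUNT_RESTRICTION decoded from the Sub Status, and only the constructed network-type failure from 192.168.1.50 is marked suspicious. On a real machine, paste the text of the events exported from Event Viewer into the blob and look at the failed-account counter and the suspicious entries first.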

Answers

  • Well, one thing I can suggest is that probably some program installed on your computer, say the HP toolkit or any HP application or any antivirus or any other application which has an online update feature, is trying to contact the running service using all the combinations of the login names. I don't think it's a virus issue.
    If you can back up your data to some other drive and try a clean format install, it may be more informative.
    Try running the "tasklist" command in an elevated prompt and find a list of suspect applications running.

    Also try "netstat -an" in another command window and then look for the application using the port.

    However, this is not a solution but will at least take us in the right path. Try it and please post the results; I am eager to solve this issue. :)
    Regards, KOWSHAL H.M. a.k.a W@R10CK
    Thursday, July 09, 2009 11:39 AM
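The tasklist and netstat steps in the answer become much more useful when the two outputs are joined on the PID: `netstat -ano` (the `-o` switch adds the owning process ID column) and `tasklist /FO CSV` together give a port-to-program mapping instead of two separate lists. The script below is an added example, not code from the answer or from HP: it parses constructed sample output of both commands, joins them, and flags listeners bound to all interfaces and established connections to peers outside loopback, link-local and RFC 1918 space. The PIDs, the updater.exe image name and the 203.0.113.7 peer in the sample are hypothetical.

```python
"""Join netstat -ano sockets to tasklist images; added example with constructed sample output."""
import csv
import io
import ipaddress

# Address space treated as "inside the LAN/host"; anything else is an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]

def split_host_port(addr):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); '[::]:135' -> ('::', '135')."""
    if addr.startswith("["):
        end = addr.index("]")
        return addr[1:end], addr[end + 2:]
    host, _, port = addr.rpartition(":")
    return host, port

def is_internal(host):
    """True for loopback, link-local and RFC 1918 / ULA addresses; False for names and '*'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' for a UDP foreign address, or a host name
        return False
    return any(ip in net for net in INTERNAL_NETS)

def parse_netstat(text):
    """Rows of `netstat -ano` (last column is the owning PID); UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("TCP", "UDP"):
            continue                                    # header / blank lines
        proto, local, foreign = t[:3]
        state, pid = (t[3], t[4]) if proto == "TCP" else ("", t[3])
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state, "pid": int(pid)})
    return rows

def parse_tasklist_csv(text):
    """PID -> image name from `tasklist /FO CSV`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def classify(row):
    """Exposure verdict for one socket (this example's own categories)."""
    host, _ = split_host_port(row["local"])
    if row["state"] == "LISTENING" or row["proto"] == "UDP":
        if host in ("0.0.0.0", "::"):
            return "exposed: bound to all interfaces"
        return "loopback only" if host in ("127.0.0.1", "::1") else "bound to one interface"
    if row["state"] == "ESTABLISHED":
        rhost, _ = split_host_port(row["foreign"])
        return "connection to internal host" if is_internal(rhost) else "outbound to external host"
    return "other"

def join_sockets(netstat_text, tasklist_text):
    """Each socket with the owning image name and a verdict, so a port maps to a program."""
    images = parse_tasklist_csv(tasklist_text)
    return [{**r, "image": images.get(r["pid"], "<unknown>"), "verdict": classify(r)}
            for r in parse_netstat(netstat_text)]

# Constructed sample output (PIDs, the updater.exe image and 203.0.113.7 are hypothetical).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       768
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.12:49160     203.0.113.7:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       768
  UDP    0.0.0.0:500            *:*                                    1004
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,236 K"
"svchost.exe","768","Services","0","7,812 K"
"svchost.exe","1004","Services","0","5,120 K"
"updater.exe","3120","Services","0","22,460 K"
"""

if __name__ == "__main__":
    for r in join_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{r['proto']:4} {r['local']:22} {r['foreign']:20} pid={r['pid']:<5} {r['image']:12} {r['verdict']}")
```

On a live machine, redirect the real output (`netstat -ano > net.txt` and `tasklist /FO CSV > tl.csv`, both from an elevated prompt) and feed the file contents to `join_sockets`. The rows worth a closer look are the "exposed" listeners owned by anything other than System or svchost.exe and the "outbound to external host" connections, which are exactly the update-style traffic the answer suspects.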

All replies

  • Is there a tech out there who can help, please?
    Monday, July 06, 2009 6:38 AM
  • Do you have any startup scripts configured which deal with specific server logons or server shares?

    And when you performed a recovery, did you have the previous data on the hard disk, or was it a complete wipe-out?

    Because I can see there are many logons relating to the server names, i.e. using the ACL formats, so was your computer on a domain before, and if yes, is the name of the domain similar to any of the login names you see in the log?

    Also, had you enabled your computer to have shared access on the ADMIN$?
    Regards, KOWSHAL H.M. a.k.a W@R10CK
    Monday, July 06, 2009 9:04 AM
  • Hi Kowshal, thanks for taking interest. There are no startup scripts configured. My machine is a stand-alone machine. I'm using Windows Vista Home Premium. It can't be joined to a domain.
    Yes, the previous data was present on the HDD but, during the recovery, the machine was formatted. I think it was a quick format automatically done by the HP recovery software, as it took less than 2 minutes. Those login names are the accounts on my machine. My machine was never on a domain.

    There are absolutely no shares enabled on my machine.

    regards,
    technofreakie
    Wednesday, July 08, 2009 5:54 PM