GFI hacker check

Pants

Hacker check is showing 13 failed logons on one of my own computers that I'm testing GFI on. I checked the Windows security logs more closely. It's logon type '5' using services.exe. Any tips on what this could be? I've read that services.exe could be replaced with a malicious version. Not sure what steps to take next, although I am looking into what services I may have installed that would do this.
 
It's just as likely to be a legit service using the wrong logon details.

E.g. it's using old admin account details after a password change, or it's just set to use the wrong account (system vs admin etc.).

That GFI "hacker check" is kind of misnamed if you ask me since it automatically puts "hacker" in your mind when 99% of the time it's nothing of the sort.

Check out your logs in general to see if a service failed to start because of a failed logon.
 
Hey thanks. I looked in Windows 'system' logs and there are services that failed to start at the same time the failed logons were logged.

Services apparently failed to start because the local password (SAM) file was in the 'wrong state to perform the security operation'. Not sure why it was in the wrong state, but at least I know how to investigate this next time. I've never really used the event logs before, but I can see why they are useful, now.
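
The check worked out in this thread (failed type 5 logons lined up against service start failures in the System log) can be scripted. The following is an added example, not part of the original posts or of GFI's product; it assumes Windows Vista/Server 2008 or later event IDs (Security 4625, System 7000 and 7038), and the parameter names `$Hours` and `$WindowSeconds` are illustrative.

```powershell
# Added example. Assumed event IDs (Windows Vista / Server 2008 and later):
#   Security 4625 = failed logon; System 7000 / 7038 = service failed to start / service logon failed.
# Run elevated so the Security log is readable.
param(
    [int]$Hours = 24,          # how far back to look (illustrative parameter)
    [int]$WindowSeconds = 60   # how close in time a service error must be to count as related
)

$since = (Get-Date).AddHours(-$Hours)

# Failed logons, kept only when LogonType is 5 (service logon).
$failedLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '5') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Process   = $data['ProcessName']   # expected: services.exe under System32
                SubStatus = $data['SubStatus']     # NTSTATUS code giving the failure reason
            }
        }
    }

# Service Control Manager errors from the System log over the same period.
$serviceErrors = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7038; StartTime = $since
} -ErrorAction SilentlyContinue

# Pair each failed service logon with any service error logged within the time window.
foreach ($logon in $failedLogons) {
    $near = $serviceErrors | Where-Object {
        [math]::Abs(($_.TimeCreated - $logon.Time).TotalSeconds) -le $WindowSeconds
    }
    [pscustomobject]@{
        Time          = $logon.Time
        Account       = $logon.Account
        Process       = $logon.Process
        SubStatus     = $logon.SubStatus
        ServiceErrors = ($near | ForEach-Object { '{0}: {1}' -f $_.Id, ($_.Message -split "`r?`n")[0] }) -join ' | '
    }
}
```

A row with a populated `ServiceErrors` column matches the misconfigured-service explanation given above; a type 5 failure with no service error nearby, or with a `Process` path outside System32, is the one to investigate further.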
 