Solved

Event ID 4740 all my domain accounts where locked out with the same caller Computer Name, what does this mean? am i getting attacked?!

Posted on 2011-02-18
6
3,427 Views
Last Modified: 2012-05-11
Hi all,

every single account on my domain was just locked out with event ID 4740 and the caller computer name came from a machine in another office for all events

what is the caller computer name? the computer that made the lockout happen?

are we being attacked internally?

Thansk for a speedy response
0
Comment
Question by:awilderbeast
  • 3
  • 3
6 Comments
 
LVL 2

Expert Comment

by:FellFreeDom
ID: 34925343
I think that you've got a Kido virus.
please check for windows update and try to use kido killer tool
http://support.kaspersky.com/kis2009/error?qid=208279973
0
 
LVL 1

Author Comment

by:awilderbeast
ID: 34925366
sorry it did nearly all the domain accounts

that machine has got kaspersky for business on it all our machines do :S


the caller computer name, does that mean thats the machine that caused the lockout of the accounts?
0
 
LVL 2

Expert Comment

by:FellFreeDom
ID: 34925425
does that mean thats the machine that caused the lockout of the accounts?
yep
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 1

Author Comment

by:awilderbeast
ID: 34925472
ok run kk on that computer

came back with the below!

thats the only machine i didnt put kaspersky on it,

running kaspersky nearly killed the machines power its that old
will have to replace it or put it back on and the user will have to cope with a slow machine!

how does kido generally get on the machine?
USB, download?

Thanks for your help
Net-Worm.Win32.Kido removing tool, Kaspersky Lab 2010
version 3.4.14  Mar 19 2010 10:17:17
scanning        jobs ...

scanning        processes ...

scanning        threads ...
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068
Infected thread was killed in process svchost.exe with PID 1068

scanning        modules in svchost.exe...
Spliced function NtQueryInformationProcess fixed in ntdll.dll module of process
with PID 1068
Spliced function NetpwPathCanonicalize fixed in netapi32.dll module of process w
ith PID 1068
Spliced function NtQueryInformationProcess fixed in ntdll.dll module of process
with PID 1216
Spliced function DnsQuery_A fixed in dnsapi.dll module of process with PID 1216
Spliced function DnsQuery_UTF8 fixed in dnsapi.dll module of process with PID 12
16
Spliced function DnsQuery_W fixed in dnsapi.dll module of process with PID 1216
Spliced function Query_Main fixed in dnsapi.dll module of process with PID 1216
scanning        modules in services.exe...
scanning        modules in explorer.exe...

scanning        C:\WINDOWS\system32 ...
C:\WINDOWS\system32\okfkhbhj.dll        infected Net-Worm.Win32.Kido ...
cured
scanning        C:\Program Files\Internet Explorer\ ...
scanning        C:\Program Files\Movie Maker\ ...
scanning        C:\Program Files\Windows Media Player\ ...
scanning        C:\Program Files\Windows NT\ ...
scanning        C:\Documents and Settings\AlexWilloughby.WORKS\Application Data
...
scanning        C:\DOCUME~1\ALEXWI~1.WOR\LOCALS~1\Temp\ ...
scanning        Flash drives ...

completed
Infected jobs:                  0
Infected files:                 1
Infected threads:               7
Spliced functions:              7
Cured files:                    1
Fixed registry keys:            3

Press any key to continue . . .

Open in new window

0
 
LVL 2

Accepted Solution

by:
FellFreeDom earned 500 total points
ID: 34925692
how does kido generally get on the machine?
USB, download?
you have to know that no one AV is NOT 100% guarantee =)
so it's doesn't matter how kido gets you.
use Windows Update, always use it, and it will be more safe to you and your company =)
0
 
LVL 1

Author Closing Comment

by:awilderbeast
ID: 34925704
Thanks alot!
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Migrate 2003 domain controllers to 2012 18 79
what about DCpro 2 25
Windows Password recovery 7 32
Unable to print after system state restore 32 18
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now