Anonymous logons in event viewer question.....

Max Burke

I have the following appearing regularly in the event viewer security
log; I have been trying to track down why and what (if anything) I can
or need to do about this anonymous logon.....

So far all the web sites (including Microsoft's) only talk about Win 2K,
NT, and XP Professional....
None of them mention XP Home at all except for vague references that it
can be caused by having the welcome screen enabled, and that this was
fixed in XP SP1. My computer is fully up to date with all updates and
patches.

There are some other vague references (mostly talking about Win2K again)
that it also can/does happen with LAN connected computers (I have an old
486 running Win95a connected through a LAN to this computer) and that
it's some sort of system logon event that allows LAN connections to
work.....

[ XXXXXX = computer name, logon names, etc]

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 18/10/2003
Time: 6:24:27 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: XXXXXXXXX
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x11ED0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}


On a related note I'm also seeing every so often:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 18/10/2003
Time: 8:57:51 p.m.
User: XXXXXXXX\XXXX
Computer: XXXXXXX
Description:
Change Password Attempt:
Target Account Name: HelpAssistant
Target Domain: XXXXXXX
Target Account ID: XXXXXXX\HelpAssistant
Caller User Name: XXXXXXX
Caller Domain: XXXXXXXXX
Caller Logon ID: (0x0,0xC55E)
Privileges: -

This failure happens for all registered user accounts;

Me. (my logon)
The hidden administrator account.
The help assistant account.
The hidden support account.
The guest account.

Most often it's when the computer is turned on or rebooted, but
occasionally after the computer has been running for several hours. Most
of the time I'm not connected to the internet when it happens. Also I am
the only one who has physical access to both computers. (They're sitting
next to each other on my desk)

I have ZoneAlarm installed on my system, and also have ICF running; I
run PC-cillin 2002 and keep their virus def files up to date. I have
turned off all unneeded services; MBSA reports no unnecessary services
are running. I do regular scans (weekly using Ad-Aware and Spybot
S&D) and run Trojan scanners once a week as well.....

Again I haven't been able to find out anything helpful on any websites,
mostly they talk about Win2K, and XP Professional and about setting
security policies for logons which can't be done in XP Home.....

Is there anything I can do to track down what this audit failure means
and what I need to do (if anything) to stop the attempted password
changes from happening....

One last question;
When the guest account is turned off in Control Panel / User Accounts /
Guest account [off] why does it still show as logging on in the security
event viewer log?
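
An added example, not part of the original post: a small Python triage of Security-log text in the layout shown above, separating anonymous network logons (event 540, logon type 3, blank user name) from failed password-change attempts (event 627) grouped by caller. The sample records, the names DESKTOP and max, and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the records above; DESKTOP and max are
# placeholder names, not values from the post.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
Time: 6:24:27 p.m.
User: NT AUTHORITY\\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Logon Type: 3
Authentication Package: NTLM
Workstation Name:

Event Type: Failure Audit
Event ID: 627
Time: 8:57:51 p.m.
User: DESKTOP\\max
Change Password Attempt:
Target Account Name: HelpAssistant
Caller User Name: max

Event Type: Failure Audit
Event ID: 627
Time: 8:57:52 p.m.
User: DESKTOP\\max
Change Password Attempt:
Target Account Name: Guest
Caller User Name: max
"""

def parse_events(text):
    """Split on blank lines; each record becomes a dict of its 'Key: Value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep:
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(events):
    """Return (anonymous type-3 logons, {caller: Counter of failed 627 targets})."""
    anon, failures = [], defaultdict(Counter)
    for ev in events:
        if (ev.get("Event ID") == "540" and ev.get("Logon Type") == "3"
                and ev.get("User", "").upper().endswith("ANONYMOUS LOGON")
                and not ev.get("User Name")):
            anon.append((ev.get("Time"), ev.get("Workstation Name") or "(blank)"))
        elif ev.get("Event ID") == "627" and ev.get("Event Type") == "Failure Audit":
            failures[ev.get("Caller User Name")][ev.get("Target Account Name")] += 1
    return anon, failures

def sweeping_callers(failures, min_targets=2):
    """Callers whose failed password changes span several accounts in one log."""
    return sorted(c for c, targets in failures.items() if len(targets) >= min_targets)

if __name__ == "__main__":
    anon, failures = triage(parse_events(SAMPLE))
    print("anonymous network logons:", anon)
    print("callers touching several accounts:", sweeping_callers(failures))
```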
 
Kelly

Hi Max,

Some info here:
http://www.eventid.net/display.asp?eventid=540&source=Security

/top10faqs.htm


 
SA

This is a stab in the dark, but try scanning for spyware.
 
Max Burke

Kelly scribbled:

Thanks for the link, but that was one of the first websites I checked
out. (It's in my favourites security list)
I have had a response in another news group and read some other web
pages and the anonymous logon is most likely associated with my LAN
setup between this computer and my other computer running Win95a.....
Likewise the guest account also apparently has a part to play in LAN
setups and logons even when it's turned off in the 'local setting'.
MBSA says the guest account is secure when simple file sharing is
active.....

It's the change password failures in the event log that still remain a
mystery though.......
 
Kelly

No problem, Max, and I do wish you luck. If you haven't seen any of these:
http://tinyurl.com/s09i , I hope they lead you in a positive direction. Let
us know how you make out.

/top10faqs.htm


 
Joined: Nov 18, 2006 | Messages: 1 | Reaction score: 0
I've seen this many times.. still can't fix it.

I have seen this problem on several XP Home PCs. I work as a consultant and do house calls for repairs.

It is a worm or trojan that was loaded at one point. Because of their stealthiness (word?) you don't notice it till you scan or look for it. Most of the time the PC calls home... downloads a script, embeds it as a driver in normal and sometimes safe mode, then runs on every reboot. So no matter what you do to secure the system.. it turns right back around and modifies reg keys and cripples anti-virus apps. aka a rootkit.

Most of the time they're not all rootkits... but instead just hidden from the Windows interface. No scanner can see these things unless you remove the drive and scan it with a clean PC.

I suggest removing the drive..
attaching an IDE to USB (or SATA to USB if you have a SATA HD)
scanning with a different computer
remove infected files
(if they are system files.. good luck.. call a PC specialist for safety)
reinstall the drive in your PC
reboot and update like mad. Install anti-virus and scan
install anti-spy apps and scan. (Please use legit anti-spyware.. Google HijackThis, Spybot, Ad-Aware, RemoveIT Pro, and many others... if it sounds like spyware attacker, spyware striker, spysheriff, etc.. GOOGLE IT)

Good luck.
 
