Re: Log file full of security problems!

Mark Grantom wrote:
I am hoping that someone can help me with the problem that I am
having with my small peer-to-peer network. The network consists of
three computers, all running Windows XP Pro edition. The "main"
computer hosts a SQL server (the free version). I enabled the
logging of events on this computer. Recently, I inadvertently ran
the system for approximately 1 month without a firewall, and with
the antivirus program disabled. I currently use the Computer
Associates version of an antivirus program that comes with my DSL
phone line, and I have also run MS Defender from the beginning. I
remotely access my system using Microsoft's Remote Desktop.
Recently, whenever I log onto the system I get a message indicating
that "the security log for this computer is full". I have cleared
the log file, and it immediately fills back up. Under the security
tab, I have hundreds if not thousands of entries that look as
follows:

Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 11/2/2006
Time: 10:19:25 AM
User: INTEL\Mark
Computer: INTEL
Description:
Privileged Service Called:
Server: Security
Service: -
Primary User Name: Mark
Primary Domain: INTEL
Primary Logon ID: (0x0,0x1451D)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTcbPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I also have hundreds of entries as follows:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 11/2/2006
Time: 11:44:56 AM
User: NT AUTHORITY\SYSTEM
Computer: INTEL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Mark
Domain: INTEL
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: INTEL

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Obviously, I am concerned that I may have some sort of Trojan program
on my system, although I have scanned with both Microsoft Defender
and the antivirus program and nothing is found. I would greatly
appreciate any assistance in determining what may be causing this
problem with my system. Thanks in advance.

I'm unlikely to have your needed answer, but here are a couple of thoughts.

Disconnect from the network and single out the exposed PC.

Disable the logging for the time being; clear the logs or copy them to
another media for study later if you think you'll need them. For the moment
you obviously don't need those logs; that volume is useless on an ongoing
basis right now.

Check the Event Viewer logs; copy/clear those, too.

MS Defender is OK, but not the end-all. You should add Ad-Aware and Spybot
S&D at least to this arsenal. I also have WinPatrol, which I like, and
SpywareBlaster. With spyware, no single app as yet can do everything all
the rest of them can do. You need as many reputable ones as you can find.
Ad-Aware and Spybot found the most problems in my case; lately I've been
lucky and haven't had a problem in many months.

CA's antivirus is OK; I forget whose it is, but it's a reputable one. That
said, however, I'd additionally download the Avast or AVG scanners and run those
too, just for grins. If they find nothing, then you can go back to the CA
AV.

Be certain to UPDATE EVERYTHING before you use it to scan.

Get the firewall, AV, anti-spyware, etc., all completely updated and run all
scans ASAP.
If you're using a NAT router, there may be logs there too, BTW.

Once the machine "feels" clean, exercise it well to be certain everything
you want/need is in good shape and no problems.
Then you can reconnect it to the network and think about turning the
logging audits etc. back on.

Hopefully, any actual problems will show up during the above process.

Pop`
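An added example, not from either poster: a small parser for Security log records exported in the "Key: Value" layout quoted above, with a triage pass that tallies the two failure patterns in the thread (event 577 refusing SeTcbPrivilege, and event 529 logon failures via the Advapi logon process). The sample text is constructed to mirror the post's entries, reduced to the fields the code reads; the field names are those shown on the page.

```python
import re
from collections import Counter

# Constructed sample in the "Key: Value" layout of an XP Event Viewer record,
# cut down to the fields used below (mirrors the two entries quoted in the post).
SAMPLE_LOG = """Event Type: Failure Audit
Event ID: 577
User: INTEL\\Mark
Primary Logon ID: (0x0,0x1451D)
Privileges: SeTcbPrivilege

Event Type: Failure Audit
Event ID: 529
User: NT AUTHORITY\\SYSTEM
User Name: Mark
Logon Type: 2
Logon Process: Advapi
"""

FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    # Records are separated by blank lines; each line is "Field: value".
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(events):
    # Count failure audits by the detail that matters for follow-up.
    summary = Counter()
    for e in events:
        if e.get("Event Type") != "Failure Audit":
            continue
        if e["Event ID"] == "577":
            # 577: a privileged service call was refused. SeTcbPrivilege is
            # "Act as part of the operating system"; a normal user logon lacks it.
            summary[("577", e.get("User"), e.get("Privileges"))] += 1
        elif e["Event ID"] == "529":
            # 529: unknown user name or bad password. Logon Process "Advapi" means
            # a local program called LogonUser; Logon Type 2 is an interactive logon.
            summary[("529", e.get("User Name"), e.get("Logon Process"), e.get("Logon Type"))] += 1
    return summary
```

Run it over a saved copy of the log (Event Viewer's "Save Log File As" text export) to see which account, privilege and logon process dominate, which narrows the search to the local program making those calls.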