crcsupport
asked on
Unknown network access from a computer
I have a weird problem: in the Windows event log, one of the computers in our domain (op-03) keeps being logged in the security log of our voice recording server, but the computer (op-3) doesn't have any mapped drive or any background service that connects to the recording server. I thought maybe an old DNS record was somehow logging an incorrect computer name, but the A record looks fine. So the computer somehow accesses the server in some way, but I can't figure out how. Below is the security event that keeps coming up every day from the PC named op-03, which should not access the server. I scanned for viruses and spyware, cleaned up the registry, and deleted and recreated the user profile on the PC, but it still comes up.
Voice recording server: Windows XP
op-03: Windows XP
Below are 3 security logs recorded on the voice recording server, which show continuous access events from OP-03.
Please note that I intentionally enabled security auditing to see who accesses the voice recording server. The problem I have is not that the Windows security event log is being filled up, but that access is being made to the server that should not be. When the log is recorded, I watch the user's behavior on the computer and can't find anything unusual he does, so some background service seems to be accessing the server.
Event ID:538
User Logoff:
User Name: OP-03$
Domain: cxxxxxx
Logon ID: (0x0,0xB8CAF1)
Logon Type: 3
Event ID: 540:
Successful Network Logon:
User Name: OP-03$
Domain: cxxxxxx
Logon ID: (0x0,0xB8CAF1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {c3cc3624-9067-2b57-279d-30c169daae3b}
For more information, see Help and Support Center at
Event ID:576
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0xB8CAF1)
Privileges: SeChangeNotifyPrivilege
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
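Added example (not part of the original post): Python that joins the 540, 576 and 538 records on Logon ID, which is how the 576 record with a blank User Name is tied back to OP-03$, and lists network logons made by computer accounts. The sample log is constructed from the fields shown above; OP-07$ and its Logon ID are made up, and the function names are illustrative.

```python
# Constructed sample modeled on the records in the post; OP-07$ and 0xB8D002 are made up.
SAMPLE = """\
Event ID: 540:
User Name: OP-03$
Logon ID: (0x0,0xB8CAF1)
Logon Type: 3
Authentication Package: Kerberos
Event ID:576
User Name:
Logon ID: (0x0,0xB8CAF1)
Privileges: SeChangeNotifyPrivilege
Event ID:538
Logon ID: (0x0,0xB8CAF1)
Event ID: 540:
User Name: OP-07$
Logon ID: (0x0,0xB8D002)
Logon Type: 3
"""

def parse_events(text):
    """Start a record at each 'Event ID' line; keep non-empty 'Key: value' fields."""
    events = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().rstrip(":").strip()
        if key == "Event ID":
            events.append({"Event ID": value})
        elif events and value:
            events[-1][key] = value
    return events

def sessions(events):
    """Join 540 (logon), 576 (privileges) and 538 (logoff) records on Logon ID."""
    out = {}
    for ev in events:
        s = out.setdefault(ev.get("Logon ID"), {"closed": False})
        if ev["Event ID"] == "540":
            s.update(account=ev.get("User Name"), type=ev.get("Logon Type"),
                     auth=ev.get("Authentication Package"))
        elif ev["Event ID"] == "576":  # User Name is blank here; Logon ID is the link
            s["privileges"] = ev.get("Privileges")
        elif ev["Event ID"] == "538":
            s["closed"] = True
    return out

def machine_network_logons(sess):
    """Type 3 (network) sessions opened by a computer account (name ends in '$')."""
    return {lid: s for lid, s in sess.items()
            if (s.get("account") or "").endswith("$") and s.get("type") == "3"}
```

Calling `machine_network_logons(sessions(parse_events(SAMPLE)))` returns both sessions, the OP-03$ one marked closed with its privileges attached and the OP-07$ one still open.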