Unknown network access from a computer

I have a weird problem: in the Windows event log, one of the computers in our domain (op-03) keeps being logged in the security log of our voice recording server, but the computer (op-3) doesn't have any mapped drive or any background service that connects to the recording server. I thought maybe an old DNS record was somehow logging an incorrect computer name, but the A record looks fine. So the computer is somehow accessing the server, but I can't figure out how. Below is the security event that keeps coming up every day from the PC named op-03, which should not access the server. I scanned for viruses and spyware, cleaned up the registry, and deleted and recreated the user profile on the PC, but it still comes up.

Voice recording server: Windows XP
op-03: Windows XP

Below are 3 security log entries recorded on the voice recording server, which show continuous access events from OP-03.

Please note that I intentionally enabled security auditing to see who accesses the voice recording server. The problem I have is not that the Windows security event log is being filled up, but that access is being made to the server which should not be. When the log is recorded, I watch the user's behavior on the computer and can't find anything unusual that he does, so some background service seems to be accessing the server.
 
Event ID:538
User Logoff:
       User Name:      OP-03$
       Domain:            cxxxxxx
       Logon ID:            (0x0,0xB8CAF1)
       Logon Type:      3

Event ID: 540:
Successful Network Logon:
       User Name:      OP-03$
       Domain:            cxxxxxx
       Logon ID:            (0x0,0xB8CAF1)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {c3cc3624-9067-2b57-279d-30c169daae3b}

For more information, see Help and Support Center at

Event ID:576
Special privileges assigned to new logon:
       User Name:      
       Domain:            
       Logon ID:            (0x0,0xB8CAF1)
       Privileges:            SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
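
The three quoted events share one Logon ID, which ties them into a single session. The Python sketch below is an added example, not part of the original post: it parses events exported as text in the layout shown above, joins them on Logon ID, and lists network logons (type 3) made by a computer account (a user name ending in `$`). The sample text and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the events quoted in the question.
SAMPLE = """\
Event ID: 540:
Successful Network Logon:
       User Name:      OP-03$
       Logon ID:       (0x0,0xB8CAF1)
       Logon Type:     3
Event ID:576
Special privileges assigned to new logon:
       User Name:
       Logon ID:       (0x0,0xB8CAF1)
Event ID:538
User Logoff:
       User Name:      OP-03$
       Logon ID:       (0x0,0xB8CAF1)
       Logon Type:     3
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")  # "Name:   value"

def parse_events(text):
    """Split on 'Event ID:' headers; return one dict of fields per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text):
        fields = {}
        for line in chunk.splitlines():
            if (m := FIELD.match(line)):
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def sessions(events):
    """Join events on Logon ID (576 has no user name in the quoted log)."""
    out = defaultdict(lambda: {"user": "", "event_ids": [], "network": False})
    for e in events:
        s = out[e.get("Logon ID", "")]
        s["event_ids"].append(int(e["Event ID"].rstrip(":")))
        s["user"] = e.get("User Name") or s["user"]
        s["network"] = s["network"] or e.get("Logon Type") == "3"
    return dict(out)

def machine_network_logons(text):
    """(account, logon_id, logged_off) per network session of a computer account."""
    return [(s["user"], lid, 538 in s["event_ids"])
            for lid, s in sessions(parse_events(text)).items()
            if s["network"] and s["user"].endswith("$") and 540 in s["event_ids"]]
```

Run over a full export, the per-session list makes it easy to see how often and at what times the computer account connects, which can then be compared with what is running on the workstation at those moments.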