unknown network access from a computer

I have a weird problem: in the Windows event log, one of the computers in our domain (op-03) keeps being logged on in the security log of our voice recording server, but the computer (op-3) doesn't have any mapped drive and no background service that connects to the recording server. I thought maybe an old DNS record was somehow logging an incorrect computer name, but the A record looks fine. So the computer is accessing the server in some way, but I can't figure out how. Below is the security event that keeps coming up every day from the PC named op-03, which should not access the server. I scanned for viruses and spyware, cleaned up the registry, and deleted and recreated the user profile on the PC, but it still comes up.

voice recording server: Windows XP
op-03: Windows XP

Below are 3 security logs recorded on the voice recording server, which show continuous access events from OP-03.

Please note that I intentionally enabled security auditing to see who accesses the voice recording server. The problem I have is not that the Windows security event log is being filled up, but that access is being made to the server which should not be. When the log is recorded, I watch the user's behavior on the computer and can't find anything unusual that he does, so some background service seems to be accessing the server.
Event ID:538
User Logoff:
       User Name:      OP-03$
       Domain:            cxxxxxx
       Logon ID:            (0x0,0xB8CAF1)
       Logon Type:      3

Event ID: 540:
Successful Network Logon:
       User Name:      OP-03$
       Domain:            cxxxxxx
       Logon ID:            (0x0,0xB8CAF1)
       Logon Type:      3
       Logon Process:      Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      
       Logon GUID:      {c3cc3624-9067-2b57-279d-30c169daae3b}

For more information, see Help and Support Center at

Event ID:576
Special privileges assigned to new logon:
       User Name:      
       Logon ID:            (0x0,0xB8CAF1)
       Privileges:            SeChangeNotifyPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
btan (Exec Consultant) commented:
Indeed, the 537, 540 and 576 events do indicate a successful logoff, a successful logon through the network, and special privileges assigned to the new logon (in this case, rights such as SeChangeNotifyPrivilege). Prior to that, if this is not intended, the remote login from the network may have involved guessing of login credentials, and if auditing is enabled, you will probably find the failed attempts in 529 (Unknown user name or bad password)
@ http://support.microsoft.com/kb/174074

But I guess it is unlikely since it is a service call, and this EE link seems to describe similar symptoms - it suspected the "computer browser service" and "malware doing"
@ http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24198772.html

On both machines, you may also want to run the tool below and perform an AV scan on both machines
a) LastActivityView, to display a log of actions made by the user and events that occurred on this computer. At least we will know what that login is doing and see any anomalies, like going to a specific folder, executing some files, etc.
@ http://www.nirsoft.net/utils/computer_activity_view.html

Also, "SeChangeNotifyPrivilege" as a user right means being able to "Bypass traverse checking", and that means being able to go straight with a URN link to a folder or repository mapped drive. This privilege is granted to all users in a normal system configuration and is used multiple times for each file opened. This audit event record is intended to warn an administrator that such a privilege has been assigned.

The strange thing is that it is not running AD or some sort of server, since both are XP; likely it is trying share access and RPC. You may need to drill more into the machine to see if that is normal for it, or whether any service or s/w has been installed.
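
As an added example (not part of the original thread or any poster's code): a small Python parser for event text in the format pasted in the question. It groups records by Logon ID, which shows that the 540, 576 and 538 records belong to one session, and picks out network logons (type 3) made by a computer account. The function names and the retyped sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three events from the question, retyped as exported text.
SAMPLE = """\
Event ID: 540:
Successful Network Logon:
       User Name:      OP-03$
       Logon ID:       (0x0,0xB8CAF1)
       Logon Type:     3
       Authentication Package: Kerberos
Event ID:576
Special privileges assigned to new logon:
       Logon ID:       (0x0,0xB8CAF1)
       Privileges:     SeChangeNotifyPrivilege
Event ID:538
User Logoff:
       User Name:      OP-03$
       Logon ID:       (0x0,0xB8CAF1)
       Logon Type:     3
"""

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Turn 'Field: value' lines into one dict per event record."""
    events = []
    for m in FIELD.finditer(text):
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event ID":
            events.append({"Event ID": value.rstrip(":")})
        elif events and value:          # skip headings and empty fields
            events[-1][key] = value
    return events

def sessions(events):
    """Group records by Logon ID so the 540/576/538 of one session line up."""
    grouped = defaultdict(lambda: {"events": []})
    for ev in events:
        if "Logon ID" in ev:
            s = grouped[ev["Logon ID"]]
            s["events"].append(ev["Event ID"])
            s.update({k: v for k, v in ev.items() if k not in ("Event ID", "Logon ID")})
    return dict(grouped)

def machine_network_sessions(grouped):
    """Sessions opened over the network (type 3) by a computer account (trailing $)."""
    return {lid: s for lid, s in grouped.items()
            if s.get("User Name", "").endswith("$") and s.get("Logon Type") == "3"}
```

Calling `machine_network_sessions(sessions(parse_events(text)))` on text copied out of the security log returns one entry per Logon ID, with the event IDs seen for that session in order.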
Question has a verified solution.
