I'm coming in late on this thread, but has the machine in question been rebooted? Could it be something as simple as a disconnected RDP session?
- Sean

On Wed, Oct 21, 2009 at 2:55 PM, Jimmy Tran <[email protected]> wrote:
> I went to the link and everything checked out ok. This machine isn't
> mission critical so I could reimage it but I'd like to try to figure out the
> problem.
>
> Thanks,
>
> Jimmy
>
> -----Original Message-----
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 6:20 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> Those random letter strings at the bottom are not good. This worm usually
> blocks most of the anti-virus websites. See if you can get to
> trendmicro.com or mcafee or symantec. Or hit this link and see if you can
> see their logos....
>
> http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
>
> Can you just fdisk this machine, or is it mission critical?
>
> ________________________________________
> From: Jason Morris [[email protected]]
> Sent: Tuesday, October 20, 2009 4:46 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> Sorry, missed CurrentVersion
>
> [cid:[email protected]]
>
> From: Jimmy Tran [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 3:33 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> This is what I get which looks normal:
>
> [cid:[email protected]]
>
> Jimmy
>
> From: Jason Morris [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 1:10 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> That's because Conficker runs as the Network Services Account.
>
> Look under:
> HKLM\Software\Microsoft\Windows NT\SVCHost\NETSVCS and see if there is any
> gobbledygook at the bottom of the entries. This is your DLL that is running
> under Windows\System32.
>
> From: Jimmy Tran [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 3:08 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> No services running under my account when logged in as a different user.
>
> Jimmy
>
> From: Roger Wright [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 1:06 PM
> To: NT System Admin Issues
> Subject: Re: Constantly getting locked of 2003 domain
>
> Any services running under your account with an old password?
>
> Roger Wright
> ___
>
> Sent from Tampa, FL, United States
>
> On Tue, Oct 20, 2009 at 4:00 PM, Jimmy Tran <[email protected]> wrote:
> Every 5 minutes or so, I get locked out of our domain. I ran EventCombMT and
> traced it back to a specific machine. Does anyone have any suggestions on
> what I can do to figure out what program/service is attempting to contact
> the DC with an incorrect password? I've been dealing with this all morning and
> it is driving me crazy.
>
> Windows 2003 Domain
> Windows XP SP3 machine
>
> Thanks,
>
> Jimmy
>
> ------------------------------------------------------------------------------------------
> The pages accompanying this email transmission contain information from
> MJMC, Inc., which is confidential and/or privileged. The information is to
> be for the use of the individual or entity named on this cover sheet. If you
> are not the intended recipient, you are hereby notified that any disclosure,
> dissemination, distribution, or copying of this communication is strictly
> prohibited. If you received this transmission in error, please immediately
> notify us by telephone so that we can arrange for the retrieval of the
> original document.
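The netsvcs check described in the thread can be made repeatable by diffing the suspect machine's list against one saved from a known-clean machine of the same build. This is an added example, not part of the original thread; the `reg query` output layout, the sample service lists and the names `ExampleVendorSvc` and `xkqzvbtw` are constructed for illustration.

```python
import re

# Constructed sample: saved output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
# from a known-clean machine and from the suspect one. The layout and the
# service names are assumptions made for this example, not data from the thread.
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0Schedule\0BITS
"""
SUSPECT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs    REG_MULTI_SZ    6to4\0AppMgmt\0ExampleVendorSvc\0AudioSrv\0Browser\0CryptSvc\0Schedule\0BITS\0xkqzvbtw\0\0
"""


def parse_netsvcs(reg_output):
    """Return the service names held in the netsvcs REG_MULTI_SZ value."""
    for line in reg_output.splitlines():
        m = re.match(r"\s*netsvcs\s+REG_MULTI_SZ\s+(.*)$", line, re.IGNORECASE)
        if m:
            # reg.exe prints multi-string entries separated by a literal "\0"
            return [n for n in m.group(1).strip().split("\\0") if n]
    raise ValueError("no netsvcs REG_MULTI_SZ value found")


def unexpected_entries(clean_output, suspect_output):
    """List (name, at_tail) for entries absent from the clean baseline.

    at_tail is True when the entry belongs to the run of unknown names at the
    very end of the list, the position the thread says to inspect.
    """
    baseline = {n.lower() for n in parse_netsvcs(clean_output)}
    names = parse_netsvcs(suspect_output)
    tail = set()
    i = len(names) - 1
    while i >= 0 and names[i].lower() not in baseline:
        tail.add(i)
        i -= 1
    return [(n, idx in tail) for idx, n in enumerate(names)
            if n.lower() not in baseline]


if __name__ == "__main__":
    for name, at_tail in unexpected_entries(CLEAN, SUSPECT):
        print(f"{name:20} {'appended at end of list' if at_tail else 'mid-list addition'}")
```

For each flagged name, the `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters` gives the DLL that svchost loads for it.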
