!?!?!

On Thu, Oct 22, 2009 at 11:20 AM, Jimmy Tran <[email protected]> wrote:
> No, but the report I got back shows more than 5 machines causing this
> problem. I am beginning to think it is Conficker. I am going to scan for
> that now.
>
> Jimmy
>
> *From:* Jay Dale [mailto:[email protected]]
> *Sent:* Thursday, October 22, 2009 8:17 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Constantly getting locked of 2003 domain
>
> Have you tried removing the machine from the domain and re-adding it?
>
> Jay
>
> *From:* Jimmy Tran [mailto:[email protected]]
> *Sent:* Thursday, October 22, 2009 10:05 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Constantly getting locked of 2003 domain
>
> Ok, I have an update: When I run EventCombMT, I got this in a log:
>
> 644,AUDIT SUCCESS,Security,Thu Oct 22 07:58:22 2009,NT
> AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: “me”
> Target Account ID: %{S-1-5-21-38480843-1985368713-1186029154-3529}
> Caller Machine Name: ABC Caller User Name: DC$ Caller Domain:
> Domain Caller Logon ID: (0x0,0x3E7)
>
> Does this mean anything to anyone? I obviously modified the domain and
> machine fields. I did get this message in the past but now the caller
> machine name is coming up with different machines. Now I’m really stuck.
> It’s happening from more than one machine.
>
> HELP!!!!
>
> Jimmy
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Thursday, October 22, 2009 12:57 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Constantly getting locked of 2003 domain
>
> Is a service configured to use a domain account on the machine? How about a
> scheduled task with stored credentials?
>
> Viewing the logon type number should help narrow this down
>
> 2009/10/22 KenM <[email protected]>
>
> I didn't read through all the replies so I do not know if this was
> recommended or not
> http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> On Wed, Oct 21, 2009 at 7:40 PM, Jimmy Tran <[email protected]> wrote:
>
> Joe: When I go to control panel > user accounts > advanced > manage
> passwords, I don't see anything in there. I was logged in as myself as well.
> I did start deleting some apps that I thought could have been causing the
> problem so let's see if the problem still continues.
>
> Sean: I did restart many times.
>
> -Jimmy
>
> -----Original Message-----
> From: Joe Tinney [mailto:[email protected]]
> Sent: Wednesday, October 21, 2009 4:32 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> A colleague of mine recently encountered this with his account. It turned
> out that he had stored his credentials on the machine and then, after he had
> to change his password, he started getting locked out.
>
> For Windows XP, there seem to be user-level and system-level stored
> passwords. You view them both similarly, but administrators' stored passwords
> seem to always be stored at the system level. To view them, go to: Control
> Panel > User Accounts > Advanced > Manage Passwords.
>
> Unfortunately, you can't view the user-level passwords from there and the
> only way I've found to view it via the GUI is to be logged in as that user.
> To view them when you are a non-admin, go to Control Panel > User Accounts.
> It will ask for an admin password but do not give it one. That would result
> in seeing the system level passwords you could see as an admin. At the
> bottom of that dialog box there is a link to manage your passwords. If you
> click on that link you can see your user-level stored passwords.
>
> You can also run "rundll32.exe keymgr.dll, KRShowKeyMgr" without the quotes
> and it will pull up the Stored Passwords window.
>
> It may not be the issue at all but it has been in the past here.
>
> Good luck!
>
> -----Original Message-----
> From: Jimmy Tran [mailto:[email protected]]
> Sent: Wednesday, October 21, 2009 6:56 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> I went to the link and everything checked out ok. This machine isn't
> mission critical so I could reimage it but I'd like to try to figure out the
> problem.
>
> Thanks,
>
> Jimmy
>
> -----Original Message-----
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 6:20 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> Those random letter strings at the bottom are not good. This worm usually
> blocks most of the anti-virus websites. See if you can get to
> trendmicro.com or mcafee or symantec. Or hit this link and see if you can
> see their logos....
>
> http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
>
> Can you just fdisk this machine, or is it mission critical?
>
> ________________________________________
> From: Jason Morris [[email protected]]
> Sent: Tuesday, October 20, 2009 4:46 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> Sorry, missed CurrentVersion
>
> [cid:[email protected]]
>
> From: Jimmy Tran [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 3:33 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> This is what I get which looks normal:
>
> [cid:[email protected]]
>
> Jimmy
>
> From: Jason Morris [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 1:10 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> That's because Conficker runs as the Network Services Account.
>
> Look under:
> HKLM\Software\Microsoft\Windows NT\SVCHost\NETSVCS and see if there is any
> gobbledygook at the bottom of the entries. That's your DLL that is running
> under Windows\System32.
>
> From: Jimmy Tran [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 3:08 PM
> To: NT System Admin Issues
> Subject: RE: Constantly getting locked of 2003 domain
>
> No services running under my account when logged in as a different user
>
> Jimmy
>
> From: Roger Wright [mailto:[email protected]]
> Sent: Tuesday, October 20, 2009 1:06 PM
> To: NT System Admin Issues
> Subject: Re: Constantly getting locked of 2003 domain
>
> Any services running under your account with an old password?
>
> Roger Wright
> ___
>
> Sent from Tampa, FL, United States
>
> On Tue, Oct 20, 2009 at 4:00 PM, Jimmy Tran <[email protected]<mailto:[email protected]>> wrote:
>
> Every 5 minutes or so, I get locked out of our domain. I ran EventCombMT and
> traced it back to a specific machine. Does anyone have any suggestions on
> what I can do to figure out what program/service is attempting to contact
> the DC with an incorrect password? I've been dealing with this all morning and
> it is driving me crazy.
>
> Windows 2003 Domain
> Windows XP SP3 machine
>
> Thanks,
>
> Jimmy
>
> ------------------------------------------------------------------------------------------
> The pages accompanying this email transmission contain information from
> MJMC, Inc., which is confidential and/or privileged. The information is to
> be for the use of the individual or entity named on this cover sheet. If you
> are not the intended recipient, you are hereby notified that any disclosure,
> dissemination, distribution, or copying of this communication is strictly
> prohibited. If you received this transmission in error, please immediately
> notify us by telephone so that we can arrange for the retrieval of the
> original document.
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> <http://raythestray.blogspot.com/>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
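
An added example, not part of the thread: a parser for EventCombMT lines in the layout of the event 644 record quoted above, grouping lockouts per account by caller machine so that a single-host lockout can be told apart from one arriving from several hosts. The sample lines, account names, host names and SIDs are constructed, and the column and field layout is assumed from the one record shown in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the 644 record quoted in the thread;
# accounts, hosts and SIDs are made up.
SAMPLE_LOG = r"""
644,AUDIT SUCCESS,Security,Thu Oct 22 07:58:22 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: “jdoe” Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: WKS01 Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
538,AUDIT SUCCESS,Security,Thu Oct 22 08:00:10 2009,EXAMPLE\jdoe,User Logoff: User Name: jdoe Domain: EXAMPLE Logon ID: (0x0,0x1A2B3) Logon Type: 3
644,AUDIT SUCCESS,Security,Thu Oct 22 08:03:41 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: jdoe Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: WKS02 Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 22 08:09:05 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: JDoe Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: wks03 Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 22 08:15:00 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: asmith Target Account ID: %{S-1-5-21-1-2-3-1002} Caller Machine Name: WKS07 Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 22 08:21:30 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: asmith Target Account ID: %{S-1-5-21-1-2-3-1002} Caller Machine Name: WKS07 Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
"""

FIELDS = re.compile(r"Target Account Name:\s*(?P<account>.+?)\s+Target Account ID:.*?"
                    r"Caller Machine Name:\s*(?P<caller>.*?)\s+Caller User Name:")

def parse_lockouts(text):
    """Yield (timestamp, account, caller machine) for every event 644 line."""
    for line in text.splitlines():
        # Only the first five commas separate columns; the description has its own.
        cols = line.strip().split(",", 5)
        match = FIELDS.search(cols[5]) if len(cols) == 6 and cols[0] == "644" else None
        if match:
            when = datetime.strptime(cols[3], "%a %b %d %H:%M:%S %Y")
            account = match.group("account").strip('"\u201c\u201d').lower()
            yield when, account, match.group("caller").upper()

def summarize(events):
    """Per account: lockout count, distinct caller machines, first/last time."""
    by_account = defaultdict(list)
    for when, account, caller in events:
        by_account[account].append((when, caller))
    report = {}
    for account, rows in by_account.items():
        rows.sort()
        callers = sorted({caller for _, caller in rows})
        # One caller suggests a stale credential on that host; several callers
        # is the pattern that led the thread to scan for Conficker.
        report[account] = {"lockouts": len(rows), "callers": callers,
                           "first": rows[0][0], "last": rows[-1][0],
                           "multi_source": len(callers) > 1}
    return report

if __name__ == "__main__":
    for account, info in summarize(parse_lockouts(SAMPLE_LOG)).items():
        print(account, info["lockouts"], info["callers"], info["multi_source"])
```
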
