Is that machine still locking accounts? I have to tell you, this is the exact same thing Conficker does.
From: Jimmy Tran
Sent: Thursday, October 22, 2009 1:34 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

I followed the instructions below with no success. When I ran the Sunbelt Conficker_SSCleaner, it never prompted me to reboot. Does that sound right?
Jimmy

From: Jason Morris
Sent: Thursday, October 22, 2009 8:31 AM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

I think I said it was Conficker 3 days ago and recommended you pull that one machine from the network and scan it.

Download the MS KB890830 which is their Malicious Software Removal Tool. This will allow you to scan an entire computer and fix it. I recommend scanning it as many times as it takes to get you at least 1 clean deep scan.

Also get the Sunbelt Conficker_SSCleaner. Run it in safe mode and make sure to reboot the computer as many times as necessary.

For XP and Server 2003: Get KB967715 and KB958644 files. If you have any x64, make sure you get the proper versions. The KBs won't install unless you're on XP SP3 and Server 2003 SP2. XP and Server each have different versions of these files so make sure you get both.

Good luck,
Jason

From: Jimmy Tran
Sent: Thursday, October 22, 2009 10:20 AM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

No, but the report I got back shows more than 5 machines causing this problem. I am beginning to think it is Conficker. I am going to scan for that now.
Jimmy

From: Jay Dale
Sent: Thursday, October 22, 2009 8:17 AM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

Have you tried removing the machine from the domain and re-adding it?
Jay

From: Jimmy Tran
Sent: Thursday, October 22, 2009 10:05 AM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

Ok, I have an update: When I run EventCombMT, I got this in a log:

644,AUDIT SUCCESS,Security,Thu Oct 22 07:58:22 2009,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: "me" Target Account ID: %{S-1-5-21-38480843-1985368713-1186029154-3529} Caller Machine Name: ABC Caller User Name: DC$ Caller Domain: Domain Caller Logon ID: (0x0,0x3E7)

Does this mean anything to anyone? I obviously modified the domain and machine fields. I did get this message in the past but now the caller machine name is coming up with different machines. Now I'm really stuck. It's happening from more than one machine. HELP!!!!
Jimmy

From: James Rankin
Sent: Thursday, October 22, 2009 12:57 AM
To: NT System Admin Issues
Subject: Re: Constantly getting locked of 2003 domain

Is a service configured to use a domain account on the machine? How about a scheduled task with stored credentials? Viewing the logon type number should help narrow this down.

2009/10/22 KenM wrote:

I didn't read through all the replies so I do not know if this was recommended or not:
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

On Wed, Oct 21, 2009 at 7:40 PM, Jimmy Tran wrote:

Joe: When I go to control panel > user accounts > advanced > manage passwords, I don't see anything in there. I was logged in as myself as well. I did start deleting some apps that I thought could have been causing the problem so let's see if the problem still continues.

Sean: I did restart many times.
-Jimmy

-----Original Message-----
From: Joe Tinney
Sent: Wednesday, October 21, 2009 4:32 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

A colleague of mine recently encountered this with his account. It turned out that he had stored his credentials on the machine and then, after he had to change his password, he started getting locked out.

For Windows XP, there seem to be user-level and system-level stored passwords. You view them both similarly, but administrators' stored passwords seem to always be stored at the system level. To view them, go to: Control Panel > User Accounts > Advanced > Manage Passwords. Unfortunately, you can't view the user-level passwords from there and the only way I've found to view it via the GUI is to be logged in as that user.

To view them when you are a non-admin, go to Control Panel > User Accounts. It will ask for an admin password but do not give it one. That would result in seeing the system level passwords you could see as an admin. At the bottom of that dialog box there is a link to manage your passwords. If you click on that link you can see your user-level stored passwords.

You can also run "rundll32.exe keymgr.dll, KRShowKeyMgr" without the quotes and it will pull up the Stored Passwords window.

It may not be the issue at all but it has been in the past here. Good luck!

-----Original Message-----
From: Jimmy Tran
Sent: Wednesday, October 21, 2009 6:56 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

I went to the link and everything checked out ok. This machine isn't mission critical so I could reimage it but I'd like to try to figure out the problem.
Thanks,
Jimmy

-----Original Message-----
From: Kennedy, Jim
Sent: Tuesday, October 20, 2009 6:20 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

Those random letter strings at the bottom are not good. This worm usually blocks most of the anti-virus websites. See if you can get to trendmicro.com or mcafee or symantec. Or hit this link and see if you can see their logos:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Can you just fdisk this machine, or is it mission critical?

________________________________________
From: Jason Morris
Sent: Tuesday, October 20, 2009 4:46 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

Sorry, missed CurrentVersion
[inline image]

From: Jimmy Tran
Sent: Tuesday, October 20, 2009 3:33 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

This is what I get which looks normal:
[inline image]
Jimmy

From: Jason Morris
Sent: Tuesday, October 20, 2009 1:10 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

That's because Conficker runs as the Network Services Account. Look under: HKLM\Software\Microsoft\Windows NT\SVCHost\NETSVCS and see if there is any gobbledygook at the bottom of the entries. That's your DLL that is running under Windows\System32.

From: Jimmy Tran
Sent: Tuesday, October 20, 2009 3:08 PM
To: NT System Admin Issues
Subject: RE: Constantly getting locked of 2003 domain

No services running under my account when logged in as a different user.
Jimmy

From: Roger Wright
Sent: Tuesday, October 20, 2009 1:06 PM
To: NT System Admin Issues
Subject: Re: Constantly getting locked of 2003 domain

Any services running under your account with an old password?
Roger Wright
___
Sent from Tampa, FL, United States

On Tue, Oct 20, 2009 at 4:00 PM, Jimmy Tran wrote:

Every 5 minutes or so, I get locked out of our domain. I ran EventCombMT and traced it back to a specific machine. Does anyone have any suggestions on what I can do to figure out what program/service is attempting to contact the DC with an incorrect password? I've been dealing with this all morning and it is driving me crazy.

Windows 2003 Domain
Windows XP SP3 machine

Thanks,
Jimmy

------------------------------------------------------------------------------------------
The pages accompanying this email transmission contain information from MJMC, Inc., which is confidential and/or privileged. The information is to be for the use of the individual or entity named on this cover sheet. If you are not the intended recipient, you are hereby notified that any disclosure, dissemination, distribution, or copying of this communication is strictly prohibited. If you received this transmission in error, please immediately notify us by telephone so that we can arrange for the retrieval of the original document.
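
The event 644 line posted from EventCombMT in the thread above names the locked-out account and the caller machine, and the diagnosis turned on whether lockouts came from one machine or from several. The following Python is an added example, not code from any poster: it parses lines in that layout and groups caller machines per account. The sample names and the `spread` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the event 644 line quoted in the thread;
# every account, SID, machine and domain name below is made up.
_TAIL = "Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)"
_ROWS = [("07:58:22", "jtran", 1001, "WS-ACCT-01"),
         ("08:03:40", "jtran", 1001, "WS-ACCT-01"),
         ("08:04:02", "jtran", 1001, "WS-LAB-07"),
         ("08:04:15", "jtran", 1001, "WS-FRONT-02"),
         ("08:10:51", "svc_backup", 1002, "SRV-FILE-01")]
SAMPLE_LOG = "\n".join(
    rf"644,AUDIT SUCCESS,Security,Thu Oct 22 {t} 2009,NT AUTHORITY\SYSTEM,"
    f"User Account Locked Out: Target Account Name: {acct} "
    f"Target Account ID: %{{S-1-5-21-1111111111-2222222222-3333333333-{rid}}} "
    f"Caller Machine Name: {host} {_TAIL}"
    for t, acct, rid, host in _ROWS)

# Matches only event 644 rows; quotes around the account name are optional.
EVENT_644 = re.compile(
    r'^644,[^,]*,Security,(?P<when>[^,]+),[^,]*,User Account Locked Out: '
    r'Target Account Name: "?(?P<account>[^"\s]+)"? .*?'
    r'Caller Machine Name: (?P<machine>\S+)')

def parse_lockouts(text):
    """Return (when, account, caller_machine) for every event 644 line in text."""
    hits = (EVENT_644.match(line.strip()) for line in text.splitlines())
    return [(m["when"], m["account"].lower(), m["machine"].upper()) for m in hits if m]

def triage(text, spread=3):
    """Map account -> (caller machines, verdict); spread is an assumed threshold."""
    sources = defaultdict(set)
    for _when, account, machine in parse_lockouts(text):
        sources[account].add(machine)
    result = {}
    for account, machines in sources.items():
        if len(machines) >= spread:
            verdict = "many sources: isolate and scan those machines"
        else:
            verdict = "few sources: check services, tasks, stored passwords"
        result[account] = (sorted(machines), verdict)
    return result

if __name__ == "__main__":
    for account, (machines, verdict) in triage(SAMPLE_LOG).items():
        print(f"{account}: {', '.join(machines)} -> {verdict}")
```
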
