Re: Event 681 in Security Log
- From: "Frank Saunders, MS-MVP OE/WM" <franksaunders@xxxxxxxx>
- Date: Fri, 29 Sep 2006 15:57:12 -0500
"flux blocker" <fluxblocker@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:717036F9-9157-415A-90C4-B80E3C2FC6DB@xxxxxxxxxxxxxxxx
We have Win2k Server SP4 with XP Pro SP2. Some of our DC servers have event
ID 681 show up in the security log at random intervals during the night when
no one is in the building. The event, according to the event description, is
generated from a computer inside our office, not from an external host. This
happens every night and we've looked at video from security cameras to verify
no one is in the building. Here is an example of one of the events:
The logon to account: useraccount
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation COMPUTER
failed. The error code was: 3221225583
I am aware that this error code means "user logon outside authorized hours".
This is correct because this user is not allowed to log on during certain
hours.
What I don't understand is what is causing the event to be logged when no
one is in the building and no one is attempting to log on at that station. I
can only guess it is some process running on the PC. The PC is left on but
the user is logged completely out - not simply a locked console. If anyone
has any suggestions as to the cause of this I would be most grateful.
Thanks in advance!
flux
Check the user's computer for malware.
So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971
Help with Hijackware
All MS - MVP Sites.
http://aumha.org/a/parasite.htm
(http://aumha.org/a/quickfix.htm)
http://www.elephantboycomputers.com/page2.html#Removing_Malware
(http://mvps.org/winhelp2002/unwanted.htm)
(http://inetexplorer.mvps.org/darnit.html)
(http://www.mvps.org/sramesh2k/Malware_Defence.htm)
Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315
--
Frank Saunders, MS-MVP OE/WM
http://www.fjsmjs.com
Answer in newsgroup. Don't send mail.
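
Added example (not part of the original thread or either poster's code): a small Python parser for the Event 681 description quoted above. It converts the decimal error code to its NTSTATUS value and counts failures per workstation, account, status and hour, so the overnight entries can be lined up against anything scheduled on that PC. The function names, the "YYYY-MM-DD HH:MM:SS" timestamp format and the sample timestamps are assumptions made for this example.

```python
import re
from collections import Counter

# Well-known NTSTATUS logon-failure values; Event 681 prints them in decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the description text quoted in the thread, with or without line breaks.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
    r"from workstation:?\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)")

def parse_681(description):
    """Return the fields of one Event 681 description, or None if it does not match."""
    m = EVENT_681.search(description)
    if m is None:
        return None
    code = int(m.group("code"))
    return {"account": m.group("account"), "package": m.group("package"),
            "workstation": m.group("workstation"), "ntstatus": f"0x{code:08X}",
            "status": NTSTATUS.get(code, "UNKNOWN")}

def tally(records):
    """Count failures per (workstation, account, status, hour of day)."""
    counts = Counter()
    for stamp, description in records:
        event = parse_681(description)
        if event:  # skip entries that are not Event 681 text
            key = (event["workstation"], event["account"], event["status"], stamp[11:13])
            counts[key] += 1
    return counts

# Constructed sample: timestamps are invented; the text follows the event in the thread.
TEXT = ("The logon to account: useraccount\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        "from workstation COMPUTER\nfailed. The error code was: {}")
SAMPLE = [("2006-09-28 01:14:07", TEXT.format(3221225583)),
          ("2006-09-28 01:52:40", TEXT.format(3221225583)),
          ("2006-09-28 03:05:19", TEXT.format(3221225583)),
          ("2006-09-28 03:06:02", TEXT.format(3221225578)),
          ("2006-09-28 03:30:00", "Unrelated audit entry")]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(n, *key)
```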