Re: Event 627 Failure of Change Password Attempt

Anything is certainly possible. Something that would be interesting to try
is to use Process Explorer from Microsoft/Sysinternals to see what processes
are running on your computer and the publisher name associated with the
process/executable. Any process that does not have a publisher name
associated with it would be suspect but not a necessarily proof of a
malicious process though you could submit anything you question to
http://www.virustotal.com/ or such.

Steve

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
--- Process Explorer
http://www.microsoft.com/technet/sysinternals/Utilities/AutoRuns.mspx ---
Autoruns


"kn0tu" <kn0tu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A1C57B59-2975-4F95-887B-940DB6D46FF0@xxxxxxxxxxxxxxxx
Steve,

I would agree with you about the Guest account. However there were
password
change attempts on the Aspnet account also.

BTW, I downloaded and installed Spyware Doctor and it found some tracking
cookies. No viruses though.

I have been getting some error messages about not being able to write to
my
hard disk, but when I look at Event Viewer there are no errors recorded.
I
think I am being spoofed.

I think I may be the victim of some Remote Access Trojan that has yet to
be
named and handled by the major software companies.
--
kn0tu


"Steven L Umbach" wrote:

Though that is odd behavior I really tend to doubt your computer was
hacked
in that a hacker does not target the guest account as they wan
administrator
access but since your computer is XP Home it is not possible to access
the
computer remotely via the administrator account which generally has a
blank
password anyhow and is available only in Safe Mode logon.

Possibly malware or spyware could cause such activity to disable your
ability to access shares on your computer from another computer on the
network by setting a guest password. To get more details would require
process tracking activities to see what processes are running at the time
of
the failed password changes though that is very difficult on XP Home due
to
it's lack of ability of advanced logging.

No you can not manage privileges which are also called user rights in XP
Home via a GUI as that would take command line tool call NTrights.

If you have not done so yet do a full spyware scan with an additional
program. The free version of Spyware Doctor from http://pack.google.com
is
very good and worth trying. If you can not track it down and everything
is
working correctly you may want to just live with it. Otherwise you could
try
using msconfig to try and selectively disable startup items [most likely
non
Microsoft items] to see if you can narrow down a particular process that
is
causing the activity.

Steve

http://www.netsquirrel.com/msconfig/msconfig_xp.html
http://support.microsoft.com/kb/310353


"kn0tu" <kn0tu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7784712C-A0D2-448B-9780-29907C92B7B0@xxxxxxxxxxxxxxxx
I am getting dozens of these entries in the Security Log with both
Guest
and
ASPNET. This leads me to believe my machine has been hacked. Is this
true?

My machine is a Pentium 4 running XP SP2 Home and is up to date with
patches, or so Microsoft Baseline Security Analyzer says. I have a
firewall
security suite which has a anti-virus component and it is up to date as
well
with about 276,000 signatures.

The events I am getting are:


Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 10/20/2007
Time: 8:19:42 PM
User: GATEWAY-DESKTOP\Owner
Computer: GATEWAY-DESKTOP
Description:
Change Password Attempt:
Target Account Name: Guest
Target Domain: GATEWAY-DESKTOP
Target Account ID: GATEWAY-DESKTOP\Guest
Caller User Name: Owner
Caller Domain: GATEWAY-DESKTOP
Caller Logon ID: (0x0,0x11346)
Privileges: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


I have noticed other things like when I go to My Computer>Manage there
is
no way to set or modify privileges. Is this restricted in XP Home?
--
kn0tu





.

Relevant Pages

  • Re: Event 627 Failure of Change Password Attempt
    ... I would agree with you about the Guest account. ... I downloaded and installed Spyware Doctor and it found some tracking ... Target Account Name: Guest ...
    (microsoft.public.windowsxp.security_admin)
  • RE: Getting alot of these emails
    ... Thank you for posting in the SBS newsgroup. ... this issue can occur if your SBS 2003 server is ... Disable the Guest account in your SBS 2003 server and enable Stronger ... Microsoft is providing this information as a convenience to you. ...
    (microsoft.public.windows.server.sbs)
  • Re: Logoff / Slow Bootups / Outlook attachements / Outlook Not res
    ... are going to be using two of the problematic machines. ... When you logon the problematic user account on the good user's computer, ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: ATTN : Microsoft - Security Event 529....Second Request for help....
    ... Routing Engine, Microsoft Exchange Information Store, Microsoft Exchange ... System Attendant service' logon on account is "Local System Account", ...
    (microsoft.public.windows.server.sbs)
  • Re: Performance issue, MS software
    ... Marks a disabled account; Marks a locked account Lexmark 5200 Series ... Microsoft Office Document Image Writer Driver on Microsoft Document ... Standard floppy disk controller ... Office OneNote MUI (English) 2007 ...
    (microsoft.public.windows.vista.performance_maintenance)