
Help, I've been hacked

Last response: in Windows XP
Anonymous
March 6, 2005 12:09:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I have very very strange entries in my registry and event viewer that are
adding up to no good.

I have talked with Microsoft today, and what we tried did not solve the
problem.
I really don't want to wait until Monday to call them back.

Does anyone know where I might find where remote access connection manager
is in the registry?


Anonymous
March 6, 2005 12:32:13 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

[[Remote Access Auto Connection Manager is on by default in Windows XP
Professional computers that are not members of a domain and in Windows XP
Home Edition.]]

Open Services and disable Remote Access Auto Connection Manager...

Start | Run | Type: services.msc | Click OK |
Scroll down to and double click: Remote Access Auto Connection Manager |
If the service is running, click the Stop button | When it has stopped,
under Startup type set to Disabled | Apply | OK |

Do the same for Remote Access Connection Manager & Remote Desktop Help
Session Manager.

Right click My Computer | Properties | Remote tab |
Make sure that both of these are UNChecked:
- Allow Remote Assistance invitations to be sent from this computer
- Allow users to connect remotely to this computer

Turn on a firewall.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> I have very very strange entries in my registry and event viewer that
> are adding up to no good.
>
> I have talked with Microsoft today, and what we tried did not solve
> the problem.
> I really don't want to wait until Monday to call them back.
>
> Does anyone know where I might find where remote access connection
> manager is in the registry?
Anonymous
March 6, 2005 1:33:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Shenan,

Thank you so much for the great tips and advice. Also, thank you for taking
the time to go through this with me.

Let me tell you a little more about my system, and that I don't mind
spending time keeping my computer in a good healthy state.
I have spent numerous hours doing this very thing.

But also, now that I have got this problem, I have spent at least 8 hours at
a time, if not more, every day, for weeks trying to get it straightened back
out again.

Yes, I am running xp. It came installed with SP-2. My computer is an Intel,
and about 2 months old.
As of this past Thursday, I am using Road Runner.

I do have the installation disks that I have running on my system, handy
with their keys.

I use Nero 6 for my cd burning.
I use Zone Alarm for my firewall. But not before this trouble started. I was
using the Windows firewall, and doing the updates automatically.

I have done the Panda scan, the McAfee scan, Trend Micro, and the eTrustEZ
scans.
They find nothing.

I get my updates automatically from Windows Update, and have installed a
dozen or so patches in the last two months.
I also go into the catalog and look for patches I may need.
The ones I do download, I am then told that the ones on my computer are
newer than the ones I've downloaded. So, I choose the option to save the ones
I already have.

The computer came with the free version of AVG installed. That is the
antivirus I was using when about a month ago I got hit with a virus called
parser.class.
From then on, when ever AVG did the scans, it showed up as shell32.dll had
been changed.
I have never been able to find out any info on the parser.class.

I do weekly updates with my programs such as SpySweeper, and AdAware, things
of that nature.

Most of the information I have been able to gather with the problems on my
computer is through ZoneAlarm, and the Event Viewer.

The properties of each listing in Event Viewer were very alarming, and
caused me to bring it to my then dial-up ISP's attention.
I was then told to call the FBI.
Which I did. That was 3 days ago.

In all honesty, I believe I have a two fold problem. A few nasty worms, and
a local hacker.

I believe the worms are remotely accessing my computer, and I keep getting
hits from a place in China, trying to penetrate different ports.

I have disabled Windows Messenger from the start. I would also like to
disable Bluetooth somehow. I did not even know this was installed on my pc,
as there is no icon in the control panel for it, nor is there any entry in
the task manager.
The only way I knew I was running it, was Zone Alarm had it listed as one of
the programs running in the background.
I have no wireless devices plugged into my computer. I don't want anything
wireless plugged into or that can remotely access my computer.

You see, I am now totally afraid of any RF signals..LOL
No, really, this does get worse.
Stay with me here.

We have caught our wonderful neighbor tapping our telephones. This is to the
point of even listening in on the conversations in the room when the phone
was on the hook. Yes, this is possible.
The FBI is investigating that too.
This wonderful neighbor has also been heard making personal threats to his
buddies in his driveway.

Okay, yes, I am scared. The phones have been unplugged for 3 weeks now. The
computer speakers are gone. The computer microphone is gone.

Maybe I am taking this a bit far, but I really don't think so. Not with what
that is going on around here.

Yes, my local police are involved now too.

I am going to get that jerk put behind bars. It may take awhile, but it will
happen.
He has violated me and my family too much. It is to the point of being
stalked.

Now, back to the computer.

When I got hit with the parser.class, I had downloaded a file from the
internet into a new folder I made just for that purpose.
I then scanned it, and AVG said it was clean.
So, I proceeded to install it.
It was then that the box popped up (the one with the ugly gremlins) saying I
had been hit with parser.class.
AVG would not let me delete it, repair it, or quarantine it. Nothing.
I was stuck.

I have since bought and installed Norton's Antivirus 2005. I have always
liked Nortons, and that is what I have used for years on my 98SE, and ME
systems.

Okay, that was just a couple of weeks ago that I ditched the AVG, and
installed Norton's.

But, I was still having problems. So, I installed an antivirus I ran across,
called Avast!
It has found about 6 or 7 viruses in the last couple of days, that Norton's
has totally missed.

So, I have uninstalled Norton's. But, it is acting like a virus itself, I
can't get rid of all the files.

I have found so many strange entries in the registry, and .dll's Zone Alarm
has listed.
These are dll's that a remote program uses, and I am not able to disable
them, or remove them.

Let me explain why I think it is both the nasty worms and a local hacker
causing my problems.
Now, these problems started when I was using a local dial up ISP.

Let me start first with the local hacker.

In the properties of the Event Viewer on the Security listings, there have
been 55 Unknown user name or bad password attempts within a 7 day period.

There are at least 50 warnings in the properties on the System listings for
TCP/IP has reached the security limit imposed on the number of concurrent TCP
connect attempts.
Some were listed as using the Log In name as anonymous.

It got to the point where it took me 12 times to dial up to get a
connection. When I did get connected, I would be bounced right back off in a
matter of seconds.
Over and over again.

So, I carried my computer to my ISP, and had them look at it, thinking there
was something wrong with my modem. They checked it out, and were able to
connect time and time again, with no problems at all. They thought there was
something wrong with my phone line causing the problem.

The tech entered a code in the modem properties, to stabilize things.
That worked great.
I didn't have that trouble again. Until a week ago.
It started again, even with the code entered.

Bear in mind, I have used this phone line for 15 years. For the last 5 of
those years, I have made this line a dedicated computer line, plugged into
the back of my computer, and dialed up to the same ISP daily.
I could tell when something was not right.

I am now with Road Runner, and these warnings and such are still being made
to this day.
I have not cancelled my dial up account, thinking if I left it open, it may
help the authorities catch whoever is behind all this.
Also, I went with another provider, to stay out of the way of the
investigations.

Now for the worms.
The properties in Event Viewer have listed things like MSGina as a Logon
Process name, and other weird names. I know the ones like CHAP are a needed
thing.
But, Secondary Logon Service?

There are way too many to count listings of Failure Audits saying:
IPSec Services failed to get the complete list of network interfaces on the
machine. This can be a potential security hazard to the machine since some of
the network interfaces may not get the protection as desired by the applied
IPSec filters. Please run IPSec monitor snap-in to further diagnose the
problem.

Also way too many to count Remote Access connections.

This is where I had posted the question about the Remote Access Connection
Manager.
I did a search on that and came up with this:
https://www.gotomypc.com/tr/over/remote_access_connecti...

The ZoneAlarm had sent up alerts telling me things like it had blocked my
computer from sending out packets to a computer disguising itself as my ISP.

This is the point where my server and I called in the FBI.

Now, as far as system restore, well ...LOL
(I know this is far from funny, it's just that I almost feel brain dead
now going through all of this.)
I have this: "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume
Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
file.

I am by no means a computer genius, but I don't know how to or what to do
with that new info. Except maybe to cry. But, I know that won't help either.

Okay, I think my story is about complete now, at least to give you an idea
of what the computer problems are.

Maybe I should just have it formatted and a clean install done?

Also, maybe my family and I just need to move away.

Thank you for listening Shenan.

Kim
Anonymous
March 6, 2005 1:35:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thank you Wesley.

I am going to do that right now!

Kim

"Wesley Vogel" wrote:

> [[Remote Access Auto Connection Manager is on by default in Windows XP
> Professional computers that are not members of a domain and in Windows XP
> Home Edition.]]
>
> Open Services and disable Remote Access Auto Connection Manager...
>
> Start | Run | Type: services.msc | Click OK |
> Scroll down to and double click: Remote Access Auto Connection Manager |
> If the service is running, click the Stop button | When it has stopped,
> under Startup type set to Disabled | Apply | OK |
>
> Do the same for Remote Access Connection Manager & Remote Desktop Help
> Session Manager.
>
> Right click My Computer | Properties | Remote tab |
> Make sure that both of these are UNChecked:
> - Allow Remote Assistance invitations to be sent from this computer
> - Allow users to connect remotely to this computer
>
> Turn on a firewall.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > I have very very strange entries in my registry and event viewer that
> > are adding up to no good.
> >
> > I have talked with Microsoft today, and what we tried did not solve
> > the problem.
> > I really don't want to wait until Monday to call them back.
> >
> > Does anyone know where I might find where remote access connection
> > manager is in the registry?
>
>
Anonymous
March 6, 2005 2:01:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Wesley,
Here are the results from what I just did in the services.msc.

The Remote Access Auto Connection was already stopped, and I did the type
set to disabled.

The Remote Desktop Help Session Manager, was also stopped, and I did the
type set to disabled.

The Remote Access Connection Manager would not allow me to stop it.
The type set is set to Start, but I got an error saying :
Could not stop the Remote Access Connection Manager on Local Computer.
Error 1053: The service did not respond to the start or control request in a
timely fashion.
Anyway, I did the type set to Disabled.

I am not sure if I should have, but I stopped the secondary logon, and set
it to disabled too.

It looks like there are a lot of things there I would like to disable, but I
won't without some kind of assistance first.

Now, when I right click on my computer/properties/remote tab, it is
unchecked to Allow Remote Assistance invitations to be sent from this
computer.
There was not another option listed.

Kim

"Wesley Vogel" wrote:

> [[Remote Access Auto Connection Manager is on by default in Windows XP
> Professional computers that are not members of a domain and in Windows XP
> Home Edition.]]
>
> Open Services and disable Remote Access Auto Connection Manager...
>
> Start | Run | Type: services.msc | Click OK |
> Scroll down to and double click: Remote Access Auto Connection Manager |
> If the service is running, click the Stop button | When it has stopped,
> under Startup type set to Disabled | Apply | OK |
>
> Do the same for Remote Access Connection Manager & Remote Desktop Help
> Session Manager.
>
> Right click My Computer | Properties | Remote tab |
> Make sure that both of these are UNChecked:
> - Allow Remote Assistance invitations to be sent from this computer
> - Allow users to connect remotely to this computer
>
> Turn on a firewall.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > I have very very strange entries in my registry and event viewer that
> > are adding up to no good.
> >
> > I have talked with Microsoft today, and what we tried did not solve
> > the problem.
> > I really don't want to wait until Monday to call them back.
> >
> > Does anyone know where I might find where remote access connection
> > manager is in the registry?
>
>
Anonymous
March 6, 2005 2:25:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I failed to mention that even though I set the Remote Access Connection
Manager to disabled, it still shows that it is started.

Also, last night, no matter how many times I removed www.checkpoint.com from
the list in ZoneAlarm, to be allowed access, it popped right back in there on
the list again.
Now it seems to be gone.
I'm glad of that.

But, I am trying everything I can on the ZoneAlarm settings to be able to
access websites. Even places like the TechNet Discussion Group, and
Microsoft.com.
I can add them to the site list, and even add to the trusted sites list, but
I have to turn off the firewall to get websites to download on my computer
for me.

Does anyone have any idea what I can do to access websites on the list that
won't show, or of another good firewall that is a little more user friendly?


"TxRose" wrote:

> Hi Wesley,
> Here are the results from what I just did in the services.msc.
>
> The Remote Access Auto Connection was already stopped, and I did the type
> set to disabled.
>
> The Remote Desktop Help Session Manager, was also stopped, and I did the
> type set to disabled.
>
> The Remote Access Connection Manager would not allow me to stop it.
> The type set is set to Start, but I got an error saying :
> Could not stop the Remote Access Connection Manager on Local Computer.
> Error 1053: The service did not respond to the start or control request in a
> timely fashion.
> Anyway, I did the type set to Disabled.
>
> I am not sure if I should have, but I stopped the secondary logon, and set
> it to disabled too.
>
> It looks like there are a lot of things there I would like to disable, but I
> won't without some kind of assistance first.
>
> Now, when I right click on my computer/properties/remote tab, it is
> unchecked to Allow Remote Assistance invitations to be sent from this
> computer.
> There was not another option listed.
>
> Kim
>
> "Wesley Vogel" wrote:
>
> > [[Remote Access Auto Connection Manager is on by default in Windows XP
> > Professional computers that are not members of a domain and in Windows XP
> > Home Edition.]]
> >
> > Open Services and disable Remote Access Auto Connection Manager...
> >
> > Start | Run | Type: services.msc | Click OK |
> > Scroll down to and double click: Remote Access Auto Connection Manager |
> > If the service is running, click the Stop button | When it has stopped,
> > under Startup type set to Disabled | Apply | OK |
> >
> > Do the same for Remote Access Connection Manager & Remote Desktop Help
> > Session Manager.
> >
> > Right click My Computer | Properties | Remote tab |
> > Make sure that both of these are UNChecked:
> > - Allow Remote Assistance invitations to be sent from this computer
> > - Allow users to connect remotely to this computer
> >
> > Turn on a firewall.
> >
> > --
> > Hope this helps. Let us know.
> >
> > Wes
> > MS-MVP Windows Shell/User
> >
> > In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> > TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > > I have very very strange entries in my registry and event viewer that
> > > are adding up to no good.
> > >
> > > I have talked with Microsoft today, and what we tried did not solve
> > > the problem.
> > > I really don't want to wait until Monday to call them back.
> > >
> > > Does anyone know where I might find where remote access connection
> > > manager is in the registry?
> >
> >
Anonymous
March 6, 2005 4:30:00 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

TxRose wrote:
<snipping inline - comments at the end>
> I am running xp. It came installed with SP-2. My computer is an
> Intel, and about 2 months old.
> As of this past Thursday, I am using Road Runner.
>
> I do have the installation disks that I have running on my system,
> handy with their keys.
>
> I use Nero 6 for my cd burning.
> I use Zone Alarm for my firewall. But not before this trouble
> started. I was using the Windows firewall, and doing the updates
> automatically.
>
> I have done the Panda scan, the McAfee scan, Trend Micro, and the
> eTrustEZ scans.
> They find nothing.
>
> I get my updates automatically from Windows Update, and have
> installed a dozen or so patches in the last two months.
> I also go into the catalog and look for patches I may need.
>
> The computer came with the free version of AVG installed. That is the
> antivirus I was using when about a month ago I got hit with a virus
> called parser.class.
>
> I have never been able to find out any info on the parser.class.
>
> I do weekly updates with my programs such as SpySweeper, and AdAware,
> things of that nature.
>
> I was then told to call the FBI.
> Which I did. That was 3 days ago.
>
> In all honesty, I believe I have a two fold problem. A few nasty
> worms, and a local hacker.
>
> I believe the worms are remotely accessing my computer, and I keep
> getting hits from a place in China, trying to penetrate different
> ports.
>
> We have caught our wonderful neighbor tapping our telephones. This is
> to the point of even listening in on the conversations in the room
> when the phone was on the hook. Yes, this is possible.
> The FBI is investigating that too.
> This wonderful neighbor has also been heard making personal threats
> to his buddies in his driveway.
>
> Okay, yes, I am scared. The phones have been unplugged for 3 weeks
> now. The computer speakers are gone. The computer microphone is gone.
>
> Yes, my local police are involved now too.
>
> When I got hit with the parser.class, I had downloaded a file from the
> internet into a new folder I made just for that purpose.
> I then scanned it, and AVG said it was clean.
> So, I proceeded to install it.
> It was then that the box popped up (the one with the ugly gremlins)
> saying I had been hit with parser.class.
> AVG would not let me delete it, repair it, or quarantine it. Nothing.
> I was stuck.
>
> I have since bought and installed Norton's Antivirus 2005. I have
> always liked Nortons, and that is what I have used for years on my
> 98SE, and ME systems.
>
> Okay, that was just a couple of weeks ago that I ditched the AVG, and
> installed Norton's.
>
> But, I was still having problems. So, I installed an antivirus I ran
> across, called Avast!
> It has found about 6 or 7 viruses in the last couple of days, that
> Norton's has totally missed.
>
> So, I have uninstalled Norton's. But, it is acting like a virus
> itself, I can't get rid of all the files.
>
> I have found so many strange entries in the registry, and .dll's Zone
> Alarm has listed.
> These are dll's that a remote program uses, and I am not able to
> disable them, or remove them.
>
> Let me explain why I think it is both the nasty worms and a local
> hacker causing my problems.
> Now, these problems started when I was using a local dial up ISP.
>
> Let me start first with the local hacker.
>
> In the properties of the Event Viewer on the Security listings, there
> have been 55 Unknown user name or bad password attempts within a 7
> day period.
>
> There are at least 50 warnings in the properties on the System
> listings for TCP/IP has reached the security limit imposed on the
> number of concurrent TCP connect attempts.
> Some were listed as using the Log In name as anonymous.
>
> It got to the point where it took me 12 times to dial up to get a
> connection. When I did get connected, I would be bounced right back
> off in a matter of seconds.
> Over and over again.
>
> So, I carried my computer to my ISP, and had them look at it,
> thinking there was something wrong with my modem. They checked it
> out, and were able to connect time and time again, with no problems
> at all. They thought there was something wrong with my phone line
> causing the problem.
>
> The tech entered a code in the modem properties, to stabilize things.
> That worked great.
> I didn't have that trouble again. Until a week ago.
> It started again, even with the code entered.
>
> Bear in mind, I have used this phone line for 15 years. For the last
> 5 of those years, I have made this line a dedicated computer line,
> plugged into the back of my computer, and dialed up to the same ISP
> daily.
> I could tell when something was not right.
>
> I am now with Road Runner, and these warnings and such are still being
> made to this day.
> I have not cancelled my dial up account, thinking if I left it open,
> it may help the authorities catch whoever is behind all this.
> Also, I went with another provider, to stay out of the way of the
> investigations.
>
> Also way too many to count Remote Access connections.
>
> This is where I had posted the question about the Remote Access
> Connection Manager.
> I did a search on that and came up with this:
> https://www.gotomypc.com/tr/over/remote_access_connecti...
>
> The ZoneAlarm had sent up alerts telling me things like it had
> blocked my computer from sending out packets to a computer disguising
> itself as my ISP.
>
> This is the point where my server and I called in the FBI.
>
> I have this: "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume
> Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
> file.
>
> I am by no means a computer genius, but I don't know how to or what
> to do with that new info. Except maybe to cry. But, I know that won't
> help either.
>
> Okay, I think my story is about complete now, at least to give you an
> idea of what the computer problems are.
>
> Maybe I should just have it formatted and a clean install done?
>
> Thank you for listening Shenan.

Okay - I snipped some, but left the majority. You do seem to have a few
issues here.

Here is what I would do for my peace of mind (at least with the computer) if
I was in your shoes.

I would purchase a DSL/Cable Modem router with Firewall. I suggest
something like this:
http://www.netgear.com/products/details/DG834.php
and install it. Be sure to change the username/password needed to access it
and be sure that remote administration on the device is turned OFF. Also,
some cable modems/dsl modems must be powered off for a number of minutes
before they will allow a different device (such as a router) to be connected
after you have already "registered" one system. Also - some places actually
make you call and register the device that will be connected to the modem
directly by the MAC address - do whatever your ISP requires.

I would then back up my critical documents to CD/DVD: Word files, contacts,
Excel spreadsheets, database files, email, etc.

At this point, I would collect all my CD/serial numbers and installation
media (that may mean burning certain applications to CD for later install.)
I would also download and burn to CD the Windows XP Service Pack 2
installation file. Also - I would download and burn to CD my favorite
AntiVirus software and Firewall software along with the keys I need to use
them. With the antivirus software - I would also download the manual update
file for the definitions - so I could update my antivirus the first time
without connecting to the Internet.

I would then set a password to even turn ON the computer in the system BIOS.
You can set two different ones in most modern system BIOSes: one to change
settings in the BIOS and one to even get past the BIOS and actually boot the
PC. If you are truly paranoid about physical access to the computer, then
turning it off when you are not around and having these two set can really
deter amateur "hackers" - also make sure the machine is set to boot from
HARD DRIVE first - but only AFTER you do the following CLEAN INSTALLATION.
You need it to boot from the CD until you are done.

Then I would perform a clean installation on my computer by doing the
following.

- Disconnect from the Internet and any means to connect to the Internet.
- Using my Windows XP CD to boot (like I was doing an installation) - I
would continue through the installation prompts until it asked me which
partition to install on. I would then choose to delete all partitions and
create double the number of partitions I had before. (If I had one, I would
create two, if I had two, I would create four - so on.) Then use the tools
to further format these partitions (FULL NTFS format.) But I would NOT
continue the installation from here... This was merely to eradicate from
normal means of recovery - everything on the hard drive.
- Then again using the Windows XP CD - I would boot from it and continue
through the Installation. When it asked which partition to install on, I
would delete all partitions and create two partitions.. The first would be
8GB to 20GB in size. The second would be the remainder of the drive. I
would then format (FULL, not quick) the partitions and finish the
installation.
- Once the installation is completed (assuming my CD did not have SP2 on it)
I would then immediately - before doing anything else - install SP2.
Remember - you are still nowhere near an internet connection - you are using
the CD you burned with the SP2 installation file on it.
- Then I would go through my user accounts and make sure they all have good
passwords. I would rename the administrator account to something TOTALLY
bizarre and make that password particularly difficult - over 14 characters
for sure. Guest would be definitely disabled.
- I would also turn off any and all remote desktop/remote assistant
features.
- I would ensure the Windows Firewall was on and there were NO exceptions
turned on.
(for now - you can turn off the Windows firewall and install your own
firewall later - but for now - this security is what you need.)
- I would then install the AntiVirus software of choice and update it using
the file I mentioned earlier. I would set it to auto-update daily after 3PM
and scan automatically once a week.
- Then I would go through my list of services and set to manual any that I
do not need/use. I would also do the same for other startups.
- I would also turn OFF Automatic Updates and set the Windows Security
Center not to tell me I have it off.

Now - finally - I would feel secure enough to connect to the Internet
through my properly configured firewall router. It gives me a private IP,
so the machine itself is not publicly accessible from the Internet without
reconfiguring the router.

After connecting to the Internet, I would visit this site:
http://windowsupdate.microsoft.com/
and download/install all updates there EXCEPT hardware updates.

After (however many reboots the previous step takes) Windows Updates, I
would then download and install the latest HARDWARE drivers for my system.
Video, Network, Sound, Chipset, etc.

Then, as crazy as it may sound - I would download and install the Microsoft
AntiSpyware Beta. It is based off one of the best antispyware apps out there
(Giant AntiSpyware) and it has good ACTIVE antispyware abilities. I would
also download and install/update/scan with Lavasoft AdAware, Spybot Search
and Destroy (immunize as well), SpywareBlaster (immunization only) and
IE-SpyAd (immunization only.)

Now you are fairly secure and safe behind your hardware and software
firewalls as well as your AntiSpyware and AntiVirus applications and the
general knowledge you already seem to have.

You could install your preferred firewall application now - if you like.
However, for most I do not feel this is necessary - particularly with the
hardware firewall in place. I do suggest using a software one even with the
hardware on - but the Windows XP one should be sufficient - as if they can
get through your hardware firewall, they can likely get through whatever
software one you throw at them.

If you also follow all the advice I gave previously (particularly about
passwords, etc) and maintain all the applications and patches and lock your
CDs/keys safely in a secured area - then you should be fairly safe from
intrusion and from most malware on the Internet - given you do not install
it yourself.

Install all of your applications - be careful about what you install -
search for it on the Internet and ensure it is not a known carrier of
malware. If you want to install applications you previously downloaded,
then download them anew instead of using an older (and possibly compromised)
installation file. This also ensures you have the latest versions!

Good luck to you with all of your issues!

PS.. Your system restore problem is fixed by turning off/back on the system
restore feature - clearing it out.

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
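A read-only PowerShell audit of the settings recommended in Wes's post (the three Remote Access services and the two Remote tab check boxes) and in Shenan's post-install steps (renamed Administrator, disabled Guest, firewall on with no exceptions). This is an added example, not code from the thread; it assumes an elevated prompt on a Windows version that has the Get-LocalUser and Get-NetFirewallProfile cmdlets, and the service short names (RasAuto, RasMan, RDSessMgr) and registry paths are this example's assumptions, not quoted from the posts.

```powershell
# Added example: report which of the recommended settings are NOT in place.
# Read-only: nothing here changes the machine. Run from an elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# Wes: stop and disable these three services. Every service has its registry home
# under HKLM\SYSTEM\CurrentControlSet\Services\<short name>, which also answers the
# original question; the Start value there is the "Startup type" shown in
# services.msc (2 = Automatic, 3 = Manual, 4 = Disabled).
$services = @{
    'RasAuto'   = 'Remote Access Auto Connection Manager'
    'RasMan'    = 'Remote Access Connection Manager'
    'RDSessMgr' = 'Remote Desktop Help Session Manager'   # assumed XP-era name
}
foreach ($name in $services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { continue }   # service not present on this build
    $start  = (Get-ItemProperty -Path $key -Name Start).Start
    $status = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
    if ($start -ne 4 -or $status -eq 'Running') {
        $findings.Add("$($services[$name]) ($name): Start=$start, status=$status; want Start=4 (Disabled) and Stopped")
    }
}

# Wes: both boxes on the Remote tab unchecked. These registry values sit behind
# those two check boxes (1 = deny RDP connections; 0 = no Remote Assistance).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $ts -or $ts.fDenyTSConnections -ne 1) {
    $findings.Add('Remote Desktop: "Allow users to connect remotely" still enabled (fDenyTSConnections != 1)')
}
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
        -Name fAllowToGetHelp -ErrorAction SilentlyContinue
if ($null -eq $ra -or $ra.fAllowToGetHelp -ne 0) {
    $findings.Add('Remote Assistance: invitations still allowed (fAllowToGetHelp != 0)')
}

# Shenan: rename the built-in Administrator account and disable Guest. Match on
# the well-known RIDs (500 and 501) so a renamed account is still found.
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') {
        $findings.Add('Built-in Administrator (RID 500) still uses its default name')
    }
    if ($rid -eq '501' -and $u.Enabled) {
        $findings.Add("Guest account (RID 501, named '$($u.Name)') is enabled")
    }
}

# Shenan: Windows Firewall on, with no inbound exceptions beyond the defaults.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) {
        $findings.Add("Firewall profile '$($p.Name)' is OFF")
    } elseif ($p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' does not block inbound by default")
    }
}
$inboundAllow = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)
$findings.Add("Info: $($inboundAllow.Count) enabled inbound allow rules (exceptions); review any you did not add yourself")

if ($findings.Count -eq 0) { 'All checked settings match the recommendations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

One caveat the thread does not state: RasMan is the service that manages dial-up and VPN connections, so on a machine that still dials out it must stay running, which is why Kim's dial-up-era system could not stop it cleanly until the reboot Wes suggests.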
Anonymous
March 6, 2005 5:23:52 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kim,

Reboot.

And then check on the Remote Access Connection Manager in Services, it
probably won't have started since you disabled it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> Hi Wesley,
> Here are the results from what I just did in the services.msc.
>
> The Remote Access Auto Connection was already stopped, and I did the
> type set to disabled.
>
> The Remote Desktop Help Session Manager, was also stopped, and I did
> the type set to disabled.
>
> The Remote Access Connection Manager would not allow me to stop it.
> The type set is set to Start, but I got an error saying :
> Could not stop the Remote Access Connection Manager on Local Computer.
> Error 1053: The service did not respond to the start or control
> request in a timely fashion.
> Anyway, I did the type set to Disabled.
>
> I am not sure if I should have, but I stopped the secondary logon,
> and set it to disabled too.
>
> It looks like there are a lot of things there I would like to disable,
> but I won't without some kind of assistance first.
>
> Now, when I right click on my computer/properties/remote tab, it is
> unchecked to Allow Remote Assistance invitations to be sent from this
> computer.
> There was not another option listed.
>
> Kim
>
> "Wesley Vogel" wrote:
>
>> [[Remote Access Auto Connection Manager is on by default in Windows
>> XP Professional computers that are not members of a domain and in
>> Windows XP Home Edition.]]
>>
>> Open Services and disable Remote Access Auto Connection Manager...
>>
>> Start | Run | Type: services.msc | Click OK |
>> Scroll down to and double click: Remote Access Auto Connection
>> Manager | If the service is running, click the Stop button | When it
>> has stopped, under Startup
>> type set to Disabled | Apply | OK |
>>
>> Do the same for Remote Access Connection Manager & Remote Desktop
>> Help Session Manager.
>>
>> Right click My Computer | Properties | Remote tab |
>> Make sure that both of these are UNChecked:
>> - Allow Remote Assistance invitations to be sent from this computer
>> - Allow users to connect remotely to this computer
>>
>> Turn on a firewall.
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>> I have very very strange entries in my registry and event viewer
>>> that are adding up to no good.
>>>
>>> I have talked with Microsoft today, and what we tried did not solve
>>> the problem.
>>> I really don't want to wait until Monday to call them back.
>>>
>>> Does anyone know where I might find where remote access connection
>>> manager is in the registry?
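The same three service changes and the two Remote tab settings, done from an administrator PowerShell prompt and then checked from the registry. This is an added example, not from Wes's post or anyone else in the thread. It also answers the original question: each service lives under HKLM\SYSTEM\CurrentControlSet\Services\<short name>, and a Start value of 4 means Disabled. The short names RasAuto, RasMan and RDSessMgr are the XP names behind the three display names Wes lists, and the script assumes they exist on the machine. One caveat before running it: RasMan (Remote Access Connection Manager) handles dial-up and VPN connections that this computer makes outward, so disabling it breaks a dial-up account; it is not an inbound remote-control service.

```powershell
# Added example: disable the three remote-access services Wes lists and the two
# Remote tab settings, then verify from the registry. Run as an administrator.
# XP service short names (assumed present on the machine):
#   RasAuto   = Remote Access Auto Connection Manager
#   RasMan    = Remote Access Connection Manager (also used for outgoing dial-up/VPN)
#   RDSessMgr = Remote Desktop Help Session Manager
$services = 'RasAuto', 'RasMan', 'RDSessMgr'

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { Write-Warning "$svc is not installed here"; continue }

    # Set the startup type first. Even if the stop below fails (error 1053, as
    # in Kim's reply), a Disabled service does not come back after a reboot.
    Set-Service -Name $svc -StartupType Disabled

    try {
        Stop-Service -Name $svc -Force -ErrorAction Stop
    } catch {
        Write-Warning "$svc did not stop cleanly ($($_.Exception.Message)); reboot to finish."
    }
}

# Remote tab equivalents: fDenyTSConnections = 1 turns off 'Allow users to
# connect remotely'; fAllowToGetHelp = 0 turns off Remote Assistance invitations.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Type DWord -Value 1
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
    -Name fAllowToGetHelp -Type DWord -Value 0

# Verify. Start = 4 is Disabled (2 = Automatic, 3 = Manual); the two Remote tab
# values should read 1 and 0.
foreach ($svc in $services) {
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start).Start
    $state = (Get-Service -Name $svc).Status
    '{0,-10} Start={1}  current state: {2}' -f $svc, $start, $state
}
'fDenyTSConnections = ' + (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections).fDenyTSConnections
'fAllowToGetHelp    = ' + (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp).fAllowToGetHelp
```

If a service still shows Running in the last loop, that is the error-1053 case: the startup type is already Disabled, and a reboot finishes the job.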
Anonymous
March 6, 2005 9:21:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi Wes,
Yes, it appears that did help.
It shows disabled, instead of being started.
I also see no entries listed of a remote access in the event viewer.
Whoo hoo..LOL

This entry in the event viewer looks good:
The Remote Access Connection Manager service was successfully sent a stop
control.
Thank you for helping me get that turned off.

However, when I just rebooted, I did see these, which do not look good in my
opinion, but I could be wrong:

The first one has been going on for a long time, and is still showing.

Logon Failure:
Reason: Unknown user name or bad password
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

The protected system file c:\windows\system32\racpldlg.dll could not be
verified as valid because Windows File Protection is terminating. Use the SFC
utility to verify the integrity of the file at a later time.

The TCP/IP NetBIOS Helper service depends on the AFD service which failed to
start because of the following error:
A device attached to the system is not functioning.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

Your computer has detected that the IP address 66.25.204.98 for the Network
Card with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer has detected that the IP address 0.0.0.0 for the Network Card
with network address 0011099706B4 is already in use on the network. Your
computer will automatically attempt to obtain a different address.

Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0011099706B4. The
following error occurred:
The semaphore timeout period has expired. . Your computer will continue to
try and obtain an address on its own from the network address (DHCP) server.

The following boot-start or system-start driver(s) failed to load:
Aavmker4
AFD
aswTdi
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
vsdatant

Looks like a fun time huh?

Kim

"Wesley Vogel" wrote:

> Kim,
>
> Reboot.
>
> And then check on the Remote Access Connection Manager in Services, it
> probably won't have started since you disabled it.
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > Hi Wesley,
> > Here are the results from what I just did in the services.msc.
> >
> > The Remote Access Auto Connection was already stopped, and I did the
> > type set to disabled.
> >
> > The Remote Desktop Help Session Manager, was also stopped, and I did
> > the type set to disabled.
> >
> > The Remote Access Connection Manager would not allow me to stop it.
> > The type set is set to Start, but I got an error saying :
> > Could not stop the Remote Access Connection Manager on Local Computer.
> > Error 1053: The service did not respond to the start or control
> > request in a timely fashion.
> > Anyway, I did the type set to Disabled.
> >
> > I am not sure if I should have, but I stopped the secondary logon,
> > and set it to disabled too.
> >
> > It looks like there are a lot of things there I would like to disable,
> > but I won't without some kind of assistance first.
> >
> > Now, when I right click on my computer/properties/remote tab, it is
> > unchecked to Allow Remote Assistance invitations to be sent from this
> > computer.
> > There was not another option listed.
> >
> > Kim
> >
> > "Wesley Vogel" wrote:
> >
> >> [[Remote Access Auto Connection Manager is on by default in Windows
> >> XP Professional computers that are not members of a domain and in
> >> Windows XP Home Edition.]]
> >>
> >> Open Services and disable Remote Access Auto Connection Manager...
> >>
> >> Start | Run | Type: services.msc | Click OK |
> >> Scroll down to and double click: Remote Access Auto Connection
> >> Manager | If the service is running, click the Stop button | When it
> >> has stopped, under Startup
> >> type set to Disabled | Apply | OK |
> >>
> >> Do the same for Remote Access Connection Manager & Remote Desktop
> >> Help Session Manager.
> >>
> >> Right click My Computer | Properties | Remote tab |
> >> Make sure that both of these are UNChecked:
> >> - Allow Remote Assistance invitations to be sent from this computer
> >> - Allow users to connect remotely to this computer
> >>
> >> Turn on a firewall.
> >>
> >> --
> >> Hope this helps. Let us know.
> >>
> >> Wes
> >> MS-MVP Windows Shell/User
> >>
> >> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> >> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> >>> I have very very strange entries in my registry and event viewer
> >>> that are adding up to no good.
> >>>
> >>> I have talked with Microsoft today, and what we tried did not solve
> >>> the problem.
> >>> I really don't want to wait until Monday to call them back.
> >>>
> >>> Does anyone know where I might find where remote access connection
> >>> manager is in the registry?
>
>
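A way to read the "Logon Failure" entry Kim pasted, as an added example that is not part of the thread. The Logon Type and Logon Process fields say where a failed logon came from: Logon Process "Advapi" means a program on the machine itself called the LogonUser() API, and Logon Type 2 is an interactive logon at the console (including runas, the Secondary Logon service, or a scheduled task holding a stale password). A remote attacker trying passwords over the network shows Logon Type 3 (or 10 for Remote Desktop) with a Workstation Name that is not this machine. The script below parses pasted event text and groups the failures by user, type, process and origin; $sampleLog is constructed for the example, modelled on Kim's entry plus one network-style failure for contrast.

```powershell
# Added example (not from the thread): parse 'Logon Failure' entries pasted
# from the XP Security log and summarise who failed, how, and from where.
# $sampleLog is constructed for this example, modelled on the entry in Kim's
# post plus one network-style failure for contrast.
$sampleLog = @'
Logon Failure:
 Reason: Unknown user name or bad password
 User Name: Owner
 Domain: OWNER-1E81AA74C
 Logon Type: 2
 Logon Process: Advapi
 Authentication Package: Negotiate
 Workstation Name: OWNER-1E81AA74C

Logon Failure:
 Reason: Unknown user name or bad password
 User Name: Owner
 Domain: OWNER-1E81AA74C
 Logon Type: 2
 Logon Process: Advapi
 Authentication Package: Negotiate
 Workstation Name: OWNER-1E81AA74C

Logon Failure:
 Reason: Unknown user name or bad password
 User Name: administrator
 Domain: OWNER-1E81AA74C
 Logon Type: 3
 Logon Process: NtLmSsp
 Authentication Package: NTLM
 Workstation Name: SOMEOTHERPC
'@

# Logon Type numbers as Windows 2000/XP record them.
$logonTypeNames = @{
    2  = 'Interactive: console logon, or LogonUser() called on this machine (runas, Secondary Logon, a scheduled task)'
    3  = 'Network: file share, RPC or another remote service'
    4  = 'Batch: scheduled task'
    5  = 'Service startup'
    7  = 'Workstation unlock'
    10 = 'RemoteInteractive: Remote Desktop / Terminal Services'
}

function ConvertFrom-LogonFailureText([string]$Text) {
    # Entries start with 'Logon Failure:'; the rest are 'Field: value' lines.
    $blocks = $Text -split '(?m)^Logon Failure:\s*$' | Where-Object { $_.Trim() }
    foreach ($block in $blocks) {
        $f = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') { $f[$matches[1]] = $matches[2] }
        }
        $type = [int]$f['Logon Type']
        # 'Advapi' with the Workstation Name equal to the local machine (on a
        # workgroup PC the Domain field is the machine name) is a local process
        # calling LogonUser(), typically a task or program holding an old
        # password, not a remote break-in attempt.
        $origin = if ($f['Logon Process'] -eq 'Advapi' -and $f['Workstation Name'] -eq $f['Domain']) {
            'local process'
        } else {
            'other host: ' + $f['Workstation Name']
        }
        [pscustomobject]@{
            User      = $f['User Name']
            Domain    = $f['Domain']
            LogonType = $type
            Process   = $f['Logon Process']
            Origin    = $origin
            Meaning   = $logonTypeNames[$type]
        }
    }
}

ConvertFrom-LogonFailureText $sampleLog |
    Group-Object User, LogonType, Process, Origin |
    ForEach-Object {
        $e = $_.Group[0]
        '{0,3} x  {1}\{2}  logon type {3} via {4}  [{5}]' -f $_.Count, $e.Domain, $e.User, $e.LogonType, $e.Process, $e.Origin
        '       ' + $e.Meaning
    }
```

Run against a real paste, the interesting lines are the ones whose origin is another host, and the ones whose count keeps climbing between reboots for a local process: the latter usually points at a scheduled task, a service, or a program saved with a password that has since been changed.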
Anonymous
March 6, 2005 9:35:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi Shenan,
Wow, that sounds like a great plan. How soon can you be here?
LOL
Just kidding. I'm sorry, but I don't see how I could do all that. I'm not
that computer savvy. Those instructions went way over my head.
Did I mention I'm blonde?...LOL

I do agree with you though. It seems a clean install would be my best bet.
I would have to pay someone to do those sorts of things for me, which I
don't mind doing at all. I'd rather be safe.

I really appreciate the help you've given me.
Kim

"Shenan Stanley" wrote:

> TxRose wrote:
> <snipping inline - comments at the end>
> > I am running xp. It came installed with SP-2. My computer is an
> > Intel, and about 2 months old.
> > As of this past Thursday, I am using Road Runner.
> >
> > I do have the installation disks that I have running on my system,
> > handy with their keys.
> >
> > I use Nero 6 for my cd burning.
> > I use Zone Alarm for my firewall. But not before this trouble
> > started. I was using the Windows firewall, and doing the updates
> > automatically.
> >
> > I have done the Panda scan, the McAfee scan, Trend Micro, and the
> > eTrustEZ scans.
> > They find nothing.
> >
> > I get my updates automatically from Windows Update, and have
> > installed a dozen or so patches in the last two months.
> > I also go into the catalog and look for patches I may need.
> >
> > The computer came with the free version of AVG installed. That is the
> > antivirus I was using when about a month ago I got hit with a virus
> > called parser.class.
> >
> > I have never been able to find out any info on the parser.class.
> >
> > I do weekly updates with my programs such as SpySweeper, and AdAware,
> > things of that nature.
> >
> > I was then told to call the FBI.
> > Which I did. That was 3 days ago.
> >
> > In all honesty, I believe I have a two fold problem. A few nasty
> > worms, and a local hacker.
> >
> > I believe the worms are remotely accessing my computer, and I keep
> > getting hits from a place in China, trying to penetrate different
> > ports.
> >
> > We have caught our wonderful neighbor tapping our telephones. This is
> > to the point of even listening in on the conversations in the room
> > when the phone was on the hook. Yes, this is possible.
> > The FBI is investigating that too.
> > This wonderful neighbor has also been heard making personal threats
> > to his buddies in his driveway.
> >
> > Okay, yes, I am scared. The phones have been unplugged for 3 weeks
> > now. The computer speakers are gone. The computer microphone is gone.
> >
> > Yes, my local police are involved now too.
> >
> > When I got hit with the parser.class, I had downloaded a file from the
> > internet into a new folder I made just for that purpose.
> > I then scanned it, and AVG said it was clean.
> > So, I proceeded to install it.
> > It was then that the box popped up (the one with the ugly gremlins)
> > saying I had been hit with parser.class.
> > AVG would not let me delete it, repair it, or quarantine it. Nothing.
> > I was stuck.
> >
> > I have since bought and installed Norton's Antivirus 2005. I have
> > always liked Nortons, and that is what I have used for years on my
> > 98SE, and ME systems.
> >
> > Okay, that was just a couple of weeks ago that I ditched the AVG, and
> > installed Norton's.
> >
> > But, I was still having problems. So, I installed an antivirus I ran
> > across, called Avast!
> > It has found about 6 or 7 viruses in the last couple of days, that
> > Norton's has totally missed.
> >
> > So, I have uninstalled Norton's. But, it is acting like a virus
> > itself, I can't get rid of all the files.
> >
> > I have found so many strange entries in the registry, and .dll's Zone
> > Alarm has listed.
> > These are dll's that a remote program uses, and I am not able to
> > disable them. or remove them.
> >
> > Let me explain why I think it is both the nasty worms and a local
> > hacker causing my problems.
> > Now, these problems started when I was using a local dial up ISP.
> >
> > Let me start first with the local hacker.
> >
> > In the properties of the Event Viewer on the Security listings, there
> > have been 55 Unknown user name or bad password attempts with in a 7
> > day period.
> >
> > There are at least 50 warnings in the properties on the System
> > listings for TCP/IP has reached the security limit imposed on the
> > number of concurrent TCP connect attempts.
> > Some were listed as using the Log In name as anonymous.
> >
> > It got to the point where it took me 12 times to dial up to get a
> > connection. When I did get connected, I would be bounced right back
> > off in a matter of seconds.
> > Over and over again.
> >
> > So, I carried my computer to my ISP, and had them look at it,
> > thinking there was something wrong with my modem. They checked it
> > out, and were able to connect time and time again, with no problems
> > at all. They thought there was something wrong with my phone line
> > causing the problem.
> >
> > The tech entered a code in the modem properties, to stabilize things.
> > That worked great.
> > I didn't have that trouble again. Until a week ago.
> > It started again, even with the code entered.
> >
> > Bear in mind, I have used this phone line for 15 years. For the last
> > 5 of those years, I have made this line a dedicated computer line,
> > plugged into the back of my computer, and dialed up to the same ISP
> > daily.
> > I could tell when something was not right.
> >
> > I am now with Road Runner, and these warnings and such are still being
> > made to this day.
> > I have not cancelled my dial up account, thinking if I left it open,
> > it may help the authorities catch who ever is behind all this.
> > Also, I went with another provider, to stay out of the way of the
> > investigations.
> >
> > Also way too many to count Remote Access connections.
> >
> > This is where I had posted the question about the Remote Access
> > Connection Manager.
> > I did a search on that and came up with this:
> > https://www.gotomypc.com/tr/over/remote_access_connecti...
> >
> > The ZoneAlarm had sent up alerts telling me things like it had
> > blocked my computer from sending out packets to a computer disguising
> > itself as my ISP.
> >
> > This is the point where my server and I called in the FBI.
> >
> > "Win32:Trojan-gen. {Other}" has been found in the "C:\System Volume
> > Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
> > file.
> >
> > I am by no means a computer genius, but I don't know how to or what
> > to do with that new info. Except maybe to cry. But, I know that won't
> > help either.
> >
> > Okay, I think my story is about complete now, at least to give you an
> > idea of what the computer problems are.
> >
> > Maybe I should just have it formatted and a clean install done?
> >
> > Thank you for listening Shenan.
>
> Okay - I snipped some, but left the majority. You do seem to have a few
> issues here.
>
> Here is what I would do for my peace of mind (at least with the computer) if
> I was in your shoes.
>
> I would purchase a DSL/Cable Modem router with Firewall. I suggest
> something like this:
> http://www.netgear.com/products/details/DG834.php
> and install it. Be sure to change the username/password needed to access it
> and be sure that remote administration on the device is turned OFF. Also,
> some cable modems/dsl modems must be powered off for a number of minutes
> before they will allow a different device (such as a router) to be connected
> after you have already "registered" one system. Also - some places actually
> make you call and register the device that will be connected to the modem
> directly by the MAC address - do whatever your ISP requires.
>
> I would then backup my critical documents to CD/DVD.. Word files, contacts,
> excel spreadsheets, database files, email, etc..
>
> At this point, I would collect all my cd/serial numbers and installation
> media (that may mean burning certain applications to CD for later install.)
> I would also download and burn to CD the Windows XP Service Pack 2
> installation file. Also - I would download and burn to CD my favorite
> AntiVirus software and Firewall software along with the keys I need to use
> them. With the antivirus software - I would also download the manual update
> file for the definitions - so I could update my antivirus the first time
> without connecting to the Internet.
>
> I would then set a password to even turn ON the computer in the system BIOS.
> You can set two different ones in most modern system BIOSes.. One to change
> settings in the BIOS and one to even get past the BIOS and actually boot the
> PC. If you are truly paranoid about physical access to the computer, then
> turning it off when you are not around and having these two set can really
> deter amateur "hackers" - also make sure the machine is set to boot from
> HARD DRIVE first - but only AFTER you do the following CLEAN INSTALLATION.
> You need it to boot from the CD until you are done.
>
> Then I would perform a clean installation on my computer by doing the
> following.
>
> - Disconnect from the Internet and any means to connect to the Internet.
> - Using my Windows XP CD to boot (like I was doing an installation) - I
> would continue through the installation prompts until it asked me which
> partition to install on. I would then choose to delete all partitions and
> create double the number of partitions I had before. (If I had one, I would
> create two, if I had two, I would create four - so on.) Then use the tools
> to further format these partitions (FULL NTFS format.) But I would NOT
> continue the installation from here... This was merely to eradicate from
> normal means of recovery - everything on the hard drive.
> - Then again using the Windows XP CD - I would boot from it and continue
> through the Installation. When it asked which partition to install on, I
> would delete all partitions and create two partitions.. The first would be
> 8GB to 20GB in size. The second would be the remainder of the drive. I
> would then format (FULL, not quick) the partitions and finish the
> installation.
> - Once the installation is completed (assuming my CD did not have SP2 on it)
> I would then immediately - before doing anything else - install SP2.
> Remember - you are still nowhere near an Internet connection - you are using
> the CD you burned with the SP2 installation file on it.
> - Then I would go through my user accounts and make sure they all have good
> passwords. I would rename the administrator account to something TOTALLY
> bizarre and make that password particularly difficult - over 14 characters
> for sure. guest would be definitely disabled.
> - I would also turn off any and all Remote Desktop/Remote Assistance
> features.
> - I would ensure the Windows Firewall was on and there were NO exceptions
> turned on.
> (for now - you can turn off the Windows firewall and install your own
> firewall later - but for now - this security is what you need.)
> - I would then install the AntiVirus software of choice and update it using
> the file I mentioned earlier. I would set it to auto-update daily after 3PM
> and scan automatically once a week.
> - Then I would go through my list of services and set to manual any that I
> do not need/use. I would also do the same for other startups.
> - I would also turn OFF Automatic Updates and set the Windows Security
> Center not to tell me I have it off.
>
> Now - finally - I would feel secure enough to connect to the Internet
> through my properly configured firewall router. It gives me my private IP,
> so the machine itself is not publicly accessible from the Internet without
> reconfiguring the router.
>
> After connected to the Internet, I would visit this site:
> http://windowsupdate.microsoft.com/
> and download/install all updates there EXCEPT hardware updates.
>
> After (however many reboots the previous step takes) Windows Updates, I
> would then download and install the latest HARDWARE drivers from my system.
> Video, Network, Sound, Chipset, etc.
>
> Then, as crazy as it may sound - I would download and install the Microsoft
> AntiSpyware Beta. It is based on one of the best antispyware apps out there
> (Giant AntiSpyware) and it has good ACTIVE antispyware abilities. I would
> also download and install/update/scan with Lavasoft AdAware, Spybot Search
> and Destroy (immunize as well), SpywareBlaster(immunization only) and
> IE-SpyAd(immunization only.)
>
> Now you are fairly secure and safe behind your hardware and software
> firewalls as well as your AntiSpyware and AntiVirus applications and the
> general knowledge you already seem to have.
>
> You could install your preferred firewall application now - if you like.
> However, for most I do not feel this is necessary - particularly with the
> hardware firewall in place. I do suggest using a software one even with the
> hardware on - but the Windows XP one should be sufficient - as if they can
> get through your hardware firewall, they can likely get through whatever
> software one you throw at them.
>
> If you also follow all the advice I gave previously (particularly about
> passwords, etc) and maintain all the applications and patches and lock your
> CDs/keys safely in a secured area - then you should be fairly safe from
> intrusion and from most malware on the Internet - given you do not install
> it yourself.
>
> Install all of your applications - be careful about what you install -
> search for it on the Internet and ensure it is not a known carrier of
> malware. If you want to install applications you previously downloaded,
> then download them anew instead of using an older (and possibly compromised)
> installation file. This also ensures you have the latest versions!
>
> Good luck to you with all of your issues!
>
> PS.. Your system restore problem is fixed by turning off/back on the system
> restore feature - clearing it out.
>
> --
> <- Shenan ->
> --
> The information is provided "as is", it is suggested you research for
> yourself before you take any advice - you are the one ultimately
> responsible for your actions/problems/solutions. Know what you are
> getting into before you jump in with both feet.
>
>
>
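A check for the account, firewall and service items in the rebuild plan quoted above, as an added example that is not from Shenan, Kim or anyone else in the thread. It reports PASS or FAIL for each item rather than changing anything, so it can be run after the rebuild (or by whoever Kim pays to do it) to confirm the work. Assumptions: an administrator prompt on a workgroup machine running Windows PowerShell (Get-WmiObject, so not PowerShell 7), and the XP SP2 "netsh firewall" syntax, which later versions still accept for compatibility. One point the plan does not spell out: the built-in Administrator keeps its relative ID 500 whatever it is renamed to, so the script finds it by SID, and renaming is a speed bump for guessers, not a lock.

```powershell
# Added example (not from the thread): audit a freshly rebuilt workgroup box
# against the account, firewall and service items in the plan above.
# Assumes an administrator prompt and Windows PowerShell (Get-WmiObject).
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $verdict = if ($Pass) { 'PASS' } else { 'FAIL' }
    $results.Add([pscustomobject]@{ Check = $Name; Result = $verdict; Detail = $Detail })
}

# 1. The built-in Administrator is the local account whose SID ends in -500,
#    whatever it is called now; Guest is -501. Look them up by SID, not name.
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
$admin = $accounts | Where-Object { $_.SID -like '*-500' }
$guest = $accounts | Where-Object { $_.SID -like '*-501' }
Add-Check 'Built-in Administrator renamed' ($admin.Name -ne 'Administrator') "RID 500 account is now '$($admin.Name)'"
Add-Check 'Guest disabled' ([bool]$guest.Disabled) "Guest.Disabled = $($guest.Disabled)"

# 2. Every enabled local account must require a password.
$blank = @($accounts | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired })
Add-Check 'No enabled account with a blank password' ($blank.Count -eq 0) (($blank | ForEach-Object { $_.Name }) -join ', ')

# 3. Windows Firewall on with exceptions off, for the profile currently in use.
#    'netsh firewall show opmode' prints one block per profile; the active one
#    is marked '(current)'. Fall back to the whole output if no marker is found.
$opmode  = (netsh firewall show opmode 2>$null) -join "`n"
$current = $opmode -split '\n\s*\n' | Where-Object { $_ -match '\(current\)' } | Select-Object -First 1
if (-not $current) { $current = $opmode }
Add-Check 'Firewall operational mode = Enable' ($current -match 'Operational mode\s*=\s*Enable') ''
Add-Check 'Firewall exception mode = Disable'  ($current -match 'Exception mode\s*=\s*Disable') ''

$results | Format-Table -AutoSize

# 4. Services that start at boot: the list to go through and set to Manual
#    (Set-Service -Name <name> -StartupType Manual) for anything not needed.
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
    Sort-Object Name |
    Select-Object Name, DisplayName, State |
    Format-Table -AutoSize
```

The service list at the end is deliberately not scored: which automatic services a home machine needs depends on what it is used for, and the useful output is a short list a person can read through once and justify line by line.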
Anonymous
March 6, 2005 9:39:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Shenan,
Wow, that sounds like a great plan. How soon can you be here?
LOL
Just kidding. I'm sorry, but I don't see how I could do all that. I'm not
that computer savvy. Those instructions went way over my head.
Did I mention I'm blonde?...LOL

I do agree with you though. It seems as a clean install would be my best bet.
I would have to pay someone to do those sorts of things for me, which I
don't mind doing at all. I'd rather be safe.

I really appreciate the help you've given me.
Kim

"Shenan Stanley" wrote:

> TxRose wrote:
> <snipping inline - comments at the end>
> > I am running xp. It came installed with SP-2. My computer is an
> > Intel, and about 2 months old.
> > As of this past Thursday, I am using Road Runner.
> >
> > I do have the installation disks that I have running on my system,
> > handy with their keys.
> >
> > I use Nero 6 for my cd burning.
> > I use Zone Alarm for my firewall. But not before this trouble
> > started. I was using the Windows firewall, and doing the updates
> > automatically.
> >
> > I have done the Panda scan, the MeAfee scan, Trend Micro, and the
> > eTrustEZ scans.
> > They find nothing.
> >
> > I get my updates automatically from Windows Update, and have
> > installed a dozen or so patches in the last two months.
> > I also go into the catalog and look for patches I may need.
> >
> > The computer came with the free version of AVG installed. That is the
> > anvirus I was using when about a month ago I got hit with a virus
> > called parser.class.
> >
> > I have never been able to find out any info on the parser.class.
> >
> > I do weekly updates with my programs such as SpySweeper, and AdAware,
> > things of that nature.
> >
> > I was then told to call the FBI.
> > Which I did. That was 3 days ago.
> >
> > In all honesty, I believe I have a two fold problem. A few nasty
> > worms, and a local hacker.
> >
> > I believe the worms are remotely accessing my computer, and I keep
> > getting hits from a place in China, trying to penetrate different
> > ports.
> >
> > We have caught our wonderful neighbor tapping our telephones. This is
> > to the point of even listening in on the conversations in the room
> > when the phone was on the hook. Yes, this is possible.
> > The FBI is investigating that too.
> > This wonderful neighbor has also been heard making personal threats
> > to his buddies in his driveway.
> >
> > Okay, yes, I am scared. The phones have been unplugged for 3 weeks
> > now. The computer speakers are gone. The computer microphone is gone.
> >
> > Yes, my local police are involved now too.
> >
> > When I got hit with the parser.class, I had downloaded a file from the
> > internet into a new folder I made just for that purpose.
> > I then scanned it, and AVG said it was clean.
> > So, I proceeded to install it.
> > It was then that the box popped up (the one with the ugly gremlins)
> > saying I had been hit with parser.class.
> > AVG would not let me dlete it, repair it, or quarantine it. Nothing.
> > I was stuck.
> >
> > I have since bought and installed Norton's Antivirus 2005. I have
> > always liked Nortons, and that is what I have used for years on my
> > 98SE, and ME systems.
> >
> > Okay, that was just a couple of weeks ago that I ditched the AVG, and
> > installed Norton's.
> >
> > But, I was still having problems. So, I installed a antivirus I ran
> > across, called Avast!
> > It has found about 6 or 7 viruses in the last couple of days, that
> > Norton's has totally missed.
> >
> > So, I have uninstalled Norton's. But, it is acting like a virus
> > itself, I can't get rid of all the files.
> >
> > I have found so many strange entries in the registry, and .dll's Zone
> > Alarm has listed.
> > These are dll's that a remote program uses, and I am not able to
> > disable them. or remove them.
> >
> > Let me explain why I think it is both the nasty worms and a local
> > hacker causing my problems.
> > Now, these problems started when I was using a local dial up ISP.
> >
> > Let me start first with the local hacker.
> >
> > In the properties of the Event Viewer on the Security listings, there
> > have been 55 Unknown user name or bad password attempts with in a 7
> > day period.
> >
> > There are at least 50 warnings in the properties on the System
> > listings for TCP/IP has reached the security limit imposed on the
> > number of concurrent TCP connect attempts.
> > Some were listed as using the Log In name as anonymous.
> >
> > It got to the point where it took me 12 times to dial up to get a
> > connection. When I did get connected, I would be bounced right back
> > off in a matter of seconds.
> > Over and over again.
> >
> > So, I carried my computer to my ISP, and had them look at it,
> > thinking there was something wrong with my modem. They checked it
> > out, and were able to connect time and time again, with no problems
> > at all. They thought there was something wrong with my phone line
> > causing the problem.
> >
> > The tech enter in a code in the modem properties, to stabalize things.
> > That worked great.
> > I didn't have that trouble again. Until a week ago.
> > It started again, even with the code entered.
> >
> > Bear in mind, I have used this phone line for 15 years. For the last
> > 5 of those years, I have made this line a dedicated computer line,
> > plugged into the back of my computer, and dialed up to the same ISP
> > daily.
> > I could tell when something was not right.
> >
> > I am now with Road Runner, and these warning and such are still being
> > made to this day.
> > I have not cancelled my dial up account, thinking if I left it open,
> > it may help the authorities catch who ever is behind all this.
> > Also, I went with another provider, to stay out of the way of the
> > investigations.
> >
> > Also way too many to count Remote Access connections.
> >
> > This is where I had posted the question about the Remote Access
> > Connection Manager.
> > I did a search on that and came up with this:
> > https://www.gotomypc.com/tr/over/remote_access_connecti...
> >
> > The ZoneAlarm had sent up alerts telling me things like it had
> > blocked my computer from sending out packets to a computer disguising
> > itself as my ISP.
> >
> > This is the point where my server and I called in the FBI.
> >
> > I have "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume
> > Information\_restore{3C87EDD3-CBF4-4856-90B0-93F337A97205}\RP12\A0003283.exe"
> > file.
> >
> > I am by no means a computer genius, but I don't know how to or what
> > to do with that new info. Except maybe to cry. But, I know that won't
> > help either.
> >
> > Okay, I think my story is about complete now, at least to give you an
> > idea of what the computer problems are.
> >
> > Maybe I should just have it formatted and a clean install done?
> >
> > Thank you for listening Shenan.
>
> Okay - I snipped some, but left the majority. You do seem to have a few
> issues here.
>
> Here is what I would do for my peace of mind (at least with the computer) if
> I was in your shoes.
>
> I would purchase a DSL/Cable Modem router with Firewall. I suggest
> something like this:
> http://www.netgear.com/products/details/DG834.php
> and install it. Be sure to change the username/password needed to access it
> and be sure that remote administration on the device is turned OFF. Also,
> some cable modems/dsl modems must be powered off for a number of minutes
> before they will allow a different device (such as a router) to be connected
> after you have already "registered" one system. Also - some places actually
> make you call and register the device that will be connected to the modem
> directly by he MAC address - do whatever your ISP requires.
>
> I would then backup my critical documents to CD/DVD.. Word files, contacts,
> excel spreadsheets, database files, email, etc..
>
> At this point, I would collect all my cd/serial numbers and insallation
> media (that may mean burning certain applications to CD for later install.)
> I would also download and burn to CD the Windows XP Service Pack 2
> installation file. Also - I would download and burn to CD my favorite
> AntiVirus software and Firewall software along with the keys I need to use
> them. With the antivirus software - I would also download the manual update
> file for the definitions - so I could update my antivirus the first time
> without connecting to the Internet.
>
> I would then set a password to even turn ON the computer in the system BIOS.
> You can set two different ones in most modern system BIOSes.. One to change
> settings in the BIOS and one to even get past the BIOS and actually boot the
> PC. If you are truly paranoid about physical access to the computer, then
> turning it off when you are not around and having these two set can really
> deter amatuer "hackers" - also make sure the machine is set to boot from
> HARD DRIVE first - but only AFTER you do the following CLEAN INSTALLATION.
> You need it to boot from the CD until you are done.
>
> Then I would perform a clean installation on my computer by doing the
> following.
>
> - Disconnect from the Internet and any means to connect to the Internet.
> - Using my Windows XP CD to boot (like I was doing an installation) - I
> would continue through the installation prompts until it asked me which
> partition to install on. I would then choose to delete all partitions and
> create double the number of partitions I had before. (If I had one, I would
> create two, if I had two, I would create four - so on.) Then use the tools
> to further format these partitions (FULL NTFS format.) But I would NOT
> continue the installation from here... This was merely to eradicate from
> normal means of recovery - everything on the hard drive.
> - Then again using the Windows XP CD - I would boot from it and continue
> through the Installation. When it asked which partition to install on, I
> would delete all partitions and create two partitions.. The first would be
> 8GB to 20GB in size. The second would be the remainder of the drive. I
> would then format (FULL, not quick) the partitions and finish the
> installation.
> - Once the installation is completed (assuming my CD did not have SP2 on it)
> I would then immediately - before doing anything else - install SP2.
> Remember - you are still nowhere near an Internet connection - you are using
> the CD you burned with the SP2 installation file on it.
> - Then I would go through my user accounts and make sure they all have good
> passwords. I would rename the administrator account to something TOTALLY
> bizarre and make that password particularly difficult - over 14 characters
> for sure. Guest would definitely be disabled.
> - I would also turn off any and all remote desktop/remote assistant
> features.
> - I would ensure the Windows Firewall was on and there were NO exceptions
> turned on.
> (for now - you can turn off the Windows firewall and install your own
> firewall later - but for now - this security is what you need.)
> - I would then install the AntiVirus software of choice and update it using
> the file I mentioned earlier. I would set it to auto-update daily after 3PM
> and scan automatically once a week.
> - Then I would go through my list of services and set to manual any that I
> do not need/use. I would also do the same for other startups.
> - I would also turn OFF Automatic Updates and set the Windows Security
> Center not to tell me I have it off.
>
> Now - finally - I would feel secure enough to connect to the Internet
> through my properly configured firewall router. It gives me my private IP,
> so the machine itself is not publicly accessible from the Internet without
> reconfiguring the router.
>
> After connected to the Internet, I would visit this site:
> http://windowsupdate.microsoft.com/
> and download/install all updates there EXCEPT hardware updates.
>
> After (however many reboots the previous step takes) Windows Updates, I
> would then download and install the latest HARDWARE drivers from my system.
> Video, Network, Sound, Chipset, etc.
>
> Then, as crazy as it may sound - I would download and install the Microsoft
> AntiSpyware Beta. It is based off one of the best antispyware apps out there
> (Giant AntiSpyware) and it has good ACTIVE antispyware abilities. I would
> also download and install/update/scan with Lavasoft AdAware, Spybot Search
> and Destroy (immunize as well), SpywareBlaster(immunization only) and
> IE-SpyAd(immunization only.)
>
> Now you are fairly secure and safe behind your hardware and software
> firewalls as well as your AntiSpyware and AntiVirus applications and the
> general knowledge you already seem to have.
>
> You could install your preferred firewall application now - if you like.
> However, for most I do not feel this is necessary - particularly with the
> hardware firewall in place. I do suggest using a software one even with the
> hardware on - but the Windows XP one should be sufficient - as if they can
> get through your hardware firewall, they can likely get through whatever
> software one you throw at them.
>
> If you also follow all the advice I gave previously (particularly about
> passwords, etc) and maintain all the applications and patches and lock your
> CDs/keys safely in a secured area - then you should be fairly safe from
> intrusion and from most malware on the Internet - given you do not install
> it yourself.
>
> Install all of your applications - be careful about what you install -
> search for it on the Internet and ensure it is not a known carrier of
> malware. If you want to install applications you previously downloaded,
> then download them anew instead of using an older (and possibly compromised)
> installation file. This also ensures you have the latest versions!
>
> Good luck to you with all of your issues!
>
> PS.. Your system restore problem is fixed by turning off/back on the system
> restore feature - cleaning it out.
>
> --
> <- Shenan ->
> --
> The information is provided "as is", it is suggested you research for
> yourself before you take any advice - you are the one ultimately
> responsible for your actions/problems/solutions. Know what you are
> getting into before you jump in with both feet.
>
>
>
Anonymous
March 7, 2005 10:39:25 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kim,

Event ID & the Event Source are very important.

To open the Event Viewer...
Start | Run | Type: eventvwr | OK

For any Events that seem related to the problem...

Double click the event in Event Viewer | Click: the button below the second
arrow (looks like two pages) [[Copies the details of the event to the
Clipboard.]] | Paste into Notepad | Click:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Read all info | Copy and paste to Notepad | Click the [+] Related Knowledge
Base articles | Follow any links that might be useful

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427

Event Viewer overview
http://www.microsoft.com/resources/documentation/window...

This can also be very useful.
You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/support/ee/search.aspx...

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:36B7EF3A-84CB-43FF-AE71-0809F24ED301@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> Hi Wes,
> Yes, it appears that did help.
> It shows disabled, instead of being started.
> I also see no entries listed of a remote access in the event viewer.
> Whoo hoo..LOL
>
> This entry in the event viewer looks good:
> The Remote Access Connection Manager service was successfully sent a
> stop control.
> Thank you for helping me get that turned off.
>
> However, when I just rebooted, I did see these, which do not look
> good in my opinion, but I could be wrong:
>
> The first one has been going on for a long time, and is still
> showing.
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Owner
> Domain: OWNER-1E81AA74C
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: OWNER-1E81AA74C
>
> The protected system file c:\windows\system32\racpldlg.dll could not
> be verified as valid because Windows File Protection is terminating.
> Use the SFC utility to verify the integrity of the file at a later
> time.
>
> The TCP/IP NetBIOS Helper service depends on the AFD service which
> failed to start because of the following error:
> A device attached to the system is not functioning.
>
> Your computer was not able to renew its address from the network
> (from the DHCP Server) for the Network Card with network address
> 0011099706B4. The following error occurred:
> The semaphore timeout period has expired. . Your computer will
> continue to try and obtain an address on its own from the network
> address (DHCP) server.
>
> Your computer has detected that the IP address 66.25.204.98 for the
> Network Card with network address 0011099706B4 is already in use on
> the network. Your computer will automatically attempt to obtain a
> different address.
>
> Your computer has detected that the IP address 0.0.0.0 for the
> Network Card with network address 0011099706B4 is already in use on
> the network. Your computer will automatically attempt to obtain a
> different address.
>
> Your computer was not able to renew its address from the network
> (from the DHCP Server) for the Network Card with network address
> 0011099706B4. The following error occurred:
> The semaphore timeout period has expired. . Your computer will
> continue to try and obtain an address on its own from the network
> address (DHCP) server.
>
> The following boot-start or system-start driver(s) failed to load:
> Aavmker4
> AFD
> aswTdi
> Fips
> intelppm
> IPSec
> MRxSmb
> NetBIOS
> NetBT
> RasAcd
> Rdbss
> Tcpip
> vsdatant
>
> Looks like a fun time huh?
>
> Kim
>
> "Wesley Vogel" wrote:
>
>> Kim,
>>
>> Reboot.
>>
>> And then check on the Remote Access Connection Manager in Services,
>> it probably won't have started since you disabled it.
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>> Hi Wesley,
>>> Here are the results from what I just did in the services.msc.
>>>
>>> The Remote Access Auto Connection was already stopped, and I did the
>>> type set to disabled.
>>>
>>> The Remote Desktop Help Session Manager, was also stopped, and I did
>>> the type set to disabled.
>>>
>>> The Remote Access Connection Manager would not allow me to stop it.
>>> The type set is set to Start, but I got an error saying :
>>> Could not stop the Remote Access Connection Manager on Local
>>> Computer. Error 1053: The service did not respond to the start or
>>> control request in a timely fashion.
>>> Anyway, I did the type set to Disabled.
>>>
>>> I am not sure if I should have, but I stopped the secondary logon,
>>> and set it to disabled too.
>>>
>>> It looks like there are a lot of things there I would like to
>>> disable, but I won't without some kind of assistance first.
>>>
>>> Now, when I right click on my computer/properties/remote tab, it is
>>> unchecked to Allow Remote Assistance invitations to be sent from
>>> this computer.
>>> There was not another option listed.
>>>
>>> Kim
>>>
>>> "Wesley Vogel" wrote:
>>>
>>>> [[Remote Access Auto Connection Manager is on by default in Windows
>>>> XP Professional computers that are not members of a domain and in
>>>> Windows XP Home Edition.]]
>>>>
>>>> Open Services and disable Remote Access Auto Connection Manager...
>>>>
>>>> Start | Run | Type: services.msc | Click OK |
>>>> Scroll down to and double click: Remote Access Auto Connection
>>>> Manager | If the service is running, click the Stop button | When
>>>> it has stopped, under Startup
>>>> type set to Disabled | Apply | OK |
>>>>
>>>> Do the same for Remote Access Connection Manager & Remote Desktop
>>>> Help Session Manager.
>>>>
>>>> Right click My Computer | Properties | Remote tab |
>>>> Make sure that both of these are UNChecked:
>>>> • Allow Remote Assistance invitations to be sent from this computer
>>>> • Allow users to connect remotely to this computer
>>>>
>>>> Turn on a firewall.
>>>>
>>>> --
>>>> Hope this helps. Let us know.
>>>>
>>>> Wes
>>>> MS-MVP Windows Shell/User
>>>>
>>>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>> I have very very strange entries in my registry and event viewer
>>>>> that are adding up to no good.
>>>>>
>>>>> I have talked with Microsoft today, and what we tried did not
>>>>> solve the problem.
>>>>> I really don't want to wait until Monday to call them back.
>>>>>
>>>>> Does anyone know where I might find where remote access connection
>>>>> manager is in the registry?
Anonymous
March 8, 2005 11:17:05 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Wes,
Yes that information does help. Thank you.
I agree that the information of the Event ID & the Event Source are very
important.
Too bad it wasn't you that I talked with while on the phone with Microsoft.

The Microsoft tech and I talked for hours on the phone yesterday, and I was
told that my computer is clean, and everything is fine. We tried all sorts of
things looking for viruses/worms. We purged the cache, cleared out SSL state,
ran scans, and cleaned out passwords, and even deleted a couple of folders in
the registry.
I ended up telling him I would just take my computer into the shop. I was
told it would be a waste of my money..LOL
He did not seem to care about the info of the Event ID & the Event Source.
I am still having way too many unknown user name/bad password entries.
I also do not like the successful ANONYMOUS LOGONs.

Maybe I'm crazy, but these two entries alone, do not look right to me, as
they are still happening.

Thanks for the links. Especially the one for events and errors help.

Kim

Anonymous
March 8, 2005 10:25:13 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kim,

These??

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529

[[The event occurred on Windows XP if the machine environment meets the
following criteria:
- The machine is a member of a domain.
- The machine is using a machine local account.
- Logon failure auditing is enabled.
When the user logs off, Windows will write event ID 529 to the log file
because
the OS incorrectly tries to contact the domain controller (DC), despite the
fact that the machine is using a local account. Microsoft currently doesn't
provide a fix for this problem, but you can safely ignore this event ID.]]

Security Event 529 Is Logged for Local User Accounts
http://support.microsoft.com/?kbid=811082

Failure Events Are Logged When the Welcome Screen Is Enabled
http://support.microsoft.com/?kbid=305822

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

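Wes's reply above ties the recurring 680/529 failure audits to KB 305822, and Kim's earlier post also mentions successful ANONYMOUS LOGON events (ID 540). The following Python script is an added example, not code from the thread or from Microsoft: it parses events in the copy-to-clipboard text layout Wes describes, labels each one, and counts the 680-then-529 pairs that the Welcome-screen article accounts for, so that whatever is left over stands out. The sample events are constructed from the values quoted in the thread (account Owner, workstation OWNER-1E81AA74C); the times, the verdict labels and the function names are assumptions of the example. The reading of a 540 with NT AUTHORITY\ANONYMOUS LOGON, Logon Type 3 and NTLM as a null session over SMB/NetBIOS is mine, not something Wes states.

```python
import re

# NTSTATUS codes as event 680 prints them in "Error Code"; the first is Kim's.
NTSTATUS = {
    "0xC000006A": "STATUS_WRONG_PASSWORD (account exists, password wrong)",
    "0xC0000064": "STATUS_NO_SUCH_USER (no such account name)",
    "0xC000006D": "STATUS_LOGON_FAILURE (generic bad user name or password)",
}

# Constructed sample in the layout Event Viewer's copy-to-clipboard button
# produces; values are those quoted in the thread, the times are invented.
SAMPLE_LOG = """\
Event Type: Failure Audit
Event ID: 680
Time: 9:02:11 PM
Logon account: Owner
Source Workstation: OWNER-1E81AA74C
Error Code: 0xC000006A

Event Type: Failure Audit
Event ID: 529
Time: 9:02:11 PM
Logon Failure:
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C

Event Type: Success Audit
Event ID: 540
Time: 9:05:40 PM
User: NT AUTHORITY\\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_events(text):
    """One dict per blank-line-separated event, 'Field' -> 'value' (blank values kept)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "Event ID" in rec:
            events.append(rec)
    return events

def triage(ev):
    """Return (verdict, explanation); verdict is 'info', 'check' or 'alert'."""
    eid, get = ev.get("Event ID"), ev.get
    if eid == "680":
        code = get("Error Code", "")
        return ("check", "680: credential check for '%s' from %s failed: %s" % (
            get("Logon account"), get("Source Workstation"),
            NTSTATUS.get(code, "unmapped NTSTATUS " + code)))
    if eid == "529":
        if get("Logon Type") == "2" and get("Logon Process") == "Advapi":
            # LogonUser() called locally with bad credentials; with the XP Welcome
            # screen on, one 680+529 pair per account is the KB 305822 pattern.
            return ("check", "529: local LogonUser() (Advapi, type 2) failed for '%s'"
                    % get("User Name"))
        return ("alert", "529: logon failure type %s via %s for '%s' from '%s'" % (
            get("Logon Type"), get("Logon Process"), get("User Name"),
            get("Workstation Name") or "?"))
    if eid == "540":
        if ("ANONYMOUS LOGON" in get("User", "").upper() and get("Logon Type") == "3"
                and get("Authentication Package") == "NTLM"):
            # A null session: a remote host reached SMB/NetBIOS (TCP 139/445) with
            # no credentials. Block those ports inbound; on XP also set
            # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous.
            return ("alert", "540: anonymous (null-session) NTLM network logon")
        return ("info", "540: network logon by %s\\%s from '%s'" % (
            get("Domain"), get("User Name"), get("Workstation Name")))
    return ("info", "%s: not triaged" % eid)

def welcome_screen_pairs(events):
    """Count adjacent 680 -> 529 pairs for one account at one time (KB 305822)."""
    pairs = 0
    for a, b in zip(events, events[1:]):
        if ((a.get("Event ID"), b.get("Event ID")) == ("680", "529")
                and a.get("Logon account") == b.get("User Name")
                and a.get("Time") == b.get("Time")):
            pairs += 1
    return pairs

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print("%-5s %s" % triage(ev))
    print("welcome-screen 680/529 pairs:", welcome_screen_pairs(evs))
```

Run it as-is to see the verdicts for the sample; for a real log, paste the copied event details into a text file and hand its contents to parse_events(). A 540 null session from another machine on the LAN is normal NetBIOS browsing traffic; one from an Internet address means TCP 139/445 are reachable through the firewall, which is the case to act on.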
Anonymous
March 8, 2005 10:55:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

LOL Wes...

Actually I am now more confused.

I have checked out the articles at:

http://support.microsoft.com/?kbid=305822

http://support.microsoft.com/?kbid=811082

http://support.microsoft.com/?kbid=305822

Mine are similar, but not the same. I am not sure if that matters or not.
There are always 4 failures in a row.

The first being:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: %user name%
Source Workstation: %computer name%
Error Code: 0xC000006A

Then

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: %computer name%
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: %user name%
Domain: %computer name%
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: %computer name%

Then

Both of the two errors above repeated once again.

What I got out of the MS articles is:

1. Disable the Welcome screen and use the classic logon screen
(which I don't know how to do)
2.This was supposed to be fixed with sp1. Guess what? It wasn't ...LOL
3.Turn off auditing of logon events.
To do this, the article on:
http://support.microsoft.com/?kbid=305822
tells me to:

To turn off auditing in the Microsoft Management Console (MMC) snap-in for
Group Policy:

1. Click Start, click Run, type gpedit.msc, and then click OK.

But

My computer stops me from going any farther, as I get an error saying my
computer can't find gpedit.msc.

2. In the left pane, expand the following items:
• Local Computer Policy
• Computer Configuration
• Windows Settings
• Security Settings
• Local Policy
3. Click Audit Policy.
4. Double-click Audit Logon Events.
5. Click to clear the Success and Failure check boxes.
6. Click OK.
7. Close the Group Policy window.

Do you know why I would be getting this success event?

Date:
Time:
Type: Success Audit
Source: Security
Category: Logon/Logoff
Event ID: 540
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: owner
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x2C33D)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

This is all getting to be too much. I just want to use my computer to have
fun, and enjoy myself.
All this spyware, adware, trojans, worms, yada yada yada is to the point of
being ridiculous.
If there is help on the way for us home computer users, it can't come soon
enough.

I don't ever remember having this many problems using 98, or ME. At least
not to my knowledge.
I'm sure they had their problems too,.....but everyday, I look at those
other 2 computers sitting there on the other side of the room, and my
thoughts are getting closer to swapping them out to use, instead of this XP
one..LOL

And, if those people in China and Korea don't stop pinging me, I think I'll
scream.

I just got probed by someone with the IP address of 205.98.250.77,
using the name:
SPACE AND NAVAL WARFARE SYSTEM COMMAND
City: WASHINGTON

Don't these people have anything better to do? And what's in it for them?

Thanks for the help Wes,

Kim

"Wesley Vogel" wrote:

> Kim,
>
> These??
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
>
> Failure Events Are Logged When the Welcome Screen Is Enabled
> http://support.microsoft.com/?kbid=305822
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
>
> [[The event occurred on Windows XP if the machine environment meets the
> following criteria:
> - The machine is a member of a domain.
> - The machine is using a machine local account.
> - Logon failure auditing is enabled.
> When the user logs off, Windows will write event ID 529 to the log file
> because
> the OS incorrectly tries to contact the domain controller (DC), despite the
> fact that the machine is using a local account. Microsoft currently doesn't
> provide a fix for this problem, but you can safely ignore this event ID.]]
>
> Security Event 529 Is Logged for Local User Accounts
> http://support.microsoft.com/?kbid=811082
>
> Failure Events Are Logged When the Welcome Screen Is Enabled
> http://support.microsoft.com/?kbid=305822
>
> --
> Hope this helps. Let us know.
>
> Wes
> MS-MVP Windows Shell/User
>
> In news:0A64EB31-56BB-4716-A7A7-6BF5085C43AA@microsoft.com,
> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> > Hi Wes,
> > Yes that information does help. Thank you.
> > I agree that the information of the Event ID & the Event Source are
> > very important.
> > Too bad it wasn't you that I talked with while on the phone with
> > Microsoft.
> >
> > The Microsoft tech and I talked for hours on the phone yesterday, and
> > I was told that my computer is clean, and everything is fine. We
> > tried all sorts of things looking for viruses/worms. We purged the
> > cache, cleared out SSL state, ran scans, and cleaned out passwords,
> > and even deleted a couple of folders in the registry.
> > I ended up telling him I would just take my computer into the shop. I
> > was told it would be a waste of my money..LOL
> > He did not seem to care about the info of the Event ID & the Event
> > Source.
> > I am still having way too many unknown user name/bad password entries.
> > I also do not like the successful ANONYMOUS LOGONs.
> >
> > Maybe I'm crazy, but these two entries alone, do not look right to
> > me, as they are still happening.
> >
> > Thanks for the links. Especially the one for events and errors help.
> >
> > Kim
> >
> > "Wesley Vogel" wrote:
> >
> >> Kim,
> >>
> >> Event ID & the Event Source are very important.
> >>
> >> To open the Event Viewer...
> >> Start | Run | Type: eventvwr | OK
> >>
> >> For any Events that seem related to the problem...
> >>
> >> Double click the event in Event Viewer | Click: the button below the
> >> second arrow (looks like two pages) [[Copies the details of the
> >> event to the Clipboard.]] | Paste into Notepad | Click:
> >> For more information, see Help and Support Center at
> >> http://go.microsoft.com/fwlink/events.asp.
> >>
> >> Read all info | Copy and paste to Notepad | Click the [+] Related
> >> Knowledge Base articles | Follow any links that might be useful
> >>
> >> HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;308427
> >>
> >> Event Viewer overview
> >>
> http://www.microsoft.com/resources/documentation/window...
> >>
> >> This can also be very useful.
> >> You need to have the Event ID & the Event Source.
> >>
> >> To view Windows XP Events and Errors, type the Source (for example,
> >> Print) and/or the Event code (for example, 20) into the ID field,
> >> then click the Go button. Source and Event codes may be found in
> >> the Event Viewer logs.
> >>
> >> Windows XP Home/Professional Events and Errors
> >>
> http://www.microsoft.com/technet/support/ee/search.aspx...
> >>
> >> --
> >> Hope this helps. Let us know.
> >>
> >> Wes
> >> MS-MVP Windows Shell/User
> >>
> >> In news:36B7EF3A-84CB-43FF-AE71-0809F24ED301@microsoft.com,
> >> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> >>> Hi Wes,
> >>> Yes, it appears that did help.
> >>> It shows disabled, instead of being started.
> >>> I also see no entries listed of a remote access in the event viewer.
> >>> Whoo hoo..LOL
> >>>
> >>> This entry in the event viewer looks good:
> >>> The Remote Access Connection Manager service was successfully sent a
> >>> stop control.
> >>> Thank you for helping me get that turned off.
> >>>
> >>> However, when I just rebooted, I did see these, which do not look
> >>> good in my opinion, but I could be wrong:
> >>>
> >>> The first one has been going on for a long time, and is still
> >>> showing.
> >>>
> >>> Logon Failure:
> >>> Reason: Unknown user name or bad password
> >>> User Name: Owner
> >>> Domain: OWNER-1E81AA74C
> >>> Logon Type: 2
> >>> Logon Process: Advapi
> >>> Authentication Package: Negotiate
> >>> Workstation Name: OWNER-1E81AA74C
> >>>
> >>> The protected system file c:\windows\system32\racpldlg.dll could not
> >>> be verified as valid because Windows File Protection is terminating.
> >>> Use the SFC utility to verify the integrity of the file at a later
> >>> time.
> >>>
> >>> The TCP/IP NetBIOS Helper service depends on the AFD service which
> >>> failed to start because of the following error:
> >>> A device attached to the system is not functioning.
> >>>
> >>> Your computer was not able to renew its address from the network
> >>> (from the DHCP Server) for the Network Card with network address
> >>> 0011099706B4. The following error occurred:
> >>> The semaphore timeout period has expired. . Your computer will
> >>> continue to try and obtain an address on its own from the network
> >>> address (DHCP) server.
> >>>
> >>> Your computer has detected that the IP address 66.25.204.98 for the
> >>> Network Card with network address 0011099706B4 is already in use on
> >>> the network. Your computer will automatically attempt to obtain a
> >>> different address.
> >>>
> >>> Your computer has detected that the IP address 0.0.0.0 for the
> >>> Network Card with network address 0011099706B4 is already in use on
> >>> the network. Your computer will automatically attempt to obtain a
> >>> different address.
> >>>
> >>> Your computer was not able to renew its address from the network
> >>> (from the DHCP Server) for the Network Card with network address
> >>> 0011099706B4. The following error occurred:
> >>> The semaphore timeout period has expired. . Your computer will
> >>> continue to try and obtain an address on its own from the network
> >>> address (DHCP) server.
> >>>
> >>> The following boot-start or system-start driver(s) failed to load:
> >>> Aavmker4
> >>> AFD
> >>> aswTdi
> >>> Fips
> >>> intelppm
> >>> IPSec
> >>> MRxSmb
> >>> NetBIOS
> >>> NetBT
> >>> RasAcd
> >>> Rdbss
> >>> Tcpip
> >>> vsdatant
> >>>
> >>> Looks like a fun time huh?
> >>>
> >>> Kim
> >>>
> >>> "Wesley Vogel" wrote:
> >>>
> >>>> Kim,
> >>>>
> >>>> Reboot.
> >>>>
> >>>> And then check on the Remote Access Connection Manager in Services,
> >>>> it probably won't have started since you disabled it.
> >>>>
> >>>> --
> >>>> Hope this helps. Let us know.
> >>>>
> >>>> Wes
> >>>> MS-MVP Windows Shell/User
> >>>>
> >>>> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
> >>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> >>>>> Hi Wesley,
> >>>>> Here are the results from what I just did in the services.msc.
> >>>>>
> >>>>> The Remote Access Auto Connection was already stopped, and I did
> >>>>> the type set to disabled.
> >>>>>
> >>>>> The Remote Desktop Help Session Manager, was also stopped, and I
> >>>>> did the type set to disabled.
> >>>>>
> >>>>> The Remote Access Connection Manager would not allow me to stop
> >>>>> it. The type set is set to Start, but I got an error saying :
> >>>>> Could not stop the Remote Access Connection Manager on Local
> >>>>> Computer. Error 1053: The service did not respond to the start or
> >>>>> control request in a timely fashion.
> >>>>> Anyway, I did the type set to Disabled.
> >>>>>
> >>>>> I am not sure if I should have, but I stopped the secondary logon,
> >>>>> and set it to disabled too.
> >>>>>
> >>>>> It looks like there are a lot of things there I would like to
> >>>>> disable, but I won't without some kind of assistance first.
> >>>>>
> >>>>> Now, when I right click on my computer/properties/remote tab, it
> >>>>> is unchecked to Allow Remote Assistance invitations to be sent
> >>>>> from this computer.
> >>>>> There was not another option listed.
> >>>>>
> >>>>> Kim
> >>>>>
> >>>>> "Wesley Vogel" wrote:
> >>>>>
> >>>>>> [[Remote Access Auto Connection Manager is on by default in
> >>>>>> Windows XP Professional computers that are not members of a
> >>>>>> domain and in Windows XP Home Edition.]]
> >>>>>>
> >>>>>> Open Services and disable Remote Access Auto Connection
> >>>>>> Manager...
> >>>>>>
> >>>>>> Start | Run | Type: services.msc | Click OK |
> >>>>>> Scroll down to and double click: Remote Access Auto Connection
> >>>>>> Manager | If the service is running, click the Stop button | When
> >>>>>> it has stopped, under Startup
> >>>>>> type set to Disabled | Apply | OK |
> >>>>>>
> >>>>>> Do the same for Remote Access Connection Manager & Remote Desktop
> >>>>>> Help Session Manager.
> >>>>>>
> >>>>>> Right click My Computer | Properties | Remote tab |
> >>>>>> Make sure that both of these are UNChecked:
> >>>>>> • Allow Remote Assistance invitations to be sent from this computer
> >>>>>> • Allow users to connect remotely to this computer
> >>>>>>
> >>>>>> Turn on a firewall.
> >>>>>>
> >>>>>> --
> >>>>>> Hope this helps. Let us know.
> >>>>>>
> >>>>>> Wes
> >>>>>> MS-MVP Windows Shell/User
> >>>>>>
> >>>>>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
> >>>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> >>>>>>> I have very very strange entries in my registry and event viewer
> >>>>>>> that are adding up to no good.
> >>>>>>>
> >>>>>>> I have talked with Microsoft today, and what we tried did not
> >>>>>>> solve the problem.
> >>>>>>> I really don't want to wait until Monday to call them back.
> >>>>>>>
> >>>>>>> Does anyone know where I might find where remote access
> >>>>>>> connection manager is in the registry?
>
>
Anonymous
March 9, 2005 11:55:48 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kim,

My advice is to ignore Event ID 680 & 529. That's what I do. I get them
both quite often.

ID: 540 Source: Security

[[User Action
No user action is required.]]
http://www.microsoft.com/technet/support/ee/result.aspx...

After the novelty wears off you'll quit worrying about what the firewall
reports and just block every incoming. Although the SPACE AND NAVAL WARFARE
SYSTEM COMMAND is more interesting than anything I ever got. ;-) Maybe
they need some more computing power and heard about you. <LOL>

Keep having fun!

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In news:81A8C14C-071B-47D5-8BE4-AE5E5A6F52EC@microsoft.com,
TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
> LOL Wes...
>
> Actually I am now more confused.
>
> I have checked out the articles at:
>
> http://support.microsoft.com/?kbid=305822
>
> http://support.microsoft.com/?kbid=811082
>
> http://support.microsoft.com/?kbid=305822
>
> Mine are similar, but not the same. I am not sure if that matters or
> not. There are always 4 failures in a row.
>
> The first being:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
> Date: date
> Time: time
> User: NT AUTHORITY\SYSTEM
> Computer: %computer name%
> Description:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: %user name%
> Source Workstation: %computer name%
> Error Code: 0xC000006A
>
> Then
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: date
> Time: time
> User: NT AUTHORITY\SYSTEM
> Computer: %computer name%
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: %user name%
> Domain: %computer name%
> Logon Type: 2
> Logon Process: Advapi
> Authentication Package: Negotiate
> Workstation Name: %computer name%
>
> Then
>
> Both of the two errors above repeated once again.
>
> What I got out of the MS articles is:
>
> 1. Disable the Welcome screen and use the classic logon screen
> (which I don't know how to do)
> 2. This was supposed to be fixed with sp1. Guess what? It wasn't ...LOL
> 3. Turn off auditing of logon events.
> To do this, the article on:
> http://support.microsoft.com/?kbid=305822
> tells me to:
>
> To turn off auditing in the Microsoft Management Console (MMC)
> snap-in for Group Policy:
>
> 1. Click Start, click Run, type gpedit.msc, and then click OK.
>
> But
>
> My computer stops me from going any farther, as I get an error
> saying my computer can't find gpedit.msc.
>
> 2. In the left pane, expand the following items:
> • Local Computer Policy
> • Computer Configuration
> • Windows Settings
> • Security Settings
> • Local Policy
> 3. Click Audit Policy.
> 4. Double-click Audit Logon Events.
> 5. Click to clear the Success and Failure check boxes.
> 6. Click OK.
> 7. Close the Group Policy window.
>
> Do you know why I would be getting this success event?
>
> Date:
> Time:
> Type: Success Audit
> Source: Security
> Category: Logon/Logoff
> Event ID: 540
> User: NT AUTHORITY\ANONYMOUS LOGON
> Computer: owner
> Successful Network Logon:
> User Name:
> Domain:
> Logon ID: (0x0,0x2C33D)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name:
> Logon GUID: {00000000-0000-0000-0000-000000000000}
>
> This is all getting to be too much. I just want to use my computer to
> have fun, and enjoy myself.
> All this spyware, adware, trojans, worms, yada yada yada is to the
> point of being ridiculous.
> If there is help on the way for us home computer users, it can't come
> soon enough.
>
> I don't ever remember having this many problems using 98, or ME. At
> least not to my knowledge.
> I'm sure they had their problems too,.....but everyday, I look at
> those other 2 computers sitting there on the other side of the room,
> and my thoughts are getting closer to swapping them out to use,
> instead of this XP one..LOL
>
> And, if those people in China and Korea don't stop pinging me, I
> think I'll scream.
>
> I just got probed by someone with the IP address of 205.98.250.77,
> using the name:
> SPACE AND NAVAL WARFARE SYSTEM COMMAND
> City: WASHINGTON
>
> Don't these people have anything better to do? And what's in it for
> them?
>
> Thanks for the help Wes,
>
> Kim
>
> "Wesley Vogel" wrote:
>
>> Kim,
>>
>> These??
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Account Logon
>> Event ID: 680
>>
>> Failure Events Are Logged When the Welcome Screen Is Enabled
>> http://support.microsoft.com/?kbid=305822
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 529
>>
>> [[The event occurred on Windows XP if the machine environment meets
>> the following criteria:
>> - The machine is a member of a domain.
>> - The machine is using a machine local account.
>> - Logon failure auditing is enabled.
>> When the user logs off, Windows will write event ID 529 to the log
>> file because
>> the OS incorrectly tries to contact the domain controller (DC),
>> despite the fact that the machine is using a local account.
>> Microsoft currently doesn't provide a fix for this problem, but you
>> can safely ignore this event ID.]]
>>
>> Security Event 529 Is Logged for Local User Accounts
>> http://support.microsoft.com/?kbid=811082
>>
>> Failure Events Are Logged When the Welcome Screen Is Enabled
>> http://support.microsoft.com/?kbid=305822
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:0A64EB31-56BB-4716-A7A7-6BF5085C43AA@microsoft.com,
>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>> Hi Wes,
>>> Yes that information does help. Thank you.
>>> I agree that the information of the Event ID & the Event Source are
>>> very important.
>>> Too bad it wasn't you that I talked with while on the phone with
>>> Microsoft.
>>>
>>> The Microsoft tech and I talked for hours on the phone yesterday,
>>> and I was told that my computer is clean, and everything is fine. We
>>> tried all sorts of things looking for viruses/worms. We purged the
>>> cache, cleared out SSL state, ran scans, and cleaned out passwords,
>>> and even deleted a couple of folders in the registry.
>>> I ended up telling him I would just take my computer into the shop.
>>> I was told it would be a waste of my money..LOL
>>> He did not seem to care about the info of the Event ID & the Event
>>> Source.
>>> I am still having way too many unknown user name/bad password
>>> entries. I also do not like the successful ANONYMOUS LOGONs.
>>>
>>> Maybe I'm crazy, but these two entries alone, do not look right to
>>> me, as they are still happening.
>>>
>>> Thanks for the links. Especially the one for events and errors help.
>>>
>>> Kim
>>>
>>> "Wesley Vogel" wrote:
>>>
>>>> Kim,
>>>>
>>>> Event ID & the Event Source are very important.
>>>>
>>>> To open the Event Viewer...
>>>> Start | Run | Type: eventvwr | OK
>>>>
>>>> For any Events that seem related to the problem...
>>>>
>>>> Double click the event in Event Viewer | Click: the button below
>>>> the second arrow (looks like two pages) [[Copies the details of the
>>>> event to the Clipboard.]] | Paste into Notepad | Click:
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>
>>>> Read all info | Copy and paste to Notepad | Click the [+] Related
>>>> Knowledge Base articles | Follow any links that might be useful
>>>>
>>>> HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;308427
>>>>
>>>> Event Viewer overview
>>>>
>>
http://www.microsoft.com/resources/documentation/window...
>>>>
>>>> This can also be very useful.
>>>> You need to have the Event ID & the Event Source.
>>>>
>>>> To view Windows XP Events and Errors, type the Source (for example,
>>>> Print) and/or the Event code (for example, 20) into the ID field,
>>>> then click the Go button. Source and Event codes may be found in
>>>> the Event Viewer logs.
>>>>
>>>> Windows XP Home/Professional Events and Errors
>>>>
>>
http://www.microsoft.com/technet/support/ee/search.aspx...
>>>>
>>>> --
>>>> Hope this helps. Let us know.
>>>>
>>>> Wes
>>>> MS-MVP Windows Shell/User
>>>>
>>>> In news:36B7EF3A-84CB-43FF-AE71-0809F24ED301@microsoft.com,
>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>> Hi Wes,
>>>>> Yes, it appears that did help.
>>>>> It shows disabled, instead of being started.
>>>>> I also see no entries listed of a remote access in the event
>>>>> viewer. Whoo hoo..LOL
>>>>>
>>>>> This entry in the event viewer looks good:
>>>>> The Remote Access Connection Manager service was successfully
>>>>> sent a stop control.
>>>>> Thank you for helping me get that turned off.
>>>>>
>>>>> However, when I just rebooted, I did see these, which do not look
>>>>> good in my opinion, but I could be wrong:
>>>>>
>>>>> The first one has been going on for a long time, and is still
>>>>> showing.
>>>>>
>>>>> Logon Failure:
>>>>> Reason: Unknown user name or bad password
>>>>> User Name: Owner
>>>>> Domain: OWNER-1E81AA74C
>>>>> Logon Type: 2
>>>>> Logon Process: Advapi
>>>>> Authentication Package: Negotiate
>>>>> Workstation Name: OWNER-1E81AA74C
>>>>>
>>>>> The protected system file c:\windows\system32\racpldlg.dll could
>>>>> not be verified as valid because Windows File Protection is
>>>>> terminating. Use the SFC utility to verify the integrity of the
>>>>> file at a later time.
>>>>>
>>>>> The TCP/IP NetBIOS Helper service depends on the AFD service which
>>>>> failed to start because of the following error:
>>>>> A device attached to the system is not functioning.
>>>>>
>>>>> Your computer was not able to renew its address from the network
>>>>> (from the DHCP Server) for the Network Card with network address
>>>>> 0011099706B4. The following error occurred:
>>>>> The semaphore timeout period has expired. . Your computer will
>>>>> continue to try and obtain an address on its own from the network
>>>>> address (DHCP) server.
>>>>>
>>>>> Your computer has detected that the IP address 66.25.204.98 for
>>>>> the Network Card with network address 0011099706B4 is already in
>>>>> use on the network. Your computer will automatically attempt to
>>>>> obtain a different address.
>>>>>
>>>>> Your computer has detected that the IP address 0.0.0.0 for the
>>>>> Network Card with network address 0011099706B4 is already in use
>>>>> on the network. Your computer will automatically attempt to
>>>>> obtain a different address.
>>>>>
>>>>> Your computer was not able to renew its address from the network
>>>>> (from the DHCP Server) for the Network Card with network address
>>>>> 0011099706B4. The following error occurred:
>>>>> The semaphore timeout period has expired. . Your computer will
>>>>> continue to try and obtain an address on its own from the network
>>>>> address (DHCP) server.
>>>>>
>>>>> The following boot-start or system-start driver(s) failed to load:
>>>>> Aavmker4
>>>>> AFD
>>>>> aswTdi
>>>>> Fips
>>>>> intelppm
>>>>> IPSec
>>>>> MRxSmb
>>>>> NetBIOS
>>>>> NetBT
>>>>> RasAcd
>>>>> Rdbss
>>>>> Tcpip
>>>>> vsdatant
>>>>>
>>>>> Looks like a fun time huh?
>>>>>
>>>>> Kim
>>>>>
>>>>> "Wesley Vogel" wrote:
>>>>>
>>>>>> Kim,
>>>>>>
>>>>>> Reboot.
>>>>>>
>>>>>> And then check on the Remote Access Connection Manager in
>>>>>> Services, it probably won't have started since you disabled it.
>>>>>>
>>>>>> --
>>>>>> Hope this helps. Let us know.
>>>>>>
>>>>>> Wes
>>>>>> MS-MVP Windows Shell/User
>>>>>>
>>>>>> In news:452BD71A-2811-4B73-AFCA-5A9930F9F063@microsoft.com,
>>>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>>>> Hi Wesley,
>>>>>>> Here are the results from what I just did in the services.msc.
>>>>>>>
>>>>>>> The Remote Access Auto Connection was already stopped, and I did
>>>>>>> the type set to disabled.
>>>>>>>
>>>>>>> The Remote Desktop Help Session Manager, was also stopped, and I
>>>>>>> did the type set to disabled.
>>>>>>>
>>>>>>> The Remote Access Connection Manager would not allow me to stop
>>>>>>> it. The type set is set to Start, but I got an error saying :
>>>>>>> Could not stop the Remote Access Connection Manager on Local
>>>>>>> Computer. Error 1053: The service did not respond to the start
>>>>>>> or control request in a timely fashion.
>>>>>>> Anyway, I did the type set to Disabled.
>>>>>>>
>>>>>>> I am not sure if I should have, but I stopped the secondary
>>>>>>> logon, and set it to disabled too.
>>>>>>>
>>>>>>> It looks like there are a lot of things there I would like to
>>>>>>> disable, but I won't without some kind of assistance first.
>>>>>>>
>>>>>>> Now, when I right click on my computer/properties/remote tab, it
>>>>>>> is unchecked to Allow Remote Assistance invitations to be sent
>>>>>>> from this computer.
>>>>>>> There was not another option listed.
>>>>>>>
>>>>>>> Kim
>>>>>>>
>>>>>>> "Wesley Vogel" wrote:
>>>>>>>
>>>>>>>> [[Remote Access Auto Connection Manager is on by default in
>>>>>>>> Windows XP Professional computers that are not members of a
>>>>>>>> domain and in Windows XP Home Edition.]]
>>>>>>>>
>>>>>>>> Open Services and disable Remote Access Auto Connection
>>>>>>>> Manager...
>>>>>>>>
>>>>>>>> Start | Run | Type: services.msc | Click OK |
>>>>>>>> Scroll down to and double click: Remote Access Auto Connection
>>>>>>>> Manager | If the service is running, click the Stop button |
>>>>>>>> When
>>>>>>>> it has stopped, under Startup
>>>>>>>> type set to Disabled | Apply | OK |
>>>>>>>>
>>>>>>>> Do the same for Remote Access Connection Manager & Remote
>>>>>>>> Desktop
>>>>>>>> Help Session Manager.
>>>>>>>>
>>>>>>>> Right click My Computer | Properties | Remote tab |
>>>>>>>> Make sure that both of these are UNChecked:
>>>>>>>> • Allow Remote Assistance invitations to be sent from this computer
>>>>>>>> • Allow users to connect remotely to this computer
>>>>>>>>
>>>>>>>> Turn on a firewall.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Hope this helps. Let us know.
>>>>>>>>
>>>>>>>> Wes
>>>>>>>> MS-MVP Windows Shell/User
>>>>>>>>
>>>>>>>> In news:E8DF3AE0-4FCB-47DB-8EEA-BAED4DBF1773@microsoft.com,
>>>>>>>> TxRose <TxRose@discussions.microsoft.com> hunted and pecked:
>>>>>>>>> I have very very strange entries in my registry and event
>>>>>>>>> viewer that are adding up to no good.
>>>>>>>>>
>>>>>>>>> I have talked with Microsoft today, and what we tried did not
>>>>>>>>> solve the problem.
>>>>>>>>> I really don't want to wait until Monday to call them back.
>>>>>>>>>
>>>>>>>>> Does anyone know where I might find where remote access
>>>>>>>>> connection manager is in the registry?
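The rules Wes quotes from the KB articles (a 680 followed by a 529 from the local machine is the Welcome-screen artefact; a 540 for ANONYMOUS LOGON over NTLM needs no action) can be applied mechanically to the "4 failures in a row" Kim pasted, which is the quickest way to separate the known-benign noise from a failure that actually deserves a look. The script below is an added example, not code from the thread, from Microsoft or from any Event Viewer tool. It parses event dumps in the "Field: value" layout Event Viewer's copy button produces and labels each one. The computer name OWNER-1E81AA74C and the field names are taken from the thread; the sample events are constructed, and the last one (a failed Logon Type 3 from an invented host PROBE-PC) is there to show what a failure that is not the KB artefact looks like.

```python
"""Triage Windows XP Security-log entries like the ones pasted above.

Added example, not code from the thread or from Microsoft.  Rules applied:
  680 (0xC000006A) then 529 (Logon Type 2, Advapi), both naming the local
  computer                                 -> KB 305822 Welcome-screen pair
  540 ANONYMOUS LOGON, Logon Type 3, NTLM  -> anonymous network logon
  any other failed logon (e.g. Type 3 or 10 from another host) -> review
OWNER-1E81AA74C is the thread's computer name; PROBE-PC is invented.
"""
import re

FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")  # one "Field: value" line


def parse_events(text: str) -> list:
    """One {field: value} dict per event; every 'Event Type:' line starts a new one."""
    events, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event Type:") and cur:
            events.append(cur)
            cur = {}
        m = FIELD.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    if cur:
        events.append(cur)
    return events


def classify(ev: dict, computer: str) -> str:
    """Label one event with the rules above; 'review' means look closer."""
    eid, here = ev.get("Event ID"), computer.upper()
    if eid == "680":
        if (ev.get("Error Code", "").upper() == "0XC000006A"
                and ev.get("Source Workstation", "").upper() == here):
            return "local-bad-password"
        return "review"
    if eid == "529":
        if (ev.get("Logon Type") == "2" and ev.get("Logon Process") == "Advapi"
                and ev.get("Workstation Name", "").upper() == here):
            return "local-interactive-failure"
        return "review"  # a network or remote failure is not the KB artefact
    if eid == "540":
        if ("ANONYMOUS LOGON" in ev.get("User", "").upper()
                and ev.get("Logon Type") == "3"
                and ev.get("Authentication Package") == "NTLM"):
            return "anonymous-network-logon"
        return "network-logon"
    return "other"


def triage(text: str, computer: str) -> dict:
    """Count KB-305822 pairs and anonymous logons; hand the rest to a human."""
    events = parse_events(text)
    labels = [classify(e, computer) for e in events]
    pairs = sum(1 for i in range(len(labels) - 1)
                if labels[i] == "local-bad-password"
                and labels[i + 1] == "local-interactive-failure")
    return {"events": len(events),
            "welcome_screen_pairs": pairs,
            "anonymous_logons": labels.count("anonymous-network-logon"),
            "needs_review": [e for e, lbl in zip(events, labels) if lbl == "review"]}


# Constructed samples in the layout Event Viewer's copy button produces.
PAIR = """\
Event Type: Failure Audit
Event ID: 680
Logon account: Owner
Source Workstation: OWNER-1E81AA74C
Error Code: 0xC000006A
Event Type: Failure Audit
Event ID: 529
User Name: Owner
Domain: OWNER-1E81AA74C
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: OWNER-1E81AA74C
"""
ANON = """\
Event Type: Success Audit
Event ID: 540
User: NT AUTHORITY\\ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
"""
REMOTE = """\
Event Type: Failure Audit
Event ID: 529
User Name: Administrator
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PROBE-PC
"""
SAMPLE = PAIR * 2 + ANON + REMOTE  # "4 failures in a row", the 540, one to check
```

Run `triage(SAMPLE, "OWNER-1E81AA74C")` and the two Welcome-screen pairs and the single anonymous logon are counted off as the KB articles describe, while only the constructed PROBE-PC failure is returned under `needs_review`. The point of the split is the source: a bad password logged by the machine against itself at logon type 2 is the local artefact, whereas a logon type 3 or 10 failure naming another workstation is what remote password guessing looks like, and that is the entry worth keeping the audit policy on for.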