All, Every 30 seconds we are receiving failed logins from a certain IP addresses on our network. The IP addresses are always the same. The events look like below: Jan 20 08:54:34 dcint2 AgentDevice=WindowsLog AgentLogFile=Security Source=Security Computer=DCINT2 User= Domain=NT AUTHORITY EventID=680 EventIDCode=680 EventType=16 EventCategory= RecordNumber=1120442225 TimeGenerated=20110120085434.000000-360 TimeWritten=20110120085434.000000-360 Message=Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account:<<USER NAME>> Source Workstation:\\\\<<IP ADDRESS>> Error Code:0xC000006A We've run virus and malware scanners from two different vendors on these systems and they don't show as being infected. The source operating systems are various versions of Windows ranging from Windows XP to 2008 Server. Are these caused by cached login credentials? Mapped network drives? Services? Any help as to where to look would be greatly appreciated. Thanks! Jeremy

Message=Logon attempt by:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account:<<USER NAME>> Source Workstation:\\\\<<IP ADDRESS>> Error Code:0xC000006A Error Code: 0xC000006A. That means that an incorrect password was supplied. For more information, refer to this Microsoft article. Have a look to this Microsoft article. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

Hi, I am seeing exactly the same behaviour, with failed logins with the source IP address in the field and I have run 3 anti-virus applications and I do not see anything running as a virus. Thanks