Dear Microsoft, I have had an intruder in my computer system in various ways over 1 year of time. No person I have hired can help me Enclosed is information from my event viewer. Just wondering if this could be part of an intruder? I really need help in resolving this issue, both mentally and aaaurance of computer security . Thank you for any help you may offer. Also, is there a way or program to reveil who logs onto my computer and identifies the person and computer? I have tried sending my concerns (freak out) to Microsoft before. I never received any help of answers, both from phone calls and emails. Once again, thank you. Cheryle K. Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 4/19/2011 11:11:28 AM Event ID: 4624 Task Category: Logon Level: Information Keywords: Audit Success User: N/A Computer: cherylefula Description: An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0xa2226a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: CORPORATETAX Source Network Address: 192.168.1.117 Source Port: 49194 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4624</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2011-04-19T18:11:28.300626100Z" /> <EventRecordID>2714</EventRecordID> <Correlation /> <Execution ProcessID="552" ThreadID="2768" /> <Channel>Security</Channel> <Computer>cherylefula</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-5-7</Data> <Data Name="TargetUserName">ANONYMOUS LOGON</Data> <Data Name="TargetDomainName">NT AUTHORITY</Data> <Data Name="TargetLogonId">0xa2226a</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">CORPORATETAX</Data> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">NTLM V1</Data> <Data Name="KeyLength">128</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">192.168.1.117</Data> <Data Name="IpPort">49194</Data> </EventData> </Event> Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 4/19/2011 11:11:28 AM Event ID: 4624 Task Category: Logon Level: Information Keywords: Audit Success User: N/A Computer: cherylefula Description: An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0xa2226a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: CORPORATETAX Source Network Address: 192.168.1.117 Source Port: 49194 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4624</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2011-04-19T18:11:28.300626100Z" /> <EventRecordID>2714</EventRecordID> <Correlation /> <Execution ProcessID="552" ThreadID="2768" /> <Channel>Security</Channel> <Computer>cherylefula</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-5-7</Data> <Data Name="TargetUserName">ANONYMOUS LOGON</Data> <Data Name="TargetDomainName">NT AUTHORITY</Data> <Data Name="TargetLogonId">0xa2226a</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">CORPORATETAX</Data> <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">NTLM V1</Data> <Data Name="KeyLength">128</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">192.168.1.117</Data> <Data Name="IpPort">49194</Data> </EventData> </Event> Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 4/19/2011 11:11:38 AM Event ID: 4634 Task Category: Logoff Level: Information Keywords: Audit Success User: N/A Computer: cherylefula Description: An account was logged off. Subject: Security ID: ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0xa22292 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4634</EventID> <Version>0</Version> <Level>0</Level> <Task>12545</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2011-04-19T18:11:38.581044200Z" /> <EventRecordID>2717</EventRecordID> <Correlation /> <Execution ProcessID="552" ThreadID="672" /> <Channel>Security</Channel> <Computer>cherylefula</Computer> <Security /> </System> <EventData> <Data Name="TargetUserSid">S-1-5-7</Data> <Data Name="TargetUserName">ANONYMOUS LOGON</Data> <Data Name="TargetDomainName">NT AUTHORITY</Data> <Data Name="TargetLogonId">0xa22292</Data> <Data Name="LogonType">3</Data> </EventData> </Event> Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 4/19/2011 11:11:38 AM Event ID: 4634 Task Category: Logoff Level: Information Keywords: Audit Success User: N/A Computer: cherylefula Description: An account was logged off. Subject: Security ID: ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0xa22292 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4634</EventID> <Version>0</Version> <Level>0</Level> <Task>12545</Task> <Opcode>0</Opcode> <Keywords>0x8020000000000000</Keywords> <TimeCreated SystemTime="2011-04-19T18:11:38.581044200Z" /> <EventRecordID>2717</EventRecordID> <Correlation /> <Execution ProcessID="552" ThreadID="672" /> <Channel>Security</Channel> <Computer>cherylefula</Computer> <Security /> </System> <EventData> <Data Name="TargetUserSid">S-1-5-7</Data> <Data Name="TargetUserName">ANONYMOUS LOGON</Data> <Data Name="TargetDomainName">NT AUTHORITY</Data> <Data Name="TargetLogonId">0xa22292</Data> <Data Name="LogonType">3</Data> </EventData> </Event>

I'm no security expert but I do know something about the Logon events. Forgive me if I'm telling you stuff you already know. The errors have a "Logon Type: 3" which means it is someone accessing your PC from a network. This is common if you have shared files/printers or run a webserver (like IIS). The fact that the user name is "Anonymous Logon" also points to an IIS webserver. Their is also information about the PC that the request came from Workstation Name: CORPORATETAX Source Network Address: 192.168.1.117 This implies that the person's PC was called CORPORATETAX and their IP address came from a local computer on your network (192.168.x.x are from your local network) First I would make sure you have enabled a firewall on your computer to block anything external getting in. Can you tell us a bit more about your PC, e.g. what is your Operating System and Service Pack. Do you have IIS or another web server installed on your PC?Thom McKiernan (UK) @thommck | thommck.wordpress.com | MCSA | MCTS