Anonymous Logon???

[jsteph]

In my Event Viewer, there's always a logon event for Anonymous. What's up with that? Is that normal?
Below are details from Event Viewer:

Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xFBBF)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

Can anyone tell me if this should be happening?
Thanks,
--jsteph

 

[bcastner]

It is your Guest account, with a previously mapped share.

If this is Windows XP and you are using the in-box defualt sharing, this indicates that someone accessed a share you created on your machine. By defualt a Windows XP computer that is not on a domain uses what is called Simple File Sharing, this model uses the local guest account on the computer with no password to allow others to access file shares that are located on that computer.

 

[jsteph]

bcastner,
I'm not using simple file sharing. This is XP Pro, but not on a domain. I have some drives mapped to other XP boxes and a Win 98 box, and a couple of those have drives mapped to this machine. But I rebooted a minute ago, and the Anonymous logged on right around bootup time according to the log. So I think I'm safe that it isn't some random hacker getting into my machine by just sniffing around, but I'm curious what would cause a logon like this.
--jsteph

 

[bcastner]

Is the Guest account enabled?

 

[jsteph]

No, the Guest account is disabled. The other enabled accounts that I did not create are:

VUSER_JIMOFFICE
IUSER_JIMOFFICE
IWAM_JIMOFFICE
ASPNET

I do have an FTP site but it is in Stopped state at bootup, I only start it when someone I know needs files from me and then I open port 21 on my router and start ftp. But now that I think of it I still don't allow anonymous for that, I have a separate user/pwd that I give to those who need files, and this account only has access to the ftproot. I have a vpn dialer but it does not connect at bootup, though the service is started.
Thanks for any insight, this is creeping me out a bit.
--jsteph

 

[bcastner]

Are you using cable broadband?
This might be the 'Broadjump Client Foundation' software used by many cable systems:

http://www.computercops.biz/postp63795.html

 

[jsteph]

Yes I am using cable broadband. But I can't find anything like the stuff shown in that link. No broadjump in add/remove programs, nothing in the registry. I found a Real player item, 'realsched' running, and took that out of the startup items, but Anonymous is still there after reboot.

Is there a way to view a list of users logged on to this machine, and then selectively log one out? I'd like to log out Anonymous and see what breaks.
--jsteph

 

[bcastner]

Unless you are using Fast User Switching, there can only be one active logon.

 

[jsteph]

I don't know what happened to my other reply, but this may be duplicate...

I'm not using fast-user switching. But I'm not sure what you mean by 'active logon'. There are several users logged on, ie "SYSTEM", "LOCAL SERVICE", and "NETWORK SERVICE". I know these users aren't malicious, so I'm fine with them. But Anonymous I'm not so sure of, I'd like to be able to find some MMC or list or whatever to select this logon and kill it to see what happens. I'm thinking it logs on as part of some service or something, but I can't easily find any services that look out of place.

Is anything like that possible?
--jsteph