New User created without my permission? Doesn't exist in registry.


  1. Posts : 10
    Windows 7 Ultimate x64
       #1

    New User created without my permission by "SYSTEM"


    Hi All,

    After a recent reboot last week I wound up at an unfamiliar "choose user" screen during the Windows start-up process. I personally didn't create a user, and this user just appeared out of nowhere. So I thought nothing of it, logged on, deleted the user from the management console and went on with my day. I rebooted within the next day or two and the user magically reappeared. I am now a little fed up, and a little worried.

    I traced back to the first time the user was created in the Windows security logs, and it turns out the user was created by the SYSTEM account after the SYSTEM account acquired new permissions. Maybe I am reading too far into this, but any help will be appreciated. Attached to this post is the error log. The errors logged were in the middle of the night, and over the course of 30 minutes. As mentioned before, this user does not exist in the registry, or "control userpasswords2", but comes up in the management console and "users" menu in the control panel.
    Last edited by lczaplicki; 25 Feb 2013 at 23:25.


  2. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #2

    Anyone? :)


  3. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #3

    Hi lczaplicki, welcome to 7F! :)

    One item I could pick out was Primary Group ID: 513. That means whatever is doing this is a Domain User.

    Values for primaryGroupID:
    513 Domain Users
    514 Domain Guests
    515 Domain Computers
    516 Domain Controllers

    Do you have the event ID and source?


  4. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #4

    Event IDs range 4672, 4720, 4728, 4724, 4738, 4722, 4732, 4717, 4725, 4762. I pulled it from the security auditing log. Funny thing is I do not belong to any domain, just a standalone desktop at home, used for school and work. OK, and a few games.

    Keep trying to delete the account, and it keeps coming back. I have not done any recent installs or uninstalls. Not picked up by ESET Smart Security, Malwarebytes Anti-Malware, or even HijackThis. Didn't try logging in as this user though.


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #5

    ESET is probably creating the account - see this post:
    TCP Flooding Attack


  6. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #6

    Can you post something similar to this?

    Code:
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID:  680
    Date:  12/27/2003
    Time:  7:49:48 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: MYPENTIUM450
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account:  <Your user account>
    Source Workstation: MYPENTIUM450
    Error Code: 0xC000006E

    With those IDs and this at the top of your .txt file:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x3e7

    I'm thinking something to do with Microsoft phoning home because of an error reporting or updating feature they have for some of their programming.

    You will need to see if there is a process associated with those event IDs.
    See: What Is Logon ID 0x3e7 (Security Guidance)

    That's possible UI, I just saw a similar posting on that the other day.


  7. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #7

    Now that does seem to be very possible. I did recently update ESET and sign up for their tracking. Thanks, this thread might just be solved.


  8. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #8

    I have attached a saved log in zip. But as UsernameIssues has already mentioned, I do suspect it may be the Anti-Theft feature by ESET. Will keep you posted.


  9. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #9

    You will need to see if ESET is the process associated with those event IDs.


  10. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #10

    As only one ID was associated with System32\Services.exe, I decided to go into ESET and try and configure the "Anti-Theft" tool they have provided with the most recent ESET Smart Security 6 Update. After removing the user, and rebooting, the ghost user hasn't come back. I will give it a day or two as I am going to call it a night for now, and I will post back if anything changes.

    Overall I would like to thank you for your help!
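
Added example, not part of any post in this thread: one way to turn the account-management event IDs quoted in post #4 into a timeline showing which account was touched and which subject and logon session (for example SYSTEM, 0x3e7) made the change. The field names are the standard EventData names for these Security events; the selection of IDs and the column layout are choices made for this example.

```powershell
# Run from an elevated PowerShell prompt: reading the Security log needs administrator rights.
# Account-management IDs from post #4. 4672 (special privileges assigned) is left out
# because it is logged for every privileged logon and would drown the timeline.
$ids = 4720, 4722, 4724, 4725, 4728, 4732, 4738

$timeline = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_
        # Named fields are stored as <EventData><Data Name="...">value</Data></EventData>.
        $xml = [xml]$e.ToXml()
        $f = @{}
        foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }

        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Id        = $e.Id
            # For 4728/4732 the target is the group; the account added to it is MemberSid.
            Target    = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
            MemberSid = $f['MemberSid']
            # Who made the change, and from which logon session.
            Subject   = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
            LogonId   = $f['SubjectLogonId']
        }
    }

# Full timeline, oldest first.
$timeline | Sort-Object Time |
    Select-Object Time, Id, Target, MemberSid, Subject, LogonId |
    Format-Table -AutoSize

# Account creations only (4720): the first row for a reappearing account shows
# when it was first created and under which subject.
$timeline | Where-Object { $_.Id -eq 4720 } | Sort-Object Time |
    Select-Object Time, Target, Subject, LogonId |
    Format-Table -AutoSize
```

These events record the subject account and logon ID but no process name, so tying them to a specific program still depends on other evidence, such as the timing of a product update or a setting change like the one described in post #10.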


 