Windows 7 Forums



Windows 7: New user accounts being created daily by something, help please

17 Sep 2014   #1
Viper41086

Windows 7 Pro x64
 
 

For the last 3 days I have gone to log on to my PC and there is a new user account created. Once every day for 3 days now. It appears to be Windows Mail but I do not use that, at all. Nor do I use Exchange.

Here are the 3 events in the event viewer:

Audit Success 9/17/2014 12:40:47 PM Microsoft Windows security auditing. 4720 User Account Management
Audit Success 9/16/2014 10:29:29 PM Microsoft Windows security auditing. 4720 User Account Management
Audit Success 9/15/2014 10:11:53 PM Microsoft Windows security auditing. 4720 User Account Management

Now one thing I noticed is that two of the user accounts had admin rights, one was a normal account. The two with admin rights had corresponding app activity in the application log. Here is a snippet of the application event log for the 9/17 occurrence where user "x1x2x3" was created:

Information 9/17/2014 12:41:49 PM ESENT 102 General
WinMail (15752) WindowsMail0: The database engine (6.01.7601.0000) started a new instance (0).

Information 9/17/2014 12:41:50 PM ESENT 210 Logging/Recovery
WinMail (15752) WindowsMail0: A full backup is starting.

Information 9/17/2014 12:41:50 PM ESENT 220 Logging/Recovery
WinMail (15752) WindowsMail0: Beginning the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (size 2 Mb).

Information 9/17/2014 12:41:50 PM ESENT 221 Logging/Recovery
WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.

Information 9/17/2014 12:41:51 PM ESENT 223 Logging/Recovery
WinMail (15752) WindowsMail0: Starting the backup of log files (range C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log - C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log).

Information 9/17/2014 12:41:51 PM ESENT 222 Logging/Recovery
WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log. Not all data in the file has been read (read 0 bytes out of 2097152 bytes).

Error 9/17/2014 12:41:51 PM ESENT 215 Logging/Recovery
WinMail (15752) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Information 9/17/2014 12:41:51 PM ESENT 103 General
WinMail (15752) WindowsMail0: The database engine stopped the instance (0).


I believe it errored because I logged on to the machine at this time. The previous occurrence had no error. I couldn't find much help online. I did run Microsoft Security Essentials and the latest version of Malwarebytes, which found just 4 PUP instances and quarantined them. That was yesterday and as you can see it didn't stop the issue.

Please let me know what this could be, how to stop it, and what else I can provide for analysis.

Thanks


17 Sep 2014   #2
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Hello and welcome Viper mate, run these scans as well

http://www.superantispyware.com/


http://www.bleepingcomputer.com/download/adwcleaner/

Download from Bleeping Computer; delete any rubbish these find.

http://www.emsisoft.com.au/en/software/eek/ I only use the Emergency and Command line scans as a matter of course.
If the problem still persists then use this
http://support.kaspersky.com/4162 This will run from power up and does not involve Windows

You can also use this if necessary Utilities < the top link TDSS Killer
Then I suggest these

http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

http://www.sevenforums.com/tutorials/433-disk-check.html < use the /f option in Option 2 if necessary





17 Sep 2014   #3
Viper41086

Windows 7 Pro x64
 
 

Thank you. I will need a couple of days to do all of this and see if it comes back. Stand by...

17 Sep 2014   #4
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Not a problem mate I am not going anywhere
18 Sep 2014   #5
Viper41086

Windows 7 Pro x64
 
 

Ok, so far I have done all of these except for the disk check and Download Kaspersky Rescue Disk 10.

I am running the sfc scan now.

It did happen again at 3:41 this morning making it now 4 days in a row. I am deleting the user account that is created each day and its user folder.

Would it be worth trying a restore point before the 15th?

Thanks
18 Sep 2014   #6
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Mate you can restore back to whenever you like you will not lose data - you only go back to older settings basically.
To look for older setting if you are not sure see my pic.


Attached Images
New user accounts being created daily by something, help please-restore-2.png 
20 Sep 2014   #7
Viper41086

Windows 7 Pro x64
 
 

Ok, I have done all of these and barely anything was found and fixed. It is still happening. This morning an account was created with the name ASPNET... I am actually beginning to think someone is hacking my PC. After this account was created the event viewer shows a logon at 1:14 AM, one minute after the account was created. And in the network information details I see this:

Network Information:
Workstation Name: JOHN-PC
Source Network Address: -
Source Port: -

I have no idea what JOHN-PC is. My PC and laptop are named something very different. After finding this I did a search for JOHN_PC and sure enough the very first occurrence where account name APACHA was created there was a logon from JOHN-PC as well.

So how do I go about fixing this issue if I am being hacked?

Edit: Actually, I have continued doing research. I have HFS and leave it on regularly as I share files with friends and myself from other PC's. I do secure everything with passwords of course and I log every IP address. Strangely, there was a connection through HFS at the same time the account was created and the IP address was logged. I don't think that the time in the event viewer of the account being created and the time of an external connection being logged through HFS and the fact that the event viewer network information shows a workstation name that is unknown to me is all coincidence. I am nearly 100% sure I am being hacked.

That said, I have updated HFS to the newest version as there were apparently some security issues with older versions (but not the one I had actually). I also set bans and basically banned everyone EXCEPT for a specific list of IP addresses. I tested this to make sure it worked. If it happens again, I will simply stop using HFS altogether and see if that fixes it. I'm not sure they were getting in through a vulnerability in HFS or if HFS just happened to log incoming IP addresses period. However my laptop is on the same network and I do not have HFS running on it and there have been no issues with that. Then again, it's been in sleep mode and my PC is always on... :-/

I'm really hoping it's a vulnerability in HFS and that by updating and banning all IP's except a small list will fix the issue.

Any other thoughts?

Thanks
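An added example, not part of the original thread: the correlation described in post #7 (an account-creation event 4720, a logon event 4624 from an unfamiliar workstation name shortly afterwards, and a file-server connection at about the same time), run over constructed records. The record layout, the ASPNET timestamps, the IP addresses and the `KNOWN_WORKSTATIONS` names are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M:%S %p"  # Event Viewer style timestamp, as in the thread

# Constructed sample records (not the poster's real logs); the field names
# are assumptions standing in for an Event Viewer export.
SECURITY_EVENTS = [
    {"time": "9/17/2014 12:40:47 PM", "id": 4720, "account": "x1x2x3"},
    {"time": "9/20/2014 1:13:05 AM", "id": 4720, "account": "ASPNET"},
    {"time": "9/20/2014 1:14:02 AM", "id": 4624, "workstation": "JOHN-PC"},
    {"time": "9/20/2014 8:30:00 AM", "id": 4624, "workstation": "MY-DESKTOP"},
]
# Constructed file-server connection log: (timestamp, remote address).
HFS_CONNECTIONS = [
    ("9/20/2014 1:12:40 AM", "203.0.113.50"),
    ("9/20/2014 9:00:00 AM", "198.51.100.7"),
]
KNOWN_WORKSTATIONS = {"MY-DESKTOP", "MY-LAPTOP"}  # hypothetical own machines


def ts(text):
    """Parse an Event Viewer style timestamp string."""
    return datetime.strptime(text, FMT)


def correlate(events, connections, known, window=timedelta(minutes=5)):
    """For each account creation (4720), collect logons (4624) from
    workstations not in `known` within `window` after the creation, and
    remote connections within `window` on either side of it."""
    findings = []
    for ev in (e for e in events if e["id"] == 4720):
        created = ts(ev["time"])
        logons = [e["workstation"] for e in events
                  if e["id"] == 4624
                  and e["workstation"].upper() not in known
                  and timedelta(0) <= ts(e["time"]) - created <= window]
        remotes = [ip for when, ip in connections
                   if abs(ts(when) - created) <= window]
        findings.append({"account": ev["account"], "created": created,
                         "unknown_logons": logons, "remote_ips": remotes,
                         "suspicious": bool(logons or remotes)})
    return findings


if __name__ == "__main__":
    for f in correlate(SECURITY_EVENTS, HFS_CONNECTIONS, KNOWN_WORKSTATIONS):
        print(f)
```

An account creation with no nearby unknown logon or remote connection (the constructed `x1x2x3` record) is still reported, with `suspicious` set to `False`, so nothing is silently dropped from review.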
20 Sep 2014   #8
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
 
 

Ok mate I think first up you should run the Kaspersky rescue disk it will run from power up and doesn't need Windows at all it will scour through everything.

The other malware scans run them and then it may be an idea to run a rootkit scan -
http://support.kaspersky.com/viruses/utility run the TDSSKiller it is the best one and most used of the rootkit scans that are available.

Another good scan to use is this http://www.emsisoft.com.au/en/software/eek/ I only usually use the Emergency and Command line scans

I would be very surprised if these do not pick something up and I am now thinking something is afoot as my machines are all John-PC

I would also check on your security settings too not just the machine but also the modem / router.
20 Sep 2014   #9
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Please read HTTP File Server - Wikipedia, the free encyclopedia
Quote:
HFS has had multiple security issues in the past
Quote:
HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish, - but at your own risk.
20 Sep 2014   #10
Viper41086

Windows 7 Pro x64
 
 

Thanks Icit2lol. I have actually already run all of the programs you suggested. Literally every program came back clean except for the first one or two and they just found 2 PUPs each. Not too bad. I'm really pretty diligent with my computers and keeping them clean. I build my own PC's and I am a programmer so I would say I am an intermediate PC user at a minimum. Would not say I am hacker level or anything though, cause if I were I would not need help from the forums. lol.

What do you mean your PC's all say John-PC? You are showing the same thing in your event viewer? Is anyone? Jacee???

Anyhow, right now it's a waiting game I think. Just waiting to see if my changes will work, and if not I simply have to take more drastic measures and start turning my PC off when I leave it.