New user accounts being created daily by something, help please


  1. Posts : 7
    Windows 7 Pro x64
       #1

    For the last 3 days I have gone to log on to my PC and there is a new user account created. Once every day for 3 days now. It appears to be Windows Mail but I do not use that, at all. Nor do I use Exchange.

    Here are the 3 events in the event viewer:

    Audit Success 9/17/2014 12:40:47 PM Microsoft Windows security auditing. 4720 User Account Management
    Audit Success 9/16/2014 10:29:29 PM Microsoft Windows security auditing. 4720 User Account Management
    Audit Success 9/15/2014 10:11:53 PM Microsoft Windows security auditing. 4720 User Account Management

    Now one thing I noticed is the two of the user accounts had admin rights, one was a normal account. The two with admin rights had corresponding app activity in the application log. Here is a snippet of the application event log for the 9/17 occurrence where user "x1x2x3" was created:

    Information 9/17/2014 12:41:49 PM ESENT 102 General
    WinMail (15752) WindowsMail0: The database engine (6.01.7601.0000) started a new instance (0).

    Information 9/17/2014 12:41:50 PM ESENT 210 Logging/Recovery
    WinMail (15752) WindowsMail0: A full backup is starting.

    Information 9/17/2014 12:41:50 PM ESENT 220 Logging/Recovery
    WinMail (15752) WindowsMail0: Beginning the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (size 2 Mb).

    Information 9/17/2014 12:41:50 PM ESENT 221 Logging/Recovery
    WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.

    Information 9/17/2014 12:41:51 PM ESENT 223 Logging/Recovery
    WinMail (15752) WindowsMail0: Starting the backup of log files (range C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log - C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log).

    Information 9/17/2014 12:41:51 PM ESENT 222 Logging/Recovery
    WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log. Not all data in the file has been read (read 0 bytes out of 2097152 bytes).

    Error 9/17/2014 12:41:51 PM ESENT 215 Logging/Recovery
    WinMail (15752) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

    Information 9/17/2014 12:41:51 PM ESENT 103 General
    WinMail (15752) WindowsMail0: The database engine stopped the instance (0).


    I believe it errored because I logged on to the machine at this time. The previous occurrence had no error. I couldn't find much help online. I did run Microsoft Security Essentials and the latest version of Malwarebytes, which found just 4 PUP instances and quarantined them. That was yesterday and as you can see it didn't stop the issue.

    Please let me know what this could be, how to stop it, and what else I can provide for analysis.

    Thanks


  2. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #2

    Hello and welcome Viper mate, run these scans as well

    http://www.superantispyware.com/


    http://www.bleepingcomputer.com/download/adwcleaner/

    download from bleeping computer – delete any rubbish these find.

    http://www.emsisoft.com.au/en/software/eek/ I only use the Emergency and Command line scans as a matter of course.
    If the problem still persists then use this
    http://support.kaspersky.com/4162 This will run from power up and does not involve Windows

    You can also use this if necessary: Utilities < the top link, TDSS Killer
    Then I suggest these

    https://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

    https://www.sevenforums.com/tutorials/433-disk-check.html < use the /f option in Option 2 if necessary


  3. Posts : 7
    Windows 7 Pro x64
    Thread Starter
       #3

    Thank you. I will need a couple of days to do all of this and see if it comes back. Stand by...


  4. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #4

    Not a problem mate I am not going anywhere :)


  5. Posts : 7
    Windows 7 Pro x64
    Thread Starter
       #5

    Ok, so far I have done all of these except for the disk check and
    Download Kaspersky Rescue Disk 10

    I am running the sfc scan now.

    It did happen again at 3:41 this morning making it now 4 days in a row. I am deleting the user account that is created each day and its user folder.

    Would it be worth trying a restore point before the 15th?

    Thanks


  6. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #6

    Mate you can restore back to whenever you like you will not lose data - you only go back to older settings basically.
    To look for older settings if you are not sure see my pic.


  7. Posts : 7
    Windows 7 Pro x64
    Thread Starter
       #7

    Ok, I have done all of these and barely anything was found and fixed. It is still happening. This morning an account was created with the name ASPNET... I am actually beginning to think someone is hacking my PC. After this account was created the event viewer shows a logon at 1:14 AM, one minute after the account was created. And in the network information details I see this:

    Network Information:
    Workstation Name: JOHN-PC
    Source Network Address: -
    Source Port: -

    I have no idea what JOHN-PC is. My PC and laptop are named something very different. After finding this I did a search for JOHN-PC and sure enough the very first occurrence, where account name APACHA was created, there was a logon from JOHN-PC as well.

    So how do I go about fixing this issue if I am being hacked?

    Edit: Actually, I have continued doing research. I have HFS and leave it on regularly as I share files with friends and myself from other PCs. I do secure everything with passwords of course and I log every IP address. Strangely, there was a connection through HFS at the same time the account was created and the IP address was logged. I don't think that the time in the event viewer of the account being created, the time of an external connection being logged through HFS, and the fact that the event viewer network information shows a workstation name that is unknown to me is all coincidence. I am nearly 100% sure I am being hacked.

    That said, I have updated HFS to the newest version as there were apparently some security issues with older versions (but not the one I had actually). I also set bans and basically banned everyone EXCEPT for a specific list of IP addresses. I tested this to make sure it worked. If it happens again, I will simply stop using HFS altogether and see if that fixes it. I'm not sure whether they were getting in through a vulnerability in HFS or if HFS just happened to log incoming IP addresses, period. However my laptop is on the same network and I do not have HFS running on it and there have been no issues with that. Then again, it's been in sleep mode and my PC is always on... :-/

    I'm really hoping it's a vulnerability in HFS and that updating and banning all IPs except a small list will fix the issue.

    Any other thoughts?

    Thanks
    Last edited by Viper41086; 20 Sep 2014 at 12:05.
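Added example (my own code, not the poster's and not from any tool named in the thread): the pattern described in the post above, an account creation (event ID 4720) followed about a minute later by a logon (4624) from a workstation name the owner does not recognise, written as a small Python check over constructed sample lines in the Event Viewer list layout quoted earlier. KNOWN_HOSTS and every account or host name other than x1x2x3, ASPNET and JOHN-PC are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Event Viewer list layout quoted in the thread
# ("Level Date Time Source EventID Task"), with two fields from the event
# details appended. Only the x1x2x3 creation time is from the thread.
SAMPLE_EVENTS = """\
Audit Success 9/16/2014 10:29:29 PM Microsoft Windows security auditing. 4720 User Account Management target=tmpacct workstation=-
Audit Success 9/17/2014 12:40:47 PM Microsoft Windows security auditing. 4720 User Account Management target=x1x2x3 workstation=-
Audit Success 9/17/2014 12:41:50 PM Microsoft Windows security auditing. 4624 Logon target=x1x2x3 workstation=JOHN-PC
Audit Success 9/20/2014 1:13:02 AM Microsoft Windows security auditing. 4720 User Account Management target=ASPNET workstation=-
Audit Success 9/20/2014 1:14:10 AM Microsoft Windows security auditing. 4624 Logon target=ASPNET workstation=JOHN-PC
Audit Success 9/20/2014 9:00:00 AM Microsoft Windows security auditing. 4624 Logon target=viper workstation=VIPER-DESKTOP
"""

LINE_RE = re.compile(
    r"^(?:Audit (?:Success|Failure)|Information|Error)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r".+?\s+(?P<id>\d{4})\s+.+?\s+target=(?P<target>\S+)\s+workstation=(?P<ws>\S+)$"
)

# Hosts the owner recognises (hypothetical; the thread does not name them).
KNOWN_HOSTS = {"VIPER-DESKTOP", "VIPER-LAPTOP"}


def parse_events(text):
    """Return (timestamp, event_id, target_account, WORKSTATION) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the layout are skipped, not guessed at
            events.append((datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                           int(m["id"]), m["target"], m["ws"].upper()))
    return events


def suspicious_creations(events, known_hosts=KNOWN_HOSTS, window=timedelta(minutes=5)):
    """4720 (account created) followed within `window` by a 4624 logon to that
    account from a workstation name the owner does not recognise."""
    logons = [e for e in events if e[1] == 4624]
    findings = []
    for c_time, _, account, _ in (e for e in events if e[1] == 4720):
        for l_time, _, l_account, host in logons:
            delta = l_time - c_time
            if l_account == account and timedelta(0) <= delta <= window \
                    and host not in known_hosts:
                findings.append((account, host, int(delta.total_seconds())))
    return findings
```

Any 4720 on a single-user PC is worth a look on its own; this check only ranks the ones where the new account was used right after it appeared.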


  8. Posts : 21,004
    Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10
       #8

    Ok mate, I think first up you should run the Kaspersky rescue disk; it will run from power up and doesn't need Windows at all, and it will scour through everything.

    The other malware scans, run them, and then it may be an idea to run a rootkit scan -
    http://support.kaspersky.com/viruses/utility run the TDSSKiller; it is the best one and most used of the rootkit scans that are available.

    Another good scan to use is this http://www.emsisoft.com.au/en/software/eek/ I only usually use the Emergency and Command line scans

    I would be very surprised if these do not pick something up and I am now thinking something is afoot as my machines are all John-PC

    I would also check on your security settings too not just the machine but also the modem / router.


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #9

    Please read HTTP File Server - Wikipedia, the free encyclopedia
    HFS has had multiple security issues in the past
    HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish, - but at your own risk.


  10. Posts : 7
    Windows 7 Pro x64
    Thread Starter
       #10

    Thanks Icit2lol. I have actually already run all of the programs you suggested. Literally every program came back clean except for the first one or two, and they just found 2 PUPs each. Not too bad. I'm really pretty diligent with my computers and keeping them clean. I build my own PCs and I am a programmer, so I would say I am an intermediate PC user at a minimum. Would not say I am hacker level or anything though, cause if I were I would not need help from the forums. lol.

    What do you mean your PC's all say John-PC? You are showing the same thing in your event viewer? Is anyone? Jacee???

    Anyhow, right now it's a waiting game I think. Just waiting to see if my changes will work, and if not I simply have to take more drastic measures and start turning my PC off when I leave it.

