Solved New user accounts being created daily by something, help please

[Viper41086]

For the last 3 days I have gone to log on to my PC and there is a new user account created. Once every day for 3 days now. It appears to be Windows Mail but I do not use that, at all. Nor do I use Exchange.

Here are the 3 events in the event viewer:

Audit Success 9/17/2014 12:40:47 PM Microsoft Windows security auditing. 4720 User Account Management
Audit Success 9/16/2014 10:29:29 PM Microsoft Windows security auditing. 4720 User Account Management
Audit Success 9/15/2014 10:11:53 PM Microsoft Windows security auditing. 4720 User Account Management

Now one thing I noticed is the two of the user accounts had admin rights, one was a normal account. The two with admin rights had corresponding app activity in the application log. Here is a snippet of the application event log for the 9/17 occurrence where user "x1x2x3" was created:

Information 9/17/2014 12:41:49 PM ESENT 102 General
WinMail (15752) WindowsMail0: The database engine (6.01.7601.0000) started a new instance (0).

Information 9/17/2014 12:41:50 PM ESENT 210 Logging/Recovery
WinMail (15752) WindowsMail0: A full backup is starting.

Information 9/17/2014 12:41:50 PM ESENT 220 Logging/Recovery
WinMail (15752) WindowsMail0: Beginning the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (size 2 Mb).

Information 9/17/2014 12:41:50 PM ESENT 221 Logging/Recovery
WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.

Information 9/17/2014 12:41:51 PM ESENT 223 Logging/Recovery
WinMail (15752) WindowsMail0: Starting the backup of log files (range C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log - C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log).

Information 9/17/2014 12:41:51 PM ESENT 222 Logging/Recovery
WinMail (15752) WindowsMail0: Ending the backup of the file C:\Users\x1x2x3\AppData\Local\Microsoft\Windows Mail\edb00001.log. Not all data in the file has been read (read 0 bytes out of 2097152 bytes).

Error 9/17/2014 12:41:51 PM ESENT 215 Logging/Recovery
WinMail (15752) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Information 9/17/2014 12:41:51 PM ESENT 103 General
WinMail (15752) WindowsMail0: The database engine stopped the instance (0).


I believe it errored because I logged on to the machine at this time. The previous occurrence had no error. I couldnt find much help online. I did run Microsoft Security Essentials and the latest version of Malwarebytes which is found just 4 PUP instances and quarantined them. That was yesterday and as you can see it didnt stop the issue.

Please let me know what this could be, how to stop it, and what else I can provide for analysis.

Thanks

 

[ICIT2LOL]

Hello and welcome Viper mate run hese scans as well

http://www.superantispyware.com/


http://www.bleepingcomputer.com/download/adwcleaner/

download from bleeping computer – delete any rubbishthese find.

http://www.emsisoft.com.au/en/software/eek/ I only use the Emergency and Command line scans as a matter of course.
If the problem still persist then use this
http://support.kaspersky.com/4162 This will run from power up and not involves Windows

you can also use this if necessary Utilities < the top link TDSS Killer
Then I suggest these

http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

http://www.sevenforums.com/tutorials/433-disk-check.html < use the /f option in Option 2 ifnecessary

 

[Viper41086]

Thank you. I will need a couple of days to do all of this and see if it comes back. Stand by...

 

[ICIT2LOL]

Not a problem mate I am not going anywhere

 

[Viper41086]

Ok, so far I have done all of these except for the disk check and
Download Kaspersky Rescue Disk 10

I am running the sfc scan now.

It did happen again at 3:41 this morning making it now 4 days in a row. I am deleting the user account that is created each day and its user folder.

Would it be worth trying a a restore point before the 15th?

Thanks

 

[ICIT2LOL]

Mate you can restore back to whenever you like you will not lose data - you only go back to older settings basically.
To look for older setting if you are not sure see my pic.

 

[Viper41086]

Ok, I have done all of these and barely anything was found and fixed. It is still happening. This morning an account was created with the name ASPNET... I am actually beginning to think someone is hacking my PC. After this account was created the event viewer shows a logon at 1:14 AM, one minute after the account was created. And in the network information details I see this:

Network Information:
Workstation Name: JOHN-PC
Source Network Address: -
Source Port: -

I have no idea what JOHN-PC is. My PC and laptop are named something very different. After finding this I did a search for JOHN_PC and sure enough the very first occurrence where account name APACHA was created there was a logon from JOHN-PC as well.

So how do I go about fixing this issue if I am being hacked?

Edit: Actually, I have continued doing research. I have HFS and leave it on regularly as I share files with friends and myself from other PC's. I do secure everything with passwords of course and I log every IP address. Strangely, there was a connection through HFS at the same time the account was created and the IP address was logged. I dont think that the time in the event viewer of the account being created and the time of an external connection being logged through HFS and the fact that the event viewer network information shows a workstation name that is unknown to me is all coincidence. I am nearly 100% sure I am being hacked.

That said, I have updated HFS to the newest version as there were apparently some security issues with older version (but not the one I had actually). I also set bans and basically banned everyone EXCEPT for a specific list of IP addresses. I tested this to make sure it worked. If it happens again, I will simply stop using HFS all together and see if that fixes it. Im not sure they were getting in through a vulnerability in HFS or if HFS just happened to log incoming IP addresses period. However my laptop is on the same network and I do not have HFS running on it and there have been no issue with that. Then again, its been in sleep mode and my PC is always on... :-/

Im really hoping its a vulnerability in HFS and that by updating and banning all IP's except a small list will fix the issue.

Any other thoughts?

Thanks

 

[ICIT2LOL]

Ok mate I think first up you should run the Kaspersky rescue disk it will run from power up and doesn't need Windows at all it will scour through everything.

The other malware scans run them and then it may be an idea to run a rookit scan -
http://support.kaspersky.com/viruses/utility run the TDSSKiller it is the best one and most used of the rootkit scans that are available.

Another good scan to use is this http://www.emsisoft.com.au/en/software/eek/ I only usually use the Emergency and Command line scans

I would be very surprised if these do not pick something up and I am now thinking something is afoot as my machines are all John-PC:huh:

I would also check on your security settings too not just the machine but also the modem / router.

 

[Jacee]

Please read HTTP File Server - Wikipedia, the free encyclopedia

HFS has had multiple security issues in the past

HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish, - but at your own risk.

 

[Viper41086]

Thanks Icit2lol. I have actually already run all of the programs you suggested. Literally every program came back clean except for the first one or two and they just found 2 PUPs each. Not too bad. Im really pretty diligent with my computers and keeping them clean. I build my own PC's and I am a programmer so I would say I am an intermediate PC user at a minimum. Would not say I am hacker level or anything though, cause if I were I would not need help from the forums. lol.

What do you mean your PC's all say John-PC? You are showing the same thing in your event viewer? Is anyone? Jacee???

Anyhow, right now its a waiting game I think. Just waiting to see if my changes will work, and if not I simply have to take more drastic measures and start turning my PC off when I leave it.

 

[ICIT2LOL]

No mate my name is John and I set them all to John when setting them up or installing Me I am just an RN and do this for a hobby so I am not really as good at this as you are it is only what I have picked up from folks on this site.

I never had done a build until I came here and the rest is history

 

[GEWB]

Hmm, thinking out loud...

• Your system is open to a select group of users in order to share files.
• Your logs show a backup activity for a commonly used mail program/service but one you do not use (however, it is installed by default with Windows).
• This backup activity occured during a login connection with one of the remote group members.
• The backup activities occur around the same time of day.

Based on the above, maybe one of the remote members has their backup service configured to:

• Run at a specific time (or when first logged in after the scheduled time)
• Backup based on their network not just the local workstation - you are part of their network (as a share)
• Backup service scans the entire network (includes you) and backs up programs/files based on their configuration settings

Thus that system tries to backup your mail directory.

How have you configured your share rights?

Just thinking out loud...

Regards,
GEWB

 

[Viper41086]

Well, that is true that I have my laptop set up to run backups, however I never leave it on. So it only runs the backup when I manually run it. That is all of the PC's in my house and again none with the workstation named JOHN-PC.

I will just say that since updating HFS, adding rules to ban all IP addresses using an exception list, and adding rules to block the IP address in question, the issue has not occurred again. So, knock on wood, with any luck, I think the issue may be resolved. I am going to continue to monitor obviously.

Thanks guys.

 

[Jacee]

Good! keep us informed

 

[Viper41086]

It has been about two weeks now and no more occurrences. I am going to go ahead and say this is resolved with the steps I put in place.

Thanks for your support