Solved New User created without my permission? Doesn't exist in registry.

[lczaplicki]

New User created without my permission by "SYSTEM"

Hi All,

After a recent reboot last week I wound up at an unfamiliar "choose user" screen during the windows start-up process. I personally didn't create a user, and this user just appeared out of nowhere. So I thought nothing of it, logged on, deleted user from the management console and went on with my day. I rebooted within the next day or two and the user magically reappeared. I am now a little fed up, and a little worried.

I traced back to the first time the user was created in the windows security logs, and it turns out the user was created by the SYSTEM account after the SYSTEM account acquired new permissions. Maybe I am reading too far into this, but any help will be appreciated. Attached to this post is the error log. The Errors logged were in the middle of the night, and over a course of 30 minutes. As mentioned before, this user does not exist in the registry, or "control userpasswords2", but comes up in the management console and "users" menu in the control panel.

 

[lczaplicki]

Anyone?

 

[Anak]

Hi lczaplicki, welcome to 7F!

One item I could pick out was Primary Group ID: 513 , That means whatever is doing this is a Domain User.

Values for primaryGroupID :
513 Domain Users 514 Domain Guests
515 Domain Computers 516 Domain Controllers

Do you have the event ID and source?

 

[lczaplicki]

Event ID's range 4672, 4720, 4728, 4724, 4738, 4722, 4732, 4717, 4725, 4762. I pulled it from the security auditing log. Funny thing is I do not belong to any domain, just a standalone desktop at home, used for school and work. Ok, and a few games.

Keep trying to delete the account, and it keeps coming back. I have not done any recent installs or uninstalls. Not picked up by Eset Smart Security, Malware-Bytes AntiMalware, or even HiJack-this. Didn't try logging in as this user though.

 

[UsernameIssues]

ESET is probably creating the account - see this post:
http://www.sevenforums.com/system-security/279775-tcp-flooding-attack.html#post2303020

 

[Anak]

Can you post something similar to this?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID:  680
Date:  12/27/2003
Time:  7:49:48 AM
User:  NT AUTHORITY\SYSTEM
Computer: MYPENTIUM450
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:  <Your user account>
Source Workstation: MYPENTIUM450
Error Code: 0xC000006E

With those ID's and this at the top of your .txt file:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

I'm thinking something to do with Microsoft phoning home because of a error reporting or updating feature they have for some of their programming.

You will need to see if there is a process associated with those event ID's.
See: What Is Logon ID 0x3e7 (Security Guidance)

That's possible UI, I just saw a similar posting on that the other day.

 

[lczaplicki]

Now that does seem to be very possible. I did recently update ESET and sign up for their tracking. Thanks, this thread might just be solved.

 

[lczaplicki]

I have attached a saved log in zip. But as UsernameIssues has already mentioned, I do suspect it may be the Anti-Theft feature by ESET. Will keep you posted.

 

[Anak]

You will need to see if ESET is the process associated with those event ID's.

 

[lczaplicki]

As only one ID was associated with System32\Services.exe, I decided to go into ESET and try and configure the "Anti-Theft" tool they have provided with the most recent ESET Smart Security 6 Update. After removing the user, and rebooting, the ghost user hasn't come back. I will give it a day or two as I am going to call it a night for now, and I will post back if anything changes.

Overall I would like to thank you for your help!

 

[Anak]

Strange, when I opened the file it opened to my .etvx location in event viewer.

If you can't figure out any of those ID's, try going to friendly view and copy/paste that into notepad and post.

Just saw your post.

Okay, let us know how its going.

Your welcome.

 

[UsernameIssues]

Here are some log files from my VM - hope this will help.

 

[Anak]

I'm not sure whats happening, but when I opened either your (UI) or lcz's .evtx logs it comes up with my machine name.

 

[lczaplicki]

Surprisingly it has been ESET causing the phantom account. Re-Enabled the Anti-Theft feature, and wouldn't you know it, a random account came up again. Wouldn't have ever noticed it if I didnt reboot my computer and was asked to log in. In either case, Thanks for all the help!

 

[UsernameIssues]

I'm not sure that ESET has this anti-theft feature working just right. They ask you to pick a name for the account and they fill in the field with an example of "John". It does not matter what name I put in, the name created on the computer has a random name. ESET tells you to pick a name that won't look suspicious and yet the create a very suspicious looking name.

There are some other flaws in the way ESET has implemented this - but I don't have time to go into that now.

 

[lczaplicki]

I think there may be more than a single flaw with ESET security, but in the end, it was near free when I purchased it. Otherwise I was just using Microsoft's Security Essentials.