XP Pro is Creating User Accounts By Itself

stevem326

Senior member
Apr 5, 2005
337
0
0
This has happened twice this week. I'll walk away from my PC for an hour or two and come back and I see the blue log-in screen with my current administrator account and a BRAND NEW account right next to it that I did not create! The first account that was created by itself was called "iisuser" and required a password to log in under. I tried various passwords and none of them worked, but I was able to delete the account.

Three days later, the same exact thing happened. I left for a few hours and when I came back another new account had been created called "SQL$" which also required a password. Nothing worked for the password so I deleted this account as well.

Does anyone know why XP is creating these accounts? Can XP do this on its own or does this mean someone has hacked into my system and is creating these accounts on their own? I use Zone Alarm firewall and also run up-to-date anti-spyware and anti-virus software. All scans come up clean.

Any advice would be greatly appreciated!!



 

CalvinHobbes

Diamond Member
Feb 27, 2004
3,524
0
0
Sounds like someone or something is creating those. XP doesn't randomly create user accounts as far as I know.

What programs are you using to scan for malware? I would suggest getting a few others to try. Take a look at what's currently running in task manager, at start up, etc.

Run HiJackThis as well.
 

Jiggz

Diamond Member
Mar 10, 2001
4,329
0
76
Originally posted by: stevem326
This has happened twice this week. I'll walk away from my PC for an hour or two and come back and I see the blue log-in screen with my current administrator account and a BRAND NEW account right next to it that I did not create! The first account that was created by itself was called "iisuser" and required a password to log in under. I tried various passwords and none of them worked, but I was able to delete the account.

Three days later, the same exact thing happened. I left for a few hours and when I came back another new account had been created called "SQL$" which also required a password. Nothing worked for the password so I deleted this account as well.

Does anyone know why XP is creating these accounts? Can XP do this on its own or does this mean someone has hacked into my system and is creating these accounts on their own? I use Zone Alarm firewall and also run up-to-date anti-spyware and anti-virus software. All scans come up clean.

Any advice would be greatly appreciated!!

That sounds really scary, especially if the new accounts are Admin Accounts! Read through this and maybe it will shed some light. Rootkits

You might want to download some rootkit detectors to see if you have infections. If the problem persists, back up your important data and do a clean install. Make sure you zero the hdd first using the hdd utilities, full format and then re-install.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: CalvinHobbes
Sounds like someone or something is creating those. XP doesn't randomly create user accounts as far as I know.

What programs are you using to scan for malware? I would suggest getting a few others to try. Take a look at what's currently running in task manager, at start up, etc.

Run HiJackThis as well.

Uh-oh...that's not good. I'm using PC Tools Spyware Doctor to scan for spyware and it's set to scan for rootkits and everything else but I'll try some of the other free ones like Ad Aware and SpyBot. I've got the latest version with all the updates and it's one of the best-rated anti-spyware programs out there but I know that no single program catches all the bugs that are out there. I'll install and run HiJackThis as well. Thanks for the tips.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: Jiggz
Originally posted by: stevem326
This has happened twice this week. I'll walk away from my PC for an hour or two and come back and I see the blue log-in screen with my current administrator account and a BRAND NEW account right next to it that I did not create! The first account that was created by itself was called "iisuser" and required a password to log in under. I tried various passwords and none of them worked, but I was able to delete the account.

Three days later, the same exact thing happened. I left for a few hours and when I came back another new account had been created called "SQL$" which also required a password. Nothing worked for the password so I deleted this account as well.

Does anyone know why XP is creating these accounts? Can XP do this on its own or does this mean someone has hacked into my system and is creating these accounts on their own? I use Zone Alarm firewall and also run up-to-date anti-spyware and anti-virus software. All scans come up clean.

Any advice would be greatly appreciated!!

That sounds really scary, especially if the new accounts are Admin Accounts! Read through this and maybe it will shed some light. Rootkits

You might want to download some rootkit detectors to see if you have infections. If the problem persists, back up your important data and do a clean install. Make sure you zero the hdd first using the hdd utilities, full format and then re-install.

Actually, the "iisuser" account had full Admin rights but the "SQL$" account was a limited account. I couldn't log in under either of those accounts because none of my passwords worked but I was still able to delete both of them. What's also weird is that for the last few days I've been getting these alerts from Zone Alarm saying that "File Transfer Protocol (FTP)" is trying to access the Internet. I've been using ZA for years and have never received that alert for FTP. This is really scary. Sounds like someone is trying to hack into my system and transfer files to a remote location? Are you sure that Windows isn't just trying to communicate to Microsoft to do something related to Office updates or XP updates? If someone has hacked into my system, why would they create a user account that I can see when I boot up and that I can also delete? Why wouldn't they just create some hidden account that I wouldn't see on my boot-up screen?

I'll check out the rootkit article and download a few of the rootkit detectors to see if anything comes up. Thanks for the advice.

What's funny is that I just did a clean install two weeks ago. I wiped the entire HD clean with WipeDrive from White Canyon (it wipes every single cluster of your hard drive and takes several hours). Then I reinstalled the OS, updated everything with the latest patches and all that...and now I've got this issue all of a sudden. Anyway, thanks again for the tips.

If anyone else has ever seen this type of thing before I would greatly appreciate any info you'd be willing to share. The problem is if I wipe my HD again who's to say this won't happen all over a second time? :(


 

Jiggz

Diamond Member
Mar 10, 2001
4,329
0
76
Originally posted by: stevem326
Originally posted by: Jiggz
Originally posted by: stevem326
This has happened twice this week. I'll walk away from my PC for an hour or two and come back and I see the blue log-in screen with my current administrator account and a BRAND NEW account right next to it that I did not create! The first account that was created by itself was called "iisuser" and required a password to log in under. I tried various passwords and none of them worked, but I was able to delete the account.

Three days later, the same exact thing happened. I left for a few hours and when I came back another new account had been created called "SQL$" which also required a password. Nothing worked for the password so I deleted this account as well.

Does anyone know why XP is creating these accounts? Can XP do this on its own or does this mean someone has hacked into my system and is creating these accounts on their own? I use Zone Alarm firewall and also run up-to-date anti-spyware and anti-virus software. All scans come up clean.

Any advice would be greatly appreciated!!

That sounds really scary, especially if the new accounts are Admin Accounts! Read through this and maybe it will shed some light. Rootkits

You might want to download some rootkit detectors to see if you have infections. If the problem persists, back up your important data and do a clean install. Make sure you zero the hdd first using the hdd utilities, full format and then re-install.

Actually, the "iisuser" account had full Admin rights but the "SQL$" account was a limited account. I couldn't log in under either of those accounts because none of my passwords worked but I was still able to delete both of them. What's also weird is that for the last few days I've been getting these alerts from Zone Alarm saying that "File Transfer Protocol (FTP)" is trying to access the Internet. I've been using ZA for years and have never received that alert for FTP. This is really scary. Sounds like someone is trying to hack into my system and transfer files to a remote location? Are you sure that Windows isn't just trying to communicate to Microsoft to do something related to Office updates or XP updates? If someone has hacked into my system, why would they create a user account that I can see when I boot up and that I can also delete? Why wouldn't they just create some hidden account that I wouldn't see on my boot-up screen?

I'll check out the rootkit article and download a few of the rootkit detectors to see if anything comes up. Thanks for the advice.

What's funny is that I just did a clean install two weeks ago. I wiped the entire HD clean with WipeDrive from White Canyon (it wipes every single cluster of your hard drive and takes several hours). Then I reinstalled the OS, updated everything with the latest patches and all that...and now I've got this issue all of a sudden. Anyway, thanks again for the tips.

If anyone else has ever seen this type of thing before I would greatly appreciate any info you'd be willing to share. The problem is if I wipe my HD again who's to say this won't happen all over a second time? :(

Anybody who has an Admin account can delete any user's account regardless of type. So this should answer your question, "How come I can erase . . .". The question about not hiding the created account: I believe every account in XP is shown by default, or the hacker probably just downloaded some hacking program and is not really an expert. That's why it is showing. As for the FTP access, Windows sometimes uses this mode of transfer, but usually ZA will tell you that Windows Update is the one trying to access.

At any rate, this is some serious stuff you have to correct. As for this stuff happening again, well you can reduce your risk by making sure you only use limited accounts on normal use of your system. With limited accounts, the likelihood of getting your system infected is greatly reduced.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: Jiggz
Originally posted by: stevem326
Originally posted by: Jiggz
Originally posted by: stevem326
This has happened twice this week. I'll walk away from my PC for an hour or two and come back and I see the blue log-in screen with my current administrator account and a BRAND NEW account right next to it that I did not create! The first account that was created by itself was called "iisuser" and required a password to log in under. I tried various passwords and none of them worked, but I was able to delete the account.

Three days later, the same exact thing happened. I left for a few hours and when I came back another new account had been created called "SQL$" which also required a password. Nothing worked for the password so I deleted this account as well.

Does anyone know why XP is creating these accounts? Can XP do this on its own or does this mean someone has hacked into my system and is creating these accounts on their own? I use Zone Alarm firewall and also run up-to-date anti-spyware and anti-virus software. All scans come up clean.

Any advice would be greatly appreciated!!

That sounds really scary, especially if the new accounts are Admin Accounts! Read through this and maybe it will shed some light. Rootkits

You might want to download some rootkit detectors to see if you have infections. If the problem persists, back up your important data and do a clean install. Make sure you zero the hdd first using the hdd utilities, full format and then re-install.

Actually, the "iisuser" account had full Admin rights but the "SQL$" account was a limited account. I couldn't log in under either of those accounts because none of my passwords worked but I was still able to delete both of them. What's also weird is that for the last few days I've been getting these alerts from Zone Alarm saying that "File Transfer Protocol (FTP)" is trying to access the Internet. I've been using ZA for years and have never received that alert for FTP. This is really scary. Sounds like someone is trying to hack into my system and transfer files to a remote location? Are you sure that Windows isn't just trying to communicate to Microsoft to do something related to Office updates or XP updates? If someone has hacked into my system, why would they create a user account that I can see when I boot up and that I can also delete? Why wouldn't they just create some hidden account that I wouldn't see on my boot-up screen?

I'll check out the rootkit article and download a few of the rootkit detectors to see if anything comes up. Thanks for the advice.

What's funny is that I just did a clean install two weeks ago. I wiped the entire HD clean with WipeDrive from White Canyon (it wipes every single cluster of your hard drive and takes several hours). Then I reinstalled the OS, updated everything with the latest patches and all that...and now I've got this issue all of a sudden. Anyway, thanks again for the tips.

If anyone else has ever seen this type of thing before I would greatly appreciate any info you'd be willing to share. The problem is if I wipe my HD again who's to say this won't happen all over a second time? :(

Anybody who has an Admin account can delete any user's account regardless of type. So this should answer your question, "How come I can erase . . .". The question about not hiding the created account: I believe every account in XP is shown by default, or the hacker probably just downloaded some hacking program and is not really an expert. That's why it is showing. As for the FTP access, Windows sometimes uses this mode of transfer, but usually ZA will tell you that Windows Update is the one trying to access.

At any rate, this is some serious stuff you have to correct. As for this stuff happening again, well you can reduce your risk by making sure you only use limited accounts on normal use of your system. With limited accounts, the likelihood of getting your system infected is greatly reduced.

Thanks for the additional info. This is not good. I did everything you're supposed to do. Anti-spyware, anti-virus software (both with the latest definition files), XP Pro with all of the latest critical updates, MS Office with all of the updates, Zone Alarm firewall, and I wasn't going to any suspect websites or anything like that (I'm the most boring web surfer...CNN, MSNBC, etc)...I did all of this AND I STILL GOT HACKED (or at least it appears that way).

Anyway, I talked to some of my IT people at work today and they were very puzzled by this as well...user accounts just don't get created all by themselves. IIS and SQL are legitimate software programs, but I never installed them so I have no idea how an IIS and SQL account got created. So they gave me a few things to look at tonight but I'm leaning towards nuking the hard drive again and starting from scratch with a limited account from now on. This is scary stuff. I do all of my banking online, pay all my bills online, etc...if someone has a rootkit or keylogger installed they've got access to a great deal of info right now. :|
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Very strange. The name "iisuser" is a common one for people to create when they install Microsoft's Internet Information Server (a web server) and need to create an account for the server to access system resources.

So first question is do you have IIS 6.0 installed on this system, and if so are you serving any apps from it?

I'm assuming not, but that name is so common I had to ask. The other account you mentioned also looks like an account that would be created for the purposes of supporting a server application.

Of course they could be anything, and an attacker might have chosen them specifically because they are likely to be ignored. Which is one reason to take this seriously if the answer to my questions above is no. Have you looked at the security event log to see what it says about when they were created, and by whom?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,200
126
Do you have any development tools installed on the machine? Even something like web development? Because sometimes the tools install a version of IIS and SQL server, in order to test/debug apps.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: Markbnj
Very strange. The name "iisuser" is a common one for people to create when they install Microsoft's Internet Information Server (a web server) and need to create an account for the server to access system resources.

So first question is do you have IIS 6.0 installed on this system, and if so are you serving any apps from it?

I'm assuming not, but that name is so common I had to ask. The other account you mentioned also looks like an account that would be created for the purposes of supporting a server application.

Of course they could be anything, and an attacker might have chosen them specifically because they are likely to be ignored. Which is one reason to take this seriously if the answer to my questions above is no. Have you looked at the security event log to see what it says about when they were created, and by whom?

Thanks a lot for your reply. I don't have IIS 6.0 installed on my system and my system is not being used as a server in any way. I do see that IIS is available to install as a Windows Component under the Windows Component Wizard located within the Add/Remove Programs window, but it doesn't give a version number. I don't see IIS 6.0 as a program that can be uninstalled anywhere under the Add/Remove options.

Also, I haven't installed (to my knowledge) any SQL software and I don't see anywhere under Add/Remove programs where I can uninstall it. Also, I can't find any IIS or SQL folders on my system anywhere (like under the Program Files, for example). My PC is basically just a home PC and that's it. I play a few games, have MS Office, anti-spyware, anti-virus, Zone Alarm, etc...and that's about it.

The only thing that it might be is something I use to download and install PC games directly from the Internet called Steam. Basically, it downloads and installs entire games onto your PC instead of buying them at a store. I installed one game this way two weeks ago, but when Steam tries to access the web Zone Alarm says "Steam is trying to access the web", not "FTP is trying to access the web".

I haven't looked at the security event log but I'm going to do that now once I figure out how to (and will also run another round of virus/spyware scans). I can wipe my HD and reinstall everything but I'm trying to avoid doing that if at all possible.

Thanks again for the additional info! :thumbsup:
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: VirtualLarry
Do you have any development tools installed on the machine? Even something like web development? Because sometimes the tools install a version of IIS and SQL server, in order to test/debug apps.

Nope, no development tools here...just the stuff I put in my reply to Markbnj above you. Thanks.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: blackangst1
You have an open wireless connection somewhere?

Nope...nothing wireless at all on my system. Thanks for the suggestion though!

Part of me wants to wipe out the HD and reinstall everything and the other wants to hold off and see what happens...

Nothing looks suspicious in any of my event logs and the latest virus and spyware scans turned up nothing. I'm going to try HijackThis next and a few other free spyware and rootkit scanners.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
I don't think it's Steam, but I don't use it so I can't say for sure. At this point I would definitely run MBSA and maybe Windows Defender as well. If you still can't say what's causing it then post a Hijack This log and we can take a look at your processes. It isn't a rootkit, or one of the other serious trojans, because no serious trojan would do something this stupid. Far more likely to be a process that's related to something you use, and we just haven't made the connection yet.

The security events are in Control Panel -> Administrative Tools -> Event Viewer -> Security.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Originally posted by: stevem326
Originally posted by: blazer
Have you run MBSA?

http://www.microsoft.com.nsatc...C2E5AC9&displaylang=en

Thanks for the link. No, I haven't run that but I'm installing it now to see if it finds anything. Thanks again!

I just ran MBSA and it said that SQL and IIS are not even installed on my computer. It also said I have all of the required Windows updates and Office updates. Everything else came up clean. However, it did say I need to install one "SDK Component" security update for this: "CAPICOM is a Windows component that provides services to programs that enable security that is based on cryptography. This includes functionality for authentication that uses digital signatures, for enveloping messages, and for encrypting and decrypting data." However, when I visit the Windows Update site it says I don't need to install any critical updates so I think I might just ignore this CAPICOM thing.

I'm really starting to think now that I haven't been hacked. I think maybe some OS settings got messed up somehow and it's just doing some weird things. All of my event logs are normal, MBSA is clean, nothing is found on virus or spyware scans, there's no odd system behavior (BSOD's, slow downs, hang-ups, etc.). If you guys can read a HijackThis log I can post one here. Other than that and trying some of the free spyware scanners (I currently use Spyware Doctor from PC Tools) I think I'm okay. :cool:
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Well, I decided to install the CAPICOM update and now MBSA comes up completely clean. So, here is my HijackThis log. As you can see, there's not much installed on my system. I actually just wiped my HD 4 weeks ago and did a complete reinstall of everything so you would think that everything is good to go. Thanks a lot for everyone's replies. You guys have been very helpful. Yesterday I was thinking someone might have access to all of my banking and credit card info but I really think now that this is just some goofy OS thing that's going on rather than a rootkit, trojan or keylogger.
=========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:23 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\ATKKBService.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aquatics.gmu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [vdrdpup] C:\WINDOWS\system32\rundll32 C:\WINDOWS\system32\vdrdpup.dll,RegisterVirtualChannel
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://apps.universalservice.org/include/wficat.cab
O16 - DPF: {240EEE8D-91DB-4D74-A87E-671026601333} (EOLUP.Version) - https://apps.universalservice.org/include/eolupcli.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....cabs/flash/swflash.cab
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Themes. (netservice) - Unknown owner - C:\Documents and Settings\All Users\Favorites\netservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7678 bytes
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What's this here?

C:\Documents and Settings\All Users\Favorites\netservice.exe

Upload it to VirusTotal.com if you're not sure it's legit. Stuff should not be running from your All Users\Favorites folder.
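As an added example (not code from this thread or from HijackThis), a small Python triage script for the kind of log posted above: it flags O4 autostart and O23 service entries whose binary lives under a profile or data folder, as with the netservice.exe entry mechBgon spotted, or whose service has no publisher. The sample lines are constructed from the log; the path prefixes and folder markers are assumptions for a default XP install, and the result is a first-pass filter, not a verdict.

```python
"""Triage a HijackThis log for autostart/service entries in unusual places.

Heuristic: an O4 (Run key) or O23 (service) entry whose binary lives under a
user-profile or shared-profile folder such as "All Users\\Favorites", or a
service with no publisher ("Unknown owner"), deserves a closer look. It is a
first-pass filter, not a verdict: malware can live in System32 too.
"""
import re
from typing import List, Tuple

# Where legitimately installed autostarts and services normally live on a
# default XP install (assumption; compared case-insensitively as prefixes).
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# Folder fragments that should not host a service or autostart binary.
SUSPICIOUS_MARKERS = (
    "\\documents and settings\\",
    "\\favorites\\",
    "\\temp\\",
    "\\application data\\",
    "\\local settings\\",
)

# First drive-letter path ending in .exe/.dll on the line. The lookahead stops
# a match from running across a second path ("rundll32 C:\...\foo.dll").
PATH_RE = re.compile(
    r"([A-Za-z]:\\(?:(?! [A-Za-z]:\\)[^\"\r\n])*?\.(?:exe|dll))", re.IGNORECASE
)

# Constructed sample: the netservice.exe line is the entry flagged in the
# thread; the others are ordinary entries of the same kind.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Themes. (netservice) - Unknown owner - C:\Documents and Settings\All Users\Favorites\netservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

Finding = Tuple[str, str, List[str]]  # (section, binary path, reasons)


def reasons_for(line: str, path: str) -> List[str]:
    """Return the reasons one entry looks suspicious (empty list if none)."""
    reasons: List[str] = []
    low = path.lower()
    if any(marker in low for marker in SUSPICIOUS_MARKERS):
        reasons.append("binary lives under a profile/data folder")
    elif not low.startswith(EXPECTED_PREFIXES):
        reasons.append("binary outside Windows and Program Files")
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service has no publisher (Unknown owner)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Scan O4/O23 lines of a HijackThis log and return the suspicious ones."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(("O4 ", "O23 ")):
            continue
        match = PATH_RE.search(line)
        if not match:  # bare file name resolved via PATH; not handled here
            continue
        path = match.group(1)
        reasons = reasons_for(line, path)
        if reasons:
            findings.append((line.split(" - ", 1)[0], path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```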
 

AnotherGuy

Senior member
Dec 9, 2003
678
0
71
Originally posted by: mechBgon
What's this here?

C:\Documents and Settings\All Users\Favorites\netservice.exe

Upload it to VirusTotal.com if you're not sure it's legit. Stuff should not be running from your All Users\Favorites folder.

I noticed that too... I'd delete it right away.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Eeesh!! Whatever netservice.exe is, it doesn't look good. Ten of the products below alerted on it. The one I use (Symantec), of course, did not! I Googled netservice.exe and it does, in fact, appear to be a virus of some sort.

Man, this is hard to believe. I just rebuilt my system 4 weeks ago and I haven't been to any suspect sites or downloaded anything or clicked on any links in email...all the stuff you're not supposed to do...and I still got infected!! Symantec, Spyware Doctor, Zone Alarm, all the latest Windows and Office patches...and look at what happens.

Anyway, thanks a lot for this info and the website. I'm going to do some research and figure out how to remove this one. I read a little bit so far and this thing seems to drop itself in several different folders as well as in the registry so I may be looking at another rebuild...argh!!

Anyway, here are the results of the upload. A dash "-" at the end of the line means it's not a virus, but a name at the end means it is. 31.25% of the scanners say it's a virus.

Thanks again for this very useful information!!
================

Result: 10/32 (31.25%)

AhnLab-V3 2008.1.12.10 2008.01.11 -
AntiVir 7.6.0.46 2008.01.11 BDS/Hupigon.Gen
Authentium 4.93.8 2008.01.12 -
Avast 4.7.1098.0 2008.01.12 Win32:Ceckno
AVG 7.5.0.516 2008.01.12 -
BitDefender 7.2 2008.01.12 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 9.00 2008.01.12 (Suspicious) - DNAScan
ClamAV 0.91.2 2008.01.11 -
DrWeb 4.44.0.09170 2008.01.12 -
eSafe 7.0.15.0 2008.01.10 -
eTrust-Vet 31.3.5451 2008.01.11 -
Ewido 4.0 2008.01.12 -
FileAdvisor 1 2008.01.12 -
Fortinet 3.14.0.0 2008.01.12 -
F-Prot 4.4.2.54 2008.01.11 W32/Hupigon.G.gen!Eldorado
F-Secure 6.70.13030.0 2008.01.12 -
Ikarus T3.1.1.20 2008.01.12 DroppedBackdoor.Hupigon.YRZ
Kaspersky 7.0.0.125 2008.01.12 -
McAfee 5205 2008.01.11 -
Microsoft 1.3109 2008.01.12 -
NOD32v2 2786 2008.01.12 probably a variant of Win32/Genetik
Norman 5.80.02 2008.01.11 -
Panda 9.0.0.4 2008.01.12 Suspicious file
Prevx1 V2 2008.01.12 -
Rising 20.26.52.00 2008.01.12 -
Sophos 4.24.0 2008.01.12 -
Sunbelt 2.2.907.0 2008.01.12 VIPRE.Suspicious
Symantec 10 2008.01.12 -
TheHacker 6.2.9.186 2008.01.11 -
VBA32 3.12.2.5 2008.01.12 -
VirusBuster 4.3.26:9 2008.01.12 -
Webwasher-Gateway 6.6.2 2008.01.12 Trojan.Backdoor.Hupigon.Gen
===================
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: stevem326
all the stuff you're not supposed to do

Did you use a non-Admin account, fully enable Data Execution Prevention, and (if possible) set up a Software Restriction Policy? Those are some proactive layers of defense that augment the "conventional wisdom" items like antivirus, antispyware, blah blah. As the VirusTotal results clearly show, you cannot consider signature-based or heuristic detection to be an impenetrable layer of defense by itself.

At this point, if it were me, I would nuke that system to the ground with DBAN and rebuild, but if you don't want to do that, start with some rootkit scanners, remove any rootkits that are discovered, then proceed on with multiple antivirus and antispyware scanners and another round of HijackThis after removing rootkits (if any).


Rootkit removers:

Panda antirootkit
McAfee rootkit remover
GMER

Over in the Security forum, Schadenfroh has a scripted malware-removal thingie set up which would fulfill the "multiple antivirus" role. This might be a good overnight project since I hear it can run quite a while.

The free version of Superantispyware is pretty good in the antispyware role: http://www.superantispyware.com


Tangentially, remember that web sites and downloads aren't the only attack vector in the world. CDs, DVDs and USB devices (flash drives, external HDDs, cameras, digital picture frames, etc) can carry malware which is designed to use WinXP's AutoPlay to auto-infect the system.
 
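A baseline check for the symptom this thread is about (local accounts that nobody created), added here as an example and not code posted by anyone in the thread: it parses the account table that XP's `net user` prints (a constructed sample is embedded, using the two account names from the first post) and reports any account missing from a known-good list. The hostname STEVE-XP, the baseline set and the `live_check` helper are assumptions.

```python
import re
import subprocess
from typing import List, Set

# Constructed sample of `net user` output from an XP box, not a real capture.
# It includes the two accounts from this thread that the owner never created.
SAMPLE_NET_USER_OUTPUT = """\
User accounts for \\\\STEVE-XP

-------------------------------------------------------------------------------
Administrator            Guest                    HelpAssistant
iisuser                  SQL$                     SUPPORT_388945a0
steve
The command completed successfully.
"""

# Accounts the owner knows about (assumed); anything else deserves a look.
BASELINE_ACCOUNTS: Set[str] = {
    "Administrator", "Guest", "HelpAssistant", "SUPPORT_388945a0", "steve",
}


def parse_net_user(output: str) -> List[str]:
    """Return account names from `net user` output, in listing order.

    The table starts after the dashed rule and ends at the status line.
    Columns are padded with runs of spaces, so splitting on two or more
    spaces keeps names that contain a single space intact.
    """
    names: List[str] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def unexpected_accounts(output: str, baseline: Set[str]) -> List[str]:
    """Accounts present on the machine but absent from the baseline."""
    return [name for name in parse_net_user(output) if name not in baseline]


def live_check(baseline: Set[str]) -> List[str]:
    """Run the real command on a Windows host (assumed helper, not used in the sample run)."""
    out = subprocess.run(["net", "user"], capture_output=True, text=True).stdout
    return unexpected_accounts(out, baseline)


if __name__ == "__main__":
    for name in unexpected_accounts(SAMPLE_NET_USER_OUTPUT, BASELINE_ACCOUNTS):
        print("unexpected local account:", name)
```

Run it from a scheduled task and compare against a baseline saved right after a clean rebuild; an account such as "iisuser" or "SQL$" then shows up the moment it is created rather than at the next logon screen.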

nerp

Diamond Member
Dec 31, 2005
9,865
105
106
Once you're done rebuilding from scratch, I suggest switching to the built-in firewall over Zone Alarm.

It's better.
 

stevem326

Senior member
Apr 5, 2005
337
0
0
Thanks a lot for all of the info, mechBgon. Unfortunately, I did not use a non-Admin account. Also, DEP was not fully enabled (it was only turned on for essential Windows programs and services). And, surprise, surprise, I didn't set up a Software Restriction Policy. I've just always thought that anti-virus and anti-spyware software was all you needed to do and you were pretty safe. Think again!!

Anyway, what I'm going to do now is use all of those rootkit scanners you provided and see if they turn up anything. Having to rebuild the whole system is easy, but it's just time consuming. I use something called WipeDrive from White Canyon Software that nukes every cluster of the hard drive (up to 12 overwrites). I'd like to avoid having to go through all of that again since I just rebuilt 4 weeks ago, but if this thing is installed all over my system there's no way I'll be able to get it out I bet.

Anyway, I'll post back in a bit and let you know what the rootkit scanners found (if anything). Thanks again for all of this very helpful info. If I end up rebuilding, for sure I'm going to take all of the extra precautions you suggested above (non-Admin account, full DEP, software restriction policy, etc.)