SoftwareTipsandTricks Forum


More users than I asked for


#1
02-02-2004, 02:12 PM
ddudeit

I am the only one using my Presario computer. But once in a while I have to log on to my machine, and that is caused by someone or something adding a user or administrator account to my system. Could anyone tell me what level of firewall will keep this from happening? The one on XP's OS doesn't work. I'm running Nortons 2002 antivirus. I know it's old, but it stays up to date on the viruses.
__________________
chowwwwwwwfernowwwwww

#2
02-02-2004, 03:05 PM
njovin
To clarify, are you saying that once you log in, you can go to the users section of the control panel and there are actually users there that you have to delete? Or are you just saying that you have to log on, but there aren't any new users listed?

#3
02-02-2004, 06:17 PM
ddudeit
I actually have to go to user accounts and delete new users. And one time they set up an administrative account. I had to restore my OS to get them out. This incident has happened 4 times now. I recently installed a free copy of BullGuard to hold me over until my Nortons products come in. But that will be in 5 to 7 business days.

#4
02-02-2004, 08:18 PM
njovin
Is there a password on your administrator account? Also, hit Ctrl+Shift+Esc to bring up the task manager, go to the processes tab, and (I know this may be a pain) list everything that's running. There may be a service there acting as a backdoor. I'm sure we can narrow this down.

And I have to ask the dumb question: are you 100% sure somebody isn't PHYSICALLY logging on to your computer (locally, like at your desk) and making these changes?

#5
02-03-2004, 09:13 AM
ddudeit

I really appreciate the help. I hope this prints the way I typed it; if not it's going to be a jumbled mess. Sorry if it does.
So I'm going to list everything in order from top to bottom with
image name, username, mem usage, base pri. Here goes:


Image name            Username          Mem usage  Base pri
taskmgr.exe           mycompname        1752k      high
ybrowser.exe                            25,880     norm
pfppop70                                664        norm
Bttnserv                                740
EAUSBKBD                                224
CPQEADM                                 1,016
ycommon                                 3,656
Directcd                                988
bdmcon                                  8,528
tgcmd                                   212        this one changes #
CFD                                     1,324
ybrwicon                                1,792
NAVAPW32                                1,824
STARTEAK                                556
avxnews                                 2,060
hpsysdrv                                288
bdss                  sys               7,132
CCD                                     3,192
spoolsv               sys               1,144
explorer                                11,780
ati2evxx                                696
xcommsvr              sys               932
svhost                local service     808
svhost                network service   1,380
svhost                sys               944
tcpsvcs               sys               708
svchost               sys               7,676
svchost               sys               1,380
ati2evxx              sys               420
compaq-rba            sys               1,368
lsass                 sys               1,048
services              sys               1,716
winlogon              sys               1,900      high
csrss                 sys               1,708      high
smss                  sys               88
vsserv                sys               1,404
CManager                                5,988
system                sys               52
system Idle process   sys               92         N/A

Unless otherwise noted, all the entries under username are my computer's name. Also, unless otherwise noted, all entries under Base pri are normal.

also in

my computer / manage / system tools / event viewer / security

there is a list of Success Audits & Failure Audits
the usual Success Audit consists of
user name (ANONYMOUS LOGON)
Domain ( nt authority)

the usual Failure Audit consists of
Reason (unknown user name or password )
User Name (Andree Naylor )
this is just one of many different names
Domain ( ANDREE2 )
Logon Type ( 3 )
Logon Process ( NtLmSsp )
Authentication Package:
( MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 )
Workstation Name: (ANDREE2)

There are thousands of entries in the last 5 days
(that's when I formatted and restored my computer trying to rid myself of the administrator that showed himself in users).

The scariest one appears 1/31/04 8:19am. It reads:

A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

Logon Process Name: REMOTE_ACCESS

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

When I tried logging on to this link it wouldn't let me on. I've tried 5 or 6 times and nothing.


Note: I first looked in this security log because I was curious to see what kind of activity was going on behind closed windows, and for the record it's amazing what you'll find.

Again I'm thankful for the help and I hope this is enough info; if not I'll be happy to provide more.
Reply With Quote
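The failure audits described in post #5 (Logon Type 3, logon process NtLmSsp, many different user names arriving from one workstation) can be summarised per source workstation to show which remote machine is guessing at accounts. This is an added example, not part of the original thread; it assumes the audit entries have been copied out as `Field: value` lines, and every host and user name in it is constructed.

```python
import re
from collections import defaultdict

def _entry(user, workstation, logon_type, process="NtLmSsp"):
    """Build one constructed failure-audit entry using the fields named in post #5."""
    return (f"Reason: Unknown user name or bad password\nUser Name: {user}\n"
            f"Domain: {workstation}\nLogon Type: {logon_type}\n"
            f"Logon Process: {process}\nWorkstation Name: {workstation}\n")

# Constructed sample data (not taken from the poster's log).
SAMPLE = "\n".join([
    _entry("admin", "HOST-A", 3),
    _entry("guest", "HOST-A", 3),
    _entry("owner", "HOST-A", 3),
    _entry("owner", "MYPC", 2, process="User32"),  # local keyboard logon, not network
    _entry("backup", "HOST-B", 3),
])

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")

def parse_records(text):
    """Split the export on blank lines; return one {field: value} dict per entry."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                rec[m.group(1).lower()] = m.group(2)
        if rec:
            records.append(rec)
    return records

def guessing_sources(records, min_users=3):
    """Workstations whose network (type 3) failures hit >= min_users distinct names."""
    users = defaultdict(set)
    for r in records:
        if r.get("logon type") == "3":  # 3 = logon over the network
            users[r.get("workstation name", "?")].add(r.get("user name", "").lower())
    return {ws: sorted(names) for ws, names in users.items() if len(names) >= min_users}

if __name__ == "__main__":
    for ws, names in guessing_sources(parse_records(SAMPLE)).items():
        print(f"{ws}: failed network logons for {len(names)} names: {', '.join(names)}")
```

A workstation that appears here is a remote machine repeatedly trying account names against file sharing, which is the pattern a firewall blocking inbound file-sharing traffic is meant to stop.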

#6
02-03-2004, 08:38 PM
njovin
As I suspected, some of those processes are malicious. After a quick Google search on a couple that looked funny I think it's safe to say you have a virus. The following three links should contain enough info to get you back on track. I know they're long threads, but read them through and they should solve your problem.


http://www.linkbyte.com/ubb/Forum6/HTML/000008.html

http://www.experts-exchange.com/Oper..._20837946.html

http://www.experts-exchange.com/Oper..._20786740.html

#7
02-17-2004, 02:23 PM
ddudeit
Thanks for your help njovin, it was most helpful; and I'd like to add one of my intruders came from Windows Update through a download called MICROSOFT .NET FRAMEWORK. I still don't understand why. I'm just glad to be alone again. Thank you for all you did.
All times are GMT -5.