Vista Creates Internet Access Accounts?

Theydon Bois

Distinguished Member
I am getting this on startup, 4 copies of an account called Internet Access, along with my normal administrative account.

I googled and got this, and I also can confirm that I have not visited dodgy sites. :eek:

Just running a full McAfee at the mo, and I am pretty up to date with Vista updates (at least SP1) and looks like I only need 3 updates (grabbing them now).

It's been happening for 2 days now, and I keep deleting the accounts, and I have UAC turned on.

Any thoughts?
 

Theydon Bois

Distinguished Member
...well seemed to have fixed it.

Found something on the intermahnet that led me to a file called wserving.exe which is naughty.

Deleted all the accounts.

Used control passwords2 to turn on the three fingered salute logon.

End process on wserving.exe

Ran regedit and deleted the two instances of the folder wserving and all its contents.

Deleted the wserving.exe file in the system32 folder.

Rebooted, and no accounts showing (they previously re-added themselves on reboot). Double checked the user accounts folder and nothing there.

Hopefully this is tied into an audio advert file that plays a 2 second clip of an American advert that frightens the life out of me every time it randomly plays....

Oh, and can I thank myself for a job well done? :thumbsup:
 

stu.artd

Prominent Member
...well seemed to have fixed it.

Found something on the intermahnet that led me to a file called wserving.exe which is naughty.

Deleted all the accounts.

Used control passwords2 to turn on the three fingered salute logon.

End process on wserving.exe

Ran regedit and deleted the two instances of the folder wserving and all its contents.

Deleted the wserving.exe file in the system32 folder.

Rebooted, and no accounts showing (they previously re-added themselves on reboot). Double checked the user accounts folder and nothing there.

Hopefully this is tied into an audio advert file that plays a 2 second clip of an American advert that frightens the life out of me every time it randomly plays....

Oh, and can I thank myself for a job well done? :thumbsup:

You can give yourself a big pat on the back for fixing it and then a slap on the head for letting the dodgy :censored: get on there in the first place :devil:
 

Theydon Bois

Distinguished Member
And now, after my daughter has been using my laptop, I have them all back again. :mad:

Apparently it's a rootkit of some form, and I am just running a scan as recommended here. I was on the right track with the file I tracked down yesterday, but it appears that there are more than the 1 file I originally found.

McAfee gets yet another point deducted for being bloody useless in nearly everything from server management to picking up files even with spyware/trojan installed (or will they bring out a rootkit addition? :confused: :thumbsdow )

I'd like to know its origins though......
 

dazza1011

Prominent Member
Try using AVG, they have a free trial for internet security. I had loads and it got rid of all mine.

Then ban your daughter from using the internet. Bloody kids and their myface bebo crap.
 

Theydon Bois

Distinguished Member
Yep, McAfee had failed once too often in my eyes, and despite having the enterprise edition, it found nothing when I did a full scan on the first night I found the problem.

I ran the panda scan, and it found something, but I had not registered first, so wasted all that time as the registration failed.

I downloaded the AVG8 full version trial, and ran and installed it and it picked up a trojan straight away after install, and a scan revealed all of the files and deleted them.

Looks like AVG will be getting my cash.......:lesson:
 

Theydon Bois

Distinguished Member
And they are back again.

I have deleted the accounts and am now running another AVG scan now - it looks like it may have also disabled the rootkit search as well - this was unticked before I ran the next scan.

I am using the database that ends in .1454

I have deleted my daughter's account (she will be pleased...:rolleyes:) and will monitor this. Still no definitive answer on where the little bugger has actually come from!
 

albertz

Established Member
McAfee gets yet another point deducted for being bloody useless in nearly everything......

Hear, hear! I have never found a more hopeless antivirus package. There is a piece of software called webroot spysweeper which I had on my old laptop, it was genuinely impressive, found everything before it got in, you have to pay for it though.
 

KBDXx

Standard Member
I believe this trojan/rootkit has an association with Afinding.exe and mtmc.exe, which are new malware that was released just recently. I have this process on my computer as well, and I am running Vista, but I have not yet had any accounts created. However, mtmc.exe was running from a foreign user account such as (IUser_2134) or (unknown) and I had to boot without an internet connection to be able to remove this process and program, otherwise I wouldn't have "Permissions" to do so (Even though I am the administrator account). Your daughter seems to be running a certain kind of malware on your computer, and I don't know exactly what either.

(Still fighting wserving.exe and possible other trojans.)

All while I went camping for a week too.


Edit: Routing.exe/perfs.exe is a virus as well. =_= Gawd dangit.
 

CP-PC

Established Member
Does this only happen on Vista? Or has it been reported on XP as well? I remember seeing something like this on my system (running XP Pro). I had basic XP Pro installed while I was messing about overclocking and stability testing, and I noticed this kind of thing too. It told me I didn't have access to it (I was also the admin and that was the only account on the PC) and when I did manage to end the processes they came back on reboot. I finished stability testing and wiped my hard drives and reinstalled XP Pro with all the updates and I'm running Norton Internet Security 2004 with all the updates. I've also got Ad-Aware too and I've never since had the problem. This thread caught my eye but from what I can see no one is reporting this activity on Windows XP, just Vista. How does it get on the system in the first place?
 

UKCamaroSS

Established Member
Hi,

I previously used McAfee, then AVG (Free edition) but recently switched to Avast (V4.8) after having problems with the others. Avast has so far been excellent.
If you're looking to switch from your current software, it's worth a look - it includes Anti spyware and Anti rootkit detection.

Another online scanner you could try is F Secure.com's - it's really good.

Regarding the actual infection, have you tried running a program called HijackThis and/or combofix and reporting their results on an anti malware site, such as geekstogo or bleepingcomputer?

From a quick look on the net, it looks like your issue might be connected to the Trojan-Downloader.Win32.Delf virus.


Good luck,
UKCamaroSS
 

Theydon Bois

Distinguished Member
I deleted all the accounts again the other night, and my daughter's, and ran another full AVG scan, and it picked up a hidden .sys driver, which I removed. AVG did not find any other references to Wserving, perfs, or the other 2 or 3 exe files.

My Laptop has been rebooted a few times now, and nothing has come back yet.
 

WildeKarde

Distinguished Member
I've got spysweeper running on my desktop and it seems pretty good at picking most things up - you can download a free scanner only version then pay if you want to actually use it to remove anything.

I seem to have mine on US pricing so they give me it for $20/year which I can't really complain about (although it sometimes takes a while to get itself started on boot :( )
 

Theydon Bois

Distinguished Member
...and it came back again.:mad:

I tried Webroot Spyware, the latest demo version, and that found nothing but cookies for places/companies that I don't recognise.

I found this thread a couple of days ago, and so tried the things on the list, but the first few items did not work.

Combofix however, found them all, removed them and other items, and rebooted. The accounts were still there, and so I removed them, ran combo fix again, and rebooted - no Internet Access Accounts have been created.

......fingers crossed it's gone now....:smashin:
 

dingdong1234567

Standard Member
Hi there, don't post too often but here goes. I have the same prob. Ran Avast antivirus last night before the land of nod and it had found a virus this morn. Will post details later of what it found as I was late for work.

Ran Spybot as well, it didn't find anything major. This hasn't affected the main PC in the house just the laptop so far.
 

Theydon Bois

Distinguished Member
Yep, mine is only on the laptop also. I have another 3 PCs in the house, 2 on XP SP3, and my HTPC on Vista SP1, and none of them has it. My HTPC runs AVG free edition, but only ever browses the HTPC related sites (here, Media Portal, AnyDVD etc).

As I mentioned, I want to know what actually causes it - My daughter is not stupid, and knows the only reason she has the internet in her room is because I VNC and watch her every now and then, and knows that I know enough about IT that I could make up anything about monitoring methods and she would believe me. Hence her (self imposed) browsing is limited to the social networking of bebo, myspace etc and youtube as I will bag her at viewing anything undesirable....
 

Dragy2k

Established Member
have a gander at kaspersky and nod32 apps seem to be on the top progs for gettin rid of dodgy crap
 

dingdong1234567

Standard Member
Update: Slaptop seems to be ok now (well for now anyway, fingers crossed!) See the snap shot below from the Avast chest. Hope this info helps you guys out in some way.
 

Attachments

  • Virus.JPG

DudicalDuuude

Standard Member
Hey guys,
I am new here and was experiencing the same problem with my XP machine. I have tried scanning with all sorts of Anti-virus programs and root-kit removal tools. All of them have failed to correct the issue. Here are the steps that I have used to successfully remove this nuisance.


1> Open "System Properties"
2> Click on the "System Restore" tab and disable your system restore
3> Next open your Task Manager and click on the "Processes" tab
4> Stop the following processes:
MTMC.EXE
PERFS.EXE
ANDT.SYS (or exe)
INDT2.SYS
ROUTING.EXE
(Also, you should make sure to check off the show processes from all users and stop all processes that aren't being used by your account, SYSTEM, LOCAL SERVICE, and NETWORK SERVICE)
5> Next open C:\WINDOWS\system32 and remove the following files:
MTMC.EXE
PERFS.EXE
ANDT.SYS (or exe)
INDT2.SYS
ROUTING.EXE

******NOTE: The following steps modify your registry. Make sure to back up your registry in case of error******

6> Open Regedit through Control Panel and navigate to:
HKLM/SOFTWARE/Microsoft/ESENT/Process/
In the sub keys you will see entries for MTMC, INDT2, ANDT, ROUTING, and PERFS. Delete them.

7> Close REGEDIT and restart your computer. Don't forget to re-enable your System Restore

******NOTE: These registry keys cannot be found by doing a search through the registry. You must navigate to the location to find them. I spent a long time searching through the entire registry and was unable to find any other keys... I have been problem free since yesterday morning******


I hope this helps.

Duuude
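
A read-only check for the indicators named in the post above and earlier in the thread, as an added example that is not part of any poster's message. It assumes Windows PowerShell 2.0 or later in an elevated prompt, that the registry entries are subkeys named after the processes, and that the account names start with "Internet Access"; the name lists are taken from the thread.

```powershell
# Read-only triage: reports indicators from this thread, deletes nothing.

# File names the thread places in C:\WINDOWS\system32
$fileNames = 'wserving.exe','mtmc.exe','perfs.exe','routing.exe',
             'andt.sys','andt.exe','indt2.sys'
# Process names: the executables above plus afinding (its path is not given in the thread)
$procNames = 'wserving','mtmc','perfs','routing','andt','afinding'
# Subkey names listed in step 6 (assumed to match the subkey name exactly)
$keyNames  = 'mtmc','indt2','andt','routing','perfs'

$findings = @()

# 1. Files in System32, including ones marked hidden or system
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in $fileNames) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += "FILE     $path (modified $($item.LastWriteTime))"
    }
}

# 2. Running processes (-contains is case-insensitive)
foreach ($p in Get-Process) {
    if ($procNames -contains $p.ProcessName) {
        $findings += "PROCESS  $($p.ProcessName) (PID $($p.Id))"
    }
}

# 3. Subkeys under the registry location from step 6
$esent = 'HKLM:\SOFTWARE\Microsoft\ESENT\Process'
if (Test-Path $esent) {
    foreach ($key in Get-ChildItem $esent) {
        if ($keyNames -contains $key.PSChildName) { $findings += "REGISTRY $($key.Name)" }
    }
}

# 4. Local accounts whose name starts with "Internet Access" (assumed naming)
foreach ($a in Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True") {
    if ($a.Name -like 'Internet Access*') {
        $findings += "ACCOUNT  $($a.Name) (disabled: $($a.Disabled))"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings }
```

An empty result is not proof of a clean machine: the thread reports a hidden .sys driver, and a rootkit that hides files and processes from the running system can hide them from this check as well.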
 

Theydon Bois

Distinguished Member
Hello everyone, :shuffles nervously to the podium: my name is Theydon Bois. I am standing here at Spy and Malware Anonymous to tell you I have been clean now for 4 days, and with your help, I hope to make it safely to the next day and then the next.

Thanks for your support. :D
 

AlexChan8310

Standard Member
Thanks for your support....I'm on the last step.....I can't find HKLM/SOFTWARE/Microsoft/ESENT/Process in the Windows Vista regedit....I don't know why.....so how am I going it...and these internet access accounts are bugging me for few weeks and plays random clips....which makes me wanna smash my Windows Vista laptop on the wall and smash it on the ground and throw it in garbage......
 

Theydon Bois

Distinguished Member
Thanks for your support....I'm on the last step.....I can't find HKLM/SOFTWARE/Microsoft/ESENT/Process in the Windows Vista regedit....I don't know why.....so how am I going it...and these internet access accounts are bugging me for few weeks and plays random clips....which makes me wanna smash my Windows Vista laptop on the wall and smash it on the ground and throw it in garbage......

Alex, go back to one of my posts on the 1st page of this thread and check the link for the combofix app. That's what got rid of mine.
 

AlexChan8310

Standard Member
Thank you so much Theydon Bois...Well I disabled the system restore, shut down all the programs, unplugged the internet and then I ran the combofix app...I think it got rid of the spyware that was causing the problems....After reboot, the combofix ran again for a few mins....and then everything was back to normal....I enabled the system restore again and created new restore points....Apparently, those internet access accounts are not there anymore and those random clips playing in the background are not playing anymore...Once again, thank you so much for helping me out and I'm crossing my fingers that they do not appear again in future....thank you so much....:thumbsup:
 
