Active Directory Users Regenerate

I have a Windows 2003 server. It is a domain controller and Exchange 2003 host. I believe the security of this box has been compromised but I cannot find the root cause. Virus scans are clean. The problem relates to two user accounts that I cannot keep disabled or removed. The accounts are “Guest” and “Support_#######” (where ###### is a hex string). If I rename the Guest account, a new and clean “Guest” account is automatically recreated if I reboot the server or log in via RDP. The same is true of the “Support_########” account. What is more disturbing is that both of these accounts are automatically added to the Administrators group and Remote Desktop Users group. If I disable these accounts, they re-enable themselves. I know that typically the “Support_######” account is related to Remote Assistance, but that option is not enabled on this server. I do not want Guest or Support_####### to have any admin rights and would ideally like them to just go away. Any help would be appreciated.
smcotton Asked:
snusgubben Commented:
Open "msconfig" and look for suspicious entries in the Start Up (tab).

Try Malware Bytes and see if that finds any malware on the host.

http://www.malwarebytes.org/
 
ArneLovius Commented:
Could these accounts be set through a GPO ?
 
smcotton (Author) Commented:
Nothing unusual in msconfig, or registry Run, or Startup folder, or scheduled events. Malwarebytes found three objects and removed them:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
c:\program files\getdislike\uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mmso.dll (Trojan.FakeMS.Gen) -> Quarantined and deleted successfully.

Problem still remains. A new scan comes up clean.

Not sure where in the GPO I would look for setting to set up accounts like this. But it’s important to note that the renamed Guest account is still considered a system account while the guest account that gets recreated each time is easily deleted.
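As an added example (not code from the thread), the following PowerShell audit checks the two symptoms described above, Guest and Support_* accounts being re-enabled and placed in Administrators or Remote Desktop Users, together with the Run keys and Winlogon values that execute at reboot or RDP logon, which is what the msconfig/registry advice in the replies amounts to. It assumes it is run on the domain controller as a domain admin with PowerShell 2.0 or later installed; the LDAP filter, the privileged-group list and the stock Winlogon values are assumptions, not taken from the page.

```powershell
# Added example, not from the thread. Audits the Guest / Support_* accounts the asker
# describes and the autostart locations the replies suggest checking.
# Assumes: run on the DC as a domain admin, PowerShell 2.0+ (no AD module on Windows 2003).

$SuspectFilter    = '(&(objectCategory=person)(objectClass=user)(|(sAMAccountName=Guest)(sAMAccountName=Support_*)))'
$PrivilegedGroups = 'Administrators', 'Remote Desktop Users', 'Domain Admins'   # assumed watch list

function Get-SuspectAccountReport {
    # Query AD directly with DirectorySearcher; default search root is the domain NC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $SuspectFilter
    foreach ($r in $searcher.FindAll()) {
        $uac    = [int]$r.Properties['useraccountcontrol'][0]
        $groups = @($r.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        New-Object PSObject -Property @{
            Account    = [string]$r.Properties['samaccountname'][0]
            Enabled    = -not ($uac -band 0x2)      # 0x2 = ACCOUNTDISABLE bit of userAccountControl
            Created    = $r.Properties['whencreated'][0]
            Privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ }) -join ';'
        }
    }
}

function Get-AutostartReport {
    # Run/RunOnce (what msconfig shows) plus the Winlogon Userinit/Shell values, which run at
    # every interactive logon and so fit "recreated on reboot or RDP login".
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $stock = @{ Userinit = "$env:SystemRoot\system32\userinit.exe,"; Shell = 'Explorer.exe' }  # assumed defaults
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                                  # provider metadata
            if ($k -like '*Winlogon' -and -not $stock.ContainsKey($p.Name)) { continue }
            $flag = if ($stock.ContainsKey($p.Name) -and $p.Value -ne $stock[$p.Name]) { 'REVIEW' } else { '' }
            New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Value = $p.Value; Flag = $flag }
        }
    }
}

Get-SuspectAccountReport | Format-Table Account, Enabled, Created, Privileged -AutoSize
Get-AutostartReport      | Format-Table Flag, Name, Value, Key -AutoSize
```

Run it before and after each reboot or RDP logon; an account that flips back to Enabled or regains a privileged group between runs, or a REVIEW-flagged Winlogon value, points at the persistence mechanism to examine next.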
 
snusgubben Commented:
It sounds like you're dealing with a rootkit (http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html).

You should ask a moderator to add your question to the anti-virus zone.
 
MidnightOne Commented:
I would HIGHLY recommend you use an independent (read: Never connected to that network) system to grab Kaspersky Rescue Disk.

Once the ISO is burned to a CD:
Boot from this CD
Let it auto-configure the network card
Update its definitions
Scan server

It's going to take a couple of hours to do this, so patience is a requirement. Once done, scan it again to make sure.
 
smcotton (Author) Commented:
I have isolated the server in question to prevent communication (except smtp and imap). I need to take the steps mentioned above but this is a valued production server so I need to do this off hours. Will post again here shortly.
 
snusgubben Commented:
If you do a clean-up on a compromised server, I would never "trust" it again. I would create a new server and move the roles (i.e. a dedicated DC and a dedicated Exchange). Then re-install the old one.

Also an important step would be to find out why the server was compromised in the first place.
 
smcotton (Author) Commented:
After a thorough review of the registry, I found entries which clearly activated the background processes which extended the compromise. I removed the entries along with several exe's, residual directories and questionable profiles. Several reboots later and I have no unwanted activity. Will monitor the server for a period to verify the threat is dead.
 
Pber (Solutions Architect) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.