HelpAssistant Account hacked?
Hello all,
I have a problem, just noticed today, not sure how long it's been there.
My machine is an XP SP3 (tablet edition if that matters), on a home network with 2 computers with cable internet.
I'm running Avast 4.8.
This morning, Avast alerted me to a virus in the HelpAssistant account folder for temporary internet files (C:\Documents and Settings\HelpAssistant\Local Settings\Temporary Internet Files\Content.IE5). I had never heard of this account, but I've learned it's the RDP account. Anyway, I noticed that the Temporary Internet Files folder was growing at an alarming rate, about 3MB per minute. Looking in there were the standard files, some html, .js, etc., nothing unusual... but rapidly growing.
Alarmed, I went to disable the account, and turned up the logging in Event Viewer. Someone with NTAUTHORITY/SYSTEM keeps re-enabling the account. I tried changing the password, same thing, NTAUTHORITY/SYSTEM changes the password again, and then I start getting thousands of internet files.
Is this normal?
I tried deleting old accounts, changing the Administrator logon, but nothing helps... is a trojan doing this? What steps can I take to identify and remove it? Or is it somebody logging in from the outside?
Thanks in advance, any thoughts would be appreciated.
-Jim