"stuarab" <> wrote in message
news:...
>
> hello,
>
> A strange account has appeared on my DC:
>
> IWAM_NET74f9d0d2a9f9 - it is a member of the Domain Users group but I
> cannot find where it came from. It has a folder under Documents &
> Settings. My virus software detected viruses within this folder, which
> initially alerted me to it. I have disabled the account. Another symptom:
> my virus software was shutting down. I am scanning with Malwarebytes,
> Stinger and my onboard virus software.
>
> Anyone recognise this account? The server appears clean now but I am
> worried I have been hacked. In my event logs I can see multiple events
> related to my remote access software and what looks to me like access
> attempts from external IP addresses.
>
> Any ideas or tips gratefully accepted.
>
> cheers stu
>
>
> --
> stuarab
Stu,
It appears that the name, "NET74f9d0d2a9f9," was the original machine's name
when it was created, and IIS was installed while it had that name. You may
have received it that way and when you ran the mini-setup when you first
plugged it in and turned it on, you changed the name. The manufacturer could
have pre-imaged (sysprep) their machines and that was the name of it in
their image. The IWAM and IUSR accounts are used in IIS. IWAM is used to run
web applications (like .Net apps) under its name context, and IUSR is used
as the 'anonymous' account to access a web site on your machine.
More info on what they are used for. Do not disable or delete them.
The IUSR_ computer and IWAM_ computer accounts
http://exchangeserverinfo.com/2009/0...-accounts.aspx
After you clean up the viruses and other malware, you can use the
SYNCIWAM.vbs script to reset the passwords on the two accounts just in case
they were compromised. I just can't see why either of these accounts would
be used to access a machine, since they have limited access to any machine.
If you see a profile for the IWAM, they were probably used for an installed
web application.
Read the following for more info.
PRB: Configured Identity Is Incorrect for IWAM Account
IIS 5.0 provides the Synciwam.vbs file to update the starting identity of all
IIS COM+ application packages that run out-of-process. The Synciwam.vbs
script ...
http://support.microsoft.com/kb/297989
Synciwam Utility Does Not Function and Generates Error 80110414
When you run the Synciwam utility (Synciwam.vbs) to synchronize Internet
Information Services (IIS) out-of-process applications, it may not function, ...
http://support.microsoft.com/kb/269367
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
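
Added example, not part of the reply above and not Microsoft's code: a Windows PowerShell triage check that lists IWAM_/IUSR_ accounts and compares each one with the current computer name and with the identities IIS is configured to use. The function name, the verdict strings and the sample host name DC01 are made up for illustration; the live query assumes the IIS ADSI provider (IIS 5/6 metabase) is present on the server.

```powershell
# Added example: classify IWAM_/IUSR_ accounts during triage.
function Get-IisAccountVerdict {
    param(
        [string]$AccountName,          # account found on the machine, e.g. IWAM_NET74f9d0d2a9f9
        [string]$ComputerName,         # current NetBIOS name of the server
        [string[]]$ConfiguredIdentity  # WAMUserName / AnonymousUserName read from the metabase
    )
    if ($AccountName -match '^(IWAM|IUSR)_(.+)$') {
        $suffix = $Matches[2]
        # IIS is actually configured to run as this account.
        if ($ConfiguredIdentity -contains $AccountName) { return 'InUseByIis' }
        # Name follows the current machine name but IIS does not reference it.
        if ($suffix -ieq $ComputerName) { return 'MatchesComputerName' }
        # Suffix is some other name: consistent with IIS having been installed
        # before a rename (sysprep image), but the origin still has to be confirmed.
        return 'SuffixFromOtherName'
    }
    return 'NotIisStyleName'
}

# Constructed sample: server now named DC01 (hypothetical), IIS installed under the old name.
Get-IisAccountVerdict -AccountName 'IWAM_NET74f9d0d2a9f9' -ComputerName 'DC01' `
    -ConfiguredIdentity @('IWAM_NET74f9d0d2a9f9', 'IUSR_NET74f9d0d2a9f9')

# Live check (run elevated on the server itself).
$iis = [ADSI]'IIS://localhost/W3SVC'
$configured = @($iis.WAMUserName, $iis.AnonymousUserName) |
    ForEach-Object { "$_" -replace '^.*\\', '' }   # strip any DOMAIN\ prefix

Get-WmiObject Win32_UserAccount -Filter "Name LIKE 'IWAM[_]%' OR Name LIKE 'IUSR[_]%'" |
    Select-Object Name, Domain, Disabled, SID,
        @{ n = 'Verdict'; e = { Get-IisAccountVerdict $_.Name $env:COMPUTERNAME $configured } }
```

An account reported as SuffixFromOtherName that is not referenced by IIS, or any account that returns NotIisStyleName when checked by hand, is the one to trace through the event logs before re-enabling anything.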