Windows 2003 server being hacked
I keep checking in Active Directory and a user name chift keeps being added. I delete the guy and his name is back soon after. I have also deleted a couple of other names before that I found. I have the Windows Firewall on and installed Norton Endpoint Protection, but after the issue started. The Norton says warning - file system auto protect is malfunctioning. Norton also says antivirus and anti spyware warning. It also says a Trojan.Dropper c:\winnt\y.exe was found. I noticed these new entries in my HijackThis when running it:

O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKCU\..\Run: [Windows Update] "C:\WINNT\system32\Updater.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

Is there a tool or something to remove these idiots from my server?
December 16th, 2010 1:48pm
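
The O4 autorun lines pasted in the post above can be parsed into an inventory of the binaries that start at every logon, so each file can be checked on disk. This is an added example, not part of the original thread; the function names are hypothetical and the sample is a subset of the lines the poster quoted.

```python
import re
from collections import defaultdict

# Subset of the O4 lines quoted in the post above.
SAMPLE = r"""O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKCU\..\Run: [Windows Update] "C:\WINNT\system32\Updater.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Default user')"""

# hive \..\ key: [value name] command line, optionally followed by (User '...')
O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Executable path: either quoted, or everything up to the first ".exe"
# (unquoted paths may contain spaces, e.g. C:\Program Files\...).
IMAGE = re.compile(r'"([^"]+)"|(.*?\.exe)', re.IGNORECASE)

def parse_o4(text):
    """Return one dict per O4 line: hive, key, name, command, user, image."""
    entries = []
    for line in text.splitlines():
        m = O4.match(line.strip())
        if not m:
            continue  # not an O4 autorun line
        e = m.groupdict()
        img = IMAGE.match(e["command"])
        path = (img.group(1) or img.group(2)) if img else e["command"]
        e["image"] = path.lower()  # Windows paths are case-insensitive
        entries.append(e)
    return entries

def every_logon(entries):
    """Group Run (not RunOnce) entries by binary; these start at every logon."""
    by_image = defaultdict(list)
    for e in entries:
        if e["key"] == "Run":
            by_image[e["image"]].append((e["hive"], e["name"]))
    return dict(by_image)

if __name__ == "__main__":
    for image, refs in sorted(every_logon(parse_o4(SAMPLE)).items()):
        print(image, refs)
```
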

Hi,

I suggest you try a free online virus scan on the following site: http://safety.live.com/

Meanwhile, if you need more help with virus-related issues, please contact Microsoft Product Support Services. For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338). For support outside the United States and Canada, visit the Product Support Services Web page (http://support.microsoft.com/?pr=SecurityHome).

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
December 16th, 2010 8:16pm

Belcherman, I have a user by the same username that's created an account on my server. If you see this would you get in touch with me via memennis @ hotmail dot com
May 6th, 2011 8:38pm

This topic is archived. No further replies will be accepted.
