  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 365

Mystery Account Created on Laptops

On a couple of our laptops a mystery account has shown up as being created. The format of the account is always the same: 12 characters long, the first 6 are always lower case and the last 6 are upper case, as shown in the images. I cannot find anything in the Event Viewer relating to the account being created or it doing anything. Our main concern is that the account is part of the Administrators group. Any ideas on how to find out what it is and when it was created? Now, all of our computers, laptops and servers are IBM, and I came across the article below, which sounds like our issue, with there being a hidden installer account; but what we are seeing is the account coming and going randomly within a week. And on top of it, we install Windows XP SP2 from scratch.

http://seclists.org/vulnwatch/2004/q3/0052.html
Attachments: regsitry.JPG, CompMan.JPG
Asked by: cziggy
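One way to answer the question's "what it is and when it was created", as an added example rather than anything posted in the thread: a PowerShell script that lists local Administrators members matching the described 6-lowercase/6-uppercase pattern and pulls the Security-log events that recorded each one's creation or group addition. It assumes a modern Windows host (event IDs 4720/4732 replaced XP's 624/636) with "Audit Account Management" enabled; the `$pattern` regex is my reading of the description above.

```powershell
# Added example (not from the thread): flag local Administrators members whose name
# matches the pattern described in the question and show when the Security log says
# they were created (4720) or added to a local group (4732). XP used 624/636 instead.
# Assumes Account Management auditing is enabled; otherwise there are no events to find.
$pattern = '^[a-z]{6}[A-Z]{6}$'   # assumed from the description: 6 lowercase + 6 uppercase

# The WinNT ADSI provider also works on hosts without the LocalAccounts module.
$group   = [ADSI]'WinNT://./Administrators,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

# -cmatch is case-sensitive, which the lowercase/uppercase split of the pattern needs.
$suspects = @($members | Where-Object { $_ -cmatch $pattern })
if ($suspects.Count -eq 0) {
    Write-Output 'No Administrators member matches the pattern.'
    return
}

foreach ($name in $suspects) {
    # 4732 events often carry only the member's SID, so search for the name or the SID.
    $sid = $null
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { }
    $needle = [regex]::Escape($name)
    if ($sid) { $needle += '|' + [regex]::Escape($sid) }

    Write-Output "Suspicious local admin: $name (SID: $sid)"
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $needle }

    if (-not $events) {
        Write-Output "  No 4720/4732 event mentions $name. Check the audit policy with:"
        Write-Output '  auditpol /get /category:"Account Management"'
        Write-Output '  (a cleared Security log leaves event 1102 behind; check for that too)'
        continue
    }
    # The first "Account Name:" in the message is the Subject, i.e. who performed the action.
    $events | Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } },
        @{ n = 'Actor';   e = { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '' } } } |
        Format-Table -AutoSize
}
```

Run it in an elevated PowerShell on an affected laptop; the Actor column tells you which account (or which service/script running as SYSTEM) created the user, which is the lead the thread is looking for.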
1 Solution
peakpeak commented:
You should definitely do a virus/malware scan on the affected computers. If the accounts are members of the admin group it's even more critical.
cziggy (Author) commented:
All of our computers are running McAfee VirusScan 8.5i and all our laptops are running HIPS 6.1, and everything is updated via the ePO Console, and all laptops are checked daily to make sure their definitions are up to date. Also we run reports on our daily scans on machines and we can't see anything for these accounts. Also the account is part of the local admin account and not on the domain.
Slym commented:
Just curious - where do these laptops go? Home with people? Or are they always in your network? There are some scripts out there that could be installed as a startup script to create these users, specifically in XP, and hide their profiles too, it seems.
Netman66 commented:
This is definitely Malware.

Where are you loading XP from?  Is this a legit disk?  Are you imaging - the image may be compromised.

Check the servers - something may be lurking on the server that is attaching to the workstation when you join the domain.

Also, check for a Rootkit on the servers.

I would be scanning the servers intensely if it was me - you may also want to monitor traffic at the router to see what's going on.  Perhaps, pull the WAN link one evening and monitor what's going out to the router from the internal network - this may help you pinpoint where the malware is.


cziggy (Author) commented:
Slym: These laptops are only on the network and go home occasionally, but we have seen the accounts pop up on laptops that do not even go home at all. We run our own scripts on login, and we have scanned one of these laptops with every kind of virus scanner, malware scanner and spyware scanner that is out there and come up empty-handed.

Netman66: XP is loaded from a base image we have, which is made from an original MS XP SP2 disk. This is all 100% legit software. I don't think it could be something lurking on our domain/servers since it has only affected 4-5 computers, all of which at different times and all of which are laptops.

Also, further to the article, since these are all recent breaches and our DNS server hasn't rebooted in over a month, I checked our cached history and there are no hits to the sites it mentions that the trojan tries to contact. Also I checked on the laptops that are affected, and there are no encrypted folders or files on our affected laptops.