Mystery Account Created on Laptops

On a couple of our laptops a mystery account has shown up as being created. The format of the account is always the same: 12 characters long, the first 6 are always lower case and the last 6 are upper case, as shown in the images. I cannot find anything in the Event Viewer relating to the account being created or it doing anything. Our main concern is that the account is part of the Administrator group. Any ideas to find out what it is and when it was created? Now all of our computers, laptops and servers are IBM and I came across the article below, which sounds like our issue, with there being a hidden installer account, but what we are seeing is the account coming and going randomly within a week. And on top of it, we install Windows XP SP2 from scratch.

http://seclists.org/vulnwatch/2004/q3/0052.html
regsitry.JPG
CompMan.JPG
cziggy Asked:

peakpeak Commented:
You should definitely do a virus/malware scan on the affected computers. If the accounts are members of the admin group, it's even more critical.
0
cziggy (Author) Commented:
All of our computers are running McAfee VirusScan 8.5i and all our laptops are running HIPS 6.1. Everything is updated via the ePO Console and all laptops are checked daily to make sure their definitions are up to date. Also, we run reports on our daily scans on machines and we can't see anything for these accounts. Also, the account is part of the local admin account and not on the domain.
0
Slym Commented:
Just curious - where do these laptops go? Home with people? Or are they always in your network? There are some scripts out there that could be installed as a startup script to create these users, specifically in XP, and hide their profiles too, it seems.
0
Netman66 Commented:
This is definitely Malware.

Where are you loading XP from?  Is this a legit disk?  Are you imaging - the image may be compromised.

Check the servers - something may be lurking on the server that is attaching to the workstation when you join the domain.

Also, check for a Rootkit on the servers.

I would be scanning the servers intensely if it was me - you may also want to monitor traffic at the router to see what's going on.  Perhaps, pull the WAN link one evening and monitor what's going out to the router from the internal network - this may help you pinpoint where the malware is.

0
cziggy (Author) Commented:
Slym: These laptops are only on the network and go home occasionally, but we have seen the accounts pop up on laptops that do not even go home at all. We run our own scripts on login and we have scanned one of these laptops with every kind of virus scanner and malware and spyware scanner that is out there and come up empty handed.

Netman66: XP is loaded from a base image we have which is used from an original MS XP SP2 disk. This is all 100% legit software. I don't think it could be something lurking on our domain/servers since it has only affected 4-5 computers, all of which at different times and all of which are laptops.

Also, further to the article, since these are all recent breaches, and our DNS server hasn't rebooted in over a month, I checked our cached history and there are no hits to the sites it mentions that the trojan tries to contact. Also I checked on the laptops that are affected, and there are no encrypted folders or files on our affected laptops.
0
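
One way to sweep a fleet for the account-name format described in the question (6 lower-case letters followed by 6 upper-case letters) is to collect the output of `net localgroup Administrators` from each machine and check it centrally. The following is an added example, not a script from any poster in this thread; it assumes English-language `net` output, and the host names, domain name, account names and baseline are constructed for illustration.

```python
import re

# Name format reported in the question: 6 lower-case then 6 upper-case letters.
SUSPECT_NAME = re.compile(r"^[a-z]{6}[A-Z]{6}$")

def parse_members(net_output):
    """Return member names from English `net localgroup Administrators` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):        # dashed rule precedes the member list
            in_list = True
        elif in_list and line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(host_outputs, baseline):
    """Map host -> [(member, reasons)] for local admins worth investigating."""
    findings = {}
    for host, output in host_outputs.items():
        for member in parse_members(output):
            reasons = []
            # DOMAIN\name entries are domain principals; the pattern check is for local accounts.
            if "\\" not in member and SUSPECT_NAME.match(member):
                reasons.append("name-pattern")
            if member.lower() not in baseline:
                reasons.append("not-in-baseline")
            if reasons:
                findings.setdefault(host, []).append((member, reasons))
    return findings

# Constructed sample data (hypothetical hosts, domain and account names).
HEADER = ("Alias name     Administrators\nComment        Administrators have complete "
          "and unrestricted access to the computer/domain\n\nMembers\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"
SAMPLE = {
    "LAPTOP-01": HEADER + "Administrator\nEXAMPLE\\Domain Admins\nqwertyASDFGH\n" + FOOTER,
    "LAPTOP-02": HEADER + "Administrator\nEXAMPLE\\Domain Admins\nhelpdesk\n" + FOOTER,
    "LAPTOP-03": HEADER + "Administrator\nEXAMPLE\\Domain Admins\n" + FOOTER,
}
BASELINE = {"administrator", "example\\domain admins"}

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE, BASELINE).items()):
        print(host, hits)
```

Because the account is reported to come and go within a week, running the collection on every login and keeping the dated results gives a timeline of when it was present on each laptop.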