Windows Server 2003 keeps creating random users

I have a Dell PowerEdge 2900 running Windows Server 2003. Every two weeks or so, I see a new user in my user list which I did not create. It is usually a word I don't recognize, and it shows up as the user in the login screen when my monitor rests. When I log in, I change it to the user that the server is assigned to, I put the password in, and I go to Server Management and see the user listed under users as the first one. It does not show me a date as to when the user was created, but I know it was not there 2 weeks ago. This keeps happening every other week or so. So far I have had 4 instances of this.
Steven Harris (President) commented:
Have you tried checking your event logs when this happened?  There will be information buried in there...

What type of server is this?  Application, File, RDP, etc.

Have you installed any applications lately?  Symantec's Enterprise Backup (for example) has issues with the Command Center that created temp accounts that were not able to delete themselves due to the netapi32.dll.

What are the names of the accounts?  Do they have any symbols? (#, @, $)

What type of protection do you have on the server?  If I had to make an educated guess or bet on the outcome, I would say your server is compromised.
foxhelp (Author) commented:
Yes, the event log shows the user's login and logoff activity but that is all.
Application Server
No applications have been installed lately.
No symbols in the accounts.  One of them is berkeley
I have Symantec protection
Compromised as in a virus?
If you think you might have a rootkit you can try:

RootKit Revealer: It's old but may still find something.

Stinger: this is a free tool from McAfee that detects certain worms and viruses.

Wireshark: Wireshark is a packet sniffer that may help to find any malicious traffic going in and/or out of your server.

As ThinkSpaceSolutions mentions, your server may be compromised. If you are noticing strange usernames, someone may be logged in as an admin using ADUC or logged on to the server directly.

Also, Security Log Event ID 624 will be the Event ID to look for if a user is created.
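
One way to act on the Event ID 624 suggestion above, as an added example that is not part of the original thread: a Python script that scans a Security log exported to CSV and reports when each account was created and by which account. The column order, the description wording, the `expected_accounts` parameter and all sample rows are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export; the column order below is an assumption.
FIELDS = ["date", "time", "source", "type", "category",
          "event", "user", "computer", "description"]
SAMPLE_EXPORT = r"""3/02/2014,2:14:07 AM,Security,Success Audit,Logon/Logoff,528,SRV01\Administrator,SRV01,"Successful Logon: User Name: Administrator Domain: SRV01 Logon Type: 10"
3/02/2014,2:15:31 AM,Security,Success Audit,Account Management,624,SRV01\Administrator,SRV01,"User Account Created: New Account Name: exampleuser New Domain: SRV01 Caller User Name: Administrator Caller Domain: SRV01 Caller Logon ID: (0x0,0x2B1F4)"
3/09/2014,9:02:10 AM,Security,Success Audit,Account Management,624,SRV01\Administrator,SRV01,"User Account Created: New Account Name: appsvc New Domain: SRV01 Caller User Name: Administrator Caller Domain: SRV01 Caller Logon ID: (0x0,0x3C0A1)"
truncated,line
"""

ACCOUNT_CREATED = "624"  # Security log event ID named in the thread
NEW_NAME = re.compile(r"New Account Name:\s*(\S+)")
CALLER = re.compile(r"Caller User Name:\s*(\S+)")
CALLER_DOMAIN = re.compile(r"Caller Domain:\s*(\S+)")

def _field(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None

def find_account_creations(export_text, expected_accounts=()):
    """Return one record per event 624: when, which account, created by whom."""
    expected = {name.lower() for name in expected_accounts}
    hits = []
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=FIELDS):
        if row["source"] != "Security" or row["event"] != ACCOUNT_CREATED:
            continue  # also skips short or malformed rows (missing fields are None)
        desc = row["description"] or ""
        account = _field(NEW_NAME, desc)
        domain, caller = _field(CALLER_DOMAIN, desc), _field(CALLER, desc)
        hits.append({
            "when": f'{row["date"]} {row["time"]}',
            "account": account,
            "created_by": f"{domain}\\{caller}" if caller and domain else row["user"],
            # Unparseable names are treated as unexpected so they get reviewed.
            "expected": bool(account) and account.lower() in expected,
        })
    return hits

if __name__ == "__main__":
    for hit in find_account_creations(SAMPLE_EXPORT, expected_accounts=["appsvc"]):
        flag = "ok" if hit["expected"] else "REVIEW"
        print(f'{flag:6} {hit["when"]}  {hit["account"]}  by {hit["created_by"]}')
```

The creating account and timestamp tell you which logon session to trace next in the same log.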
Steven Harris (President) commented:
Beat me to it msidnam.

The overall consensus is going to be a virus of some sort.

If you want to set up a little monitoring solution for your events (such as ID 624 as msidnam mentioned), check out my Article here on EE.
foxhelp (Author) commented:
Thanks, I will try those things and let you know.
Try this:

Change default RDP port, change the domain.
foxhelp (Author) commented:
It was probably a virus because after I ran the scan, the users stopped appearing.
Question has a verified solution.