Mystery accounts appearing in XP

By hondafrank
I'm totally baffled on this. I work for a large organization and we have a very large number of computers. We recently noticed that some mystery accounts have begun appearing on these machines with administrative rights. We're having some trouble figuring out where these accounts are coming from. So far, this is what we know:

1) Appears to be only on laptops
2) Consists of 6 lower case followed by 6 upper case
3) Removing account from administrative group doesn't seem to break anything
4) Deleting account from machine doesn't seem to break anything
5) No evidence of account in any log file

Anyone have any suggestions?

Sounds like...

by cmiller5400 In reply to Mystery accounts appearin ...

Sounds like you have some sort of virus/malware/worm on your network. I'd be running some virus/malware scans and sniffing the network to pinpoint what is going on. Another place to start watching is your firewall and see if there is any traffic to a specific destination...

that's what I thought

by hondafrank In reply to Sounds like...

That's what I thought too, have scanned several of the machines with several different apps and nothing comes up. Haven't watched their network traffic yet. The part that baffles me is it's only laptops, no desktops!!!

Since it's only laptops

by BillMlod In reply to that's what I thought

I would be checking my wireless routers; laptops have wireless, desktops don't.

looked at wireless and

by hondafrank In reply to Since its only laptops

I checked into the wireless and other than installing the drivers for the wireless NIC there's nothing else to them. They just use Windows networking for configuration, and policy is that no third-party software is installed (and I've confirmed that there is none).

I think the idea is

by seanferd In reply to looked at wireless and

to scan your wireless network traffic.

Change Passwords!

by oldbaritone In reply to Mystery accounts appearin ...

Until you figure out what's up, I'd suggest blocking all access to administration from the wireless side. If those machines are trusted for delegation, un-trust them immediately!

Change administration passwords, and do not try to log in to any administrative accounts from the wireless machines.

"6+6" nonsense user IDs certainly sound like malware. Figure out what it is and get rid of it before it infects your entire corporate network. There are many "time bomb" malware infections that sit dormant before they strike. I'd be concerned that this might be one of those.
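
To scope how many machines carry accounts with the naming pattern described in the original post, the following added example (not posted by anyone in this thread) parses `net localgroup Administrators` output collected from each machine and flags local members made of 6 lowercase letters followed by 6 uppercase letters. It assumes English-locale command output; the host names, account names and collection method are constructed for illustration.

```python
import re

# Naming pattern from the thread: 6 lowercase letters then 6 uppercase letters.
SUSPECT = re.compile(r"^[a-z]{6}[A-Z]{6}$")

def parse_admin_members(net_output):
    """Member names from `net localgroup Administrators` output (English locale)."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):          # separator precedes the member list
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def suspect_admins(net_output):
    """Local members (no DOMAIN\\ prefix) whose name fits the 6+6 pattern."""
    return [m for m in parse_admin_members(net_output)
            if "\\" not in m and SUSPECT.match(m)]

def sweep(collected):
    """Map hostname -> suspect admin accounts, listing only hosts with hits."""
    hits = {}
    for host, output in collected.items():
        found = suspect_admins(output)
        if found:
            hits[host] = found
    return hits

def _fake_output(members):
    """Constructed fixture imitating the command's output layout."""
    return ("Alias name     Administrators\n"
            "Comment        Administrators have complete and unrestricted access\n\n"
            "Members\n\n" + "-" * 79 + "\n"
            + "\n".join(members) + "\nThe command completed successfully.\n")

# Constructed sample data: host names and account names are made up.
SAMPLE = {
    "LAPTOP-017": _fake_output(["Administrator", "CORP\\Domain Admins", "kdjfhgQWPLMZ"]),
    "DESKTOP-042": _fake_output(["Administrator", "CORP\\Domain Admins", "helpdeskADMIN"]),
}

if __name__ == "__main__":
    for host, accounts in sweep(SAMPLE).items():
        print(host, accounts)
```

Comparing the flagged hosts against an asset inventory shows whether the laptop-only observation holds across the whole fleet.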
