Post #1 - Dec 2 2008, 09:25 AM
Member (Group: Members, Posts: 42, Joined: 11-November 08, Member No.: 255,171)
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 2008-12-01
Time: 11:00:05
User: S-1-5-21-2898539343-3049360061-3330163166-1018
Computer: local computer
Description:
Successful Logon:
User Name: azovguRCUFNQ
Domain: local computer
Logon ID: (0x0,0xADA5C73)
Logon Type: 2
Logon Process: seclogon
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: local computer
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm at the moment going through the computer with every darn antispyware program there is, but so far I have found nothing. Anyone seen something like this before?

Machine = Lenovo T61
OS = Windows XP SP2
The computer is on a domain.

Regards

This post has been edited by boopme: Dec 2 2008, 11:13 AM
Reason for edit: Mod Edit: Moving from XP to Networking~~boopme

--------------------
Don't want to have problems with your computer?
Solution: install a good free anti-virus and anti-spyware, and stay away from misleading applications. Update your OS and vital programs as often as you can, to shut down those open security holes. Stay away from shareware and trialware applications, and avoid installing browser add-ins and toolbars. Read up on things before trying new applications. Learn more about: Viruses, malware & trojans | Need a bootdisk? | Want to know what that EventID means? | Cybercrimes, what is that?
Post #2 - Dec 2 2008, 09:57 AM
Forum Addict (Group: BC Advisor, Posts: 14,291, Joined: 3-September 05, From: Killeen, TX, Member No.: 33,068)
Did you check with your IT point-of-contact or network admin? Are you the admin?

FWIW: http://www.eventid.net/display.asp?eventid...ity&phase=1

Louis
Post #3 - Dec 2 2008, 09:58 AM
Member (Group: Members, Posts: 29, Joined: 12-June 08, From: Horizontial or leaning., Member No.: 215,776)
Hi,

According to the information, the logon type is 2, which means that it runs from the local console. The logon process was seclogon, which stands for 'Secondary Logon'. The secondary logon is usually invoked by using the Run As command to perform administrative tasks without logging in as an admin. Also, sometimes when you install a program it may ask for an admin password, and tasks that are scheduled in the Task Scheduler can be set to run with admin rights.

From the record, here is what we do know: on the first of December at 11 AM, somebody at the keyboard or an application used the Run As command to run a program or to perform an administrative action. However, we cannot determine from this record what application was run or what service was performed. Depending on the event recording (auditing) settings, the information may or may not show up in other sections of the Event Viewer.

Jeff

--------------------
The only real problem that I have with being an I.T. Tech is that I can't use the excuse:
"Sorry, I don't do windows." http://www.free-tech-support.info
Post #4 - Dec 2 2008, 10:28 AM
Member (Group: Members, Posts: 42, Joined: 11-November 08, Member No.: 255,171)
QUOTE (Jeff)
Hi, according to the information, the logon type is 2, which means that it runs from the local console. The logon process was seclogon, which stands for 'Secondary Logon'. The secondary logon is usually invoked by using the Run As command to perform administrative tasks without logging in as an admin. Also, sometimes when you install a program it may ask for an admin password, and tasks that are scheduled in the Task Scheduler can be set to run with admin rights. From the record, here is what we do know: on the first of December at 11 AM, somebody at the keyboard or an application used the Run As command to run a program or to perform an administrative action. However, we cannot determine from this record what application was run or what service was performed. Depending on the event recording (auditing) settings, the information may or may not show up in other sections of the Event Viewer. Jeff

I'm the admin :D or IT support working on this case at the moment. My first thought was that there was an application making randomly named accounts and then adding them to the Administrators group. Programs like .NET and VMware have a tendency to do this. But the user that has been using the computer lately doesn't have admin rights. So is it possible to do a logon type 2 when someone is already logged on, and then create an account without the logged-on user even noticing this?

So far I've run HijackThis and didn't find anything that made me look twice, then ran Malwarebytes and just found some cookies. Also done a sweep with RootkitRevealer but didn't find anything there either. Doing a last try with Spybot Search & Destroy now.
Post #5 - Dec 5 2008, 04:22 AM
New Member (Group: Members, Posts: 1, Joined: 5-December 08, Member No.: 265,617)
We have had the same curious thing on some of our ThinkPads. Users (not administrators) using their computers have seen random administrative users created and then removed. The random names have all had the same composition: 6 lower-case characters and 6 upper-case characters.

After trying to find any virus, trojan, rootkit or other kind of hostile code on the computers, we started to look closer at the other programs installed on the laptops. As no computers other than ThinkPads were having this kind of random user plague, we looked more into the ThinkVantage programs that are installed. At last we found out that the users are created by System Update 3! There are several ThinkVantage services running on a standard ThinkPad, and if System Update is installed it will check for new updates on a regular basis and create a random user name with administrator privileges to do that. When the program is done, the user is removed. I have so far not found any documentation about this behaviour from Lenovo and have only seen a few posts about this "problem".

This post has been edited by Aki Mäntylä: Dec 5 2008, 04:23 AM
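A small triage check for admins seeing this pattern, written as an added example for this thread (not code from any poster or from Lenovo): it parses the flattened Event ID 528 description from post #1 and separates seclogon (Logon Type 2) logons whose user name has the 6-lower/6-upper shape reported in post #5 from other logons, so the System Update pattern can be set aside and the rest reviewed. The event text and the two extra records are constructed samples; the field labels are those of the posted record.

```python
import re

# Field labels as they appear in the Event 528 "Successful Logon" description.
FIELDS = ["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Logon GUID"]
_LABELS = "|".join(re.escape(f) for f in FIELDS)
# A value runs from its label up to the next known label (or end of text).
_FIELD_RE = re.compile(rf"({_LABELS}):\s*(.*?)(?=\s*(?:{_LABELS}):|$)", re.S)

# Shape reported in post #5: 6 lower-case letters followed by 6 upper-case.
_RANDOM_NAME = re.compile(r"^[a-z]{6}[A-Z]{6}$")

# Constructed samples: the record from post #1 (flattened as pasted), plus
# an ordinary console logon and a seclogon by a named account.
SAMPLE_EVENTS = [
    "Event ID: 528 Description: Successful Logon: User Name: azovguRCUFNQ "
    "Domain: local computer Logon ID: (0x0,0xADA5C73) Logon Type: 2 "
    "Logon Process: seclogon Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: local computer "
    "Logon GUID: {00000000-0000-0000-0000-000000000000}",
    "Event ID: 528 Successful Logon: User Name: jsmith Domain: CORP "
    "Logon ID: (0x0,0x1A2B3C) Logon Type: 2 Logon Process: User32 "
    "Authentication Package: Negotiate Workstation Name: T61-01",
    "Event ID: 528 Successful Logon: User Name: helpdesk Domain: CORP "
    "Logon ID: (0x0,0x4D5E6F) Logon Type: 2 Logon Process: seclogon "
    "Authentication Package: Negotiate Workstation Name: T61-01",
]


def parse_528(text):
    """Return a dict of the Successful Logon fields found in one event description."""
    return {m.group(1): m.group(2).strip() for m in _FIELD_RE.finditer(text)}


def classify(event):
    """Label a parsed 528 record by logon process and user-name shape."""
    if event.get("Logon Type") != "2":
        return "other"
    if event.get("Logon Process", "").lower() != "seclogon":
        return "console-logon"
    if _RANDOM_NAME.match(event.get("User Name", "")):
        return "seclogon-random-name"   # matches the System Update pattern
    return "seclogon"                   # Run As by a named account: review


def triage(events):
    """Map each event's user name to its label, for a quick review list."""
    return [(e["User Name"], classify(e)) for e in map(parse_528, events)]
```

A name matching the pattern is only a hint that System Update was at work; the Task Scheduler and application logs Jeff mentions are where the actual Run As target would show up.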