
unknown user with admin rights


4 replies to this topic

#1 Luser


Posted 02 December 2008 - 09:25 AM

From nowhere this strange-looking user account has been added to my machine, and it's in the administrator group.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 2008-12-01
Time: 11:00:05
User: S-1-5-21-2898539343-3049360061-3330163166-1018
Computer:local computer
Description:
Successful Logon:
User Name: azovguRCUFNQ
Domain: local computer
Logon ID: (0x0,0xADA5C73)
Logon Type: 2
Logon Process: seclogon
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: local computer
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I'm atm going through the computer with every darn antispyware program there is, but so far I've found nothing.

Anyone see something like this before?

machine = Lenovo T61
OS = Windows XP SP2
computer is on a domain.


Regards

Edited by boopme, 02 December 2008 - 11:13 AM.
Mod Edit: Moving from Xp to Networking~~boopme



#2 hamluis


Posted 02 December 2008 - 09:57 AM

Did you check with your IT point-of-contact or network admin?

Are you the admin?

FWIW: http://www.eventid.net/display.asp?eventid...ity&phase=1

Louis

#3 imatechie


Posted 02 December 2008 - 09:58 AM

Hi,

According to the information, the login type is 2, which means that it runs from the local console. The logon process was seclogon, which stands for 'Secondary Logon'; the secondary logon is usually invoked by using the Run As command to perform administrative tasks without logging in as an admin.

Also, sometimes when you install a program it may ask for an admin password, and tasks scheduled in the Task Scheduler can be set to run with admin rights.

From the record, here is what we do know:

On the first of December at 11 AM, somebody at the keyboard or an application used the Run As command to run a program or to perform an administrative action. However, we cannot determine from this record what application was run or what service was performed. Depending on the event recording (auditing) settings, the information may or may not show up in other sections of the Event Viewer.

Jeff

#4 Luser


Posted 02 December 2008 - 10:28 AM

imatechie wrote:
> Hi,
>
> According to the information, the login type is 2, which means that it runs from the local console. The logon process was seclogon, which stands for 'Secondary Logon'; the secondary logon is usually invoked by using the Run As command to perform administrative tasks without logging in as an admin.
>
> Also, sometimes when you install a program it may ask for an admin password, and tasks scheduled in the Task Scheduler can be set to run with admin rights.
>
> From the record, here is what we do know:
>
> On the first of December at 11 AM, somebody at the keyboard or an application used the Run As command to run a program or to perform an administrative action. However, we cannot determine from this record what application was run or what service was performed. Depending on the event recording (auditing) settings, the information may or may not show up in other sections of the Event Viewer.
>
> Jeff


I'm the admin :D, or rather the IT support working with this case atm.

My first thought was that there was an application making randomly named accounts and then adding them to the administrator group.

Programs like .NET and VMware have a tendency to do this..

But the user who has been using the computer lately doesn't have admin rights.
So is it possible to do a logon type 2 when someone is already logged on, and then create an account without the logged-on user even noticing?

So far I've run HijackThis and didn't find anything that made me look twice, then ran Malwarebytes and just found some cookies.
Also did a sweep with RootkitRevealer but didn't find anything there either..

Doing a last try with Spybot Search & Destroy now.

#5 Aki Mäntylä


Posted 05 December 2008 - 04:22 AM

We have had the same curious thing on some of our ThinkPads. Users (not administrators) using their computers have seen random administrative users created and then removed. The random names have all had the same composition: 6 lower-case characters and 6 upper-case characters.

After trying to find any virus, trojan, rootkit or other kind of hostile code on the computers, we started to look closer at the other programs installed on the laptops. As no computers other than ThinkPads were having this kind of random-user plague, we looked more into the ThinkVantage programs that are installed.

At last we found out that the users are created by System Update 3! There are several ThinkVantage services running on a standard ThinkPad, and if System Update is installed it will check for new updates on a regular basis and create a random user name with administrator privileges to do that. When the program is done, the user is removed.

I have so far not found any documentation about the behaviour from Lenovo and have only seen a few posts about this "problem".

Edited by Aki Mäntylä, 05 December 2008 - 04:23 AM.
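As an added example (not code from this thread or from Lenovo), here is a small Python checker that parses the "Key: Value" layout of the Windows XP Security event quoted in the first post and flags 528 logons made through seclogon (the Run As path imatechie describes), noting when the account name has the six-lower/six-upper composition reported in the last reply. The sample records are constructed: the first is the poster's event trimmed to the fields used, the second is an ordinary console logon invented for contrast.

```python
import re

# Constructed sample in the "Key: Value" layout of the Windows XP Security log
# quoted in this thread (poster's event, trimmed; then an invented console logon).
SAMPLE_LOG = """\
Event ID: 528
Computer:local computer
User Name: azovguRCUFNQ
Logon Type: 2
Logon Process: seclogon

Event ID: 528
Computer:local computer
User Name: jsmith
Logon Type: 2
Logon Process: User32
"""

# Six lower-case then six upper-case letters: the name composition reported
# for the transient administrator accounts in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{6}[A-Z]{6}$")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")  # also matches "Computer:local computer"


def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events


def flag_secondary_logons(events):
    """Return (user, reason) for 528 logons made through seclogon (Run As)."""
    findings = []
    for ev in events:
        if ev.get("Event ID") != "528" or ev.get("Logon Process", "").lower() != "seclogon":
            continue
        user = ev.get("User Name", "")
        reason = "Run As (seclogon) logon"
        if RANDOM_NAME.match(user):
            reason += "; name matches transient-account pattern"
        findings.append((user, reason))
    return findings
```

A name matching the pattern only says the account looks like the ones described here; as the thread shows, confirming the source still means checking which installed service (here, System Update) performs the Run As.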




