
Hello guys,

I have a few XP machines in our network. On that machine I see some strange local administrator accounts. Can someone tell me if this is some spyware or malware?

How can I remove them? Can someone tell me what program made those local administrator accounts?

User accounts:

agegldwlynJMZAXGXYA

aimsozcwbzCZEBELMXX

cfssmmasspUTCPZRDSG

cjhjdhjopbBEFJBNIMC

dlafzmxxdqMPPNJQLCG

dubyqbsqssXQVGTUDAY

epjjkjjgpyWYWJDLSFR

epkurptkfdOYDTNDJRW

fiqyfbxbfbBOUWKCXIO

foqjmwznswNTBAMAYNA

ftahgoomjoXRPTUKWGS

fvoifqzymoJITVRAXAU

grdpwkbcfvFIZYAJDDG

hotqkxaqytHRPNOWQSC

ipuiefapwcQUTRZZBSA

jaqubchkruGJVMJYMXP

jaqubchkruGJVMJYMXP

jaqubchkruGJVMJYMXP

jienjfkiepGJNZBMHMQ

jienjfkiepGJNZBMHMQ

jiusiprbrbFKNNCBTEU

jiusiprbrbFKNNCBTEU

jrcbtzfnezGJDZSKRJN

jzaqvlbznpQHEYJPLGR

jzgzampdefGJWAKNYPT

jzgzampdefGJWAKNYPT

mhwsqlxabmAFUKVKJQJ

osckezmqkpSAPFBDJBC

oymcelnfpjVVFABYGHV

paquqsfcnaEVPUEILDO

qegqzaourpTIRIDYLQC

riaugayatrQCFDPOFUV

rxjtsxncppBAWYUXIHS

sfrblitbilMUQGMAQJQ

shsblfewhhCPABQJPYQ

smmfqeklwdLUJUGSJHA

tdeljtwncgKKJNZGEQZ

tfogkgaonrBFSUCZSOV

tkwpsgqewyCMIJBUHOY

uekqwqxeomXOTCNPDWM

vinuyqqlqiMHNTEEEDI

vtncvxunubHIGYZLEWT

wjvtzepficCRPTTOUQJ

wquhfkxicqTUPQXHUYQ

wxzwdhbwkfZSEWJHBGU

xmrsoghwyrFGAVVSWRS

zeeoraiuirHKMDTEECN



If you have administrative accounts on a PC with names like that, then the initial response is that the computer or computers have been compromised!

Probably the FIRST thing to do is to disconnect it/them ASAP from the network and isolate it/them.

{ Since you wrote "...few xp machines in our network. On that machine..." it can't be determined if this is one computer or multiple computers. }

Answering your questions is very complex. We can't know how the computers have been compromised, by what vector or by what software, if any. It could be malware or it could be an external compromise. At this point it is too early to make such a determination.

Are you an Administrator of the network in question with admin rights on all platforms?

Is this a simplistic Local Area Network (LAN) or is this a more complex Active Directory Domain?


Hello David,

I am an administrator and I have all administrator rights on every domain and machine. This is a simple Active Directory domain.


It would be best to disconnect them from the network by simply unplugging the network cable and, if you have time and resources, start a forensic analysis of where/what happened if possible. If time or resources do not permit, then simply remove them from the Domain and wipe them, including deletion of partitions, and scan all other systems for any similar signs and for virus/malware threats.

It's possible that it could be an internal or external threat or simply code from an infection. System monitoring to ensure other systems are not attacked would be in order.


I agree w/Ron.

The affected computer(s) must be isolated.

Peer computers on the same subnet need to be examined thoroughly (system logs, anti-malware logs, etc.) and need to have on-demand scanning performed. This should be done by both the fully installed anti-virus application of the PC in question as well as alternative on-demand anti-malware scanning software.

Firewall and gateway appliance logs must be examined thoroughly.

Look for abnormal LAN and data activity.

Depending upon your needs and capabilities, hiring an outside security firm may be warranted.


Going out on a limb here, but in Active Directory if you delete a user who has access to a particular machine, then instead of listing the username in the user accounts section, it will show some random characters. I believe it displays the GUID of the user instead of the name. Not sure if that's the case here or not.


Going out on a limb here, but in Active Directory if you delete a user who has access to a particular machine, then instead of listing the username in the user accounts section, it will show some random characters. I believe it displays the GUID of the user instead of the name. Not sure if that's the case here or not.

That's good. It shows you are thinking, but you are not quite there.

Associated with Organizational Unit Objects are Security Identifiers (SIDs). The Domain Controller converts the SID to a "User Name". If the Domain Controller is not present, you will see the SID. If the Object is deleted from the AD, then you will see the orphaned SID. It is the SID that is used for permissions and Access Control Lists (ACLs).

The following is an example of a SID --> S-1-5-21-3623811015-3361044348-30300820-1013

"aimsozcwbzCZEBELMXX" does not fit the pattern of a SID.

SID Wiki


7 months later...

Hi,

We had the same thing on some of our machines: always a random username consisting of 10 lowercase characters and 9 uppercase characters. After some analysis, we found the source of these users: Lenovo System Update. It seems to create the user when you run it. Hope that helps some other people.

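As an added triage example (not code from any poster in this thread), the script below does the two checks the replies above describe by hand: David's point that the names do not look like SIDs, and the last reply's observation that every name is exactly 10 lowercase letters followed by 9 uppercase letters. It runs over a constructed sample built from a few of the names in the original post, one real-looking SID and two ordinary account names, and buckets each one. The labels, the regular expressions and the sample list are this example's own assumptions; the pattern labelled `10lower9upper` is only what the last poster reports seeing, not a signature of any particular product.

```python
import re

# Constructed sample input (not a live account enumeration): a few of the
# names from the original post, a real-looking SID, and two normal names.
SAMPLE_ACCOUNTS = [
    "agegldwlynJMZAXGXYA",
    "aimsozcwbzCZEBELMXX",
    "jaqubchkruGJVMJYMXP",
    "jaqubchkruGJVMJYMXP",  # the post lists some names more than once
    "S-1-5-21-3623811015-3361044348-30300820-1013",
    "Administrator",
    "jdoe",
]

# A SID string is S-1-<identifier authority>-<one or more sub-authorities>,
# e.g. S-1-5-21-...-1013 (a domain user) or S-1-5-32-544 (BUILTIN\Administrators).
# An unresolved SID shown where a name should be usually means an orphaned
# principal, which is the case David's reply describes.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# The shape the last reply attributes to Lenovo System Update accounts:
# exactly 10 lowercase letters followed by exactly 9 uppercase letters.
TEN_LOWER_NINE_UPPER_RE = re.compile(r"^[a-z]{10}[A-Z]{9}$")

LABELS = ("sid", "10lower9upper", "other")


def classify(name: str) -> str:
    """Return a coarse triage label for one account-name string."""
    if SID_RE.match(name):
        return "sid"
    if TEN_LOWER_NINE_UPPER_RE.match(name):
        return "10lower9upper"
    return "other"


def triage(names):
    """Bucket account names by label.

    Returns a dict label -> list of distinct names in first-seen order, plus
    a 'duplicates' entry counting how many repeated entries were dropped, so
    a repeated name in the input is not silently lost from the report.
    """
    seen = set()
    groups = {label: [] for label in LABELS}
    duplicates = 0
    for n in names:
        if n in seen:
            duplicates += 1
            continue
        seen.add(n)
        groups[classify(n)].append(n)
    groups["duplicates"] = duplicates
    return groups


if __name__ == "__main__":
    report = triage(SAMPLE_ACCOUNTS)
    for label in LABELS:
        members = report[label]
        print(f"{label:14s} {len(members):3d}  {', '.join(members)}")
    print(f"duplicate entries dropped: {report['duplicates']}")
```

To use it on a real host, replace `SAMPLE_ACCOUNTS` with the output of whatever account enumeration you trust for that machine; the point of the labels is only to separate "unresolved SID" (an AD or orphaned-principal issue) from "uniformly shaped generated name" (something created the account programmatically) before deciding whether to treat the box as compromised.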
