Unknown accounts created on Mom's machine

[grouchysmurf]

Ok security gurus, I need some thoughts on this one.....

OS: winxp

A little background,

Mom is a very simple user. Email and Facebook are about as complicated as she gets.

My brother monitors her system from time to time, (computer science major, grad), just to do

simple cleaning and so forth. She does run a real time av scanner, and my brother uses a popular

spyware scanner when doing cleaning.

He discovered 2 unknown accounts created on her machine, (he is the only one that sets up accounts for her), and one of them was logged in. The only way he was able to quit that account and get on as admin was to hardboot the machine.

Now, as far as I know, the only way to create an account is thru admin. The only one that can log on as admin is my brother, (yes it is password protected). Remote desktop is off, so there should be no way to do this remotely.

So, how were the accounts created?

No spyware detected

No virus detected.

I have asked him to email to me all the info he can get regarding the two accounts, including any web activity possible. The problem is, he may have cleaned all that info out.

So, bottom line,

Admin account locked out, forced reboot to reclaim it.

Two unknown user accounts created, one of which was logged in.

Remote desktop off

Only one person able to log on as admin, and he has no idea where these accounts came from.

No spyware detected, No virus detected.

Any ideas as to how the accounts were created? :wtf:

[ck_kent]

:think: That's interesting.

Is your mom's user account a member of the Administrator's group? If it is, it has the rights to create another user account. Maybe your mom's computer got hacked? :dunno: Maybe she was tricked in opening a link in an e-mail or Facebook which in turn compromised her computer? Are the security patches of the OS updated?

[0veR]

Install Windows 7 and use some quality security suits like KIS, NIS and ESET 5.

[grouchysmurf]

:think: That's interesting.

Is your mom's user account a member of the Administrator's group? If it is, it has the rights to create another user account. Maybe your mom's computer got hacked? :dunno: Maybe she was tricked in opening a link in an e-mail or Facebook which in turn compromised her computer? Are the security patches of the OS updated?

No, Mom is NOT set with admin rights...lol...this is done to keep the system umm..err..idiot proof.

Yes, all patches are current.

The system has been cleaned out, and locked down. I had my brother put on a software firewall,

and I will be installing a router to make use of the hardware firewall.

I am just trying to figure out how the hell those accounts were created. I mean, you would have to lift the passkey, then remotely do the log in, but remote is off.

[ck_kent]

So the computer was directly connected to the internet? No router/firewall? That's the only hole in the security I can think of.

[johndoe]

remote registry service on or off? imho that is really the lamest thing ms left enabled on PCs that r NOT connected to a corporate network.

[Win7nerd]

what are the names of these accounts ive got similar issues

[HX1]

If the accounts have .NET tags or even something other and are hidden, they have been created by instaling and or updating from Microsoft and are normal t be there. However the scenario is unlikley BUT the possibility still remains.. These accounts may be necessary for various aspects of the system to run services... These usually will not appear within normal LUA.. but will show up in Admin accounts.. or accounts who have selected options to show them.. if the system is a Home Edition and not professional, you may have to make registry modifications to show these accounts or may have to use alternative softwares to view them.. All systems have multiple accounts.. and users.. as can be seen in the security tab of the explorer in Xp on professional versions and modded systems...

There have been many areas in which systems including XP, could have been circumvented to allow an attacker to control the system. Secuirty has gotten better but if the system has been installed and been running over the past few years.. without a fresh install.. then it is likely that it may have been exposed. .. As well as the other MANY dfferent ways in which a system may be dissected.. as if there was only one possibility.. Viewing creation date of files and folders within these accounts woudl be nice and doing some forensic type snoping within them may reveal a little more..

My bet is that this is not malicious but an aspect of system updates and service installations. One system I had installed .. even in 7 had three.. and depending on what I activated within the OS .. more.. these areas however shoudl not be messed with unless you know what your doing.. IMO and are not necessary for the basic user..or any service they will use within the system or as a client.. it should be streamlined, scanned for vulnerabiltiies , and properly protected.. Ths is hoping and keeping in mind that all necessary measures have been taken to properly use said system safely including card information and other data. which leads to dead ends and brickwalls..

[Ambrocious]

This sounds like it could be a root kit issue.

[circaal]

Programs that are legit can make users as well. For example I have an account I didn't create for Nvidia updates to run. What are the other usernames?

-BTY

[Sonar]

Find out the dates the accounts was made.

you might be able to get some linux coding to pull that info.

its tricky... but gl

[majithia23]

a Botnet ?

a back door trojan horse ! ?

a rootkit ! ?

i would recommend scanning with RUBotted , TDSSKiller , Hitman PRO , Malware Bytes, and Hijack This scan .

and also run a network analyzer like the Wireshark , to see for any unknown and unauthorized net connections from your machine .