'localadm' mysterious account appeared on computers
Strange things happened to two of our computers recently. An administrator account named 'LocalAdm' was created somehow on a desktop and a laptop. Both connected to Ethernet, both had only one login at the welcome screen, and the desktop was only used by me and nobody else should know the password. The localadm account was password protected and no one knows it.

When I noticed the issue, the account on the desktop had 1 program running, which was IE, and xbox.com was opened. On the laptop it's not doing anything. I used my administrator account to delete the localadm account, but nothing could be traced in the event log.

Contacted organization's IT service department and confirmed they had nothing to do with it. Googled but didn't find anything special. It doesn't look like a virus or a malware. My guess is that it's something caused by other software updates.

Did anyone happen to run into the same problem before?
February 17th, 2011 9:07pm
XP Pro? XP Home? There are two local built-in, normally hidden, accounts on all XP machines: "Administrator" and "Guest". These don't show at the login screen -- only if you boot to Safe Mode, but they are there nonetheless. The default password for Administrator is blank. Most IT people know enough to change the password on this account, but if the password were still to be blank, then anyone on the network could leverage this account to do just about anything on the machine remotely, including creating other logins. Obviously, any program you run as a member of the administrator group (esp. malware) can also create such logins.

If you have XP Pro, you can use Local Security Policy to enable auditing in the Security Log of these kinds of changes:

Start -> Programs -> Administrative Tools -> Local Security Policy

then Security Settings -> Local Policies -> Audit Policy ...

HTH, JW
February 17th, 2011 10:22pm
Thanks Wunders. They are XP Pro. We did leave the default admin account untouched, so I think it's highly possible that malware or somebody else from the network hacked in and did some weird stuff. I'll go ahead and disable unused accounts in the admin group. Thanks again for the advice.
February 17th, 2011 11:09pm
Be careful here. There is "enabled and disabled" and there is "active and inactive". An account that is "active" but "disabled" can still be accessed from the network (but not from the keyboard). To prevent the "administrator" account from being accessed from the network, you must either make it inactive or use the policy editor to deny network privilege to that user. To make it inactive, bring up a command prompt and enter the command:

net user administrator /active:no

Keep in mind, though, that the local Administrator account can come in handy to rescue the computer should your usual administrative account become damaged. I would recommend simply applying a password to the administrator account instead of inactivating it. Write it down or underline it in your family Bible and you will have it when you need it.

HTH, JW
February 18th, 2011 1:24am
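The checks and hardening steps discussed in this thread, collected into one batch script that a defender can run on the affected machine. This is an added example and not code from any of the posters; it assumes Windows XP Pro, a command prompt run as an administrator, and a temporary path for the security template (the account name `localadm` is the one from the original post).

```batch
@echo off
REM Added example: review local admins and turn on auditing for account changes.
REM Assumes XP Pro and an administrative command prompt; %TEMP% paths are assumptions.

echo === Members of the local Administrators group (look for accounts you did not create) ===
net localgroup administrators

echo === Status of the built-in Administrator account (Account active / Password expires) ===
net user administrator | findstr /i "active expires"

echo === Does the suspicious account still exist? ===
net user localadm >nul 2>&1 && echo localadm EXISTS || echo localadm not present

echo === Enable success and failure auditing of account management ===
REM Equivalent of Local Security Policy -^> Local Policies -^> Audit Policy, applied
REM through a security template. In this format 3 means audit success and failure.
set INF=%TEMP%\audit-acctmgmt.inf
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [Event Audit]
echo AuditAccountManage = 3
echo AuditLogonEvents = 3
) > "%INF%"
secedit /configure /db "%TEMP%\audit-acctmgmt.sdb" /cfg "%INF%" /areas SECURITYPOLICY /quiet
REM From now on, creation of a user shows in the Security log as event 624
REM (User Account Created) and adding a member to a local group as event 636 on XP.

echo === Hardening choices from the thread (run one by hand, not both) ===
echo   Set a password on the built-in Administrator account:   net user administrator *
echo   Or make the account inactive so it cannot be used from the network:
echo   net user administrator /active:no
```

The script only reports and enables auditing; the two `net user` hardening commands at the end are printed rather than run so the reader can pick the option the thread recommends for their situation.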