User folder owned by unknown user on new Thinkpad
Posted: Tue Mar 27, 2007 3:55 pm
by ikarus
I have had my new Z61t with Vista for a few days now and I just observed that there is a user directory with a cryptic name on it. Properties show access permissions for a user "Account unknown". File creation date is 2006/11/02. My theory is that either one of these must be the cause of this:
1) There is a rootkit on my machine. I find that hard to believe since Vista is relatively new, the machine hasn't been online much and one of the first things I did was installing Firefox and Thunderbird.
2) This is the remnant of some remote service run by Lenovo. I somehow remember having agreed to remote servicing when I powered up the machine the first time.
3) I got a refurbished machine and they forgot to clean up the account they were using for doing some clean-up work. This may add cause to me returning the laptop because of the bent LCD frame issue (see my recent posting in Z series forum).
Can anyone shed some light on this?
Posted: Tue Mar 27, 2007 5:39 pm
by ikarus
Another theory... it may also be that this folder was created automatically when I experimented with hooking up my old XP machine to the Thinkpad via Ethernet. Geez, those are the days when I wish myself back onto Linux.

Posted: Tue Mar 27, 2007 6:17 pm
by jdhurst
ikarus wrote: Another theory... it may also be that this folder was created automatically when I experimented with hooking up my old XP machine to the Thinkpad via Ethernet. Geez, those are the days when I wish myself back onto Linux.

Not likely. Networking two machines does not create user folders on its own. No different than Linux in this respect. ... JDH
Posted: Wed Apr 04, 2007 12:29 pm
by ikarus
It's odd. A few reboots later, the user folder is back. This time, its name is kdbhpmBNIWEL. Total tree size is 22MB, 15.5 being in C:\Users\kdbhpmBNIWEL\AppData\Local\Microsoft\Windows Mail alone. It is owned by "Account Unknown" (S-1-5-21-<long number>). If no one else has this, I'm starting to think I really got a refurbished laptop and that some start-up process is restoring some old data.
Posted: Wed Apr 04, 2007 1:42 pm
by ikarus
Actually, I believe I did a BIOS update around the time of the user folder creation timestamp. Could this be a clue?
Posted: Wed Apr 04, 2007 1:45 pm
by jdhurst
At no time have I seen an NT-based computer create a user on its own that cannot be identified. I have Local Service and Network Service user folders but they are identifiable. Additionally there are Microsoft and VMware users on my system but no user folders for them.
So yes, you apparently did not get a new TP out of the box.
... JDH
Posted: Wed Apr 04, 2007 6:12 pm
by RealBlackStuff
They may have given you a 'demonstrator', which would explain the odd account.
They may also have loaded a Sony music CD on that laptop, which could explain the rootkit.
All in all, that's definitely NOT a new machine. I'd get it exchanged if I were you.
Posted: Wed Apr 04, 2007 10:06 pm
by Talon88
:::
Have you or your friends ever put an Audio or Movie CD/DVD into your system? This will automatically implant the rootkit to your system by these stupid copyright org....!
:::
Posted: Wed Apr 04, 2007 11:10 pm
by ikarus
I ran a rootkit tool on the machine and that didn't find anything. I still need to figure out when these folders are created, but it's definitely not after every regular shutdown. My current prime suspect is the Thinkpad tool responsible for installing the BIOS update.
Posted: Thu Apr 05, 2007 1:50 am
by RealBlackStuff
Let this online-scanner check your laptop. TrendMicro's Housecall does a very thorough job.
http://housecall.trendmicro.com/
Gotcha!
Posted: Thu Apr 05, 2007 11:17 am
by ikarus
Apparently, these user folders are created on Vista when you start the Thinkvantage System Update as a user without admin rights. I don't have the "true" Administrator account enabled, so this might not happen if it is. It's strange I should be the only one who has run across this issue. Could someone else try and let me know? Thanks!
Posted: Thu Apr 05, 2007 12:19 pm
by hoplite
Happened to me too. I thought it was my Cisco VPN connection that created it. I couldn't figure out what it was. I'll test it later now that you came up with a cause and see if I can reproduce your results.
Posted: Fri Apr 06, 2007 1:28 pm
by ikarus
hoplite wrote: I'll test it later now that you came up with a cause and see if I can reproduce your results.
Thanks, please let me know what you find. My next question would be how to let Lenovo know about it so that they can provide a fix.
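
One way to check a machine for the condition described in this thread, as an added example that is not part of any post above: the PowerShell script below lists folders under C:\Users whose owner SID no longer resolves to an account (what Explorer shows as "Account Unknown"), and notes whether that SID still has an entry in the registry's ProfileList key. It assumes a current PowerShell run from an elevated prompt; the variable names and output columns are illustrative.

```powershell
# Added example: find profile folders owned by a SID that maps to no account.
$usersRoot      = 'C:\Users'
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# SIDs Windows has registered as owning a profile, keyed by SID string.
$registered = @{}
Get-ChildItem $profileListKey | ForEach-Object {
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    if ($path) { $registered[$_.PSChildName] = $path }
}

Get-ChildItem $usersRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    try {
        # Ask for the owner as a raw SID so an unresolvable owner is still returned.
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $sid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot read owner of $($dir.FullName): $($_.Exception.Message)"
        return   # skip this folder, continue with the next one
    }

    $account = $null
    try {
        # Translate() throws when the SID has no matching local or domain account.
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null
    }

    if (-not $account) {
        [pscustomobject]@{
            Folder        = $dir.FullName
            OwnerSid      = $sid.Value
            Created       = $dir.CreationTime
            LastWritten   = $dir.LastWriteTime
            InProfileList = $registered.ContainsKey($sid.Value)
        }
    }
} | Sort-Object Created | Format-Table -AutoSize
```

Comparing the Created and LastWritten times of any folder it reports against software install and update times narrows down which process made it, which is how the System Update link was found in this thread.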