Back in February I was notified that one of the computers that we're responsible for had been compromised by Torpig. The way I understand it is the user launches a website that might be a part of a phishing scam, and the software gets dropped on their computer. Once installed it searches through the computer and transmits usernames, passwords, social security numbers, account numbers and the like up to a group of servers on the internet.

The campus security group ITSO informed me that compromised XP machines had their HelpAssistant accounts enabled. This was not the default, so I needed a script that would walk AD and let me know what computers had that account enabled. Using that bit of information I created the following script, EnabledAccounts.vbs, which is basically an AD searcher script.

It works through Active Directory looking for computers to connect to. Once it finds one, it gets a list of user accounts, from that list it looks for a specific account, HelpAssistant, in this instance, once found it checks to see if it's enabled.

If the account is found and the account is enabled it outputs a simple line:

HelpAssistant account enabled on: Desktop-PC1

By no means would I consider this the answer to tracking down Torpig on your network, but it worked for us. Additionally you can use this script to determine if any account is enabled that should be disabled.

Originally when I posted this article on my site, it was for the purpose of tracking a specific account down. I have since used it to find all sorts of accounts on computers that I manage. I hope you find this script as useful as I have.