Unknown user account now showing up in management console - trojan?

Posted on 2004-04-03
Medium Priority
Last Modified: 2013-12-03
Here is a picture http://www.jermageinc.net/images/wtf.jpg

I just noticed this today.  I go to the computer management console but there is no such user listed under users or groups.  Whatever it is, it doesn't look good and I want it gone.  Any ideas?  I'm running Windows 2k btw.
Question by:S0ulEdge

Accepted Solution

mdiglio earned 200 total points
ID: 10750263
This is the guest user account.
To remove this entry you must click the check box in your picture that says
"allow inheritable permissions..." >> click copy >>then you can remove it.

To verify that this user was from your domain or local workstation (whichever may be the case)
you can run this script. Copy and paste into Notepad and save it with a .vbs extension.

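'!!!Begin Copy
' Query the local machine ("." = this computer) over WMI
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount where name = 'administrator'", , 48)
For Each objItem In colItems
    ' Show the SID of each account named "administrator"
    wscript.echo  objItem.SID
Next
'!!!End copy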

This will give you a message box with the sid of your administrator.
Compare this output to the one in your picture.
They should be exactly the same except for the last 3 digits

good luck


Author Comment

ID: 10750422
Thanks for the script.  I ran it but found that only the first 5 digits matched.  The rest are all different.  What does this mean?  The guest account is still disabled on the local machine under computer management.

Expert Comment

ID: 10750561
When a sid ends in 501 that means it is a guest account.
If the 1st set of numbers do not match that means that user is not from your
domain or your local workstation. So this guest user is not your current guest user

I cannot say why in your case this has happened.
I would recommend doing a virus scan just in case.

If you do not have anti-virus software you can perform an online scan here:

You can also check for spyware. I don't know of any spyware that can
do anything like this, but it's always a good idea to do so.
You can download adware here
Be sure to click the update option before you run it

The most likely cause for this problem is from a formatting/upgrading/reloading W2K issue...
not from your computer being compromised. I just gave you the links above
to follow best practice guidelines

Were you able to get rid of the user on your albums folder?

Expert Comment

ID: 10750682
This may be *a* guest account, and not necessarily *the* guest account.

Whatever the case, this is likely to be an account which was deleted from your system before you removed its rights in NTFS.  I see this all the time.  

For example: If you modify the permissions of the Albums folder (or its parent) so that Heywood Jablomi specifically has Read permissions, then delete his account, the folder Albums still has an ACL in NTFS referring to his account.  Since it uses his SID as reference, and it can't match that up to a valid account, it's showing you the SID with a question mark next to the user symbol because it has no idea who owns that SID.  

Remove the SID from the ACL at the top-level folder where it appears.
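
Added example, not part of the original thread and not any poster's code: a PowerShell audit that walks a folder tree, reports every ACL entry whose SID no longer resolves to an account, and shows whether the SID's domain part matches the local machine and whether its last number is 500 or 501, as discussed in the answers above. It assumes a current Windows system with PowerShell 3.0 or later (not available on Windows 2000); the default path `C:\Albums` is a placeholder.

```powershell
# Added example: find orphaned SIDs in folder ACLs. The default path is an assumption.
param([string]$Root = 'C:\Albums')

# Domain part of the local accounts' SIDs, taken from the built-in Administrator (RID 500).
$admin = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -match '^S-1-5-21-.+-500$' } | Select-Object -First 1
$localDomainSid = ([System.Security.Principal.SecurityIdentifier]$admin.SID).AccountDomainSid

# Well-known relative IDs mentioned in the thread.
$wellKnownRid = @{ '500' = 'Administrator'; '501' = 'Guest' }

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    # Request the rules with identities as raw SIDs instead of resolved names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            [void]$sid.Translate([System.Security.Principal.NTAccount])
            continue   # resolves to an existing account, nothing to report
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # No account owns this SID any more: report it below.
        }
        $rid = ($sid.Value -split '-')[-1]
        [pscustomobject]@{
            Folder      = $folder.FullName
            Sid         = $sid.Value
            Rid         = $rid
            WellKnown   = $wellKnownRid[$rid]   # empty unless the RID is 500 or 501
            # True when the SID was issued by this machine's own account database.
            LocalIssuer = ($null -ne $sid.AccountDomainSid -and
                           $sid.AccountDomainSid -eq $localDomainSid)
            Inherited   = $rule.IsInherited     # inherited entries must be fixed on the parent
            Rights      = $rule.FileSystemRights
        }
    }
}
```

Rows with `Inherited = False` mark the folders where the entry is set explicitly, which is where it has to be removed.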

Author Comment

ID: 10752714
I have 2 partitions C & D, Windows 2k is installed on the D partition.  That sid was only showing up on folders on the C drive.  I selected all the top level folders on the C drive (about a dozen) and went to the security tab.  It said that permissions were different from folder to folder and asked me if I wanted to reset them all.  I said yes and removed all the users except the admin (me).  I have Norton antivirus with the latest updates and use ad-aware on a regular basis.  I did have some of my folders such as the "albums" folder mapped as network drives on other computers on my home network.  Is it possible that this is where that sid came from?  Either way, it is gone now.  Thanks for the responses.

Expert Comment

ID: 10752979
Well, it's not a virus or a trojan.  It's just an orphaned SID for an object that no longer exists.

Expert Comment

ID: 11717683
I have experienced the same situation with a removable USB hard drive after reinstalling Windows XP on my laptop.  I'm not sure if you had a similar problem; in my case the orphaned SID did not show up for the drive root -- only for all of its subfolders.  I recursively took ownership of all the files on the drive (using the drive root), removed the 'CREATOR OWNER' entry on the ACL on the drive root, then re-added 'CREATOR OWNER' with permissions set to full control.  Not sure if this will work for you; however, it worked for me.  Hope this helps.



Question has a verified solution.
