Solved

Unknown user account now showing up in management console - trojan?

Posted on 2004-04-03
Last Modified: 2013-12-03
Here is a picture http://www.jermageinc.net/images/wtf.jpg

I just noticed this today.  I go to the computer management console but there is no such user listed under users or groups.  Whatever it is, it doesn't look good and I want it gone.  Any ideas?  I'm running Windows 2K btw.
Question by:S0ulEdge
7 Comments
 
LVL 16

Accepted Solution

by:
mdiglio earned 50 total points
ID: 10750263
Hello,
This is the guest user account.
To remove this entry you must click the check box in your picture that says
"allow inheritable permissions..." >> click copy >>then you can remove it.


To verify that this user was from your domain or local workstation (whichever may be the case),
you can run this script. Copy and paste it into Notepad and save it with a .vbs extension.

'!!!Begin Copy
' Query WMI on the local machine (".") for the account named "administrator"
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount where name = 'administrator'", , 48)
For Each objItem In colItems
    ' Display the SID of each matching account
    WScript.Echo objItem.SID
Next
'!!!End copy

This will give you a message box with the SID of your administrator.
Compare this output to the one in your picture.
They should be exactly the same except for the last 3 digits.

good luck

0
 

Author Comment

by:S0ulEdge
ID: 10750422
Thanks for the script.  I ran it but found that only the first 5 digits matched.  The rest are all different.  What does this mean?  The guest account is still disabled on the local machine under computer management.
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 10750561
When a SID ends in 501 that means it is a guest account.
If the 1st set of numbers do not match, that means that user is not from your
domain or your local workstation. So this guest user is not your current guest user.

I cannot say why in your case this has happened.
I would recommend doing a virus scan just in case.

If you do not have anti-virus software you can perform an online scan here:
www.symantec.com/securitycheck

You can also check for spyware. I don't know of any spyware that can
do anything like this, but it's always a good idea to do so.
You can download Ad-Aware here
Be sure to click the update option before you run it
http://www.lavasoftusa.com/support/download/

The most likely cause for this problem is from a formatting/upgrading/reloading W2K issue...
not from your computer being compromised. I just gave you the links above
to follow best practice guidelines

Were you able to get rid of the user on your albums folder?
0
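The comparison described in the answers above, as an added example that is not part of the original posts: it splits each SID into the prefix that identifies the issuing machine or domain and the final relative ID (RID), then reports whether an unresolved SID from an ACL shares the prefix of an account known to be local. The SID values and function names are constructed for illustration.

```python
import re

# Well-known relative IDs (RIDs) for built-in accounts in an account domain.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Account SIDs issued by a machine or domain: S-1-5-21-<a>-<b>-<c>-<RID>.
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)


def split_sid(sid):
    """Return (issuer_prefix, rid) for an account SID, or raise ValueError."""
    m = ACCOUNT_SID.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine/domain account SID: {sid!r}")
    a, b, c, rid = m.groups()
    return f"S-1-5-21-{a}-{b}-{c}", int(rid)


def assess_unknown_sid(unknown_sid, reference_sid):
    """Compare an unresolved SID from an ACL with a SID known to be local."""
    unknown_issuer, rid = split_sid(unknown_sid)
    reference_issuer, _ = split_sid(reference_sid)
    return {
        "rid": rid,
        "account_type": WELL_KNOWN_RIDS.get(rid, "other account or group"),
        # True only when both SIDs were issued by the same machine or domain.
        "same_issuer": unknown_issuer == reference_issuer,
    }


# Constructed sample values, not taken from the screenshot in the question.
LOCAL_ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-500"
FROM_ACL = "S-1-5-21-3000000001-3000000002-3000000003-501"

if __name__ == "__main__":
    result = assess_unknown_sid(FROM_ACL, LOCAL_ADMIN)
    print(result)
    if not result["same_issuer"]:
        print("SID was issued by a different installation or domain")
```
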
 
LVL 5

Expert Comment

by:visioneer
ID: 10750682
This may be *a* guest account, and not necessarily *the* guest account.

Whatever the case, this is likely to be an account which was deleted from your system before you removed its rights in NTFS.  I see this all the time.  

For example: If you modify the permissions of the Albums folder (or its parent) so that Heywood Jablomi specifically has Read permissions, then delete his account, the folder Albums still has an ACL in NTFS referring to his account.  Since it uses his SID as reference, and it can't match that up to a valid account, it's showing you the SID with a question mark next to the user symbol because it has no idea who owns that SID.  

Remove the SID from the ACL at the top-level folder where it appears.
0
 

Author Comment

by:S0ulEdge
ID: 10752714
I have 2 partitions C & D, Windows 2K is installed on the D partition.  That SID was only showing up on folders on the C drive.  I selected all the top level folders on the C drive (about a dozen) and went to the security tab.  It said that permissions were different from folder to folder and asked me if I wanted to reset them all.  I said yes and removed all the users except the admin (me).  I have Norton antivirus with the latest updates and use Ad-Aware on a regular basis.  I did have some of my folders such as the "albums" folder mapped as network drives on other computers on my home network.  Is it possible that this is where that SID came from?  Either way, it is gone now.  Thanks for the responses.
0
 
LVL 5

Expert Comment

by:visioneer
ID: 10752979
Well, it's not a virus or a trojan.  It's just an orphaned SID for an object that no longer exists.
0
 

Expert Comment

by:henroc
ID: 11717683
I have experienced the same situation with a removable USB hard drive after reinstalling Windows XP on my laptop.  I'm not sure if you had a similar problem; in my case the orphaned SID did not show up for the drive root -- only for all of its subfolders.  I recursively took ownership of all the files on the drive (using the drive root), removed the 'CREATOR OWNER' entry on the ACL on the drive root, then re-added 'CREATOR OWNER' with permissions set to full control.  Not sure if this will work for you; however, it worked for me.  Hope this helps.

  </henroc>
0
