• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1094

Unknown user account now showing up in management console - trojan?

Here is a picture http://www.jermageinc.net/images/wtf.jpg

I just noticed this today.  I go to the computer management console but there is no such user listed under users or groups.  Whatever it is, it doesn't look good and I want it gone.  Any ideas?  I'm running windows 2k btw.
Asked:
S0ulEdge
1 Solution
 
mdiglioCommented:
Hello,
This is the guest user account.
To remove this entry you must click the check box in your picture that says
"allow inheritable permissions..." >> click copy >>then you can remove it.


To verify that this user was from your domain or local workstation (whichever may be the case)
you can run this script. Copy and paste into notepad and save it with a .vbs extension

'!!!Begin Copy
' Query WMI on the local machine ("." means this computer) for the built-in
' Administrator account and print its SID.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (one-pass, non-blocking enumeration)
Set colItems = objWMIService.ExecQuery("Select * from Win32_UserAccount where name = 'administrator'", , 48)
For Each objItem In colItems
    ' Under wscript.exe this shows a message box; under cscript.exe it prints to the console
    wscript.echo objItem.SID
Next
'!!!End copy

This will give you a message box with the SID of your administrator.
Compare this output to the one in your picture.
They should be exactly the same except for the last 3 digits.

good luck

S0ulEdgeAuthor Commented:
Thanks for the script.  I ran it, but only the first 5 digits matched.  The rest are all different.  What does this mean?  The guest account is still disabled on the local machine under computer management.
mdiglioCommented:
When a SID ends in 501 that means it is a guest account.
If the 1st set of numbers does not match, that means that user is not from your
domain or your local workstation. So this guest user is not your current guest user.

I cannot say why in your case this has happened.
I would recommend doing a virus scan just in case.

If you do not have anti-virus software you can perform an online scan here:
www.symantec.com/securitycheck

You can also check for spyware. I don't know of any spyware that can
do anything like this, but it's always a good idea to do so.
You can download Ad-Aware here.
Be sure to click the update option before you run it:
http://www.lavasoftusa.com/support/download/

The most likely cause for this problem is from a formatting/upgrading/reloading W2K issue...
not from your computer being compromised. I just gave you the links above
to follow best practice guidelines.

Were you able to get rid of the user on your albums folder?
visioneerCommented:
This may be *a* guest account, and not necessarily *the* guest account.

Whatever the case, this is likely to be an account which was deleted from your system before you removed its rights in NTFS.  I see this all the time.

For example: If you modify the permissions of the Albums folder (or its parent) so that Heywood Jablomi specifically has Read permissions, then delete his account, the folder Albums still has an ACL in NTFS referring to his account.  Since it uses his SID as reference, and it can't match that up to a valid account, it's showing you the SID with a question mark next to the user symbol because it has no idea who owns that SID.  

Remove the SID from the ACL at the top-level folder where it appears.
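A worked illustration of the SID comparison mdiglio describes and the orphaned-ACE explanation above, added here as an example that is not part of the thread. The Administrator SID and the ACL entries are constructed stand-ins for what the script and the Security tab would show on a real machine.

```python
import re

# Constructed sample values for this example (not from the thread). Every
# machine and domain SID shares the 'S-1-5-21' prefix; the three sub-authority
# numbers identify the issuer and only the trailing RID identifies the account.
# 500 and 501 are the well-known RIDs of the built-in Administrator and Guest.
LOCAL_ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed ACL listing: (folder, identity as the Security tab shows it).
# Names that still resolve appear as names; SIDs that no longer resolve stay raw.
SAMPLE_ACES = [
    ("C:\\Albums", "BUILTIN\\Administrators"),
    ("C:\\Albums", "S-1-5-21-4444444444-5555555555-6666666666-501"),
    ("C:\\Albums", "S-1-5-21-1111111111-2222222222-3333333333-1005"),
]


def parse_sid(sid):
    """Split a SID string into (issuer part, RID); raise on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    issuer, _, rid = sid.rpartition("-")
    return issuer, int(rid)


def classify_identity(identity, local_admin_sid):
    """Explain an ACE identity: a resolved name, a deleted local account,
    or an account from another machine/domain (or a previous install)."""
    if not identity.startswith("S-1-"):
        return "resolved"
    issuer, rid = parse_sid(identity)
    # Matching only 'S-1-5-21' proves nothing (the asker's "first 5 digits");
    # the whole issuer part must equal the one from the local Administrator SID.
    who = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
    if issuer == parse_sid(local_admin_sid)[0]:
        return f"orphaned: deleted local account ({who})"
    return f"orphaned: foreign issuer ({who})"


def find_orphans(aces, local_admin_sid):
    """Return (folder, identity, explanation) for each unresolved SID in the ACL."""
    findings = []
    for folder, identity in aces:
        verdict = classify_identity(identity, local_admin_sid)
        if verdict != "resolved":
            findings.append((folder, identity, verdict))
    return findings


if __name__ == "__main__":
    for folder, identity, verdict in find_orphans(SAMPLE_ACES, LOCAL_ADMIN_SID):
        print(f"{folder}: {identity} -> {verdict}")
```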
S0ulEdgeAuthor Commented:
I have 2 partitions C & D, windows 2k is installed on the D partition.  That SID was only showing up on folders on the C drive.  I selected all the top level folders on the C drive (about a dozen) and went to the security tab.  It said that permissions were different from folder to folder and asked me if I wanted to reset them all.  I said yes and removed all the users except the admin (me).  I have Norton antivirus with the latest updates and use Ad-Aware on a regular basis.  I did have some of my folders such as the "albums" folder mapped as network drives on other computers on my home network.  Is it possible that this is where that SID came from?  Either way, it is gone now.  Thanks for the responses.
visioneerCommented:
Well, it's not a virus or a trojan.  It's just an orphaned SID for an object that no longer exists.
henrocCommented:
I have experienced the same situation with a removable USB hard drive after reinstalling windows xp on my laptop.  I'm not sure if you had a similar problem; in my case the orphaned SID did not show up for the drive root -- only for all of its subfolders.  I recursively took ownership of all the files on the drive (using the drive root), removed the 'CREATOR OWNER' entry on the ACL on the drive root, then re-added 'CREATOR OWNER' with permissions set to full control.  Not sure if this will work for you; however, it worked for me.  Hope this helps.