Unknown user account now showing up in managment console - trojan?

S0ulEdge asked
Medium Priority
1,118 Views
Last Modified: 2013-12-03
Here is a picture http://www.jermageinc.net/images/wtf.jpg

I just noticed this today.  I go to the computer management console but there is no such user listed under users or groups.  Whatever it is, it doesn't look good and I want it gone.  Any ideas?  I'm running Windows 2k btw.


Author

Commented:
Thanks for the script.  I ran it but found that only the first 5 digits matched.  The rest are all different.  What does this mean?  The guest account is still disabled on the local machine under computer management.

Commented:
When a SID ends in 501 that means it is a guest account.
If the 1st set of numbers do not match, that means that user is not from your
domain or your local workstation. So this guest user is not your current guest user.

I cannot say why in your case this has happened.
I would recommend doing a virus scan just in case.

If you do not have anti-virus software you can perform an online scan here:
www.symantec.com/securitycheck

You can also check for spyware. I don't know of any spyware that can
do anything like this, but it's always a good idea to do so.
You can download Ad-Aware here.
Be sure to click the update option before you run it:
http://www.lavasoftusa.com/support/download/

The most likely cause for this problem is from a formatting/upgrading/reloading W2K issue...
not from your computer being compromised. I just gave you the links above
to follow best practice guidelines

Were you able to get rid of the user on your albums folder?
This may be *a* guest account, and not necessarily *the* guest account.

Whatever the case, this is likely to be an account which was deleted from your system before you removed its rights in NTFS.  I see this all the time.  

For example: If you modify the permissions of the Albums folder (or its parent) so that Heywood Jablomi specifically has Read permissions, then delete his account, the folder Albums still has an ACL in NTFS referring to his account.  Since it uses his SID as reference, and it can't match that up to a valid account, it's showing you the SID with a question mark next to the user symbol because it has no idea who owns that SID.  

Remove the SID from the ACL at the top-level folder where it appears.
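The check described in the two comments above (RID 501 means Guest, a SID whose leading numbers differ from the local machine SID belongs elsewhere, and a SID that no longer resolves to an account is an orphan left in the NTFS ACL) as a PowerShell script for current Windows versions. This is an added example, not code from the thread; the function name, the -Remove switch and the sample path are assumptions, and it needs Windows PowerShell 5.1 or later (for Get-LocalUser) in an elevated prompt.

```powershell
# Added example, not from the thread. Lists ACL entries on a folder tree whose
# SID no longer resolves to an account, decodes the RID (501 = Guest) and checks
# whether the SID's domain identifier matches this machine's SID. Function name,
# -Remove switch and the sample path are assumptions.
function Find-OrphanedSid {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Remove          # also strip the orphaned entries from the ACL
    )
    # The machine SID is the built-in Administrator's SID (RID 500) without that RID.
    $adminSid   = (Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }).SID.Value
    $machineSid = $adminSid -replace '-500$', ''
    $wellKnown  = @{ 500 = 'Administrator'; 501 = 'Guest'; 512 = 'Domain Admins'; 513 = 'Domain Users' }

    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $folders) {
        $acl     = Get-Acl -LiteralPath $dir.FullName
        $changed = $false
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # fix the entry where it is defined
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            try {
                $null = $sid.Translate([System.Security.Principal.NTAccount])
                continue                         # resolves to a name: account still exists
            } catch [System.Security.Principal.IdentityNotMappedException] { }

            $rid  = [int] $sid.Value.Split('-')[-1]
            $name = if ($wellKnown.ContainsKey($rid)) { $wellKnown[$rid] } else { '(none)' }
            [pscustomobject]@{
                Folder          = $dir.FullName
                Sid             = $sid.Value
                Rid             = $rid
                WellKnownRid    = $name
                FromThisMachine = $sid.Value.StartsWith("$machineSid-")
                Rights          = $ace.FileSystemRights
            }
            if ($Remove) {
                $acl.RemoveAccessRuleAll($ace)   # drop every ACE held by that orphaned SID
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $dir.FullName -AclObject $acl }
    }
}

# Report only; add -Remove once the listed entries are confirmed to be orphans.
Find-OrphanedSid -Path 'C:\Albums' | Format-Table -AutoSize
```

An entry that resolves is skipped, so the report contains only SIDs Windows itself would display with the question-mark icon; FromThisMachine false on such an entry is the "first numbers do not match" case from the comment above.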

Author

Commented:
I have 2 partitions C & D, Windows 2k is installed on the D partition.  That SID was only showing up on folders on the C drive.  I selected all the top level folders on the C drive (about a dozen) and went to the security tab.  It said that permissions were different from folder to folder and asked me if I wanted to reset them all.  I said yes and removed all the users except the admin (me).  I have Norton antivirus with the latest updates and use Ad-Aware on a regular basis.  I did have some of my folders such as the "albums" folder mapped as network drives on other computers on my home network.  Is it possible that this is where that SID came from?  Either way, it is gone now.  Thanks for the responses.

Well, it's not a virus or a trojan.  It's just an orphaned SID for an object that no longer exists.

Commented:
I have experienced the same situation with a removable USB hard drive after reinstalling Windows XP on my laptop.  I'm not sure if you had a similar problem; in my case the orphaned SID did not show up for the drive root -- only for all of its subfolders.  I recursively took ownership of all the files on the drive (using the drive root), removed the 'CREATOR OWNER' entry on the ACL on the drive root, then re-added 'CREATOR OWNER' with permissions set to full control.  Not sure if this will work for you, however it worked for me.  Hope this helps.

  </henroc>