WIN XP security "unusual" USER created on my system

I have been monitoring my WIN XP security closely over the last week as it appeared we had a breach of security where we had a weird user appear in our MY Network/Security/ tab. I deleted the user name a week ago but it came back again. We have installed some failry tough security programs and measures as well changed user names IP addresses and passwords etetc.

As this user name came back it was a surprize???

Is there a way that we can prevent any more users being created in the MY NetworkSecurity section and is there a way we can trace back when it was created and if there is any related files doig this on the system?
gregnvtAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mcsa_2003Commented:
Hi,

look like trojans but still in your network area any way run Ewido to check if there somthing and to remove it
http://www.ewido.net/en/
and
Spy Sweeper to remove any spyware
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

and tell us the result

Regards

0
NacMacFeegleCommented:
What is the username? It may be a system or application generated user (TSinternetuser for example)
~
0
davidis99Commented:
You should enable auditing in the system and security logs so you'll have the option of seeing when changes were made to your system.   By default, the logs themselves may alread give you some of that information.  - Start, settings, control panel, administrative tools, event viewer.
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

gregnvtAuthor Commented:
Thank you for the ideas....

Tried the ewido, spy sweeper and Trojan Hunter and did not discover any trogans.

Just the usual adware items....

Also checked with Symantec tools and they proclaim we are clean...

The user that was created on both occaisions was the same name where it was something like the letter S with numbers and dashes thru it, Sorry I did not note it down exactly...

Looked something like S543-233445-4467. This user also appeared after I changed the internal IP and upgraded security... So I have discovered it twice in the last 7 days...

EVENT VIEWER *****

I checked the event viewer and could see anything where a user had been created??? Does Win XP create one for any reason???

Any other ideas??
0
NacMacFeegleCommented:
Are you sure its a new user being created and not the SID of an unknown user? You may have delegated or added permissions to a user on this resource and the user account is then removed from AD in this case the permissions tab cannot show the user name but will show the SID.
~
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mcsa_2003Commented:
Hi,
yeah this right >>> Comment from NacMacFeegle
please check !!!

Regards
0
davidis99Commented:
Event viewer will only track items for which auditing has been enabled, for either the success of failure of that option, e.g. user creation.
0
xsoundCommented:
If I have a user name JohnM on my network and give JohnM file permissions to some files and shares but then delete is account later.  The next time I look at the permissions of the files and shares it will so JohnM as S-1-3-4-2343-234234-2342-234234 because it does not recognize that account any more!
You could seach the registry for that SID and it my give you an indication of who the account use to belong to.
-Jason
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.