WIN XP security "unusual" USER created on my system

I have been monitoring my WIN XP security closely over the last week as it appeared we had a breach of security where we had a weird user appear in our MY Network/Security/ tab. I deleted the user name a week ago but it came back again. We have installed some failry tough security programs and measures as well changed user names IP addresses and passwords etetc.

As this user name came back it was a surprize???

Is there a way that we can prevent any more users being created in the MY NetworkSecurity section and is there a way we can trace back when it was created and if there is any related files doig this on the system?
gregnvtAsked:
Who is Participating?
 
NacMacFeegleConnect With a Mentor Commented:
Are you sure its a new user being created and not the SID of an unknown user? You may have delegated or added permissions to a user on this resource and the user account is then removed from AD in this case the permissions tab cannot show the user name but will show the SID.
~
0
 
mcsa_2003Connect With a Mentor Commented:
Hi,

look like trojans but still in your network area any way run Ewido to check if there somthing and to remove it
http://www.ewido.net/en/
and
Spy Sweeper to remove any spyware
http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html

and tell us the result

Regards

0
 
NacMacFeegleConnect With a Mentor Commented:
What is the username? It may be a system or application generated user (TSinternetuser for example)
~
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
davidis99Commented:
You should enable auditing in the system and security logs so you'll have the option of seeing when changes were made to your system.   By default, the logs themselves may alread give you some of that information.  - Start, settings, control panel, administrative tools, event viewer.
0
 
gregnvtAuthor Commented:
Thank you for the ideas....

Tried the ewido, spy sweeper and Trojan Hunter and did not discover any trogans.

Just the usual adware items....

Also checked with Symantec tools and they proclaim we are clean...

The user that was created on both occaisions was the same name where it was something like the letter S with numbers and dashes thru it, Sorry I did not note it down exactly...

Looked something like S543-233445-4467. This user also appeared after I changed the internal IP and upgraded security... So I have discovered it twice in the last 7 days...

EVENT VIEWER *****

I checked the event viewer and could see anything where a user had been created??? Does Win XP create one for any reason???

Any other ideas??
0
 
mcsa_2003Connect With a Mentor Commented:
Hi,
yeah this right >>> Comment from NacMacFeegle
please check !!!

Regards
0
 
davidis99Commented:
Event viewer will only track items for which auditing has been enabled, for either the success of failure of that option, e.g. user creation.
0
 
xsoundConnect With a Mentor Commented:
If I have a user name JohnM on my network and give JohnM file permissions to some files and shares but then delete is account later.  The next time I look at the permissions of the files and shares it will so JohnM as S-1-3-4-2343-234234-2342-234234 because it does not recognize that account any more!
You could seach the registry for that SID and it my give you an indication of who the account use to belong to.
-Jason
0
All Courses

From novice to tech pro — start learning today.