Hidden User Accounts

Thread: Hidden User Accounts

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    3

    Hidden User Accounts

    I was hoping someone might be able to provide me some leads. I've tried Google, but so far nothing has turned up.

    I've been cleaning up my little brother's computer (Windows XP SP1) recently and came across an account that shouldn't be on there. The account name seems to be a random string of letters. The account is hidden when the computer starts up, so I had no idea it existed until I was running IE History View and it listed this bizarre account.

    When I can get back out there I can get the name and search for that, but until then I thought I would see if it rings a bell with anyone. I also need to check through Control Panel and see if it appears there too. I had the same "Hmmm...that's weird." response I had when I found the ASPNET account on some of the computers here at the school. That one I figured out though.

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    How long was the random string?

    It could have been a SID of a legit account. (the prog just couldn't resolve the user account)

    Have you looked at the user accounts in control panel? Are the accounts in there legit?

    There are utilities that will give you the SID of the user accounts.
    Look for sid2user or user2sid.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Did the name look something similar to S-X-X-XX-XXXXX-XXXXXX-XXXXXX-XXX, where the X's are the random characters? If so, it's probably a SID like phish said.

    If it's a SID, you can figure what type of account or group by using this page of well known Windows SIDs. Also, if it's a SID, and the last 3 characters are 500, you're pretty much screwed, because it's an admin account.

    Also, is it XP Home or Pro?
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
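
Added example, not part of any post in this thread: a small Python check for the question raised in posts #2 and #3, namely whether an odd account name is really an unresolved SID string and, if so, what kind of principal it names. The function name, the short lookup table and the sample names are constructed for illustration; the well-known values are from Microsoft's published SID list.

```python
import re

# Short excerpt of Microsoft's documented well-known SIDs.
WELL_KNOWN = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32-544": "BUILTIN\\Administrators group",
    "S-1-5-32-545": "BUILTIN\\Users group",
}
WELL_KNOWN_RIDS = {500: "built-in Administrator account",
                   501: "built-in Guest account"}

# S-<revision 1>-<identifier authority>-<1..15 sub-authorities>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$", re.IGNORECASE)

def classify_sid(name):
    """Describe `name` if it is a SID string; return None if it is not."""
    m = SID_RE.match(name.strip())
    if not m:
        return None                      # an ordinary (or random) account name
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if any(s > 0xFFFFFFFF for s in subs):
        return None                      # sub-authorities are 32-bit values
    canonical = "S-1-%d-%s" % (authority, "-".join(map(str, subs)))
    if canonical in WELL_KNOWN:
        return WELL_KNOWN[canonical]
    # S-1-5-21-<three machine or domain values>-<RID>: an account or group
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        if rid >= 1000:
            return "account or group created after install (RID %d)" % rid
        return "reserved or built-in RID %d" % rid
    return "SID with authority %d (not in this short table)" % authority

if __name__ == "__main__":
    # Constructed sample names, not taken from the machine in this thread.
    for sample in ("S-1-5-21-1111111111-2222222222-3333333333-500",
                   "S-1-5-21-1111111111-2222222222-3333333333-1004",
                   "S-1-5-18",
                   "Xqzvbnmk"):
        print(sample, "->", classify_sid(sample))
```

A `None` result means the name is not a SID at all, which is the case the original poster describes in the next post.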


  4. #4
    Junior Member
    Join Date
    Jun 2006
    Posts
    3
    No, it didn't appear to be a SID. I vaguely recall it starting with 'X' but I'll check for sure.

    XP Home Edition I'm fairly certain.


    Nothing like coming to post a problem with none of the details right?

  5. #5
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Erm...that doesn't sound good. I could be way off base, but I'm thinking that it may be compromised. Can you check the event log and look and see if it has audited any logon or authentication events? If it is compromised, and the perp is worth a crap, you won't see crap, but if not, then there may be a trail to follow there.

    I could be way off, like I said, but I'd look anyhow, just to be sure.


  6. #6
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    Does he have dotnet installed on the computer? I know Microsoft adds accounts for the system to run different things. What type of privileges does that account have? Admin, User, Guest?
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  7. #7
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    The .NET account would be \computername\ASPNET. The Account is hidden and has logon as service, access from network, and impersonate client rights, but is denied logon locally rights.


  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Try booting to ophcrack and see what that turns up. Ophcrack should give you the password for that acc't and you can take it from there.

    Might start thinkin' about an FNR (flatten and reload, aka format and reinstall).
    “Everybody is ignorant, only on different subjects.” — Will Rogers
