-
Hidden User Accounts
I was hoping someone might be able to provide me some leads. I've tried Google, but so far nothing has turned up.
I've been cleaning up my little brother's computer (Windows XP SP1) recently and came across an account that shouldn't be on there. The account name seems to be a random string of letters. The account is hidden when the computer starts up, so I had no idea it existed until I was running IE History View and it listed this bizarre account.
When I can get back out there I can get the name and search for that, but until then I thought I would see if it rings a bell with anyone. I also need to check through Control Panel and see if it appears there too. I had the same "Hmmm...that's weird." response I had when I found the ASPNET account on some of the computers here at the school. That one I figured out though.
-
How long was the random string?
It could have been a SID of a legit account. (The prog just couldn't resolve the user account.)
Have you looked at the user accounts in Control Panel? Are the accounts in there legit?
There are utilities that will give you the SID of the user accounts.
Look for sid2user or user2sid.
-
Did the name look something similar to S-X-X-XX-XXXXX-XXXXXX-XXXXXX-XXX, where the X's are the random characters? If so, it's probably a SID like phish said.
If it's a SID, you can figure out what type of account or group it is by using this page of well-known Windows SIDs. Also, if it's a SID, and the last 3 characters are 500, you're pretty much screwed, because it's an admin account.
Also, is it XP Home or Pro?
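The SID check the two replies above describe, as an added example that is not code from any of the posters: it tells a SID-looking string apart from a real account name, maps the fixed well-known SIDs (LocalSystem, BUILTIN\Administrators and so on) to their meaning, and flags the RID 500 case, which is the built-in Administrator. The sample strings at the bottom are constructed for the demo; the well-known SID and RID values are the standard Windows ones.

```python
import re

# Fixed well-known SIDs that mean the same thing on every Windows installation.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "LocalSystem (NT AUTHORITY\\SYSTEM)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
}

# Well-known relative identifiers (the last component of a machine or domain SID).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Revision is always 1; an authority plus at least one sub-authority must follow.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_sid(text):
    """Describe a string that might be a SID.

    Returns a dict: is_sid (bool), label (str), admin (bool: RID 500 or the
    BUILTIN\\Administrators group).
    """
    text = text.strip()
    if not SID_RE.match(text):
        return {"is_sid": False, "label": "not a SID (probably a real account name)", "admin": False}
    if text in WELL_KNOWN_SIDS:
        return {"is_sid": True, "label": WELL_KNOWN_SIDS[text], "admin": text == "S-1-5-32-544"}
    parts = [int(p) for p in text.split("-")[1:]]   # [revision, authority, sub-authorities...]
    authority, subs = parts[1], parts[2:]
    # Machine and domain accounts are S-1-5-21-<three 32-bit values>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        label = WELL_KNOWN_RIDS.get(rid, "ordinary user or group, RID %d" % rid)
        return {"is_sid": True, "label": "machine/domain account: " + label, "admin": rid == 500}
    return {"is_sid": True, "label": "SID with no well-known meaning here", "admin": False}


if __name__ == "__main__":
    # Constructed sample strings, the sort a history viewer might show when it
    # cannot resolve an account name.
    samples = [
        "S-1-5-21-1234567890-987654321-1122334455-500",
        "S-1-5-21-1234567890-987654321-1122334455-1003",
        "S-1-5-18",
        "Xkqzpwvtr",
    ]
    for s in samples:
        info = classify_sid(s)
        flag = "  <-- ADMIN" if info["admin"] else ""
        print("%-48s %s%s" % (s, info["label"], flag))
```

A name that does not match the pattern at all, as the original poster later reports, means the viewer really did record a distinct account name, and the next step is comparing it against the accounts listed in Control Panel rather than the SID table.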
-
No, it didn't appear to be a SID. I vaguely recall it starting with 'X' but I'll check for sure.
XP Home Edition I'm fairly certain.
Nothing like coming to post a problem with none of the details right? ;)
-
Erm...that doesn't sound good. I could be way off base, but I'm thinking that it may be compromised. Can you check the event log and look and see if it has audited any logon or authentication events? If it is compromised, and the perp is worth a crap, you won't see crap, but if not, then there may be a trail to follow there.
I could be way off, like I said, but I'd look anyhow, just to be sure.
-
Does he have dotnet installed on the computer? I know Microsoft adds accounts for the system to run different things. What type of privileges does that account have? Admin, User, Guest?
-
The .NET account would be \computername\ASPNET. The account is hidden and has logon as service, access from network, and impersonate client rights, but is denied logon locally rights.
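A way to verify the rights profile the reply above describes, added here and not code from any of the posters: on Windows, `secedit /export /cfg out.inf` writes the local policy, and its `[Privilege Rights]` section lists which accounts hold each user right. The parser below reads that section and reports an account's rights, then checks for the service-account shape (logon as a service granted, interactive logon denied). The INF text is a constructed sample in that format; a real export is UTF-16 and must be decoded before parsing, and entries are usually `*SID` rather than names.

```python
import re

# Constructed sample of a secedit export. Real files list holders as "*SID"
# (resolve them first) or as account names; both are accepted below.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,ASPNET
SeNetworkLogonRight = *S-1-1-0,ASPNET
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,ASPNET
SeDenyInteractiveLogonRight = ASPNET
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {right name: [holders]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip() for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def rights_for(inf_text, account):
    """Sorted list of user rights whose holder list names the account (case-insensitive)."""
    wanted = account.lower()
    rights = parse_privilege_rights(inf_text)
    return sorted(name for name, holders in rights.items()
                  if wanted in (h.lower() for h in holders))


def looks_like_service_account(inf_text, account):
    """True when the account may log on as a service but is denied interactive logon."""
    held = set(rights_for(inf_text, account))
    return "SeServiceLogonRight" in held and "SeDenyInteractiveLogonRight" in held


if __name__ == "__main__":
    # To use a real export: text = open("out.inf", encoding="utf-16").read()
    for acct in ("ASPNET", "*S-1-5-32-544"):
        print(acct, rights_for(SAMPLE_INF, acct),
              "service-account profile" if looks_like_service_account(SAMPLE_INF, acct) else "")
```

An unexpected account that instead holds SeInteractiveLogonRight, or sits in the Administrators group, does not fit the profile of a framework service account and deserves the closer look the earlier replies suggest.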
-
Try booting to ophcrack and see what that turns up. Ophcrack should give you the password for that acc't and you can take it from there.
Might start thinkin' about an FNR (flatten and reload, aka format and reinstall).