Re: Virus detected in deleted user account



Hmm. If the file were under a documents and settings subfolder that usually
means that the user in question one time logged onto the computer unless it
is a profile generated by the operating system. If you cannot see the
folder/file then you may need to configure Explorer to show hidden and
system files in Explorer/tools/folder options/view. The user SID would most
likely only be able to be seen if explicit permissions had been assigned to
that user account somewhere. If your malware/spyware detection and removal
tools seem to clean up things and the computer performs well I would not
worry too much about it; otherwise consider doing another pristine
install. --- Steve


"corred" <corred@xxxxxxxxxxxx> wrote in message
news:1138943671.335808.219550@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Steven :
Re: Where are the files located as in the path - under documents and
settings??

Yes in the Live Scan report they were, but no such thing is visible
under explorer.exe


re: If an account had been deleted the operating system would have no
record of
it though there may be remnants of its existence in the registry,

Nothing was found in Regedit's Find Function that I could read. However
the encrypted files appeared as irrelevant or referenced the Machine
Owner name. No relevant results were found under unknown either.

Re: access control lists showing the deleted users sid,

Interesting can you provide a heads up on accessing ACL or Deleted User
SID?

Re: or the user's profile folder under documents and settings if the
user had ever logged onto the computer.

That user is just another alias for me but no such profile exists
anymore, or at least none that I can access.

Re: Regardless as an administrator you should be able to delete any
file on the
computer though you may need to take ownership of the file first and then
give yourself or administrators full control permissions to it.

Yes isn't that fun. I have done that before and it has a few little
caveats like 'effective permissions'. With some tweaking around I
discovered that by using auditing that too can be obtained although XP
does occasionally buck and balk.

Re: If you get an error that balks that the file is in use try booting
into Safe Mode and
it is always a good idea to do malware/spyware scans in Safe Mode also.

That is an interesting and novel approach that is new to me.

Re: You also may want to review the security log via Event Viewer to
see if any
events reference the mystery user account.

Another interesting and novel approach that I will try.

Re: If the operating system was not installed to a formatted system
partition [not fast format] then it is not unusual to find user
profiles from the old installation depending on how the installation
was done.

I have been monkeying with this machine mostly unsuccessfully since I
tried to uninstall SP2 and although I had turned off auto update, it
autoupdated anyway and got a long series of very serious problems
summed up as Shlwalapi.dll (pardon my misspelling) and oh btw MS was
most mysteriously totally out to sea on this beyond a few preliminary
hints about the Recovery Console. I struggled with that and did a
reformat, switched HD and lived well until a series of serious errors
in Media Player brought the system down. It once was a top of the line
machine but has also had some hardware troubles. I am now attempting to
make sure that it is rock solid stable before bequeathing it to my son
for Gaming.
Once again thanx. I cannot access it just yet as I am running
Onlinescan from Panda as well as NTune Utilities but will get back to
it directly. My chief concern was to sterilize /cleanse and the Live
Beta was rough. Odd previous usage on clients machines were quite
productive. It is my opinion that MS was trying to shake me down for
some money. :-) But the profile was once real (mine) and I am always
very curious of things invisible to the OS like Alternate Data
Channels.
Hopefully more later
Corred

http://support.microsoft.com/default.aspx?scid=kb;en-us;308421 --- how to take ownership of files/folder

"corred" <corred@xxxxxxxxxxxx> wrote in message
news:1138934513.353056.89540@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OK My bad I should have offered more info. The system is running a
recently reinstalled copy of XP Pro and has been updated to SP2. The
machine has had a history of instability and I am trying to fix or
repair. After uninstalling the 'buggy' Live Beta I installed PC Tools
Anti vir and scanned twice. It found one quarantined Java /Trojan and
deleted it but this was I believe an unrelated event. What puzzles me
is the scan of a 'deleted user account'. Windows does not seem to know
that it exists and I am at a loss how to access and test this issue.
BTW the system after a bit of hardware jugglery and very minute
dissection of the BIOS Settings appears now to be stable but I am still
troubled by the deleted user account.
Thanx
Corred
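
[Added example, not part of the original thread or written by either poster.] The thread mentions three places a deleted account can leave traces: the registry, ACLs that still carry the user's SID, and a profile folder under Documents and Settings. The script below checks the first two and reports every SID that no longer maps to an account. It assumes Windows PowerShell run as an administrator; $ScanRoot and the helper function names are illustrative.

```powershell
# Added example. $ScanRoot is an assumed parameter: the folder whose
# immediate children have their owner and ACL entries checked.
param([string]$ScanRoot = "$env:SystemDrive\Documents and Settings")

function Resolve-SidName([string]$Sid) {
    # Returns DOMAIN\name, or $null when no account maps to the SID
    # (the state a deleted account leaves behind) or the string is not a SID.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $null }
}

function New-Finding($Source, $Sid, $Path) {
    New-Object PSObject -Property @{ Source = $Source; Sid = $Sid; Path = $Path }
}

# 1. Registry: ProfileList has one subkey per SID that ever had a profile here.
#    Subkeys with a suffix such as ".bak" do not parse as SIDs and are listed too.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$fromRegistry = Get-ChildItem $key | ForEach-Object {
    $sid = $_.PSChildName
    if ($sid -match '^S-1-5-21-' -and -not (Resolve-SidName $sid)) {
        New-Finding 'ProfileList' $sid (Get-ItemProperty $_.PSPath).ProfileImagePath
    }
}

# 2. File system: owner and ACL entries, read as raw SIDs so that entries
#    for accounts that no longer exist are still returned.
$sidType = [System.Security.Principal.SecurityIdentifier]
$fromAcls = Get-ChildItem -LiteralPath $ScanRoot -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $item = $_
    try { $acl = $item.GetAccessControl() } catch { return }  # skip unreadable items
    $sids = @($acl.GetOwner($sidType).Value)
    $sids += $acl.GetAccessRules($true, $true, $sidType) |
             ForEach-Object { $_.IdentityReference.Value }
    $sids | Select-Object -Unique |
      Where-Object { $_ -and -not (Resolve-SidName $_) } |
      ForEach-Object { New-Finding 'ACL/owner' $_ $item.FullName }
  }

# Each row is a SID with no matching account, and where it was found.
@($fromRegistry) + @($fromAcls) | Format-Table Source, Sid, Path -AutoSize
```

Only the top level of $ScanRoot is examined; on a domain-joined machine a SID can also fail to resolve simply because the domain controller is unreachable.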



