Re: unknown user on home computer--how to delete accounts?

[maut36835 () mypacks net]

Thanks for the feedback.  I'm having a hard time implementing the suggestion to delete accounts, however, since 1) the 
unknown accounts do not show up on the regular User Accounts screen (where the delete function is), only through the 
net users prompt or by right clicking on a document > Share and listing user accounts, and 2) I'm running Vista so the 
lusrmgr.msc approach you mention doesn't work either, it just says to go to the User Accounts screen.  3) Also, I tried 
net user <username> /delete and it just says Access Denied, though I am using my Administrator account to do it.  

Are there any more sophisticated methods for deleting User Accounts that anybody knows of?   


-----Original Message-----
> From: "mgk.mailing" <mgk.mailing () googlemail com>
> Sent: Mar 4, 2008 5:50 AM
> To: Murda Mcloud <murdamcloud () bigpond com>
> Cc: 'Margaret Wolfe-Roberts', security-basics () securityfocus com
> Subject: Re: unknown user on home computer
>
> Hi
>
> The only mention of those files or users seem to be a lenovo forum 
> post.  To be honest, i wouldn't have any user accounts on their that i 
> didn't know about.
>
> > > It's
> > > possible I have utilized some online program to gather information on my
> > > system which created those files
> > >     
>
> Does this mean you're not sure if you ever did this?
> Is this a lenovo laptop?
>
>
>
> There is no reason for a helper app or any guide to create new users on 
> the machine for the purposes of sharing files and printers.
>
> I would assume the worse here and rebuild the machine, is this an 
> option?  if someone has got admin on that machine and knew how to put 
> rootkits and such on, then you would have a very hard time getting rid 
> of it.  Assuming you cant rebuild the machine consider removing the 
> accounts, no important service will use them (they have their own user) 
> and run antivirus / rootkit from a boot cd. 
>
> At the very least i would disable that user, and the others you didn't 
> create.  if you click on start, run then type lusrmgr.msc to open the 
> management console for users, from here you can disable accounts.  In 
> addition if you type services.msc this will bring up the services 
> console.  if you right click on each services and choose properties and 
> then select the logon tab.  Most will use the local system account.  it 
> maybe an idea to check if any are using these new users.
>
> Anyhow hope that helps for now and I'm sure ill be corrected if I went 
> the wrong way with any of this.  The thing i would ask myself though is 
> that with all these changes, would you be comfortable putting your 
> credit card details into a webpage at the moment?
>
> Cheers
>
> /Mgk
>
>
>
> Murda Mcloud wrote:
> > Does anyone else have access to the machine(physical access?).
> > I can see a user called david.
> > Before you bought the router, was there any kind of firewall and/or
> > anti-virus installed?
> >
> > Are there any strange users on the laptop?
> >
> > Have you since run any anti virus/spyware/rootkit scans?
> >
> > Do you have any kind of peer to peer software that you use(eg LimeWire
> > bearShare etc)
> >
> >   
> > > > It's
> > > > possible I have utilized some online program to gather information on my
> > > > system which created those files
> > > >       
> >
> > Does this mean you're not sure if you ever did this?
> > Is this a lenovo laptop?
> >
> >
> >
> >   
> > > > -----Original Message-----
> > > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > > > On Behalf Of Margaret Wolfe-Roberts
> > > > Sent: Sunday, March 02, 2008 1:18 AM
> > > > To: security-basics () securityfocus com
> > > > Subject: unknown user on home computer
> > > >
> > > > Hello,
> > > >
> > > > I am a home user with one laptop and one desktop and I'm hoping you can
> > > > help me with a security concern.   Recently I installed a router in order
> > > > to share the Internet connection.   In the process of learning to enable
> > > > File Sharing I clicked on some stuff and the desktop generated a list of
> > > > users that includes a username I have never seen before, a strange one
> > > > called "ratnkwCNHERF".   When I did a whole-computer search to find out
> > > > more, the search generated a list of three files where the same term is
> > > > used, all in the C://SWSHARE folder.
> > > >
> > > > I checked the three files: egathcmp.xml, egath.xml and eGathComp.html
> > > > (Firefox doc).   They seem to be reviews of the overall system.   It's
> > > > possible I have utilized some online program to gather information on my
> > > > system which created those files.
> > > > The html file is entitled Gathered Information for [computer name] and
> > > > includes this information about users:
> > > >
> > > > Workstation Security
> > > > .  User Accounts
> > > >
> > > > User ID/Name/Password Set/Password age in days/Privilege
> > > > Level/Disabled/Password Not Required/Cannot Change Password/Locked Out/
> > > >    Password Never Expires/Password Expired
> > > >
> > > > 2700                       true    97      Administrator   false   true
> > > >       
> > false
> >   
> > > >    false   true    false
> > > > Administrator              true    480     Administrator   true
> > > >       
> > false        false
> >   
> > > >    false   true    false
> > > > David      David           true    0       User            false
> > > >       
> > false        false
> >   
> > > >    false   true    false
> > > > Guest                      true    0       Guest           false   true
> > > >       
> > true
> >   
> > > >    false   true    false
> > > > od2700     Margaret        true    97      User            false   true
> > > >       
> > false
> >   
> > > >    false   true    false
> > > > ratnkwCNHERF       ratnkwCNHERF   true  55 Administrator   false   false
> > > >    false   false   false   true
> > > >
> > > > Here I find out that the "rat" user has Administrator privileges and
> > > > appears to have had a password created AFTER I set passwords for myself
> > > > and the administrator account as I know it -the "2700" account (password
> > > > age 55 days vs 97 days).  I purchased the computer last October from
> > > > Office Depot.   However, the table also indicates the "rat" user's
> > > > password is expired, though the account is not disabled.
> > > >
> > > > I also notice that there is an extra Administrator account (now disabled)
> > > > listed separately from the account I know as administrator (2700) which
> > > > appears to long predate my purchase of the computer (password age 480
> > > > days).
> > > >
> > > > Is there some benign explanation for this mysterious user (who still
> > > > shows up as an option for sharing my files with) or have I uncovered
> > > > evidence of some kind of security breach of my computer?  How and for
> > > > what purpose would this extra user account have been created, and without
> > > > my knowledge?
> > > >
> > > > I will be truly grateful for any insight you can share with me.
> > > >
> > > > Margaret Wolfe-Roberts
> > > >       
> >
> >
> >