
Unknown numbered users in folder permissions


AnnieMS


Edit: Per reading this and that I've come to the conclusion that the two numbered accounts are using SIDs. Since these are the same numbers that are in the Recycler it would seem that they are the SIDs for two of the three user accounts I've set up on the computer. Maybe it's the recycler accounts for the two user accounts that I've actually used. I don't know why the accounts are only on the D partition and why only one account is on both the D partition and the Documents folder/subfolders on the D partition and why the 2nd acct on the doc folder/subfolders has restricted permissions. All user accounts have the same full access rights to the partition and the folder.

Original question

I booted up my Sony VAIO GXR600 w/ win2k sp4 for the first time yesterday since april of 2007. [it would only boot into safe mode and I didn't have time to troubleshoot]. For some mysterious windows' reason it booted w/out problem yesterday & today. I've been using a thinkpad w/ tab ed winxp since 07 [squinting at the little screen], so I'm rusty on win2k.

I was checking the share & ntfs permissions on the 3 folders I have set permissions so I can access them via windows file sharing or a different local user account. The hd has two partitions. C has the windows OS & program files & My Docs for the administrator account. D has the folder where I put my personal files. I also have a folder on C shared for downloaded program updates.

On the document folder for D there are two "users" in the security tab for local permissions that consist of a long number sequence beginning w/ S. The number sequence is the same for both except for the last set of 3/4 numbers. The first account is also listed on the security tab for the D volume and has full permission both places. The 2nd "user" is only listed for the document folder and has limited permissions. There is an icon next to both w/ a face and a red question mark - like windows doesn't know who they are either.

These "users" are not on the security tab for the my docs, shared c:\program updates folder, or the C volume.

Any ideas where they come from or how I can find out?

Edited by AnnieMS

  • 2 weeks later...

Per WinXP Inside/Out, if an SID on a security tab doesn't change to a name it's from a deleted account. However, I didn't think I'd deleted any accounts so I went looking in %userprofile%\application data\microsoft\protect and both SIDS are for active accounts. Maybe it's different for Win2k. The user as well as the SID are listed on the security tab, so apparently for some reason when I added UserA and UserB on the D partition's and the Doc Folder's security tabs, win2k put the SID of UserA on the D partition and the SIDs of UserA and UserB on Doc Folder.

Weird.


Yeah I get those on my USB drives when I jump them from machine to machine. In all cases, the SID's turned out to be my user accounts from the other machine. So you are right they are not always deleted accounts, but can also be accounts from other computers. It makes perfect sense that in a dual booting situation things will be even messier.

I do not think it is anything to get worried over.

Edited by MrJinje

Thanks MrJinje

I do move ext hd's from computer to computer. It's nice to have an explanation for where these users w/ the question marks by their icons came from.


Yeah I get those on my USB drives when I jump them from machine to machine. In all cases, the SID's turned out to be my user accounts from the other machine. So you are right they are not always deleted accounts, but can also be accounts from other computers. It makes perfect sense that in a dual booting situation things will be even messier.

I do not think it is anything to get worried over.

Be warned! This isn't supposed to happen with USB keys! This is a known behaviour of at least two of the Conficker variants, among other things, so make sure you check for that.


Thanks Tripredacus,

This computer was unused - as in sitting in its satchel and never turned on - between april 2007 and march 2010. The first thing I did when I got it networked to the new router and an internet connection was update Symantec End Point Protection and run a full scan. The google articles in the first search page go from 2008 to 2009, so I'm guessing that's when conficker [they also seem to call it/them downadup] was first noted and prevalent. I'd think Symantec would catch it if it was present.

I've downloaded ms malicious software tool and I'm running it. I guess I should post in an Am I Infected forum even if it is also negative.

Edit: It was negative

I double checked the SIDs and they are different from the current accounts on this computer, unlike what I first thought. Also, there is now a 2nd SID in the administrator's %userprofile%\application data\microsoft\protect folder that doesn't match the SID pattern of the user accounts on the Sony or the previous unknowns listed in the security tab's permissions, but it has the same last three numbers as the administrator's SID.

I had a computer tech help me back in 2007 reformat & reinstall the desktop & Sony. It's possible he set up an account and then deleted it, but if it was a user account the unknown SIDs should have the same pattern of numbers as the other user accounts and they don't.

Another thing I don't get is that all my user accounts on all three computers begin w/ S-1-5-21-x. Yet on the MS article on well-known SIDs the S-1-5-21-x combo appears to only be associated w/ domain accounts.

Edit: On the above web page S-1-5-11 is for Authenticated Users. The msdn article on well-known SIDs associates S-1-5-2 w/ SECURITY_NT_AUTHORITY & S-1-5-2 w/ "Users who log on across a network." There's obviously something I'm missing about these SIDs because all my local user accounts start w/ S-1-5-21 going by the SIDS found in their %user profile%'s & in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

The unknown SIDs also all start w/ S-1-5-21, so I'm assuming they are user accounts and not some system or device account.

Edit:

I ran malwarebytes and it only found 2 registry entries to repair - hijack.home for ie's home page & disabled security center. Checking Internet Options in CP I did note that the options to change the home page were grayed out & that was fixed by malwarebytes. Conficker did take the browser to other domains. - I forgot that I configured via Spywareblaster to prevent the homepage from being hijacked. So that was a false +.

win2k doesn't have a security center, but cking the registry area listed in the report it appeared to refer to symantec firewall. SEP firewall appears to be working OK because I get dialog boxes about whether to allow this or that program to "call out" So that was also a false +.

I've run Windows Malicious Tool v3.4 & 3.5, which both list conficker as something they check for and both were negative.

There was a conficker test page where if you saw all six images in a box, you probably didn't have conficker and I saw all the images. I checked and I have the security update KB958644 installed that was to plug the security hole conficker used.

So I don't think I have conficker. I posted in Am I Infected, but there must be a lot of real infections going round, 'cause no one answered.

None of my googling on unknown SIDs has yielded anything x deleted accounts. Unknown SIDS and conficker has gotten me lots of conficker hits but no mention of SIDs. I'm going to try again w/ "extra SIDs" * "account SIDs"

No success googling.

Just an Update:

I had a failure to boot into windows on my dell desktop, which previously did not have any unknown SIDs. After troubleshooting in recovery console, including copying over the restore point registry hives to %system%\system32\config, I got back into windows and found I'd lost a user account [the sam hive?] and gained an SID w/ the question mark/face icon on the security permissions tab on shared folders. Unlike the SIDs on the Sony's permissions tab, this one has the identical number sequence as the other user accounts x for the last 4.

Still no explanation for the SIDs w/ the non-matching number sequence.

Edited by AnnieMS
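
An added example, not part of any post in this thread: a small classifier for the SID strings shown on a Security tab. In S-1-5-21-a-b-c-RID the three middle numbers identify the machine or domain that issued the account and the last number identifies the account, so comparing the middle numbers separates an account that was lost from this machine from one issued by another computer, domain or Windows installation. All SID values and the function names are constructed for illustration.

```python
import re

# Subset of Microsoft's well-known SIDs; these are not per-machine accounts.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# S-1-5-21-<a>-<b>-<c>-<RID>: a-b-c identifies the issuing machine or domain,
# the RID identifies one account (500 = Administrator, users start at 1000).
ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_account_sid(sid):
    """Return (issuer, rid) for an account SID, or None for any other SID."""
    m = ACCOUNT_SID.match(sid.strip().upper())
    if not m:
        return None
    return "-".join(m.groups()[:3]), int(m.group(4))

def classify(sid, local_accounts):
    """local_accounts maps SIDs of accounts that exist on this machine to names."""
    sid = sid.strip().upper()
    if sid in WELL_KNOWN:
        return "well-known: " + WELL_KNOWN[sid]
    if sid in local_accounts:
        return "current account: " + local_accounts[sid]
    parts = split_account_sid(sid)
    if parts is None:
        return "not an account SID"
    issuer, rid = parts
    local_issuers = {split_account_sid(s)[0] for s in local_accounts
                     if split_account_sid(s)}
    if issuer in local_issuers:
        return f"same issuer as this machine, RID {rid}: account no longer exists here"
    return f"different issuer, RID {rid}: other machine, domain or installation"

def report(acl_sids, local_accounts):
    """Classify every SID found on an ACL; returns {sid: verdict}."""
    return {sid: classify(sid, local_accounts) for sid in acl_sids}

# Constructed sample data (hypothetical values, not taken from the thread).
LOCAL = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": "Administrator",
    "S-1-5-21-1111111111-2222222222-3333333333-1001": "UserA",
}
```

The `LOCAL` mapping corresponds to what the ProfileList registry key mentioned above lists on a real machine.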