Virus detected in deleted user account


corred

Recently I tried MS Live Beta for Security and it detected a java
script, actually several of them in a deleted user account. Is this
possible and if so how can I access and delete the files?
corred
 
What it means is that they were found in the user profile of a user account.
When you delete a user the user's profile remains until you delete it. You
can do that by logging on as an administrator and going to Control
Panel/system/advanced - user profiles settings where you should see the user
profile that will probably show as unknown user and then highlight it and
delete it. --- Steve
 
O'K My bad I should have offered more info. The system is running a
recently reinstalled copy of XP Pro and has been updated to SP2. The
machine has had a history of instability and I am trying to fix or
repair. After uninstalling the 'buggy' Live Beta I installed PC Tools
Anti vir and scanned twice. It found one quarantined Java /Trojan and
deleted it but this was I believe an unrelated event. What puzzles me
is the scan of a 'deleted user account'. Windows does not seem to know
that it exists and I am at a loss how to access and test this issue.
BTW the system after a bit of hardware jugglery and very minute
dissection of the BIOS Settings appears now to be stable but I am still
troubled by the deleted user account.
Thanx
Corred
 
Thank you Steve, but that did not prove useful. All I can say is that
the deleted account was real, at one time, several reinstalls ago. I
even searched the registry drilling all the way down and found numerous
unknowns and several Donald Correll (me) but no user Donald. And that
has been quite awhile since that was deleted. I guess so much for
trusting a buggy beta. Still very evocative of thought.
Corred
 
Where are the files located as in the path - under documents and settings??
If an account had been deleted the operating system would have no record of
it though there may be remnants of its existence in the registry, access
control lists showing the deleted users sid, or the user's profile folder
under documents and settings if the user had ever logged onto the computer.
Regardless as an administrator you should be able to delete any file on the
computer though you may need to take ownership of the file first and then
give yourself or administrators full control permissions to it. If you get
an error that balks that the file is in use try booting into Safe Mode and
it is always a good idea to do malware/spyware scans in Safe Mode also. You
also may want to review the security log via Event Viewer to see if any
events reference the mystery user account. If the operating system was not
installed to a formatted system partition [not fast format] then it is not
unusual to find user profiles from the old installation depending on how the
installation was done. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308421 --- how to
take ownership of files/folder
 
Steven :
Re: Where are the files located as in the path - under documents and
settings??

Yes in the Live Scan report they were, but no such thing is visible
under explorer.exe


re: If an account had been deleted the operating system would have no
record of
it though there may be remnants of its existence in the registry,

Nothing was found in Regedit's Find Function that I could read. However
the encrypted files appeared as irrelevant or referenced the Machine
Owner name. No relevant results were found under unknown either.

Re: access control lists showing the deleted users sid,

Interesting can you provide a heads up on accessing ACL or Deleted User
SID?

Re: or the user's profile folder under documents and settings if the
user had ever logged onto the computer.

That user is just another alias for me but no such profile exists
anymore, or at least none that I can access.

Re: Regardless as an administrator you should be able to delete any
file on the
computer though you may need to take ownership of the file first and then
give yourself or administrators full control permissions to it.

Yes isn't that fun. I have done that before and it has a few little
caveats like 'effective permissions'. With some tweaking around I
discovered that by using auditing that too can be obtained although XP
does occasionally buck and balk.

Re: If you get an error that balks that the file is in use try booting
into Safe Mode and
it is always a good idea to do malware/spyware scans in Safe Mode also.

That is an interesting and novel approach that is new to me.

Re: You also may want to review the security log via Event Viewer to
see if any
events reference the mystery user account.

Another interesting and novel approach that I will try.

Re: If the operating system was not installed to a formatted system
partition [not fast format] then it is not unusual to find user
profiles from the old installation depending on how the installation
was done.

I have been monkeying with this machine mostly unsuccessfully since I
tried to uninstall SP2 and although I had turned off auto update, it
autoupdated anyway and got a long series of very serious problems
summed up as Shlwalapi.dll (pardon my misspelling) and oh btw MS was
most mysteriously totally out to sea on this beyond a few preliminary
hints about the Recovery Console. I struggled with that and did a
reformat, switched HD and lived well until a series of serious errors
in Media Player brought the system down. It once was a top of the line
machine but has also had some hardware troubles. I am now attempting to
make sure that it is rock solid stable before bequeathing it to my son
for Gaming.
Once again thanx. I cannot access it just yet as I am running
Onlinescan from Panda as well as NTune Utilities but will get back to
it directly. My chief concern was to sterilize /cleanse and the Live
Beta was rough. Odd previous usage on clients machines were quite
productive. It is my opinion that MS was trying to shake me down for
some money. :-) But the profile was once real (mine) and I am always
very curious of things invisible to the OS like Alternate Data
Channels.
Hopefully more later
Corred
 
corred said:
Recently I tried MS Live Beta for Security and it detected a java
script, actually several of them in a deleted user account. Is this
possible and if so how can I access and delete the files?

1) Reboot.
2) Log in as a user with administrative level rights.
3) Turn off System Restore (Links on this later - review them now if
needed.)
4) Make sure you can see all hidden and system files (Instructions for this
later - review them now if needed.)
5) Go to C:\Documents and Settings and "Take Ownership" of the account
folder/files (Links on this later - review them now if needed.)
6) After taking Ownership of all the files (which may pop up warnings while
you do this), highlight the offending directory and press "SHIFT+DELETE"
and answer in the most affirmative way to all questions.
7) Reboot.
8) Log in as a user with administrative level rights.
9) Turn on System Restore (Links on this later - review them now if needed.)
10) Rescan.

(3) and (9) talk about Turning Off/On System Restore
---------------
Turn off System Restore.
http://support.microsoft.com/kb/310405


(4) points out that the account in question must be able to see all system
and hidden files in explorer.
---------------
- Open "My Computer".
- From the menu at the top, select "Tools" --> "Folder Options".
- Make sure these items are CHECKED under the "View" tab:
- Display the contents of System Folders
- Show Hidden Files and Folders (actually a radio button selection)
- Make sure this item is UNCHECKED under the "View" tab:
- Hide Protected Operating System Files
- OK your way out.


(5) Talks about taking ownership.
---------------
How to Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/kb/308421

How to disable simplified sharing & set permissions
on a shared folder in Windows XP
http://support.microsoft.com/kb/30787


If everything is 'normal' with your system - that should get rid of the
files. You may also want to download/install/use an application called
CCleaner before you rescan (like 8.5):

Ccleaner (Free!)
http://www.ccleaner.com/

Good luck - let us know how it goes!
 
From: "corred" <[email protected]>

| Recently I tried MS Live Beta for Security and it detected a java
| script, actually several of them in a deleted user account. Is this
| possible and if so how can I access and delete the files?
| corred


If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp




Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Hmm. If the file were under documents and settings subfolder that usually
mean that the user in question one time logged onto the computer unless it
is a profile generated by the operating system. If you can not see the
folder/file then you may need to configure Explorer to show hidden and
system files in Explorer/tools/folder options/view. The user Sid would most
likely only be able to be seen if explicit permissions had been assigned to
that user account somewhere. If your malware/spyware detection and removal
tools seem to clean up things and the computer performs well I would not
worry too much about it otherwise consider doing another pristine
install. --- Steve
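Steve has twice pointed at where a deleted account leaves traces: the profile list in the registry, a profile folder under Documents and Settings, and ACL entries that still carry the old user's SID. The script below is an added example (not from anyone in this thread) that checks exactly those places and reports SIDs Windows can no longer translate to an account name, which is what corred asked about. It assumes the NT 5.x profile root in $ProfileRoot and should be run from an administrator's PowerShell session.

```powershell
# Added example, not code from the thread. Lists profile entries and
# profile-folder ACL entries whose SID no longer resolves to an account,
# i.e. remnants of a deleted user.
# Assumption: NT 5.x profile root; adjust $ProfileRoot on newer Windows.
$ProfileRoot = 'C:\Documents and Settings'
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-SidResolves {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $null = $sidObj.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false   # SID lookup failed: the account behind it is gone
    }
}

# 1. Profiles the OS still tracks in the registry; the key name is the SID.
$orphanProfiles = Get-ChildItem -Path $ProfileList | ForEach-Object {
    $sid = $_.PSChildName
    New-Object -TypeName PSObject -Property @{
        Sid      = $sid
        Path     = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        Resolves = Test-SidResolves -Sid $sid
    }
} | Where-Object { -not $_.Resolves }
$orphanProfiles | Format-Table Sid, Path -AutoSize

# 2. Folders under the profile root (hidden ones included) whose owner or
#    ACEs name an unresolvable SID. Get-Acl returns such identities as raw
#    'S-1-5-21-...' strings instead of MACHINE\name.
Get-ChildItem -Path $ProfileRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl -Path $folder -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # no READ_CONTROL on this folder; take ownership first
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if (-not (Test-SidResolves -Sid $owner)) {
        New-Object -TypeName PSObject -Property @{ Folder = $folder; Where = 'Owner'; Sid = $owner; Rights = 'n/a' }
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-5-21-') {
            New-Object -TypeName PSObject -Property @{ Folder = $folder; Where = 'ACE'; Sid = $id; Rights = $ace.FileSystemRights }
        }
    }
} | Format-Table Folder, Where, Sid, Rights -AutoSize
```

A folder that shows up in part 2 but has no ProfileList entry in part 1 is the "invisible to the OS" case from this thread: a leftover profile from an earlier installation that Windows no longer associates with any account.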


 