[Unknown account shown in file security tab]

Hello,

Today while checking some files on my computer I noticed that when I check each file´s properties and looking at the "Security" tab I have an "unknown account" (S-1-5-21-837178728-278909169-1129209296-1000) with "Read" and "Read & Execute" rights.
I only have one active account on my computer with administrator rights. Even the guest account is off.
Am I on to something or am I paranoid?

Here´s my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:57:46, on 21-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avsim.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE "
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\program files\microsoft office\office11\excel.exe/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: PbaUpdateCab - http://www.priberam.pt/update/patches/PbaUpdate.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1180662143109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1180662124671
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

Thanks in advance.
Hugo

 

Hi Hugo,

See if you have a key named S-1-5-21-837178728-278909169-1129209296-1000 under the following registry path.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

If so, what is the data for the ProfileImagePath value for that key?

 

Hello Dave,

No, I don´t have that key but I have 4 others:
S-1-5-18
S-1-5-19
S-1-5-20
S-1-5-21-1482476501-1454471165-839522115-1003

I forgot to mention I have two OS (XP SP2 and Vista Ultimate) on the same computer each on it´s own HD. Don´t know if it´s important or not.

Thank you for your help.
I appreciate it.

Hugo

 

Have a few errands to run, but I'll think on this a bit. Maybe someone else will offer some input in the meantime.

Oh, are any of the above mentioned files accessed from both operating systems? Can you check the other OS for that key? (Vista requires you to run regedit as an administrator if UAC is enabled)

 

Hi Hugo,

Just wondering about this

 

Hi Dave,

Sorry I took so long to answer... I´ve been away from my computer.
I´ve checked under Vista (used regedit and find) and that specific key didn´t show.
It´s got to be something else...

@PeteC
Thank you for your help. I should have done that already.

Hugo

 

Please search the XP registry for that SID and let me know if you find it. In the meantime, I'm working on a script that will search places that the basic registry editor doesn't allow

 

This specific SID is not present in the XP registry either. I used the regedit/find method but got no hits.
Looking forward to that script.

Best
Hugo

 

I've sent you a PM.

 

Thanks Dave.
I´ll look into it.

Best regards,
Hugo

 

Hi Dave,

You´ve got mail.

 

Because of the methods used to do so, we have privately determined that the SID in question does not exist in the registry, at least not via any of our search methods.

Last correspondence is as follows

I have attached the picture to this post (scanned and edited a bit first).

I also began checking some files on my own computer, and have found that many of the files on my desktop have a like SID entry (different number but still a question mark next to it) though it lacks the description of Unknown Account. I cannot find any reference to the SID in my registry either. I then did a file search for that SID. Lo and behold, I got a hit. An exact match is in the recycler directory. Not to be confused with a file or folder in the recycle bin, visible when opening the recycle bin, but a folder displaying the recycle bin icon visible when browsing to the C:\recycler folder. Oddly enough, it's modified date is the same as the NPROTECT folder that resides in the recycler folder as well ..... 4-17-07
Just for kicks, I deleted the SID folder and met no resistance. It now appears in my recycle bin. Will see if it returns. The SID is still present on the file(s) Security tab.

I also attempted to remove the SID from the Security tab of some files. Was denied due to inheritance. After removing the inheritance, the SID was gone, though I then had to add my own account back into the permissions.

I hope someone comes along that can explain this to me (us), so that I don't beat bushes and bang my head trying to understand it

 

Hmmm ......... further pondering and studying of the SID folders in Recycler, crossing with SIDs in the registry, shows there is an SID folder in Recycler for each user account on my machine. So why isn't there an SID in my registry for the folder in question?? A while back I had my machine joined to a domain, which means a new user account for that domain. It might have been about the time that the SID folder showed a modified date too. I have since removed it from the domain, and joined it back again, but with a different username. While the SIDs for all non-domain accounts are very similar, with only the last block of numbers being different, the domain account still on my machine is completely different starting with the fourth block of numbers.

Hugo, have you joined a domain then left it? Delete a user account?

 

Very interesting finds, Dave.
After choosing "show hidden and sytem files" I noticed I have a C:\RECYCLER folder that contains a SID (not the one in question) and a C:\$RECYCLE.BIN folder with two recycle bins. One of those has the SID we´ve been looking for.

[img=http://img46.imageshack.us/img46/7956/recyclebinda6.th.jpg]

Don´t know why there is no SID in my registry for the folder in question.
Can´t remember ever joining a domain and the only account I created when I installed XP (January this year) was the one I use.
Don´t know what to make of it.
Any other thoughts?

Hugo

 

That C:\$RECYCLE.BIN folder is for Vista. One of those SID folders will be your Vista user profile, the other (likely the one in question) is possibly/probably the Vista Administrator account. Looking in the Vista registry at the ProfileList key right now, and the Administrator account is not shown, which would explain why you didn't find it in a registry search.

I feel about 99% sure that the Unknown Account SID with Read and Write permissions is not a problem, and that you can rest easy.

BTW, I figured out what my unknown SID is as well .......... belongs to the user account on my XP install on hard drive #2.

 

That´s good news, Dave.

Is it possible that C:\$RECYCLE.BIN folder is for Vista even if Vista is installed in the G:\ drive?

I feel a lot better now knowing there´s 99% certain there´s no "third party" involved.
I´m glad you figured your "unknown SID" problem too.

Thank you very much for your help.
I really appreciate it.

Best regards
Hugo

 

Not only possible, I can guarantee it. It's XP's nature to assign every attached drive or partition a recycle bin, and I have no doubt that Vista does the same.

Glad I was able to help. Thanks for your co-operation and for sticking with me. Was a learning experience for us both.