I have a small network at home connected to a Domain running SBS 2003. The
other day I got a Trojan virus and my system was compromised. I am in the
process of restoring and cleaning it out. After checking the User Profiles
window in the properties of System Properties, I discovered 3 profiles listed
there called "account unknown" I am trying to find out where they came from
and if it is a possibility they are a result from Trajon horse that was on my
computer. Can someone please claify this for me? I don't just want to delete
them and cause more problems.

Thanks

Those are local user accounts that at one time physically logged onto the
computer but either do not exist anymore or could be domain users that have
logged onto the computer but the computer was removed from the domain or the
user names can not be resolved. Either way I don't think that they have
anything to do with the Trojan since these are accounts that would have had
to physically logon to the computer or via Remote Desktop at which time a
user profile would be created. If you look at the folders under documents
and settings you may see the user name that used the profile but the user
name no longer exists on the local computer or in the domain. You could
check the folder named after the user to see the creation date which may be
helpful information. I would not be too worried about deleting them unless
you want to examine them for their contents. The Microsoft Anti Virus in
Depth guide at the link below would be a good read for you to help determine
what happened and how to prevent further attacks including not using the
internet with an administrator account [unless needed to install critical
security updates and then that should be the only use of that account while
on the internet] and being sure to give user accounts hard to guess
passwords..

Steve

http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx


"wlaur" > wrote in message
...
>I have a small network at home connected to a Domain running SBS 2003. The
> other day I got a Trojan virus and my system was compromised. I am in the
> process of restoring and cleaning it out. After checking the User Profiles
> window in the properties of System Properties, I discovered 3 profiles
> listed
> there called "account unknown" I am trying to find out where they came
> from
> and if it is a possibility they are a result from Trajon horse that was on
> my
> computer. Can someone please claify this for me? I don't just want to
> delete
> them and cause more problems.
>
> Thanks

In addition to what Steve said, if you performed an upgrade from a previous
version of Windows there will also be accounts listed as "unknown". This is
due to previous versions having different account designations such as power
user. The accounts stay when you perform an upgrade to XP, but as these
accounts are not one of the three in XP, Administrator, User, Guest, then
they come up as "unknown". This also occurres when you use the Local Users
and Groups console or the Net Localgroup command to manage group
membershhip.There is no harm in this at all. You can go in and change them to
one of the three versions XP has which you do via the Local Users and Groups
or the Net Localgroup command. Hope this helps explain this situation. Good
luck and have a nice day.
--
seree


"Steven L Umbach" wrote:

> Those are local user accounts that at one time physically logged onto the
> computer but either do not exist anymore or could be domain users that have
> logged onto the computer but the computer was removed from the domain or the
> user names can not be resolved. Either way I don't think that they have
> anything to do with the Trojan since these are accounts that would have had
> to physically logon to the computer or via Remote Desktop at which time a
> user profile would be created. If you look at the folders under documents
> and settings you may see the user name that used the profile but the user
> name no longer exists on the local computer or in the domain. You could
> check the folder named after the user to see the creation date which may be
> helpful information. I would not be too worried about deleting them unless
> you want to examine them for their contents. The Microsoft Anti Virus in
> Depth guide at the link below would be a good read for you to help determine
> what happened and how to prevent further attacks including not using the
> internet with an administrator account [unless needed to install critical
> security updates and then that should be the only use of that account while
> on the internet] and being sure to give user accounts hard to guess
> passwords..
>
> Steve
>
> http://www.microsoft.com/technet/security/topics/serversecurity/avdind_0.mspx
>
>
> "wlaur" > wrote in message
> ...
> >I have a small network at home connected to a Domain running SBS 2003. The
> > other day I got a Trojan virus and my system was compromised. I am in the
> > process of restoring and cleaning it out. After checking the User Profiles
> > window in the properties of System Properties, I discovered 3 profiles
> > listed
> > there called "account unknown" I am trying to find out where they came
> > from
> > and if it is a possibility they are a result from Trajon horse that was on
> > my
> > computer. Can someone please claify this for me? I don't just want to
> > delete
> > them and cause more problems.
> >
> > Thanks
>
>
>