Posted 08 March 2010 - 01:29 AM
Sony GXR600 running Win2K SP4 & SEP
Until last week I hadn't booted up this computer since April 2007. When I started reusing it I had to configure it for a new workgroup & router. The first thing I did when I successfully connected to the router and internet was update Symantec and run a full scan, which was negative. I then configured it for file sharing for the two other computers [WinXP] in my LAN.
The computer has two partitions - c:\ for the OS and programs and d:\ for my personal files. I noticed on the security tab for both the d:\ partition and the Documents folder on d:\ two accounts identified by SIDs whose icons have little question marks. The number patterns for the two unknowns start w/ S-1-5-21 and are identical except for the last group of numbers that identifies a user. The pattern does not match the number string of the user accounts on the computer, although the last group of numbers matches the administrator acct and another user acct. I also found another unknown SID in the administrator's %user profile%\application data\microsoft\protect whose last group of numbers matches those of the administrator.
The unknown SIDs aren't present on the c partition or the my docs folder. On the MS article on well known SIDs the "S-1-5-21" string is only associated w/ domain accounts, but all the user accounts on all three computers start w/ it.
I posted a question in a Win2K forum on how to track down what these unknown SID accounts refer to. One response suggested that they occur when a USB drive is used among computers. Another response said that shouldn't happen and this was seen w/ the Conficker worm. I ran the MS Malicious Software Removal Tool today and it was also negative.
I googled Conficker and it appears that it was first noted in 2008 and a problem in 2008-2009. I would think that Symantec and the MS tool would have identified it if it was present, but maybe there is a new variant or another malware does the same thing.
Back in 2007 when the computer was reformatted and the OS reinstalled I had a computer tech helping me. It is possible he created and then deleted accounts, which can cause left-over SIDs. I'm pretty sure I didn't delete any accounts. However, if he deleted user accounts I would think that the unknown SIDs would match the other local account SIDs except for that last group of letters and it's just the opposite of that.
My understanding of SIDs is that they are local to the computer, so reconfiguring the computer for a different workgroup wouldn't affect them.
Do I need to check further for malware, and if so how?
mac 10.6 on macbook pro
WinXP sp2 on Dell 380 w/ 512 MB RAM- currently dead in the water
WinXP tab ed sp 3 on Thinkpad X41 w/ 1.5 GB RAM - lemony flavored
Win2K Sp4 on Sony VAIO GXR600 w/ 512 MB RAM - currently blue screening
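An added example, not part of the poster's message, of the check a defender would run on such a folder: list every ACL entry, flag SIDs that no longer resolve to an account, and compare the machine/domain portion of each S-1-5-21-* SID with this computer's own machine SID (taken from the built-in Administrator, RID 500). It assumes Windows PowerShell 3.0 or later on the machine being inspected; the folder path is a placeholder.

```powershell
# Added example: classify the ACEs on a folder by where their SIDs come from.
# Assumes Windows PowerShell 3.0+; $Path is a placeholder, adjust to the folder in question.
param([string]$Path = 'D:\Documents')

# The local machine SID is the built-in Administrator SID (RID 500) minus the RID.
$adminSid   = (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'").SID
$machineSid = $adminSid -replace '-500$', ''

$acl = Get-Acl -Path $Path
foreach ($ace in $acl.Access) {
    # IdentityReference may be an NTAccount or (if unresolved) already a raw SID.
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

    # Does this SID still map to a known account on this computer?
    $resolves = $true
    try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
    catch { $resolves = $false }

    # Strip the trailing RID to get the issuing authority (machine or domain) part.
    $authority = $sid.Value -replace '-\d+$', ''
    $origin = if ($sid.Value -notlike 'S-1-5-21-*') { 'well-known/built-in' }
              elseif ($authority -eq $machineSid)  { 'this computer' }
              else                                 { 'OTHER computer or domain' }

    [pscustomobject]@{
        SID      = $sid.Value
        Resolves = $resolves
        Origin   = $origin
        Rights   = $ace.FileSystemRights
        Type     = $ace.AccessControlType
    }
}
```

An entry showing Resolves=False with Origin='OTHER computer or domain' is what an ACE inherited from a drive or file copied from another machine looks like; one with Origin='this computer' and Resolves=False points to an account that was created and later deleted locally.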