
Server has been hacked, need to delete hidden user account

Posted by Øyvind Isaksen on May 25, 2007, 5:44 am
I need urgent help! My Windows 2003 server has been hacked. When I was
defragmenting my disks some files could not be defragmented. I
discovered that the reason is because these files are created on a
user profile called "superwayne$" at this location C:\Documents and
Settings\superwayne$. If I open this address in Explorer, I see folders like
"desktop", "Favorites", "Local Settings", "superwaynes$'s Documents" and so
on. There is a lot of hacked software, movies and other stuff in these
folders.
If I open Active Directory Users and Computers, the user "superwaynes$" is
not there. In Server Management/Users I can't find this either. It seems
like the user "superwaynes$" has been created outside my domain or
something. How can I find and delete this user profile (not only the files
in C:\Documents and Settings\superwayne$)? How could this happen, what can I
do to prevent this in future? My server has only licensed software (no hacks),
only I got access to it?



Posted by S. Pidgorny on May 25, 2007, 5:57 am
Maybe there is no user and Superwayne just used the Documents and Settings
folder to create a share. Look at the owner of the files to see who has
created those - you'll get an idea what accounts were compromised.

At this stage you can start monitoring Superwayne's activity and perhaps
even catch the guy (or gal) - useful experience but not very rewarding in
most cases. Another alternative is cleaning out your system - most likely it
is infected with a trojan as well.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
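
The two checks discussed above (who owns the files, and whether the folder is a registered user profile at all), as an added Windows PowerShell example that is not part of the original posts. It assumes Windows PowerShell 2.0 or later run as an administrator; the folder path is the one from the thread.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0+, run as administrator.
param([string]$ProfilePath = 'C:\Documents and Settings\superwayne$')  # folder named in the thread

$NTAccount = [System.Security.Principal.NTAccount]
$SidType   = [System.Security.Principal.SecurityIdentifier]

# 1. Tally the owner of every file and folder, hidden ones included (-Force).
Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $sec = $_.GetAccessControl()
            try   { $sec.GetOwner($NTAccount).Value }
            catch { $sec.GetOwner($SidType).Value }   # owner SID no longer maps to an account
        } catch { '<owner unreadable>' }
    } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. Is the folder registered as a profile, and for which SID?
#    Windows records each profile it creates under ProfileList, keyed by the account's SID.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$entries = Get-ChildItem $key | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if (-not $path) { return }                        # subkey without a profile path
    $sid = $_.PSChildName
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate($NTAccount).Value
    } catch {
        $account = '<SID does not resolve to an account>'
    }
    New-Object PSObject -Property @{ Sid = $sid; Account = $account; Path = $path }
}

$found = @($entries | Where-Object { $_.Path.TrimEnd('\') -ieq $ProfilePath.TrimEnd('\') })
if ($found.Count -gt 0) { $found | Format-List Sid, Account, Path }
else { "No ProfileList entry points at $ProfilePath; no profile is registered for this folder." }
```

A matching entry means the folder was created as a profile for that SID, even if the account no longer resolves; no entry is consistent with the folder having been created by hand.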




Posted by Øyvind Isaksen on May 25, 2007, 6:21 am
If I open "C:\Documents and Settings\superwayne$" and look at the owner of
the files it is "Administrator". Does this mean that the "hacker" has used
my administrator account? Is it smart to disable this account and make a
new administrator account (example called "Admin" with a new password)? Is
it ok to delete (from Command / cmd.exe) the folder "C:\Documents and
Settings\superwayne$" with all content?







Posted by S. Pidgorny on May 25, 2007, 7:54 am
It is okay to delete the rubbish.
Create a new administrative account; change the password for the existing one, and alert
on every logon attempt using that account.
The danger is - if you have a trojan that runs as system, the intruder will
be aware of your actions, and control the new account as well.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
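
One way to implement the "alert on every logon attempt using that account" step, as an added Windows PowerShell example that is not part of the original posts. It assumes Windows PowerShell 2.0 or later on the server, run elevated, with logon auditing enabled; the parameter names and the event source name `AdminLogonWatch` are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0+ on the server itself,
# run elevated, with logon auditing (success and failure) enabled.
param(
    [string]$WatchedAccount  = 'Administrator',   # the existing account whose password was changed
    [int]   $LookbackMinutes = 15                 # hypothetical polling interval
)

# Windows Server 2003 Security log event IDs:
#   528 = successful logon, 540 = successful network logon,
#   529 = logon failure (unknown user name or bad password)
$ids   = 528, 540, 529
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Assumption: in these three events the first insertion string is "User Name"
# and the second is "Domain"; confirm against one event on the server.
$hits = @(Get-EventLog -LogName Security -InstanceId $ids -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.ReplacementStrings[0] -ieq $WatchedAccount } |
    Select-Object TimeGenerated, InstanceId,
        @{ n = 'Outcome'; e = { if ($_.InstanceId -eq 529) { 'FAILED' } else { 'success' } } },
        @{ n = 'Domain';  e = { $_.ReplacementStrings[1] } })

if ($hits.Count -gt 0) {
    $hits | Sort-Object TimeGenerated | Format-Table -AutoSize

    # Record the alert in the Application log so a monitoring tool can pick it up.
    $source = 'AdminLogonWatch'                   # hypothetical event source name
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    $msg = "{0} logon event(s) for '{1}' in the last {2} minutes" -f $hits.Count, $WatchedAccount, $LookbackMinutes
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Warning -Message $msg
}
```

Run it from a scheduled task at the same interval as `$LookbackMinutes` so that no window is skipped.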




Posted by Øyvind Isaksen on May 25, 2007, 8:13 am
Thank you! One more question: What is the best way to remove trojans? Any
recommended software for this?







