RE: unknown user on home computer

["Murda Mcloud" <murdamcloud () bigpond com>]

Does anyone else have access to the machine(physical access?).
I can see a user called david.
Before you bought the router, was there any kind of firewall and/or
anti-virus installed?

Are there any strange users on the laptop?

Have you since run any anti virus/spyware/rootkit scans?

Do you have any kind of peer to peer software that you use(eg LimeWire
bearShare etc)

> > It's
> > possible I have utilized some online program to gather information on my
> > system which created those files

Does this mean you're not sure if you ever did this?
Is this a lenovo laptop?



> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> > On Behalf Of Margaret Wolfe-Roberts
> > Sent: Sunday, March 02, 2008 1:18 AM
> > To: security-basics () securityfocus com
> > Subject: unknown user on home computer
> >
> > Hello,
> >
> > I am a home user with one laptop and one desktop and I'm hoping you can
> > help me with a security concern.   Recently I installed a router in order
> > to share the Internet connection.   In the process of learning to enable
> > File Sharing I clicked on some stuff and the desktop generated a list of
> > users that includes a username I have never seen before, a strange one
> > called "ratnkwCNHERF".   When I did a whole-computer search to find out
> > more, the search generated a list of three files where the same term is
> > used, all in the C://SWSHARE folder.
> >
> > I checked the three files: egathcmp.xml, egath.xml and eGathComp.html
> > (Firefox doc).   They seem to be reviews of the overall system.   It's
> > possible I have utilized some online program to gather information on my
> > system which created those files.
> > The html file is entitled Gathered Information for [computer name] and
> > includes this information about users:
> >
> > Workstation Security
> > .    User Accounts
> >
> > User ID/Name/Password Set/Password age in days/Privilege
> > Level/Disabled/Password Not Required/Cannot Change Password/Locked Out/
> >     Password Never Expires/Password Expired
> >
> > 2700                 true    97      Administrator   false   true
false
> >     false   true    false
> > Administrator                true    480     Administrator   true
false   false
> >     false   true    false
> > David        David           true    0       User            false
false   false
> >     false   true    false
> > Guest                        true    0       Guest           false   true
true
> >     false   true    false
> > od2700       Margaret        true    97      User            false   true
false
> >     false   true    false
> > ratnkwCNHERF ratnkwCNHERF   true  55 Administrator   false   false
> >     false   false   false   true
> >
> > Here I find out that the "rat" user has Administrator privileges and
> > appears to have had a password created AFTER I set passwords for myself
> > and the administrator account as I know it -the "2700" account (password
> > age 55 days vs 97 days).  I purchased the computer last October from
> > Office Depot.   However, the table also indicates the "rat" user's
> > password is expired, though the account is not disabled.
> >
> > I also notice that there is an extra Administrator account (now disabled)
> > listed separately from the account I know as administrator (2700) which
> > appears to long predate my purchase of the computer (password age 480
> > days).
> >
> > Is there some benign explanation for this mysterious user (who still
> > shows up as an option for sharing my files with) or have I uncovered
> > evidence of some kind of security breach of my computer?  How and for
> > what purpose would this extra user account have been created, and without
> > my knowledge?
> >
> > I will be truly grateful for any insight you can share with me.
> >
> > Margaret Wolfe-Roberts