Windows 10: Suspicious account owning C:/ and OneDriveTemp file named after an SID

Hi,I have had a few alerts regarding a Trojan program in my computer. I have identified a folder in OneDriveTemp named : C:\OneDriveTemp\S-1-5-21-2566854302-1957120293-848769299-1001which looks very suspicious. This folder contains a 0kb file named : a6f896e07d0445b18f7874bfbbf5bad8-Personal.I've also seen, after looking at similar issues people had, that the C:/ respository is owned by an unknown user with a different SID starting with S-1-15-3-65536. From what I could read, it seems to be a legit user but I'm not sure I understand fully why does it exist and how is it not dangerous if it cou

:)

 

Suspicious Unknown Accounts

They're capability SIDs built into Windows. These accounts shouldn't be deleted.

Please see my post here:

:C Drive owned by an unknown account - Microsoft Community:

Redirecting

What is “Account Unknown” in the Security tab?

https://www.winhelponline.com/blog/account-unknown-sid-security-tab/

 

Lost myWin10 User Partition Name  

Stu, I do not understand:- 1 The "USER" account appears in many places in Admin 2 bootable user - you've used this term before but it is not a defined term and I don't know what you mean. I can take you through a series of commands to check exactly what each user account thinks is its user folder path. It's going to get too confusing with aliases such as "USER" so, if you are willing, perhaps you can post the results of the checks in PMs to me and I'll be careful to avoid using real usernames in posts here. Step 0 In all steps, ignore user 'accounts' called DefaultAccount, defaultuser0/1/…, Guest, WDAGUtilityAccount Step 1 Run this command Code:

This tells you the SID for each username. Step 2 Run RegEdit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList Step 3 For each of the SIDs in the Registry SubKeys beginning S-1-5-21, select it and look at its ProfileImagePath entry. Step 4 Step 3 tells you the ProfileImagePath [user folder path] for each SID and you can then look up which user name it relates to using the results of Step 1. So now you can see which user folder path Windows thinks it should use for each username. Please post [here or in a PM to me] the list of usernames, SIDs, user folder paths. Please confirm that those user folder paths get shown in File explorer, C:\Users. Denis

 

Remove account

I suggest you backup your personalized files first before removing the account.
To delete an account, follow these steps:

1. Press WIN + X keys and click Command Prompt (Admin) from the menu.
2. Type the following command and press Enter. Replace test with the name of your sister's account. Code: