Did Malware Create a new User?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DCallaway, Aug 17, 2008.

  1. DCallaway

    DCallaway Private E-2

    After a one week vacation we returned home to find our house sitter invited in every malware imaginable!! After 24-hours of floundering I found “READ & RUN ME FIRST.” After following the procedures (almost another entire day) I now believe that I am malware free, GOD BLESS MAJOR GEEKS. One issue that bothers me and may be a symptom of my problems is that my “Documents and Settings” directory has a new sub directory; it has the same name as our primary user but is in the form of “user name.USERNAME”.

    I couldn’t find this in any of the posts. I only have two Accounts in “User Accounts” and boot to the new account. Because of this many of our settings were inactive. I copied the old files into the new user account, and most of the functionality was restored. Was this OK? Did the malware create this new user account? Although I do not seem to have any active problems, should I do anything else (other than getting a new house sitter)?

    Thanks Again
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    New housesitter or passwords!

    Attach the requested logs from running the Read and Run First and I will look and see.
     
  3. DCallaway

    DCallaway Private E-2

    I know the instructions say Run Scans Only Once, but I have repeated the entire process several times over the last three days. The logs are generally from the first run.

    Could the new user account have been created when our house sitter tried to run a Restore?

    Thanks, Danny
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans took care of the malware.....now tell me what user account was created.

    Users on this computer:
    Is Admin? | Username
    ------------------
    Yes | Administrator
    | ASPNET ----> if you are referring to this, it is normal.
    | Guest (Disabled)
    | HelpAssistant (Disabled)
    Yes | Marilyn Callaway
    | SUPPORT_388945a0 (Disabled)

    You can use add/remove programs to uninstall:
    Viewpoint Media Player

    And use windows explorer to find and delete:
    C:\Temp

    Now tell me what malware issues you may still be having.
     
  5. DCallaway

    DCallaway Private E-2

    Tim,

    Thanks for looking at our log files. I hope that you're right and we are Malware free. I am still wondering how our user account info was changed; I am attaching a zip with a Windows Explorer Screen Shot. Can you tell anything from this information? Does the System Restore create a new user directory such as we are seeing?

    Thanks again,
    Danny
     

    Attached Files:

    • Tim.zip
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    System restore would not have done that......nor would any of the scanning tools.

    From one of our resident registry gurus
     
    Last edited: Aug 20, 2008
  7. DCallaway

    DCallaway Private E-2

    Tim,

    You asked if I tried to delete the second user directories; yes I did. I forgot I deleted the "user name.USERNAME" directory set as one of the first things when I found out we had Malware. The sequence was something like this:

    I found out we had Malware.
    I found out we specifically had "Antivirus XP 2008" (I didn't know that this was just the tip of the iceberg).
    I found a site that recommended "Malwarebytes" to remove "Antivirus XP 2008"
    I ran "Malwarebytes"
    I thought I was OK (not by a long shot).
    I went into "Safe Mode" and deleted the "user name.USERNAME" directory
    I rebooted but the computer recreated the "user name.USERNAME" directory
    I continued to have issues, including problems booting up.
    I discovered the MajorGeeks "READ & RUN ME FIRST"
    I uninstalled all old spyware/antivirus programs
    I ran "READ & RUN ME FIRST"

    Now that I am feeling virus free (or at least in virus remission) I tried the following:

    I went to "Safe Mode" as Administrator and created a Zip of the "user name. USERNAME" directory.
    I then deleted the "user name.USERNAME" directory and rebooted.
    The computer created a new set of clean directory files in the format "user name.USERNAME"

    Tim, as long as this user directory was not Malware created then I can live with it.

    Thanks again for your help, and thanks to the resident registry guru.
    Danny
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to get all of your data and folders transferred to the "username.USERNAME" account and then delete the original "username" account. Then you should be able to rename the "username.USERNAME" back to the "original name".

    The original one was/is corrupt and the new one may not have all the files folders and data that was in the original one.....so you should make sure you have moved it all over to the new account before you delete the original one. You just can't have two accounts with the exact same name which is what happened.

    You may get better help in the software section. Let me know.
     
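The behaviour described in this thread (Windows silently creating a second profile folder named "username.COMPUTERNAME" beside the original) is driven by the ProfileList registry key, which maps each account SID to its profile folder. When the mapped folder cannot be used, Windows creates a fresh one with a suffix, and the old folder becomes an orphan that no account logs into. The script below is an added example, not code from the thread or from MajorGeeks; it cross-checks the registry mapping against the folders on disk and flags duplicate-name pairs so an admin can see which folder is live before moving data. The profile root path and the PowerShell-on-XP layout are assumptions; on Vista and later the root is C:\Users.

```powershell
# Added example: compare Windows profile folders on disk with the registry
# ProfileList so "name" vs "name.COMPUTERNAME" duplicates are visible.
# Assumptions: XP-style layout under Documents and Settings (use C:\Users on
# newer Windows); run from an elevated prompt so HKLM is readable.

$profileRoot = 'C:\Documents and Settings'
$listKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Profiles Windows actually knows about: SID -> expanded folder path.
#    Only S-1-5-21-* keys are real user accounts; the short ones are system SIDs.
$registered = @()
foreach ($key in Get-ChildItem $listKey) {
    if ($key.PSChildName -notlike 'S-1-5-21-*') { continue }
    $props = Get-ItemProperty $key.PSPath
    $registered += New-Object PSObject -Property @{
        SID  = $key.PSChildName
        Path = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)
    }
}
$registeredPaths = $registered | ForEach-Object { $_.Path.ToLower() }

# 2. Folders physically present under the profile root
#    (PSIsContainer instead of -Directory so this runs on PowerShell 1.0/2.0).
$onDisk = Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer } |
          ForEach-Object { $_.FullName }

Write-Output "Registered profiles (what Windows will log into):"
foreach ($r in $registered) {
    $state = if (Test-Path $r.Path) { 'ok' } else { 'FOLDER MISSING' }
    Write-Output ("  {0,-46} {1,-45} {2}" -f $r.SID, $r.Path, $state)
}

# 3. Folders with no ProfileList entry: nobody logs into these any more.
#    In the thread, the original "Marilyn Callaway" folder would show up here.
$orphans = $onDisk | Where-Object { $registeredPaths -notcontains $_.ToLower() }
Write-Output "`nFolders on disk with no registry mapping (orphaned profiles):"
foreach ($o in $orphans) { Write-Output "  $o" }

# 4. Duplicate pairs: "name" and "name.SUFFIX" share the same base name.
#    Windows adds the computer or domain name as the suffix when it has to
#    create a replacement profile, so a group of two or more is the symptom.
$groups = $onDisk | Group-Object { (Split-Path $_ -Leaf).Split('.')[0].ToLower() } |
          Where-Object { $_.Count -gt 1 }
Write-Output "`nProfile folders that share a base name:"
foreach ($g in $groups) {
    foreach ($member in $g.Group) {
        $live = if ($registeredPaths -contains $member.ToLower()) { 'LIVE' } else { 'stale' }
        Write-Output ("  {0,-45} {1}" -f $member, $live)
    }
}
```

Reading the report: the folder marked LIVE in the duplicate group is the one Windows logs into now, so data should be copied into it (as TimW advises) before the stale sibling is removed. A stale folder that keeps reappearing after deletion, as happened here, is not malware recreating it; it is Windows rebuilding the profile for the SID that is still registered.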
