Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: New user created automatically with each restart

13 Nov 2014   #11
gregrocker

 

Can you also provide a screenshot of all of your installed Programs in Control Panel? Screenshots and Files - Upload and Post in Seven Forums - Windows 7 Forums

If it's not an infection, and it's not Windows Update which would show up in google search for the User name, then it must be an obscure backup or other program which can be isolated by process of elimination.


My System SpecsSystem Spec
.
13 Nov 2014   #12
andrew129260

Windows 10 Pro
 
 

thank you for the logs, give me some additional time to look through them. I do see that you have utorrent installed. If you are using torrents, your machines possible infection rates increases significantly.

Edit: Okay, I looked through the logs and other than the torrent software you appear to be clean. NO guarantee however.

I know a lot about malware but I am not an expert.


I would like you to scan with Hitman Pro as another run just to see, it certainly cannot hurt.

1.) Download hitman pro here for your windows version and install it.

2.) Open hitman pro. Click next.



Read and Accept the license agreement, then checkmark the box and click next.



Choose to only run a one time with this computer and click next



The scan will start, wait until it completes, then click the save log button.



Choose a place to save it for upload later



Close out of hitman pro.

Find the log file wherever you saved it and upload it using the paperclip

My System SpecsSystem Spec
14 Nov 2014   #13
ij2014

Windows 7 Ultimate 32bit
 
 

Here goes the Hitman Pro scan log


Attached Files
File Type: log HitmanPro_20141114_1201.log (19.1 KB, 3 views)
My System SpecsSystem Spec
.

14 Nov 2014   #14
ij2014

Windows 7 Ultimate 32bit
 
 

Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?
My System SpecsSystem Spec
14 Nov 2014   #15
andrew129260

Windows 10 Pro
 
 

log looks good.

Unfortunately I no of know way to track this. Only suggestion I can think of is to keep checking computer management local users and groups after every reboot. It might seem annoying but try checking it after running some applications. Then restart, narrow a list down to find the cause.
My System SpecsSystem Spec
14 Nov 2014   #16
gregrocker

 

One of the Windows logs in the Computer Management>Event Viewer may log it, possibly System.

Waiting to see the installed Programs list.

Check again at msconfig>Startup and >Services (after Hiding all MS) to see if anything is checked now.
My System SpecsSystem Spec
14 Nov 2014   #17
ij2014

Windows 7 Ultimate 32bit
 
 

Please find installed programs list and MSConfig screenshots attached


Attached Images
New user created automatically with each restart-msconfig-startup.jpg New user created automatically with each restart-msconfig-services.jpg 
Attached Files
File Type: doc Program List.doc (141.0 KB, 2 views)
My System SpecsSystem Spec
14 Nov 2014   #18
ij2014

Windows 7 Ultimate 32bit
 
 

Windows security log has entries for this user creation event. I am providing the details associated with this
"A user account was created" event. [The computer name is Indra]




A user account was created.

Subject:
Security ID: SYSTEM
Account Name: INDRA$
Account Domain: WORKGROUP
Logon ID: 0x3e7

New Account:
Security ID: INDRA\wobrsqqw
Account Name: wobrsqqw
Account Domain: INDRA

Attributes:
SAM Account Name: wobrsqqw
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All

Additional Information:
Privileges -


------------The Details section of the above event:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2014-11-14T15:36:58.716478800Z" />
<EventRecordID>43911</EventRecordID>
<Correlation />
<Execution ProcessID="580" ThreadID="616" />
<Channel>Security</Channel>
<Computer>Indra</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">wobrsqqw</Data>
<Data Name="TargetDomainName">INDRA</Data>
<Data Name="TargetSid">S-1-5-21-3330774905-1691639123-4124171393-1029</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">INDRA$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">wobrsqqw</Data>
<Data Name="DisplayName">%%1793</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">%%1793</Data>
<Data Name="HomePath">%%1793</Data>
<Data Name="ScriptPath">%%1793</Data>
<Data Name="ProfilePath">%%1793</Data>
<Data Name="UserWorkstations">%%1793</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">%%1793</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1797</Data>
</EventData>
</Event>



Do these provide any clue?
My System SpecsSystem Spec
14 Nov 2014   #19
gregrocker

 

I google the text and ID# of repeat errors to see how others resolve them. In this case there is no known standard use of that account name found by Google so it must be randomly generated. It also appears to be a part of MS Security Audit, possibly run on or by your domain. Security Auditing Overview

Is this PC used for work? If so I would consult your IT dept.

I would not have Catalyst bloatware, Komodo, and would question Solid Fire Gold demo, Sentinel Protection installer.

None of those Services (after hiding all MS) need to start with Windows except your AV.
My System SpecsSystem Spec
14 Nov 2014   #20
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

My System SpecsSystem Spec
Reply

 New user created automatically with each restart




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
System restore points not being automatically created
Hello Everyone - it's been a while since I posted here, so I apologize for any errors I may make. I have a Dell Inspiron Core I5 Windows 7 SP1 PC with Norton internet security. My question is: what are the rules that govern when the system will make automatic restore points. I've read...
Backup and Restore
Created admin User but can see on 'Switch User" cntrl/alt/del
Hello Interestingly on boot up I see "another user" but the picture is blank, with a frame around it (I can see through it to the boot wallpaper that I have changed to prove) .. Who is another user? Please help as I have been on the 2 days now:o
System Security
Where are the pictures that automatically get created in GameExplorer
My problem is: I know the GameBox pictues are in> C:\Users\Username\AppData\Local\Microsoft\Windows\GameExplorer But what about pictures that automatically get created in GameExplorer, these are not in the C:\Users\Username\AppData\Local\Microsoft\Windows\GameExplorer folder. Where do I find...
Gaming
User accounts created but not able to logon - No user profile
I am a lab technician for Microsoft classes at a community college. One of our students somehow messed up his hard drive. The computer is running Windows 7 Enterprise SP1 64-bit. The system has two administrator accounts and one standard user account. I am still able to logon with those accounts...
General Discussion
Automatically open a created folder
So one cool thing I liked about vista was that it switched (aka opened) the folder you just created. I know for some this was probably annoying depending on what you were doing but it fit my usage scenarios perfectly. I am hoping it is nothing more than a registry setting but I havenít been able...
Customization
Administrator folder automatically created!
Administrator forlder automatically creared! http://img15.imageshack.us/img15/9172/win7administratorproblejw8.jpg As you can see above, there are 3 Administrator folders! 1. Administrator_ploc.WINDSTORY7 <- this is qhat I installed 2. Administrator_ploc <- I don't know who made...
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 17:23.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App