Windows 7 Forums

Windows 7: New user created automatically with each restart

14 Nov 2014   #21
gregrocker

 

I didn't search Indra because he said his PC was named that.


14 Nov 2014   #22
andrew129260

Windows 10 Pro
 
 

Why did I not think of that? Of course the Windows security log would help. It looks something similar to group policy or what gregrocker said. Is this PC used for work? Is it a work laptop?

So far I have seen nothing to indicate an infection. One thing to do would be turning on rootkit detection in the Malwarebytes scanner, then running another threat scan.
14 Nov 2014   #23
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

I came across this:
Quote:
You've been put into a temporary user profile because the original one was corrupted. You can try the techniques below. If that doesn't work, let me know and I'll give you an alternate path.
The critical files are under %systemdrive%\users\user-account\ntuser. The ntuser.dat file is actually a registry hive. Run regedit elevated and select HKEY_USERS and "load hive" from the menu. Now navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is one line for each profile. If a profile is bad, check:

a) That the key name doesn't end in ".bak" (remove .bak if there)
b) That the RefCount value is 0 (change it if different)
c) That the State value is 0 (change if different)

Source, second answer by Malkeleah: System Reboot created new user profile - Microsoft Community
It would involve a few minutes by ij2014 to check if any of his profiles were corrupt and then go from there to create new ones.

Remember to run an elevated Registry Editor:
  • Copy/paste/type: regedit into the Start Search box.
  • At the top under Programs, right click on regedit.exe and click on Run as administrator.
  • Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to check the profiles.
14 Nov 2014   #24
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by ij2014
....What might be the possible reason behind this? Thanks in advance.
It sounds like the Anti-Theft feature of your ESET Smart Security 8 install.

Please see this old post of mine.

Other ESET users saw this happen too:
Unknown user account re-installs itself...

Unknown User account at Windows login

Was wondering If I have been hacked.

http://www.sevenforums.com/general-d...-registry.html

edit: the new interface for asking ESET to create this phantom account looks like this:

[Screenshot: New user created automatically with each restart-eset1.png]

15 Nov 2014   #25
UsernameIssues

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by ij2014
gregrocker, I unchecked all of those, except Eset. Touchpad lost its scrolling functionality. Next, I unchecked Eset too. But even then, result was the same - the user got created perfectly each time.
I was not able to disable ESET via msconfig:



The same thing happens on the Startup tab.
15 Nov 2014   #26
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

Quote: Originally Posted by ij2014
Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?
There may be a couple on this list: Sysinternals Process Utilities. Process Monitor is usually recommended, also:
  • Handle
  • PsList
  • Process Explorer
Don't forget to check Mark Russinovich's other tools like Sysmon that might help; the list is in the left panel under Utilities. I found Sysmon under Security Utilities.
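
For the tracking question quoted above, the Security log records account creation as event ID 4720 when account-management auditing is on. The PowerShell below is an added example, not part of the original posts; it assumes an elevated prompt and only reads the local Security log.

```powershell
# Added example: list "A user account was created" events (ID 4720).
# Written to run on the PowerShell 2.0 that ships with Windows 7.
# @() keeps the result an array even when no events are found.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No 4720 events found (auditing disabled, or log cleared/rolled over).'
}

$events | ForEach-Object {
    # The named fields live in the event XML under EventData/Data.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    New-Object PSObject -Property @{
        TimeCreated = $_.TimeCreated
        NewAccount  = $data['TargetUserName']     # account that was created
        NewSid      = $data['TargetSid']
        CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        CreatorSid  = $data['SubjectUserSid']     # S-1-5-18 means LocalSystem
        LogonId     = $data['SubjectLogonId']     # logon session of the creator
    }
} | Sort-Object TimeCreated |
    Format-Table TimeCreated, NewAccount, CreatedBy, CreatorSid, LogonId -AutoSize
```

Event 4720 names the creating account but not the creating process. A creator SID of S-1-5-18 points to a service running as LocalSystem rather than an interactive user, which is where Process Monitor or Sysmon comes in.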
15 Nov 2014   #27
ij2014

Windows 7 Ultimate 32bit
 
 

Greg, this ain't a work laptop, so can't consult any IT dept unfortunately.

In case it's something similar to group policy, can it be somehow attributed to the LAN policies of the local internet service provider? Other than setting up the proxy server settings, no other changes were made though.

Anak, checked the registry key. There are 3 user profiles right now - an admin account, a standard user account and this loathsome wobrsqqw. In the registry, no key ended in ".bak". The other details are:
  • Admin account - RefCount:4, State:0
  • The standard account - RefCount:0, State:0
  • wobrsqqw - RefCount:1, State:204

And thanks for the tools info (Sysinternals and Sysmon) - it was much needed.

UsernameIssues, many thanks for the informative links. Anti-Theft feature was enabled more than a year back. And this issue came up recently. ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.

And yes, I unchecked ESET from the Startup tab. Because I posted pic of the Startup tab, I meant removing ESET from that tab only, not from the Services tab. After reading your reply I tried it again. After I unchecked ESET from the Startup tab and restarted, ESET was missing from the system tray though the ESET service was running. ESET showed up in the system tray only after I manually started it.
15 Nov 2014   #28
gregrocker

 

Could you uninstall ESET for a test period of a few days to a week, replace it with Microsoft Security Essentials?

To get it cleanest use the ESET removal tool: Uninstallers (removal tools) for common Windows antivirus software - ESET Knowledgebase

It's never a good sign IMO when an AV needs a special removal tool since it points to bloatware. I suspect we are seeing an example of that here.
15 Nov 2014   #29
ij2014

Windows 7 Ultimate 32bit
 
 

I think to remove ESET, Start -> All Programs -> ESET -> ESET Smart Security -> Uninstall should suffice ( How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? - ESET Knowledgebase )
15 Nov 2014   #30
Anak

Microsoft Community Contributor Award Recipient

Win 7 Home Premium 64bit Ver 6.1.7600 Build 7601 - SP1
 
 

You're welcome about the tools link.

From the fourth post down by Mike S.
Quote:
Hey Mark,
I got this from a MS technician:

The State information for each profile is stored in the following location:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID

Value: State

DataType: REG_DWORD

Data:

A value of 256 in the State would be decoded in this manner:
256 = 200 + 040 + 010 + 002 + 004

You can match the numbers with the following terms to determine the flag
settings on the profile:

001 = PROFILE_MANDATORY
Profile is mandatory.

002 = PROFILE_USE_CACHE
Update locally Cached profile.

004 = PROFILE_NEW_LOCAL
Using a new local profile.

008 = PROFILE_NEW_CENTRAL
Using a new central profile.

010 = PROFILE_UPDATE_CENTRAL
Need to update central profile.

020 = PROFILE_DELETE_CACHE
Need to delete cached profile.

040 = PROFILE_UPGRADE
Need to upgrade profile.

080 = PROFILE_GUEST_USER
Using guest user profile.

100 = PROFILE_ADMIN_USER
Using administrator profile.

200 = DEFAULT_NET_READY
Default net profile is available & ready.

400 = PROFILE_SLOW_LINK
Identified slow network link.

800 = PROFILE_TEMP_ASSIGNED
Temporary profile loaded.

So your State Count of 204 would be:

200 = DEFAULT_NET_READY
Default net profile is available & ready.

Plus:

004 = PROFILE_NEW_LOCAL
Using a new local profile.

Something did a job on your profile, and I've run across posts where this can happen whether or not the profile has a .bak suffix.

Since UNI brought up the fact that ESET has that anti-theft feature, I'd go along with that until you can rule it out, starting with Greg's request to remove ESET to test. Maybe you can check and see if you can disable just that anti-theft feature; I'm not sure if that would be sufficient or not.

Quote: Originally Posted by ij2014
ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.
It wouldn't be the first time one of these features went FUBAR especially with the rounds of security updates Windows has been sending down the pipe and the third-party anti-virus companies trying to keep up.
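
The State decoding quoted above can be applied to every key under ProfileList in one pass. This PowerShell is an added example, not code from the thread or from Microsoft; it treats the quoted flag values as hexadecimal bit masks (an assumption) and only reads the registry.

```powershell
# Added example: decode ProfileList State values using the flag table quoted in this thread.
# Assumption: the quoted values (001 ... 800) are hexadecimal bit masks.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$StateFlags = @(
    @(0x001, 'PROFILE_MANDATORY'),
    @(0x002, 'PROFILE_USE_CACHE'),
    @(0x004, 'PROFILE_NEW_LOCAL'),
    @(0x008, 'PROFILE_NEW_CENTRAL'),
    @(0x010, 'PROFILE_UPDATE_CENTRAL'),
    @(0x020, 'PROFILE_DELETE_CACHE'),
    @(0x040, 'PROFILE_UPGRADE'),
    @(0x080, 'PROFILE_GUEST_USER'),
    @(0x100, 'PROFILE_ADMIN_USER'),
    @(0x200, 'DEFAULT_NET_READY'),
    @(0x400, 'PROFILE_SLOW_LINK'),
    @(0x800, 'PROFILE_TEMP_ASSIGNED')
)

function Get-ProfileStateFlags([int]$State) {
    # Collect the name of every flag whose bit is set in $State.
    $names = @()
    foreach ($f in $StateFlags) { if ($State -band $f[0]) { $names += $f[1] } }
    $names -join ' | '
}

$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $root | ForEach-Object {
    $p     = Get-ItemProperty $_.PSPath
    $state = [int]$p.State            # a missing value is treated as 0
    New-Object PSObject -Property @{
        Key      = $_.PSChildName     # the profile's SID
        IsBak    = $_.PSChildName -like '*.bak'
        Path     = $p.ProfileImagePath
        RefCount = $p.RefCount
        State    = '0x{0:X3}' -f $state
        Flags    = Get-ProfileStateFlags $state
    }
} | Format-Table Key, IsBak, Path, RefCount, State, Flags -AutoSize

# The value reported in this thread for the unexpected account, read as hex:
Get-ProfileStateFlags (0x204)
```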