I didn't search Indra because he said his PC was named that.
Why did I not think of that? Of course the Windows security log would help. It looks like something similar to group policy or what gregrocker said. Is this PC used for work? Is it a work laptop?
So far I have seen nothing to indicate an infection. One thing to do would be turning on rootkit detection in the Malwarebytes scanner, then running another threat scan.
I came across this: It would involve a few minutes by ij2014 to check if any of his profiles were corrupt and then go from there to create new ones.
You've been put into a temporary user profile because the original one was corrupted. You can try the techniques below. If that doesn't work, let me know and I'll give you an alternate path.
The critical files are under %systemdrive%\users\user-account\ntuser. The ntuser.dat file is actually a registry hive. Run regedit elevated and select HKEY_USERS and "load hive" from the menu. Now navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
There is one line for each profile. If a profile is bad, check:
a) That the key name doesn't end in ".bak" (remove .bak if there)
b) That the RefCount value is 0 (change it if different)
c) That the State value is 0 (change if different)
Source, second answer by Malkeleah: System Reboot created new user profile - Microsoft Community
Remember to run an elevated Registry Editor:
- Copy/paste/type: regedit into the Start Search box.
- At the top under Programs, right click on regedit.exe and click on Run as administrator.
- Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to check the profiles.
It sounds like the Anti-Theft feature of your ESET Smart Security 8 install.
Please see this old post of mine.
Other ESET users saw this happen too:
Unknown user account re-installs itself...
Unknown User account at Windows login
Was wondering If I have been hacked.
https://www.sevenforums.com/general-d...-registry.html
edit: the new interface for asking ESET to create this phantom account looks like this:
Last edited by UsernameIssues; 15 Nov 2014 at 00:04.
There may be a couple on this list: Sysinternals Process Utilities. Process Monitor is usually recommended also:
- Handle
- PsList
- Process Explorer
Don't forget to check Mark Russinovich's other tools like Sysmon that might help, the list is in the left panel under Utilities. I found sysmon under Security Utilities.
Greg, this ain't a work laptop, so can't consult any IT dept unfortunately.
In case it's something similar to group policy, can it be somehow attributed to the LAN policies of the local internet service provider? Other than setting up the proxy server settings, no other changes were made though.
Anak, checked the registry key. There are 3 user profiles right now - an admin account, a standard user account and this loathsome wobrsqqw. In the registry, no key ended in ".bak". The other details are:
- Admin account - RefCount:4, State:0
- The standard account - RefCount:0, State:0
- wobrsqqw - RefCount:1, State:204
And thanks for the tools info (Sysinternals and Sysmon) - it was much needed.
UsernameIssues, many thanks for the informative links. Anti-Theft feature was enabled more than a year back. And this issue came up recently. ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.
And yes, I unchecked ESET from the Startup tab. Because I posted a pic of the Startup tab, I meant removing ESET from that tab only, not from the Services tab. After reading your reply I tried it again. After I unchecked ESET from the Startup tab and restarted, ESET was missing from the system tray though the ESET service was running. ESET showed up in the system tray only after I manually started it.
Could you uninstall ESET for a test period of a few days to a week and replace it with Microsoft Security Essentials?
To get it cleanest use the ESET removal tool: Uninstallers (removal tools) for common Windows antivirus software - ESET Knowledgebase
It's never a good sign IMO when an AV needs a special removal tool since it points to bloatware. I suspect we are seeing an example of that here.
I think to remove ESET, Start -> All Programs -> ESET -> ESET Smart Security -> Uninstall should suffice ( How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? - ESET Knowledgebase )
You're welcome about the tools link.
From the fourth post down by Mike S. So your State Count of 204 would be:
Hey Mark,
I got this from a MS technician:
The State information for each profile is stored in the following location:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID
Value: State
DataType: REG_DWORD
Data:
A value of 256 in the State would be decoded in this manner:
256 = 200 + 040 + 010 + 002 + 004
You can math the numbers with the following terms to determine the flag settings on the profile:
001 = PROFILE_MANDATORY
Profile is mandatory.
002 = PROFILE_USE_CACHE
Update locally Cached profile.
004 = PROFILE_NEW_LOCAL
Using a new local profile.
008 = PROFILE_NEW_CENTRAL
Using a new central profile.
010 = PROFILE_UPDATE_CENTRAL
Need to update central profile.
020 = PROFILE_DELETE_CACHE
Need to delete cached profile.
040 = PROFILE_UPGRADE
Need to upgrade profile.
080 = PROFILE_GUEST_USER
Using guest user profile.
100 = PROFILE_ADMIN_USER
Using administrator profile.
200 = DEFAULT_NET_READY
Default net profile is available & ready.
400 = PROFILE_SLOW_LINK
Identified slow network link.
800 = PROFILE_TEMP_ASSIGNED
Temporary profile loaded.
200 = DEFAULT_NET_READY
Default net profile is available & ready.
Plus:
004 = PROFILE_NEW_LOCAL
Using a new local profile.
Something did a job on your profile, and I've run across posts where this can happen whether or not the profile has a .bak suffix.
Since UNI brought up the fact that ESET has that anti-theft feature, I'd go along with that until you can rule it out, starting with Greg's request to remove ESET to test. Maybe you can check and see if you can disable just that anti-theft feature; I'm not sure if that would be sufficient or not.
It wouldn't be the first time one of these features went FUBAR, especially with the rounds of security updates Windows has been sending down the pipe and the third-party anti-virus companies trying to keep up.
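As an added example (not from this thread or any of its posters), the script below applies the three ProfileList checks quoted from Malkeleah (.bak suffix, RefCount, State) and decodes the State DWORD with the flag table quoted from Mike S.'s post; the SIDs are placeholders and the RefCount/State values are the three reported in the thread, with State given as the hex value regedit displays.

```python
# Added example: decode ProfileList "State" bits and run the .bak/RefCount/State checks.
# Flag names and values are the ones quoted in this thread (hex, as regedit shows them).
PROFILE_STATE_FLAGS = {
    0x001: "PROFILE_MANDATORY",
    0x002: "PROFILE_USE_CACHE",
    0x004: "PROFILE_NEW_LOCAL",
    0x008: "PROFILE_NEW_CENTRAL",
    0x010: "PROFILE_UPDATE_CENTRAL",
    0x020: "PROFILE_DELETE_CACHE",
    0x040: "PROFILE_UPGRADE",
    0x080: "PROFILE_GUEST_USER",
    0x100: "PROFILE_ADMIN_USER",
    0x200: "DEFAULT_NET_READY",
    0x400: "PROFILE_SLOW_LINK",
    0x800: "PROFILE_TEMP_ASSIGNED",
}


def decode_state(state):
    """Return the flag names set in a State value, lowest bit first."""
    names = [name for bit, name in sorted(PROFILE_STATE_FLAGS.items()) if state & bit]
    unknown = state & ~sum(PROFILE_STATE_FLAGS)   # bits not in the quoted table
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def check_profile(key_name, ref_count, state):
    """Apply the three checks from the quoted answer; return a list of findings."""
    findings = []
    if key_name.lower().endswith(".bak"):
        findings.append("key name ends in .bak")
    if ref_count != 0:
        findings.append("RefCount is %d, not 0" % ref_count)
    if state != 0:
        findings.append("State is 0x%X: %s" % (state, ", ".join(decode_state(state))))
    return findings


# Constructed sample modelled on the three profiles reported in this thread.
SAMPLE_PROFILES = [
    ("S-1-5-21-PLACEHOLDER-1001", 4, 0x000),   # admin account
    ("S-1-5-21-PLACEHOLDER-1002", 0, 0x000),   # standard account
    ("S-1-5-21-PLACEHOLDER-1003", 1, 0x204),   # wobrsqqw
]

if __name__ == "__main__":
    for sid, ref_count, state in SAMPLE_PROFILES:
        print(sid, check_profile(sid, ref_count, state) or ["ok"])
```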