Windows 7 Forums


Windows 7: Unknown user showing in user accounts - possibly compromised?

27 Oct 2013   #1
Gideetudee

Windows 7 Home Premium 64-bit
 
 

Hi all,

Hoping someone might be able to help. Recently, a few strange things have happened with the PC, which first started when I found I couldn't use the Backup & Recovery software in Windows 7. Whenever I clicked on one of the buttons with a shield, nothing would happen at all. I've looked around and just can't find the solution to this. However, today when trying to fix this, I've come across a new user account in the permissions section. The name is jvactaett - I certainly haven't made this! Does anyone have any ideas how this account has got there, and how I can remove it? It doesn't show in user accounts through Control Panel.

I've put a screenshot as well. To get there, I right clicked a hard drive and went to properties, Security, Add, advanced and then clicked Find Now.

I don't know if the two things above are linked or not...
Thanks!




27 Oct 2013   #2
Gideetudee

Windows 7 Home Premium 64-bit
 
 

A further observation is that when I do sfc /scannow through cmd, it stops at 59%. Same problem as this post, but didn't follow all the things that were replied as I didn't know if they were relevant to me...

Windows Firewall Service unable to activate, SFC scan unable to work
27 Oct 2013   #3
andrew129260

Windows 7 Professional x64 Sp1
 
 

"Disclaimer": I am not a known malware removal person, but I have done a lot in my lifetime. Just not recognized. Therefore a malware removal assistant should assist you shortly, but until they do these are my thoughts:

That down arrow on the "unknown jvactaett" account means the account is disabled. So relax a little.
You can delete the account several ways:

User Account - Delete

Are you sure you never created it? This is your PC and you're the only one who ever used it?


You state that sfc does not complete. We may need to do a Repair Install, but let's check some things out first.


I suggest doing the following:

Please use the Farbar Recovery Scan Tool
Download: http://www.bleepingcomputer.com/down...ery-scan-tool/
Select the version that applies to your system.
Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens click Yes to the disclaimer.

Press the Scan button.

The tool makes a log (FRST.txt) in the same directory from which the tool is run (Desktop).
Please provide the FRST.txt in your reply.

The first time the tool is run, it also makes another log: Addition.txt
Also post the Addition.txt in your reply.



Next, download the Farbar Service Scanner

http://www.bleepingcomputer.com/down...rvice-scanner/

Save to the Desktop
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update
Windows Defender
Press: Scan
FSS creates a log, FSS.txt, on the Desktop.
Please provide the FSS.txt in your reply
28 Oct 2013   #4
MellowCream

Windows 7 Home Premium x64
 
 

Like andrew said, the account is disabled, so relax a little.

1. Boot in Safe Mode WITH NETWORKING How to: How to Enable Safe Mode in Windows 7 | PCWorld


2. Install Malwarebytes IN SAFE MODE!


3. During installation, it should say that the database is outdated, update it.


4. Run a "Full System Scan"


5. Post the report.txt file it makes here
28 Oct 2013   #5
Gideetudee

Windows 7 Home Premium 64-bit
 
 

Hi Andrew,

Thanks for the response

100% positive that I, nor my wife, have ever created that account. Thing is, it doesn't appear in the user accounts at all. It's only if I go to security settings that I can see it. It's odd....

Anyway, I've attached all of those txt files, can you see anything untoward there?



Attached Files
File Type: txt FRST.txt (61.4 KB, 4 views)
File Type: txt Addition.txt (28.3 KB, 2 views)
File Type: txt FSS.txt (2.6 KB, 2 views)
28 Oct 2013   #6
andrew129260

Windows 7 Professional x64 Sp1
 
 

"Disclaimer": I am not a known malware removal person, but I have done a lot in my lifetime. Just not recognized. These are my thoughts only and do not reflect Seven Forums. Always back up your data.

**Please answer all questions asked, it helps me help you.**

Hello Gideetudee:

Did you follow this guide I gave you on how to delete that jvactaett account? User Account - Delete
You have a lot of toolbars, and I notice some files related to the ZeroAccess botnet on your system.
Please do the steps in order, rebooting after each step. This is important.

Let's get started:

1.) ** I know you said you could not back up your data using Backup and Restore, so I suggest doing the following before proceeding: Go to Start - Computer. Double-click C, then Users. Copy both your wife's and your account name to an external hard drive. This will back up all your data files such as pictures, documents etc.**

2.) Go to this guide here: User Account Control - UAC - Change Notification Settings
Under option Two use the first option there to always have UAC notify you. Follow the directions there.

3.) I notice you have ESET security installed. Did you pay for this software and install it on your system as your antivirus?
If so,
Please update it and run a full scan. Then please click this link to see instructions on how to attach the log to this forum. (Export the log as you would, but then upload it here instead.)

4.) Download Malwarebytes antimalware free version and at the last screen of the install there are 3 check boxes. Uncheck the top one where it states about running the free trial. Leave the other 2 boxes checked. Once it updates do a full scan with the product. Delete anything found. Upload the log in your reply please.


5.) Please download and install AdwCleaner.

-Click the scan button, and then the clean button once it completes. This will then automatically restart your PC.
Once this happens, a log will appear on the next reboot. Save that log and upload it here as well.


6.) Please see these guides below so that we can run sfc before boot. Please be thorough when reading this and don't skim.

-*Create a repair cd : System Repair Disc - Create

The cd should then load in your pc the next time your computer restarts. You may need to tell the computer you want to use the cd as a boot option. If you need help on this let me know.

-*Go to step 6 in this guide on how to run the sfc scan.
SFC /SCANNOW : Run in Command Prompt at Boot
Please post back the results of the sfc scan.


7.) I notice you have Java installed. I recommend uninstalling it. While the program itself is safe, it has multiple problems with backdoors and is commonly attacked, leading to infection. Most websites do not use it anymore. If after you remove it, and you visit a website that needs it to work, you can easily install it again from Java's website.
I am sure you know how to uninstall a program but just in case here is a tutorial on that.
Programs and Features - Uninstall or Change a Program
While you are in there, uninstall any other software you do not use, such as Google Earth, and any other software your wife and you do not use.

8.) Post back with your findings and we will see how it goes. We will then look into optimizing and securing your system.
30 Oct 2013   #7
Gideetudee

Windows 7 Home Premium 64-bit
 
 

Hi Andrew,

Thanks again for your help with this

I've got as far as point 6, which is where I'm having an issue. When I start Windows with the repair CD, it says it's found errors. It then reboots, and I have the option of booting Win 7 as it is, or Win 7 (recovered). If I boot the recovered version, it boots from my secondary hard drive, rather than my SSD....any ideas?! I will say that on that boot, backup does work.
30 Oct 2013   #8
andrew129260

Windows 7 Professional x64 Sp1
 
 

It looks like you did not answer some of my questions:

Did you follow this guide I gave you on how to delete that jvactaett account?

I notice you have ESET security installed. Did you pay for this software and install it on your system as your antivirus?


Please answer these questions.

Also,

When you say step 6, do you mean my step 6 or the step 6 in the tutorial for running the sfc scan?
01 Nov 2013   #9
Gideetudee

Windows 7 Home Premium 64-bit
 
 

Hi Andrew,

Sorry, didn't have much time when I posted before. Let me answer in a little more detail

I've followed the guides, but the account doesn't seem to show up anywhere. It's a little puzzling to be honest. When I go in through User Accounts in the Control Panel, I find no mention of it, not even when I click on "Configure Advanced User profile properties". I can't find it anywhere, except how I mentioned above in going to security for a drive and looking there.

I have purchased ESET, and that is my main antivirus solution. It's been running on the PC for a couple of years now. Full ESET scan found one issue in the PC. Scan is attached

Malwarebytes and adwcleaner logs also attached - they each found a couple of things to clean as well.

In my last post, I was referring to point 6 on how to start sfc at bootup. I think the explanation above states what's happened - essentially, I've now got 2 OS to pick from whenever I boot. If I pick the recovered option, it boots from my old hard drive. If I pick the normal version, that's the one I'm running now. I want it to repair my OS on my SSD though

Sorry for the short reply last time - hopefully that's a little more comprehensive.

Thanks again for your time


Attached Files
File Type: txt MBAM-log-2013-10-29 (18-48-02).txt (2.5 KB, 4 views)
File Type: txt AdwCleaner[R0].txt (5.8 KB, 3 views)
File Type: txt AdwCleaner[S0].txt (5.9 KB, 3 views)
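
The account in this thread shows up in the drive's Security object picker but not under User Accounts in Control Panel. The following is an added example, not part of the original thread: a read-only PowerShell listing of every local account with its SID, disabled state, whether it is hidden from the logon screen through the Winlogon `SpecialAccounts\UserList` key, and whether it belongs to the local Administrators group. It assumes an elevated PowerShell 2.0 or later prompt on the affected machine; the variable names are illustrative.

```powershell
# Added example: read-only inventory of local accounts. Nothing is modified.

# Winlogon key: a DWORD value of 0 named after an account hides that account
# from the logon screen.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @{}
if (Test-Path $hideKey) {
    $key = Get-Item -Path $hideKey
    foreach ($valueName in $key.GetValueNames()) {
        if ($key.GetValue($valueName) -eq 0) {
            $hidden[$valueName.ToLower()] = $true
        }
    }
}

# Resolve the Administrators group by its well-known SID so the lookup also
# works on non-English installs where the group name is localized.
$adminGroupName = (Get-WmiObject -Class Win32_Group `
    -Filter "LocalAccount=True AND SID='S-1-5-32-544'").Name
$admins = @{}
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminGroupName,group"
foreach ($member in $group.psbase.Invoke('Members')) {
    $memberName = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    $admins[$memberName.ToLower()] = $true
}

# Every local account, including disabled ones that Control Panel may not show.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name,
        @{n='RID';              e={ [int]($_.SID.Split('-')[-1]) }},
        Disabled,
        @{n='HiddenFromLogon';  e={ $hidden.ContainsKey($_.Name.ToLower()) }},
        @{n='IsAdministrator';  e={ $admins.ContainsKey($_.Name.ToLower()) }},
        Description, SID |
    Sort-Object RID |
    Format-Table -AutoSize
```

RIDs 500 and 501 are the built-in Administrator and Guest accounts; accounts created later get RIDs from 1000 upward in increasing order, so the RID column gives a rough creation order for an account nobody remembers making.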
02 Nov 2013   #10
andrew129260

Windows 7 Professional x64 Sp1
 
 

Hello Gideetudee,

Looking at your logs quick, I notice that you did hit clean and let AdwCleaner clean the threats (There was a ton), but you did not tell Malwarebytes to do so.

Just like before, please do all the steps and answer all questions. Thank you!


1.) Run a check for update in Malwarebytes, and then run a full scan again. Remove everything found.

Then restart the pc.

How is your PC now after doing this? Probably running a little better and faster.

2.) I noticed you did full scan with ESET and provided me a log as instructed above. However the log is not there. There are 2 of the AdwCleaner. I think it was just a mistake. That's okay.

3.) Do you know why you have 2 windows 7 partitions? What do you mean boot from old hard drive?

4.) Also TRY THIS if having issues running from the cd:

Tap F8 repeatedly before Windows loads, then choose repair your computer. Then follow the guide again on how to run sfc. Let me know if repair your computer is not an option.


Please post back with as much detail as possible. Let me know if you have any questions or need more explanation.

I will be back online on Monday.
Have a good day!