New user created automatically with each restart

  1.    #11

    Can you also provide a screenshot of all of your installed Programs in Control Panel? Screenshots and Files - Upload and Post in Seven Forums - Windows 7 Forums

    If it's not an infection, and it's not Windows Update which would show up in google search for the User name, then it must be an obscure backup or other program which can be isolated by process of elimination.


  2. Posts : 4,566
    Windows 10 Pro
       #12

    Thank you for the logs, give me some additional time to look through them. I do see that you have uTorrent installed. If you are using torrents, your machine's possible infection rate increases significantly.

    Edit: Okay, I looked through the logs and other than the torrent software you appear to be clean. NO guarantee however.

    I know a lot about malware but I am not an expert.


    I would like you to scan with Hitman Pro as another run just to see, it certainly cannot hurt.

    1.) Download Hitman Pro here for your Windows version and install it.

    2.) Open Hitman Pro. Click Next.

    Read and accept the license agreement, then checkmark the box and click Next.

    Choose to only run one time with this computer and click Next.

    The scan will start; wait until it completes, then click the Save Log button.

    Choose a place to save it for upload later.

    Close out of Hitman Pro.

    Find the log file wherever you saved it and upload it using the paperclip.

    Last edited by andrew129260; 13 Nov 2014 at 18:46.


  3. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #13

    Here goes the Hitman Pro scan log


  4. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #14

    Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?


  5. Posts : 4,566
    Windows 10 Pro
       #15

    Log looks good.

    Unfortunately I know of no way to track this. Only suggestion I can think of is to keep checking Computer Management > Local Users and Groups after every reboot. It might seem annoying, but try checking it after running some applications. Then restart, and narrow a list down to find the cause.

  6.    #16

    One of the Windows logs in the Computer Management>Event Viewer may log it, possibly System.

    Waiting to see the installed Programs list.

    Check again at msconfig>Startup and >Services (after Hiding all MS) to see if anything is checked now.


  7. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #17

    Please find installed programs list and MSConfig screenshots attached


  8. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #18

    Windows security log has entries for this user creation event. I am providing the details associated with this
    "A user account was created" event. [The computer name is Indra]




    A user account was created.

    Subject:
    Security ID: SYSTEM
    Account Name: INDRA$
    Account Domain: WORKGROUP
    Logon ID: 0x3e7

    New Account:
    Security ID: INDRA\wobrsqqw
    Account Name: wobrsqqw
    Account Domain: INDRA

    Attributes:
    SAM Account Name: wobrsqqw
    Display Name: <value not set>
    User Principal Name: -
    Home Directory: <value not set>
    Home Drive: <value not set>
    Script Path: <value not set>
    Profile Path: <value not set>
    User Workstations: <value not set>
    Password Last Set: <never>
    Account Expires: <never>
    Primary Group ID: 513
    Allowed To Delegate To: -
    Old UAC Value: 0x0
    New UAC Value: 0x15
    User Account Control:
    Account Disabled
    'Password Not Required' - Enabled
    'Normal Account' - Enabled
    User Parameters: <value not set>
    SID History: -
    Logon Hours: All

    Additional Information:
    Privileges -


    ------------The Details section of the above event:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4720</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-14T15:36:58.716478800Z" />
    <EventRecordID>43911</EventRecordID>
    <Correlation />
    <Execution ProcessID="580" ThreadID="616" />
    <Channel>Security</Channel>
    <Computer>Indra</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="TargetUserName">wobrsqqw</Data>
    <Data Name="TargetDomainName">INDRA</Data>
    <Data Name="TargetSid">S-1-5-21-3330774905-1691639123-4124171393-1029</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">INDRA$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">wobrsqqw</Data>
    <Data Name="DisplayName">%%1793</Data>
    <Data Name="UserPrincipalName">-</Data>
    <Data Name="HomeDirectory">%%1793</Data>
    <Data Name="HomePath">%%1793</Data>
    <Data Name="ScriptPath">%%1793</Data>
    <Data Name="ProfilePath">%%1793</Data>
    <Data Name="UserWorkstations">%%1793</Data>
    <Data Name="PasswordLastSet">%%1794</Data>
    <Data Name="AccountExpires">%%1794</Data>
    <Data Name="PrimaryGroupId">513</Data>
    <Data Name="AllowedToDelegateTo">-</Data>
    <Data Name="OldUacValue">0x0</Data>
    <Data Name="NewUacValue">0x15</Data>
    <Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
    <Data Name="UserParameters">%%1793</Data>
    <Data Name="SidHistory">-</Data>
    <Data Name="LogonHours">%%1797</Data>
    </EventData>
    </Event>



    Do these provide any clue?
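
Added example, not posted by any participant in this thread: a Python sketch that parses an exported 4720 event such as the one in post #18 and pulls out the fields that answer the tracking question in post #14. The XML is a trimmed copy of the posted event; the names `parse_4720`, `triage` and `UAC_FLAGS` are this example's own, and the flag table holds only the three bits that the event's rendered text names for 0x15.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the event posted above (Event Viewer "- " markers removed).
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4720</EventID>
<TimeCreated SystemTime="2014-11-14T15:36:58.716478800Z" /></System>
<EventData>
<Data Name="TargetUserName">wobrsqqw</Data>
<Data Name="TargetSid">S-1-5-21-3330774905-1691639123-4124171393-1029</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewUacValue">0x15</Data>
</EventData></Event>"""

# Only the bits the rendered event text spells out for 0x15.
UAC_FLAGS = {0x01: "Account Disabled", 0x04: "Password Not Required", 0x10: "Normal Account"}

def parse_4720(xml_text):
    """Return the fields of an exported 4720 event that matter for triage."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4720":
        raise ValueError("not a 4720 (user account created) event")
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    uac = int(data["NewUacValue"], 16)
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "account": data["TargetUserName"],
        "rid": int(data["TargetSid"].rsplit("-", 1)[1]),   # last SID component
        "creator_sid": data["SubjectUserSid"],
        "logon_id": int(data["SubjectLogonId"], 16),
        "flags": [name for bit, name in UAC_FLAGS.items() if uac & bit],
        "unmapped_bits": uac & ~sum(UAC_FLAGS),            # bits outside the table
    }

def triage(ev):
    """Turn parsed fields into short findings for the analyst."""
    notes = []
    if ev["creator_sid"] == "S-1-5-18":  # well-known SID of Local System
        notes.append("created from the Local System context, not by a logged-on user")
    if "Password Not Required" in ev["flags"]:
        notes.append("password not required")
    if "Account Disabled" in ev["flags"]:
        notes.append("account is disabled at creation")
    return notes

if __name__ == "__main__":
    event = parse_4720(EVENT_XML)
    print(event["time"], event["account"], event["flags"], triage(event))
```

The fields in the posted event identify the security context that created the account (Local System, logon ID 0x3e7) but contain no process name, so the event on its own narrows the source to something running as SYSTEM.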

  9.    #19

    I google the text and ID# of repeat errors to see how others resolve them. In this case there is no known standard use of that account name found by Google so it must be randomly generated. It also appears to be a part of MS Security Audit, possibly run on or by your domain. Security Auditing Overview

    Is this PC used for work? If so I would consult your IT dept.

    I would not have Catalyst bloatware, Komodo, and would question Solid Fire Gold demo, Sentinel Protection installer.

    None of those Services (after hiding all MS) need to start with Windows except your AV.


  10. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #20


 