New user created automatically with each restart

  1.    #21

    I didn't search Indra because he said his PC was named that.


  2. Posts : 4,566
    Windows 10 Pro
       #22

    Why did I not think of that? Of course the Windows security log would help. It looks something similar to group policy or what gregrocker said. Is this PC used for work? Is it a work laptop?

    So far I have seen nothing to indicate an infection. One thing to do would be turning on rootkit detection in the Malwarebytes scanner and then running another threat scan.


  3. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #23

    I came across this:
    You've been put into a temporary user profile because the original one was corrupted. You can try the techniques below. If that doesn't work, let me know and I'll give you an alternate path.
    The critical files are under %systemdrive%\users\user-account\ntuser. The ntuser.dat file is actually a registry hive. Run regedit elevated and select HKEY_USERS and "load hive" from the menu. Now navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    There is one line for each profile. If a profile is bad, check:

    a) That the key name doesn't end in ".bak" (remove .bak if there)
    b) That the RefCount value is 0 (change it if different)
    c) That the State value is 0 (change if different)

    Source, second answer by Malkeleah: System Reboot created new user profile - Microsoft Community
    It would involve a few minutes by ij2014 to check if any of his profiles were corrupt and then go from there to create new ones.

    Remember to run an elevated Registry Editor:

    • Copy/paste/type: regedit into the Start Search box.


    • At the top under Programs, right click on regedit.exe and click on Run as administrator.


    • Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to check the profiles.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #24

    ij2014 said:
    ....What might be the possible reason behind this? Thanks in advance.
    It sounds like the Anti-Theft feature of your ESET Smart Security 8 install.

    Please see this old post of mine.

    Other ESET users saw this happen too:
    Unknown user account re-installs itself...

    Unknown User account at Windows login

    Was wondering If I have been hacked.

    https://www.sevenforums.com/general-d...-registry.html

    edit: the new interface for asking ESET to create this phantom account looks like this:

    New user created automatically with each restart-eset1.png
    Last edited by UsernameIssues; 15 Nov 2014 at 00:04.


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #25

    ij2014 said:
    gregrocker, I unchecked all of those, except Eset. Touchpad lost its scrolling functionality. Next, I unchecked Eset too. But even then, result was the same - the user got created perfectly each time.
    I was not able to disable ESET via msconfig:



    The same thing happens on the Startup tab.


  6. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #26

    ij2014 said:
    Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?
    There may be a couple on this list: Sysinternals Process Utilities. Process Monitor is usually recommended also:

    • Handle


    • PsList


    • Process Explorer

    Don't forget to check Mark Russinovich's other tools like Sysmon that might help, the list is in the left panel under Utilities. I found sysmon under Security Utilities.
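
As an added example (not from any poster in this thread), the Windows Security log mentioned in post #22 can answer part of the tracking question: the PowerShell below lists account creation (event 4720) and deletion (event 4726) records together with the account that requested them. It assumes success auditing of user account management is enabled and an elevated prompt; the function name is hypothetical, and these events identify the requesting account and logon session, not the process.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt,
# because the Security log is readable by administrators only.
# 4720 = "A user account was created", 4726 = "A user account was deleted".
function Get-AccountLifecycleEvent {
    param([int]$MaxEvents = 200)

    $filter = @{ LogName = 'Security'; Id = 4720, 4726 }
    # Get-WinEvent reports an error if no event matches the filter.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            # Flatten the <EventData> name/value pairs into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Account = $data['TargetUserName']      # account created or deleted
                Sid     = $data['TargetSid']           # matches the ProfileList key name
                By      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId = $data['SubjectLogonId']      # logon session that made the request
            }
        }
}

# Oldest first, so a create/delete cycle around each restart is easy to see.
Get-AccountLifecycleEvent | Sort-Object Time |
    Format-Table Time, EventId, Account, By, LogonId -AutoSize
```
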


  7. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #27

    Greg, this ain't a work laptop, so can't consult any IT dept unfortunately.

    In case it's something similar to group policy, can it be somehow attributed to the LAN policies of the local internet service provider? Other than setting up the proxy server settings, no other changes were made though.

    Anak, checked the registry key. There are 3 user profiles right now - an admin account, a standard user account and this loathsome wobrsqqw. In the registry, no key ended in ".bak". The other details are:

    • Admin account - RefCount:4, State:0

    • The standard account - RefCount:0, State:0

    • wobrsqqw - RefCount:1, State:204


    And thanks for the tools info (Sysinternals and Sysmon) - it was much needed.

    UsernameIssues, many thanks for the informative links. Anti-Theft feature was enabled more than a year back. And this issue came up recently. ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.

    And yes, I unchecked ESET from the Startup tab. Because I posted pic of the Startup tab, I meant removing ESET from that tab only, not from the Services tab. After reading your reply I tried it again. After I unchecked ESET from the Startup tab and restarted, ESET was missing from the system tray though the ESET service was running. ESET showed up in the system tray only after I manually started it.

  8.    #28

    Could you uninstall ESET for a test period of a few days to a week, replace it with Microsoft Security Essentials?

    To get it cleanest use the ESET removal tool: Uninstallers (removal tools) for common Windows antivirus software - ESET Knowledgebase

    It's never a good sign IMO when an AV needs a special removal tool since it points to bloatware. I suspect we are seeing an example of that here.


  9. Posts : 16
    Windows 7 Ultimate 32bit
    Thread Starter
       #29

    I think to remove ESET, Start -> All Programs -> ESET -> ESET Smart Security -> Uninstall should suffice ( How do I uninstall or reinstall ESET Smart Security/ESET NOD32 Antivirus? - ESET Knowledgebase )


  10. Posts : 5,605
    Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
       #30

    You're welcome about the tools link.

    From the fourth post down by Mike S.
    Hey Mark,
    I got this from a MS technician:

    The State information for each profile is stored in the following location:

    Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID

    Value: State

    DataType: REG_DWORD

    Data:

    A value of 256 in the State would be decoded in this manner:
    256 = 200 + 040 + 010 + 002 + 004

    You can match the numbers with the following terms to determine the flag
    settings on the profile:

    001 = PROFILE_MANDATORY
    Profile is mandatory.

    002 = PROFILE_USE_CACHE
    Update locally Cached profile.

    004 = PROFILE_NEW_LOCAL
    Using a new local profile.

    008 = PROFILE_NEW_CENTRAL
    Using a new central profile.

    010 = PROFILE_UPDATE_CENTRAL
    Need to update central profile.

    020 = PROFILE_DELETE_CACHE
    Need to delete cached profile.

    040 = PROFILE_UPGRADE
    Need to upgrade profile.

    080 = PROFILE_GUEST_USER
    Using guest user profile.

    100 = PROFILE_ADMIN_USER
    Using administrator profile.

    200 = DEFAULT_NET_READY
    Default net profile is available & ready.

    400 = PROFILE_SLOW_LINK
    Identified slow network link.

    800 = PROFILE_TEMP_ASSIGNED
    Temporary profile loaded.
    So your State Count of 204 would be:

    200 = DEFAULT_NET_READY
    Default net profile is available & ready.

    Plus:

    004 = PROFILE_NEW_LOCAL
    Using a new local profile.

    Something did a job on your profile and I've run across posts where this can happen whether or not the profile has a .bak suffix or not.

    Since UNI brought up the fact that ESET has that anti-theft feature I'd go along with that until you can rule it out starting with Greg's request to remove ESET to test, maybe you can check and see if you can disable just that anti-theft feature, I'm not sure if that would be sufficient or not.

    ij2014 said:
    ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.
    It wouldn't be the first time one of these features went FUBAR especially with the rounds of security updates Windows has been sending down the pipe and the third-party anti-virus companies trying to keep up.
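
An added example, not from any poster in this thread: the ProfileList checks from post #23 and the State flag table quoted in post #30, as PowerShell. The masks in that table are hexadecimal bit flags, and regedit displays a REG_DWORD as hex followed by the decimal value in parentheses, so the script decodes the reported 204 under both readings; the function name is hypothetical.

```powershell
# Added example, not from the thread. Flag names and masks are the ones quoted
# in post #30, written as hexadecimal bit masks.
$StateFlags = @(
    @(0x001, 'PROFILE_MANDATORY'),
    @(0x002, 'PROFILE_USE_CACHE'),
    @(0x004, 'PROFILE_NEW_LOCAL'),
    @(0x008, 'PROFILE_NEW_CENTRAL'),
    @(0x010, 'PROFILE_UPDATE_CENTRAL'),
    @(0x020, 'PROFILE_DELETE_CACHE'),
    @(0x040, 'PROFILE_UPGRADE'),
    @(0x080, 'PROFILE_GUEST_USER'),
    @(0x100, 'PROFILE_ADMIN_USER'),
    @(0x200, 'DEFAULT_NET_READY'),
    @(0x400, 'PROFILE_SLOW_LINK'),
    @(0x800, 'PROFILE_TEMP_ASSIGNED')
)

function ConvertFrom-ProfileState([int]$State) {
    $names = @()
    foreach ($flag in $StateFlags) {
        if ($State -band $flag[0]) { $names += $flag[1] }
    }
    if ($names.Count -eq 0) { return 'none' }
    return ($names -join ' + ')
}

# The reported "204", read as hexadecimal and as decimal.
'0x204     -> ' + (ConvertFrom-ProfileState 0x204)
'204 (dec) -> ' + (ConvertFrom-ProfileState 204)

# Live check of every profile: .bak suffix, RefCount and decoded State.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $root | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Sid      = $_.PSChildName
        Profile  = $p.ProfileImagePath
        Bak      = $_.PSChildName.EndsWith('.bak')
        RefCount = $p.RefCount
        State    = ('0x{0:X3}' -f [int]$p.State)
        Flags    = (ConvertFrom-ProfileState ([int]$p.State))
    }
} | Format-Table Sid, Profile, Bak, RefCount, State, Flags -AutoSize -Wrap
```
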


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
