Solved New user created automatically with each restart

ij2014

I have been facing this peculiar problem for the last 4/5 days. Whenever I log into Windows, a new user "wobrsqqw" gets created which is of the type "Standard User". From the control panel, it can be easily deleted. But, if I restart again, as soon as I get into Windows, the same user gets created again. Once, I renamed it and restarted and surprisingly no new user got created. As soon as I deleted it and restarted again, it got created again. What might be the possible reason behind this? Thanks in advance.
 

My Computer
Computer type: Laptop
Computer Manufacturer/Model Number: Acer
OS: Windows 7 Ultimate 32bit
CPU: i3
Memory: 3gb
Hard Drives: Hitachi 320 GB
Antivirus: ESET Smart Security 8
Browser: Chrome
Sounds like some kind of malware to me. Try running a full scan with your anti-virus software.
Download, install and run Malware Bytes Anti Malware (free version) and do a full scan.

Let them fix whatever they find. See if that helps.

Also run msconfig and check the Startup tab to see if there is anything starting there that looks suspicious or unusual.

Windows key + R, type msconfig and press Enter.
 

The only time this happens legitimately is if Windows Update needs a way to update your account to get past your password, or if an imaging or backup program has similar need. Are any of these the case?

Let us know what the scans find.
 
Thanks for your responses.
Ztruker, I also suspected it to be some malware. But a full scan with the antivirus did not reveal anything significant. I also downloaded and installed Malware Bytes Anti Malware and did a full scan. It too, did not find anything. I also checked the Startup tab of System Config. I am attaching screen shots of it.


gregrocker, no imaging or backup program as per my knowledge was getting executed during all this while. Is there a way to check them out?
 

Attachments: Startup1.jpg, Startup2.jpg

Can you also post a screenshot of task scheduler?

1.) Download herdprotect: (choose the portable version)

Download herdProtect - Free Anti-Malware Platform

2.) Run the scan.

3.) When the scan finishes, save the results per the screenshot below. Then upload the log here.

DO NOT REMOVE ANYTHING YET. I will advise if anything needs removed when I receive the log.



_____________________________________________________________________________________

Download DDS:

DDS.com

Save the file to your pc. Then open the dds icon to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop.
Include the contents of both logs in your next post by using the paperclip

 

You can uncheck all of those except Eset. Then test your touchpad to see if you have all the functions you want, e.g. scrolling.
 
andrew129260, as per your suggestion I am attaching the log files.
 

gregrocker, I unchecked all of those, except Eset. Touchpad lost its scrolling functionality. Next, I unchecked Eset too. But even then, result was the same - the user got created perfectly each time.
 

Ok Greg, I will see if the guidelines given in the troubleshooting steps page help. Thanks.
 

Thank you for the logs, give me some additional time to look through them. I do see that you have utorrent installed. If you are using torrents, your machine's possible infection rate increases significantly.

Edit: Okay, I looked through the logs and other than the torrent software you appear to be clean. NO guarantee however.

I know a lot about malware but I am not an expert.


I would like you to scan with Hitman Pro as another run just to see, it certainly cannot hurt.

1.) Download hitman pro here for your windows version and install it.

2.) Open hitman pro. Click next.

Read and Accept the license agreement, then checkmark the box and click next.

Choose to run only a one-time scan of this computer and click next.

The scan will start, wait until it completes, then click the save log button.

Choose a place to save it for upload later.

Close out of hitman pro.

Find the log file wherever you saved it and upload it using the paperclip.
 
Here goes the Hitman Pro scan log
 

Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?
 

log looks good.

Unfortunately I know of no way to track this. Only suggestion I can think of is to keep checking computer management local users and groups after every reboot. It might seem annoying but try checking it after running some applications. Then restart, narrow a list down to find the cause.
 

One of the Windows logs in the Computer Management>Event Viewer may log it, possibly System.

Waiting to see the installed Programs list.

Check again at msconfig>Startup and >Services (after Hiding all MS) to see if anything is checked now.
 
Please find installed programs list and MSConfig screenshots attached
 

Attachments: MSConfig Startup.jpg, MSConfig Services.jpg, Program List.doc

Windows security log has entries for this user creation event. I am providing the details associated with this
"A user account was created" event. [The computer name is Indra]




A user account was created.

Subject:
Security ID: SYSTEM
Account Name: INDRA$
Account Domain: WORKGROUP
Logon ID: 0x3e7

New Account:
Security ID: INDRA\wobrsqqw
Account Name: wobrsqqw
Account Domain: INDRA

Attributes:
SAM Account Name: wobrsqqw
Display Name: <value not set>
User Principal Name: -
Home Directory: <value not set>
Home Drive: <value not set>
Script Path: <value not set>
Profile Path: <value not set>
User Workstations: <value not set>
Password Last Set: <never>
Account Expires: <never>
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters: <value not set>
SID History: -
Logon Hours: All

Additional Information:
Privileges -


------------The Details section of the above event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2014-11-14T15:36:58.716478800Z" />
<EventRecordID>43911</EventRecordID>
<Correlation />
<Execution ProcessID="580" ThreadID="616" />
<Channel>Security</Channel>
<Computer>Indra</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">wobrsqqw</Data>
<Data Name="TargetDomainName">INDRA</Data>
<Data Name="TargetSid">S-1-5-21-3330774905-1691639123-4124171393-1029</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">INDRA$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">wobrsqqw</Data>
<Data Name="DisplayName">%%1793</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">%%1793</Data>
<Data Name="HomePath">%%1793</Data>
<Data Name="ScriptPath">%%1793</Data>
<Data Name="ProfilePath">%%1793</Data>
<Data Name="UserWorkstations">%%1793</Data>
<Data Name="PasswordLastSet">%%1794</Data>
<Data Name="AccountExpires">%%1794</Data>
<Data Name="PrimaryGroupId">513</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x0</Data>
<Data Name="NewUacValue">0x15</Data>
<Data Name="UserAccountControl">%%2080 %%2082 %%2084</Data>
<Data Name="UserParameters">%%1793</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">%%1797</Data>
</EventData>
</Event>



Do these provide any clue?
 

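The 4720 event posted above shows the request came from SYSTEM (S-1-5-18), and the ProcessID in its System block is the process that logged the event, not the program that asked for the account. As an added example (not written by anyone in the thread), this PowerShell script lists each 4720 event with its decoded flags and the processes that started shortly before it; the 60-second window and the auditpol prerequisite are assumptions, and the time correlation only narrows the candidates.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: process-creation auditing (event 4688) was enabled before the
# reboot that recreated the account:
#   auditpol /set /subcategory:"Process Creation" /success:enable
param([int]$WindowSeconds = 60)   # look-back window; assumed value, tune as needed

function Get-EventField($Record, [string]$Name) {
    # Return one named <Data> value from the event's XML payload.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Bits of NewUacValue, as spelled out in the event text posted above (0x15).
$UacBits = @{ 0x01 = 'Account Disabled'; 0x04 = 'Password Not Required'; 0x10 = 'Normal Account' }

$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue
if (-not $created) { Write-Warning 'No 4720 events found (log cleared or auditing off).'; return }

foreach ($ev in $created) {
    $uac   = [Convert]::ToInt32((Get-EventField $ev 'NewUacValue'), 16)
    $flags = $UacBits.Keys | Sort-Object | Where-Object { $uac -band $_ } | ForEach-Object { $UacBits[$_] }

    "{0:s}  account '{1}' created by {2} ({3}); flags: {4}" -f $ev.TimeCreated,
        (Get-EventField $ev 'TargetUserName'), (Get-EventField $ev 'SubjectUserName'),
        (Get-EventField $ev 'SubjectUserSid'), ($flags -join ', ')

    # 4720 does not name the calling program, so list what started just before it.
    $window = @{
        LogName   = 'Security'; Id = 4688
        StartTime = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
        EndTime   = $ev.TimeCreated
    }
    Get-WinEvent -FilterHashtable $window -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                ProcId  = Get-EventField $_ 'NewProcessId'
                RunAs   = Get-EventField $_ 'SubjectUserName'
                Process = Get-EventField $_ 'NewProcessName'
            }
        } | Format-Table Time, ProcId, RunAs, Process -AutoSize
}
```

A process that appears in the window on every reboot and runs as SYSTEM is the first thing to look at in Services and Task Scheduler.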
I google the text and ID# of repeat errors to see how others resolve them. In this case there is no known standard use of that account name found by Google so it must be randomly generated. It also appears to be a part of MS Security Audit, possibly run on or by your domain. Security Auditing Overview

Is this PC used for work? If so I would consult your IT dept.

I would not have Catalyst bloatware, Komodo, and would question Solid Fire Gold demo, Sentinel Protection installer.

None of those Services (after hiding all MS) need to start with Windows except your AV.
 
