Solved New user created automatically with each restart

:picnic: Why did I not think of that? Of course the Windows security log would help. It looks something similar to group policy or what gregrocker said. Is this PC used for work? Is it a work laptop?

So far I have seen nothing to indicate an infection. One thing to do would be turning on rootkit detection in the Malwarebytes scanner, then running another threat scan.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Built
OS
Windows 10 Pro
CPU
AMD Ryzen 5 2400G Processor with Radeon RX Vega 11 Graphics
Motherboard
ASRock X470 Master SLI/AC AM4 AMD Promontory X470 SATA 6Gb/s
Memory
G.SKILL Ripjaws V Series 16GB (2 x 8GB) 288-Pin DDR4 SDRAM D
Graphics Card(s)
2047MB NVIDIA GeForce GTX 1060 6GB (EVGA)
Sound Card
Motherboard Built in
Monitor(s) Displays
Acer R240HY bidx 23.8-Inch IPS HDMI DVI VGA (1920 x 1080) Wi
Screen Resolution
1920 x 1080
Hard Drives
1TB Sandisk SSD PLUS (Main drive)
500 GB Seagate 7200 RPM (Games)
500 GB Western Digital 7200 RPM (Virtual Machines)
PSU
CORSAIR TX Series TX650M 650W 80+ Gold Modular Power Supply
Case
CORSAIR CARBIDE SPEC-02 Mid-Tower Gaming Case, Red LED Fan
Cooling
220mm, two 120mm, and four 60mm fans
Keyboard
Wired Dell keyboard
Mouse
Wireless Logitech mouse
Internet Speed
250mb down, 30mb up
Antivirus
Panda Cloud Antivirus
Browser
Chrome-ish x64
Other Info
You're awesome for reading this.
I came across this:
You've been put into a temporary user profile because the original one was corrupted. You can try the techniques below. If that doesn't work, let me know and I'll give you an alternate path.
The critical files are under %systemdrive%\users\user-account\ntuser. The ntuser.dat file is actually a registry hive. Run regedit elevated and select HKEY_USERS and "load hive" from the menu. Now navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is one line for each profile. If a profile is bad, check:

a) That the key name doesn't end in ".bak" (remove .bak if there)
b) That the RefCount value is 0 (change it if different)
c) That the State value is 0 (change if different)

Source, second answer by Malkeleah: System Reboot created new user profile - Microsoft Community
It would involve a few minutes by ij2014 to check if any of his profiles were corrupt and then go from there to create new ones.

Remember to run an elevated Registry Editor:

  • Copy/paste/type: regedit into the Start Search box.

  • At the top under Programs, right click on regedit.exe and click on Run as administrator.

  • Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to check the profiles.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Gateway DX4831-01e (Mid-Tower Desktop)
OS
Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
CPU
Intel i3 530 2.93GHz, 2933MHz 2 Cores 4 Logical Processors
Motherboard
Gateway H57M01 133 megahertz
Memory
6GB of 1,333MHz DDR3 SDRAM
Graphics Card(s)
32MB Intel Graphics Media Accelerator HD IGChip
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Gateway HX2000 20inch TFT active matrix TN
Screen Resolution
1600 x 900 x 59 hertz
Hard Drives
WDC WD10EADS-00M2B0 [HDD] (1000.20 GB) -- drive 0,
HL-DT-ST DVDRAM GH41N [CD-ROM dr]
Four card readers, and Four USB 2.0
PSU
300watts.
Case
Mid-Tower Desktop
Cooling
Stock from Gateway
Keyboard
Natural Ergonomic Keyboard 4000, see Other Info
Mouse
Orig. Gateway wore out now using Insignia USB wired optical
Internet Speed
Vz FIOS 10ms png 57.64Mbps down 65.53Mbps up Speedtest.org
Antivirus
Zamana Anti-logger with Anti-malware, MSE, Windows Firewall,
Browser
IE11.0.9600.19399-Upd ver11.0.135, Firefox 68.0.1 x64
Other Info
System Specs by Belarc.

BIOS: American Megatrends Inc. P01-A0 11/17/2009

Replaced the MS 'Natural' Standard PS/2 Enhanced 101-102 Keyboard with a new Natural Ergonomic Keyboard 4000 on August 1st 2014.

Canon Pixma MG3222 Printer.

Updated to IE11 on 12102015 | Fios Quantum Router g1100

Additional AV: SpywareBlaster, manual Mbam, SAS
....What might be the possible reason behind this? Thanks in advance.
It sounds like the Anti-Theft feature of your ESET Smart Security 8 install.

Please see this old post of mine.

Other ESET users saw this happen too:
http://www.sevenforums.com/general-discussion/281110-unknown-user-account-re-installs-itself.html

http://www.sevenforums.com/system-security/281084-unknown-user-account-windows-login.html

http://www.sevenforums.com/system-security/281063-wondering-if-i-have-been-hacked.html

http://www.sevenforums.com/general-...out-my-permission-doesn-t-exist-registry.html

edit: the new interface for asking ESET to create this phantom account looks like this:

ESET1.PNG
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit
gregrocker, I unchecked all of those, except Eset. Touchpad lost its scrolling functionality. Next, I unchecked Eset too. But even then, result was the same - the user got created perfectly each time.
I was not able to disable ESET via msconfig:



The same thing happens on the Startup tab.
 

Is there any way to track this user creation? Any tool that will track the user creation and corresponding process that initiates the activity?
There may be a couple on this list: Sysinternals Process Utilities. Process Monitor is usually recommended also:

  • Handle

  • PsList

  • Process Explorer
Don't forget to check Mark Russinovich's other tools, like Sysmon, that might help; the list is in the left panel under Utilities. I found Sysmon under Security Utilities.
 

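Added example, not part of any post in this thread: one way to answer the "which restart, which account, created by whom" question from the Windows Security log mentioned earlier. It pairs each account-creation event with the preceding start-up event in an exported XML log. Event IDs 4608 and 4720 and their field names are standard Security log values that the thread itself does not mention; the sample export and the names `EXAMPLE-PC$`, `qzkdplhv`, `guest2` and `admin` are constructed. Event 4720 records the requesting account, not the process, and is only logged while account-management auditing is enabled.

```python
"""Correlate account-creation events with system start-ups in exported Security log XML."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BOOT_ID = 4608      # Security log: Windows is starting up
CREATED_ID = 4720   # Security log: a user account was created

# A real export can be produced with, for example:
#   wevtutil qe Security /q:"*[System[(EventID=4608 or EventID=4720)]]" /f:xml /e:Events
# Constructed sample export (not taken from the machine discussed in the thread).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4608</EventID>
 <TimeCreated SystemTime="2015-03-01T08:00:05.000000000Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID>
 <TimeCreated SystemTime="2015-03-01T08:01:10.000000000Z"/></System><EventData>
 <Data Name="TargetUserName">wobrsqqw</Data><Data Name="SubjectUserName">EXAMPLE-PC$</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4608</EventID>
 <TimeCreated SystemTime="2015-03-02T07:30:00.000000000Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID>
 <TimeCreated SystemTime="2015-03-02T07:31:20.000000000Z"/></System><EventData>
 <Data Name="TargetUserName">qzkdplhv</Data><Data Name="SubjectUserName">EXAMPLE-PC$</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4720</EventID>
 <TimeCreated SystemTime="2015-03-02T15:45:00.000000000Z"/></System><EventData>
 <Data Name="TargetUserName">guest2</Data><Data Name="SubjectUserName">admin</Data>
 </EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield (time, event_id, data) for every Event element in the export."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % NS["e"]):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # SystemTime carries more fractional digits than strptime accepts; keep whole seconds.
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield when, eid, data


def creations_after_boot(events, window=timedelta(minutes=10)):
    """Pair each account creation with the most recent start-up and report the delay."""
    last_boot, rows = None, []
    for when, eid, data in sorted(events, key=lambda e: e[0]):
        if eid == BOOT_ID:
            last_boot = when
        elif eid == CREATED_ID:
            delay = (when - last_boot) if last_boot else None
            rows.append({
                "account": data.get("TargetUserName", ""),
                "created_by": data.get("SubjectUserName", ""),
                "time": when,
                "seconds_after_boot": None if delay is None else int(delay.total_seconds()),
                # True when the account appeared within `window` of a start-up.
                "boot_time_creation": delay is not None and delay <= window,
            })
    return rows


if __name__ == "__main__":
    for row in creations_after_boot(parse_events(SAMPLE_XML)):
        print(row)
```

A creator name ending in `$` is the computer account, which is how a service running as Local System appears in the Subject fields; that narrows the search to services rather than logged-on users.
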
Greg, this ain't a work laptop, so can't consult any IT dept unfortunately.

In case it's something similar to group policy, can it be somehow attributed to the LAN policies of the local internet service provider? Other than setting up the proxy server settings, no other changes were made though.

Anak, checked the registry key. There are 3 user profiles right now - an admin account, a standard user account and this loathsome wobrsqqw. In the registry, no key ended in ".bak". The other details are:


  • Admin account - RefCount:4, State:0
  • The standard account - RefCount:0, State:0
  • wobrsqqw - RefCount:1, State:204

And thanks for the tools info (Sysinternals and Sysmon) - it was much needed.

UsernameIssues, many thanks for the informative links. Anti-Theft feature was enabled more than a year back. And this issue came up recently. ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.

And yes, I unchecked ESET from the Startup tab. Because I posted pic of the Startup tab, I meant removing ESET from that tab only, not from the Services tab. After reading your reply I tried it again. After I unchecked ESET from the Startup tab and restarted, ESET was missing from the system tray though the ESET service was running. ESET showed up in the system tray only after I manually started it.
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Acer
OS
Windows 7 Ultimate 32bit
CPU
i3
Memory
3gb
Hard Drives
Hitachi 320 GB
Antivirus
ESET Smart Security 8
Browser
Chrome
You're welcome about the tools link.

From the fourth post down by Mike S.
Hey Mark,
I got this from a MS technician:

The State information for each profile is stored in the following location:

Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\SID

Value: State

DataType: REG_DWORD

Data:

A value of 256 in the State would be decoded in this manner:
256 = 200 + 040 + 010 + 002 + 004

You can match the numbers with the following terms to determine the flag
settings on the profile:

001 = PROFILE_MANDATORY
Profile is mandatory.

002 = PROFILE_USE_CACHE
Update locally Cached profile.

004 = PROFILE_NEW_LOCAL
Using a new local profile.

008 = PROFILE_NEW_CENTRAL
Using a new central profile.

010 = PROFILE_UPDATE_CENTRAL
Need to update central profile.

020 = PROFILE_DELETE_CACHE
Need to delete cached profile.

040 = PROFILE_UPGRADE
Need to upgrade profile.

080 = PROFILE_GUEST_USER
Using guest user profile.

100 = PROFILE_ADMIN_USER
Using administrator profile.

200 = DEFAULT_NET_READY
Default net profile is available & ready.

400 = PROFILE_SLOW_LINK
Identified slow network link.

800 = PROFILE_TEMP_ASSIGNED
Temporary profile loaded.
So your State Count of 204 would be:

200 = DEFAULT_NET_READY
Default net profile is available & ready.

Plus:

004 = PROFILE_NEW_LOCAL
Using a new local profile.

Something did a job on your profile and I've run across posts where this can happen whether or not the profile has a .bak suffix or not.

Since UNI brought up the fact that ESET has that anti-theft feature I'd go along with that until you can rule it out starting with Greg's request to remove ESET to test, maybe you can check and see if you can disable just that anti-theft feature, I'm not sure if that would be sufficient or not.

ESET claims, when device theft is reported, other accounts are hidden and only the phantom account is shown. I haven't tested it though. Moreover, in the present case, all other accounts are shown and most importantly, no device theft was ever reported.
It wouldn't be the first time one of these features went FUBAR especially with the rounds of security updates Windows has been sending down the pipe and the third-party anti-virus companies trying to keep up.
 

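Added example, not part of any post in this thread: the three ProfileList checks listed earlier (`.bak` suffix, `RefCount`, `State`) together with a decoder for the `State` flags in the quoted table. The table's values are hexadecimal, and regedit shows a DWORD in hexadecimal with the decimal value in parentheses, so a figure copied as text (such as the 204 reported above) is decoded under both readings. The SIDs are constructed placeholders and the function names are this example's own; on Windows the script reads the live key read-only, elsewhere it falls back to the sample.

```python
"""Apply the thread's ProfileList checks (.bak suffix, RefCount, State) and decode State."""

# Flag values copied from the table quoted in the post above; they are hexadecimal.
STATE_FLAGS = {
    0x001: "PROFILE_MANDATORY",
    0x002: "PROFILE_USE_CACHE",
    0x004: "PROFILE_NEW_LOCAL",
    0x008: "PROFILE_NEW_CENTRAL",
    0x010: "PROFILE_UPDATE_CENTRAL",
    0x020: "PROFILE_DELETE_CACHE",
    0x040: "PROFILE_UPGRADE",
    0x080: "PROFILE_GUEST_USER",
    0x100: "PROFILE_ADMIN_USER",
    0x200: "DEFAULT_NET_READY",
    0x400: "PROFILE_SLOW_LINK",
    0x800: "PROFILE_TEMP_ASSIGNED",
}
PROFILE_LIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample: placeholder SIDs; RefCount values as reported in the thread,
# State 204 entered under the hexadecimal reading used in the reply.
SAMPLE = {
    "S-1-5-21-PLACEHOLDER-1000": {"RefCount": 4, "State": 0},      # admin account
    "S-1-5-21-PLACEHOLDER-1001": {"RefCount": 0, "State": 0},      # standard account
    "S-1-5-21-PLACEHOLDER-1002": {"RefCount": 1, "State": 0x204},  # wobrsqqw
}


def decode_state(value):
    """Return the names of the flags set in a State DWORD, lowest bit first."""
    names = [name for bit, name in sorted(STATE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(STATE_FLAGS)  # bits that the quoted table does not name
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def both_readings(text):
    """Decode a State figure copied as text, read as hexadecimal and as decimal."""
    decimal = decode_state(int(text)) if text.isdigit() else None
    return {"hex": decode_state(int(text, 16)), "decimal": decimal}


def audit_profile(key_name, values):
    """Apply the three checks from the thread to one ProfileList subkey."""
    findings = []
    if key_name.lower().endswith(".bak"):
        findings.append("key name ends in .bak")
    if values.get("RefCount", 0) != 0:
        findings.append("RefCount is %d, not 0" % values["RefCount"])
    state = values.get("State", 0)
    if state != 0:
        findings.append("State 0x%X: %s" % (state, " | ".join(decode_state(state))))
    return findings


def read_live_profiles():
    """Read ProfileList from the local registry (Windows only, read-only)."""
    import winreg
    profiles = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sid = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sid) as sub:
                vals = {}
                for name in ("ProfileImagePath", "RefCount", "State"):
                    try:
                        vals[name] = winreg.QueryValueEx(sub, name)[0]
                    except FileNotFoundError:
                        pass  # value not present on this subkey
                profiles[sid] = vals
    return profiles


if __name__ == "__main__":
    try:
        profiles = read_live_profiles()
    except ImportError:  # not on Windows: use the constructed sample
        profiles = SAMPLE
    for sid, vals in profiles.items():
        print(sid, vals.get("ProfileImagePath", ""), audit_profile(sid, vals) or "no findings")
    print(both_readings("204"))
```
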
Ever since UsernameIssues mentioned that Phantom account, I started to suspect ESET badly. And after reading Greg's suggestion of uninstalling ESET, I knew what to get hold of. And yes Anak, you were spot on. A while ago I disabled the Anti-theft feature, deleted the evil account and restarted. For the first time during the last 8/9 days, there was no other account (other than the ones I created) showing in "Manage Accounts". Next, I enabled the feature again and had to create a Phantom account, with a nice friendly name, once again. Restarted. In the login screen the Phantom account showed up. Next, I deleted this account from the control panel. The next restart gave birth to an awful account in the "Manage Accounts" again, only with a different name.

When I activated Anti-theft a year back, I had to create a Phantom account which is the standard user account I was having all the time. I think, somehow, ESET lost track of this account and went on creating account on its own. Anyway, have to check a few days before I can really breathe a sigh of relief.
 

This.....
How to revert the status of a device to normal

To revert a device to a normal state, click I recovered my device. The device will reboot and your normal user account will be re-enabled. After selecting I recovered my device, a device status change confirmation message will appear in a pop-up window which will include additional summary information.
.... sounds like you can reset the protection.

It's at the bottom of this page: Activate and configure Anti-Theft protection in ESET Smart Security - ESET Knowledgebase
 

.... sounds like you can reset the protection.

That's basically resetting the "missing" status of the device - it changes the status of the protected device to "Not missing" and the anti-theft mechanism becomes inactive.
 

It's never a good sign IMO when an AV needs a special removal tool since it points to bloatware. I suspect we are seeing an example of that here.

Just pointing out that every AV has a removal tool. Even Microsoft security essentials. It has nothing to do with bloatware, just making sure all files and keys are removed.

Ever since UsernameIssues mentioned that Phantom account, I started to suspect ESET badly. And after reading Greg's suggestion of uninstalling ESET, I knew what to get hold of. And yes Anak, you were spot on. A while ago I disabled the Anti-theft feature, deleted the evil account and restarted. For the first time during the last 8/9 days, there was no other account (other than the ones I created) showing in "Manage Accounts". Next, I enabled the feature again and had to create a Phantom account, with a nice friendly name, once again. Restarted. In the login screen the Phantom account showed up. Next, I deleted this account from the control panel. The next restart gave birth to an awful account in the "Manage Accounts" again, only with a different name.

When I activated Anti-theft a year back, I had to create a Phantom account which is the standard user account I was having all the time. I think, somehow, ESET lost track of this account and went on creating account on its own. Anyway, have to check a few days before I can really breathe a sigh of relief.

That makes a lot of sense. Good spot, greg, uni, and anak. The hidden account is so that no matter what an attacker does to a system it hopefully will not be noticed and can follow the user's every move who stole it. Then get it back. I hope that solves your issue.
 

MSE doesn't have an additional removal tool, but offers a manual uninstaller that's only for the purpose of removing it if it can't be removed in Programs and Features.

The bloatware AVs require an additional uninstaller because all of the extra crap they install can't be uninstalled by typical program Uninstall. The classic example is Norton. For years to uninstall it completely required also running the Norton Removal Tool to uninstall your Norton product.
 
This.....
That's basically resetting the "missing" status of the device - it changes the status of the protected device to "Not missing" and the anti-theft mechanism becomes inactive.
Isn't that what you want?
As I recall, there are 3 states: something like missing, found and test.

I don't think that ESET thinks that the device is missing... so there will be no button to push to change the computer from missing to found. The OP's normal user account on this computer is already enabled. See post #1 where the OP seems to be using a normal admin account to delete the phantom standard account.

If the device were in the missing mode, then all normal accounts would be hidden. Only the phantom standard user account will be on the Welcome screen - and since that account has no password - the computer boots straight to the desktop for that phantom account. The OP could not delete the phantom account while logged into that account... hence my guess that the OP is using a normal admin account for the actions mentioned in post #1.


When I was playing with that test mode, I could see all of the accounts (the normal ones and the phantom one). But maybe I was rushing things a bit. Maybe if I had given the test some more of my time - it might have hidden the normal accounts and been like a real test of a missing computer.

Either way - I think that we can say that the phantom account is not malicious. The OP can uninstall and re-install ESET's software to see if that fixes the issue. Or live with the extra account. Or contact ESET for diagnostics of their app. I'm not sure that we will know the answer as to why the phantom account is being created at times when it should not be.

:::back to lurking:::
 

Good explanation, UNI. I don't have ESET or have ever used it, and I am attempting to offer educated explanations. It's nice to have someone here with the experience using it.
 


I don't think that ESET thinks that the device is missing... so there will be no button to push to change the computer from missing to found. The OP's normal user account on this computer is already enabled. See post #1 where the OP seems to be using a normal admin account to delete the phantom standard account.

If the device were in the missing mode, then all normal accounts would be hidden. Only the phantom standard user account will be on the Welcome screen - and since that account has no password - the computer boots straight to the desktop for that phantom account. The OP could not delete the phantom account while logged into that account... hence my guess that the OP is using a normal admin account for the actions mentioned in post #1.

Absolutely correct UNI. It's just an admin account from which I used to delete that creepy account - it's only later that we learnt it was a phantom account generated by ESET on its own. And the state of my device was always "Not missing".


Either way - I think that we can say that the phantom account is not malicious. The OP can uninstall and re-install ESET's software to see if that fixes the issue. Or live with the extra account. Or contact ESET for diagnostics of their app. I'm not sure that we will know the answer as to why the phantom account is being created at times when it should not be.

Phantom account is created so that if the device is stolen, photos and screenshots and perhaps other info from the stolen device can be seen from an online ESET account (which might help in tracking down the stealer), provided the stolen device connects to net. And regarding uninstall and re-install, UNI, perhaps you have missed this post of mine:

Ever since UsernameIssues mentioned that Phantom account, I started to suspect ESET badly. And after reading Greg's suggestion of uninstalling ESET, I knew what to get hold of. And yes Anak, you were spot on. A while ago I disabled the Anti-theft feature, deleted the evil account and restarted. For the first time during the last 8/9 days, there was no other account (other than the ones I created) showing in "Manage Accounts". Next, I enabled the feature again and had to create a Phantom account, with a nice friendly name, once again. Restarted. In the login screen the Phantom account showed up. Next, I deleted this account from the control panel. The next restart gave birth to an awful account in the "Manage Accounts" again, only with a different name.

When I activated Anti-theft a year back, I had to create a Phantom account which is the standard user account I was having all the time. I think, somehow, ESET lost track of this account and went on creating account on its own. Anyway, have to check a few days before I can really breathe a sigh of relief.
 
