[RESOLVED] HELP needed! Windows 10 process (?) is copying my "user" to "user1"


Recommended Posts

  • ESET Insiders

Hi all,

I urgently need some serious help tackling my issue! As stated in the title, my SSD-WIN10PRO is out of control creating additional strange user names. After deleting them manually, I now even face a security risk, because some process is even copying my own "username" as "username1"? :o

[Attached screenshots: ScreenCap 2017-02-19 at 20:54:29, 21:03:24, 20:56:55 and 20:58:47]


Running ESET SS 10.0.390.0 with latest updates. I rebooted my SSD-WIN10PRO as an isolated VM now in VMware Fusion, killing the internet connection as well!

Help much needed and appreciated ATM!

Cheers

 

ScreenCap 2017-02-19 at 20.59.39.jpg

Edited by m4v3r1ck

  • ESET Insiders

Thanks guys for your immediate response, much appreciated. Will check your options right after the in-depth scan as administrator!

[Attached screenshot: ScreenCap 2017-02-21 at 12:58:09]


  • Administrators

If you suspect ESET to be the culprit, you can try temporarily disabling automatic start of real-time protection in the advanced setup and restarting the computer. Should the problem persist, disable HIPS as well and reboot the computer. If nothing helps, try temporarily uninstalling ESET and see if the issue actually goes away or not.


  • ESET Insiders

Hi Marcos,

Thanks, atm I don't suspect anything because I'm still investigating, running ESET scan and Windows Defender.

Will report back...


  • ESET Insiders

1. ESET SS in-depth scan as administrator returned CLEAN!

2. Malwarebytes macOS returned CLEAN!

3. Running ESET CSP atm for ALL disks and all DAS/NAS!

Keep you posted...

Edited by m4v3r1ck

Here's what is strange. The accounts the malware is creating show the "admin" symbol, but they are missing the wording "local administrator account."

Personally if you have malware that can at will create local admin accounts, it might be time to do a "repair" or full Win 10 reinstall. I would try the "repair" in place option first. I assume you haven't created periodic full image backups?

You can also try a system restore to some previous time where malware activity wasn't present. Doubtful about the effectiveness of that but it's worth a shot. 

Edited by itman
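The post above turns on two questions a defender should answer with data rather than by eyeballing the Settings screen: which local accounts actually hold Administrators membership, and which principal created the unexpected account. The following PowerShell is an added example written for this thread, not code from the original posts or from ESET; it assumes an elevated PowerShell on Windows 10 with the built-in LocalAccounts module, and the list of expected account names in `$expected` is a placeholder you must edit for your own machine. It lists every local account with its admin status, flags names not on the expected list, and then pulls Security events 4720 (user account created) and 4732 (member added to a local group), whose Subject field records which account performed the change. In a case like this thread's, where the extra account turned out to be ESET Anti-Theft's ghost account, that Subject column is what tells you a legitimate product created it rather than an intruder.

```powershell
# Added example (not from the thread): audit local accounts and recent
# account-creation events on Windows 10. Run from an elevated PowerShell.

# Accounts you expect on this machine. Placeholder list - edit it for your system.
$expected = @('user', 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# 1. Every local account, with a few fields that help date its appearance.
$users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description

# 2. Which of them are direct members of the local Administrators group
#    (this membership is what the Settings UI renders as the "admin" symbol).
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }

$report = foreach ($u in $users) {
    [pscustomobject]@{
        Name            = $u.Name
        Enabled         = $u.Enabled
        IsAdmin         = ($admins -contains $u.Name)
        Unexpected      = ($expected -notcontains $u.Name)
        PasswordLastSet = $u.PasswordLastSet
        Description     = $u.Description
    }
}
$report | Sort-Object Unexpected, IsAdmin -Descending | Format-Table -AutoSize

# 3. Security log: 4720 = user account created, 4732 = member added to a
#    security-enabled local group. SubjectUserName is the account that made
#    the change, which usually points at the service or person responsible.
#    Needs the "Audit User Account Management" subcategory enabled for Success;
#    if it is off, this query simply returns nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target  = if ($_.Id -eq 4720) { $d.TargetUserName } else { $d.MemberName }
            Group   = if ($_.Id -eq 4732) { $d.TargetUserName } else { '' }
        }
    } | Format-Table -AutoSize
```

Read the two tables together: an account that is flagged Unexpected and IsAdmin, whose 4720 event has a Subject you do not recognise, is the case itman describes and warrants the repair or reinstall he recommends; an account whose 4720 Subject is SYSTEM or a known product service is far more likely to be software doing its job, which is what the thread eventually found.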

  • ESET Insiders
1 hour ago, itman said:

Here's what is strange. The accounts the malware is creating show the "admin" symbol, but they are missing the wording "local administrator account."

Personally if you have malware that can at will create local admin accounts, it might be time to do a "repair" or full Win 10 reinstall. I would try the "repair" in place option first. I assume you haven't created periodic full image backups?

You can also try a system restore to some previous time where malware activity wasn't present. Doubtful about the effectiveness of that but it's worth a shot. 

Thanks for chiming in @itman, appreciated! This is an e-mail I found in the Apple Mail junk folder. Please note that yesterday I booted my Windows 10 SSD in a NOT ISOLATED VMware Fusion VM, but picked it up and booted it as a native "BootCamp" partition with regular shares Win10 <-> macOS.

[Attached screenshot: ScreenCap 2017-02-21 at 22:41:30]

Here's the screen for the copied user account:

[Attached screenshot: ScreenCap 2017-02-21 at 23:20:19]

Any thoughts guys?

TIA!

Edited by m4v3r1ck
typo

  • ESET Insiders

UPDATE! | SOLVED!

Because I killed the internet connection as soon as I saw the accounts added, I was not able to check the Anti Theft (AT) status.

@Marcos a big thank you to you! It was indeed caused by the AT ghost account. I changed it immediately to another, for me much more recognisable, ghost name! I apologize for my panic attack.

Pff guys, I'm really sorry for stirring up things around here :wacko:, I had never encountered this issue before, since I use ESET AT.

For now all systems are GO! A very BIG thank you to all who tried to help me solve this headache.

Note to self: keep better track of your system thingies & RTFM! 

Cheers

Edited by m4v3r1ck
typo
