SpyWare BeWare! ASAP
Topic: Auto Create User Account
patwwh
Guest
« Reply #15 on: March 27, 2014, 07:55:58 PM »

I have downloaded the files twice and run it twice.
Please see the attached result.
It seems items 1~3 cannot be removed.
I have the "Unlocker" program. If needed, please tell me the location and I will manually delete the file.
MrCharlie
Moderator
Hero Member
*****
Offline Offline

Gender: Male
Date Registered:June 06, 2004, 05:50:23 PM
Posts: 6662


Coby


WWW
« Reply #16 on: March 28, 2014, 10:42:47 AM »

The fix was successful, is there any difference??

MrC
My help is always free here but if you would like to show your appreciation, it will be much appreciated.
Thanks MrC
patwwh
Guest
« Reply #17 on: March 28, 2014, 11:17:04 AM »

Thanks a lot.
Unfortunately, the problem is still here.
Is it possible to monitor or check the log and find out the program which auto creates that suspicious account?
Logged
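One way to answer the question above from the Windows Security log, as an added example that is not part of the original thread: event 4720 records each account creation together with the user and logon session that performed it, and event 4688 records process starts. It assumes account-management auditing is being recorded and, for the second query, that process-creation auditing was switched on before the account reappeared; `Get-EventFields` and `$since` are names made up for this sketch.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Fields are read by their XML names, so this also works on non-English Windows.

function Get-EventFields($Record) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable
    $fields = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    $fields
}

$since = (Get-Date).AddDays(-7)   # assumption: look back one week

# 4720 = "A user account was created"
$creations = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($ev in $creations) {
    $c = Get-EventFields $ev
    "{0:yyyy-MM-dd HH:mm:ss}  created: {1}  by: {2}\{3}  logon session: {4}" -f `
        $ev.TimeCreated, $c.TargetUserName, $c.SubjectDomainName,
        $c.SubjectUserName, $c.SubjectLogonId

    # 4688 = "A new process has been created" (only logged when process
    # creation auditing is enabled). Look at the two minutes before the creation.
    $procs = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'; Id = 4688
        StartTime = $ev.TimeCreated.AddMinutes(-2)
        EndTime   = $ev.TimeCreated
    } -ErrorAction SilentlyContinue

    foreach ($p in ($procs | Sort-Object TimeCreated)) {
        $f = Get-EventFields $p
        # Keep only processes started from the same logon session as the creator
        if ($f.SubjectLogonId -eq $c.SubjectLogonId) {
            "    {0:HH:mm:ss}  {1}" -f $p.TimeCreated, $f.NewProcessName
        }
    }
}
```

When the creating session belongs to SYSTEM, the process list covers everything started at boot in that window, so treat it as a shortlist to check against installed services and scheduled tasks.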
MrCharlie
« Reply #18 on: March 28, 2014, 12:19:25 PM »

Do you think it's possibly related to Acronis Virtual Disk??

MrC
patwwh
Guest
« Reply #19 on: March 28, 2014, 09:29:47 PM »

I haven't set up a virtual disk from Acronis, nor have I run any backup from it yet.
But I remain open to any possibility.
Let me uninstall and test it, or ask Acronis directly on Monday. Will report back to you soon.
Thanks for your advice.
patwwh
Guest
« Reply #20 on: March 28, 2014, 10:11:39 PM »

Just uninstalled Acronis and tested 2 times. Nothing changed.

I can describe in detail what happens every time I delete the account:
Usually, after reboot and login, it is generated.
I remember one time, just after reboot without login, it was generated and already shown on the login page.
Just 10 mins ago, after a reboot, I didn't log in and then rebooted again directly; the account was generated on the login page.

In my system, only 3 services were specially installed by me:
Acronis, Truecrypt and SQL Server. I know the last 2 are also not the killer.
MrCharlie
« Reply #21 on: March 29, 2014, 07:15:19 AM »

Run another scan with FRST, make sure the Addition box is checked.

MrC
patwwh
Guest
« Reply #22 on: March 29, 2014, 07:32:11 AM »

Not sure if you really mean "Scan" or "fix" this time.
Anyway, I copied addition.txt, selected the option and ran fix. Output is Fixlog -3rd Run.txt.
Then I copied addition.txt again, selected the option and ran scan, and then ran fix. Output is FRST.txt and Fixlog -4th Run.txt
MrCharlie
« Reply #23 on: March 29, 2014, 08:50:41 AM »


I wanted you to use Scan, so I can get 2 new logs.

Take a look here and you'll see how to get info on that account:
http://www.sevenforums.com/installation-setup/184141-unknown-user-account.html

MrC
patwwh
Guest
« Reply #24 on: March 29, 2014, 09:17:15 AM »

No problem. You should see a scan log in my last attachment.

Your link hasn't shown how to get special info on an account.
I keep looking at that account by Management / right-click.
Every time it is generated, I go there, remove all the groups it belongs to, add a password to it, and then remove its permissions on c:\ and c:\Users
MrCharlie
« Reply #25 on: March 29, 2014, 09:54:12 AM »

OK, let me know....MrC
patwwh
Guest
« Reply #26 on: March 29, 2014, 11:55:50 AM »

Hi Mr Charlie,

Don't understand. Let you know what ??
Your link hasn't shown anything. What info did you need?
Is it the output of net user command?
If yes, here it is (I translated the terms to English):

User Name             yzfvcbgk
Full Name               yzfvcbgk
Remark                   
User Remark           
National Code         000 (System Default)
Account Using        Yes
Account Expire        Never

Password set last time      29/3/2014 11:05:01
Password Expire               Never
Password Changeable        29/3/2014 11:05:01
Please input password       Yes
User can change password  No

Allowed Workstation           All
Login Command File             
User Setting File           
Main Directory                 
Last Login                        Never

Allowed Login Time            All

Local Group Member           
Domain Group member       *None                 
Command has been finished.
MrCharlie
« Reply #27 on: March 29, 2014, 06:55:12 PM »

Is this a program you recognize:

C:\Program Files (x86)\Yellow Blue Soft\Tabbles\TabblesExplorerListener.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please fix your Java:

Java(TM) 6 Update 20 <-------uninstall from your add/remove programs

Java 7 Update 9 <--------Go to control panel > Java > Update Tab > Update Now
Uncheck the box to install the Ask toolbar!!! and any other free "stuff". (should be Update 51)

If there's no update tab in Java, uninstall it and Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!! and any other free "stuff".

------------------------------------------------------

When you delete the account and reboot, is the account automatically created or do you have to open up a browser first???

-----------------------------------------------------

I just looked over all the logs and all of these came back:

Quote
2014-03-27 18:44 - 2014-03-27 18:44 - 00098816 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32api.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00110080 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\pywintypes27.dll
2014-03-27 18:44 - 2014-03-27 18:44 - 00364544 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\pythoncom27.dll
2014-03-27 18:44 - 2014-03-27 18:44 - 00044032 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_socket.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 01157120 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_ssl.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00320512 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32com.shell.shell.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00712192 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_hashlib.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 01175040 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._core_.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00805888 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._gdi_.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00811008 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._windows_.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 01062400 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._controls_.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00735232 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._misc_.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00128512 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_elementtree.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00127488 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\pyexpat.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00557056 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\pysqlite2._sqlite.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00087040 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_ctypes.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00119808 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32file.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00108544 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32security.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00018432 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32event.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00038912 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32inet.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00122368 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._wizard.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00070656 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\wx._html2.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00026624 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\_multiprocessing.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00010240 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\select.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00024064 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32pipe.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00686080 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\unicodedata.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00025600 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32pdh.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00525640 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\windows._lib_cacheinvalidation.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00011264 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32crypt.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00035840 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32process.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00017408 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32profile.pyd
2014-03-27 18:44 - 2014-03-27 18:44 - 00022528 _____ () C:\Users\Biz\AppData\Local\Temp\_MEI47082\win32ts.pyd

--------------------------------

Clean out all your temp files and...

Please run FRST again (scan) and make sure the Addition box is checked.

Post back both logs.

MrC
patwwh
Guest
« Reply #28 on: March 30, 2014, 01:51:32 AM »

I haven't removed Java 1.6 since one of my important programs needs it, but not v1.7.

Since it was proved that the problem did not come from Tencent QQ and PDFCreator, I have re-installed them previously due to practical needs, but in their older versions.
I believe the current PDFCreator should have no spam inside.
Tencent QQ would have, but it is a big company. Its spam won't be too harmful.
I used all of these programs for many years without problem.
But some logs listed by you may be generated by them.

I ran CCleaner again and a scan with FRST. Please see attachments.
MrCharlie
« Reply #29 on: March 30, 2014, 07:45:24 AM »

Not seeing much, run this scan and see if it finds anything, it can take a while to scan!

Please run a free online scan with the ESET Online Scanner (it may take a while to run)
Note: You will need to use Internet Explorer for this scan.
First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats is unchecked and the option Scan unwanted applications is checked
Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
Click Start
Wait for the scan to finish
If threats were found:
Click on "list of threats found"
Click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
Put a checkmark in "Uninstall application on close"
Click on finish
Post back the log.....MrC