1.    21 Feb 2017 #1
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)

    [RESOLVED] Windows 10 suddenly creates strange -unknown- user names?


    As stated in the title, all of a sudden my SSD-WIN10PRO - booted in VMware - is creating unknown usernames e.g.:

    Click image for larger version. 

Name:	ScreenCap 2017-02-19 at 20.54.29.jpg 
Views:	38 
Size:	20.4 KB 
ID:	122197
    Click image for larger version. 

Name:	ScreenCap 2017-02-19 at 21.03.24.jpg 
Views:	38 
Size:	5.2 KB 
ID:	122200
    Click image for larger version. 

Name:	ScreenCap 2017-02-19 at 20.56.55.jpg 
Views:	38 
Size:	5.0 KB 
ID:	122198
    Click image for larger version. 

Name:	ScreenCap 2017-02-19 at 20.58.47.jpg 
Views:	4 
Size:	103.2 KB 
ID:	122199

    I've disabled above user for now.

    Click image for larger version. 

Name:	ScreenCap 2017-02-19 at 20.59.39.jpg 
Views:	3 
Size:	112.1 KB 
ID:	122212

    Even though working with a booted SSD in VMware for many years, I've never seen this before. I have no idea why or what is causing this, every time deleting the account, but it keeps coming back with another username. I can't manage to find a direction to check what process is responsible for this. Help much appreciated.

    Cheers
    Last edited by M4v3r1ck; 22 Feb 2017 at 17:08.
      My ComputerSystem Spec
  2.    21 Feb 2017 #2
    Join Date : Jul 2015
    Posts : 3,750
    10 Pro

    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.

    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec

    Probably a virus/malware scan would be wise also.
      My ComputerSystem Spec
  3.    21 Feb 2017 #3
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    Quote Originally Posted by lx07 View Post
    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.
    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec
    Probably a virus/malware scan would be wise also.

    Hi, thanks so much for your quick reply, much appreciated. It's even copying my own user account "username" to "username1". I need to boot without internet connection and review your options. Oh boy, what's happening? I'll send in a ticket at ESET forums ASAP. This is really spinning out of control now!

    Will report back asap!

    Cheers
    Last edited by M4v3r1ck; 21 Feb 2017 at 06:50.
      My ComputerSystem Spec
  4.    21 Feb 2017 #4
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    Quote Originally Posted by lx07 View Post
    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.
    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec
    Probably a virus/malware scan would be wise also.

    1. No event ID 614 (New user created).

    2. Running ESET "in depth scan" as admin now.

    Click image for larger version. 

Name:	ScreenCap 2017-02-21 at 12.58.09.jpg 
Views:	2 
Size:	68.3 KB 
ID:	122219

    To be continued...

    Cheers
    Last edited by M4v3r1ck; 21 Feb 2017 at 07:12. Reason: changed screencap
      My ComputerSystem Spec
  5.    21 Feb 2017 #5
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    3. Running WD Periodic Scanning at the same time now....
      My ComputerSystem Spec
  6.    21 Feb 2017 #6
    Join Date : May 2016
    Posts : 757
    Windows 10 Pro

    Have you thought about you system being hacked.....because that sure does look like it has been. There should never ever under any circumstances that you have mysterious user accounts created unless (you/owner) created them.

    Either your VM or main system has been compromised....and it looks to be remotely. Run every spyware/malware/junkware and AV you have and see what they report. I've had some success with "Norton Power Eraser" for hard to get rid of and deeply embedded malicious software. And even then there's no guarantee that it's gone.

    The only sure way is to format the drive and do a clean install......which I would recommend doing after you've tried everything else.
      My ComputerSystem Spec
  7.    21 Feb 2017 #7
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    Quote Originally Posted by Plankton View Post
    Have you thought about you system being hacked.....because that sure does look like it has been. There should never ever under any circumstances that you have mysterious user accounts created unless (you/owner) created them.
    Either your VM or main system has been compromised....and it looks to be remotely. Run every spyware/malware/junkware and AV you have and see what they report. I've had some success with "Norton Power Eraser" for hard to get rid of and deeply embedded malicious software. And even then there's no guarantee that it's gone.
    The only sure way is to format the drive and do a clean install......which I would recommend doing after you've tried everything else.

    Yes, for 101% I'm thinking about the possibility of being hacked/compromised, but I'm running the advised checks maintenance first now step-by-step.

    2a. ESET SS reported a clean system!
    Last edited by M4v3r1ck; 21 Feb 2017 at 08:03.
      My ComputerSystem Spec
  8.    22 Feb 2017 #8
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    Update | Work in progress!

    3a. WD Periodic Scanning returned clean!

    4. Ran Process Explorer, and turned on the VirusTotal check -> found 3 issues, but for all processes only 1 AV Engine detected it! ESET reported all clean, so no worries?

    Click image for larger version. 

Name:	ScreenCap 2017-02-22 at 22.12.52.jpg 
Views:	14 
Size:	12.0 KB 
ID:	122398

    - The 2nd is a process from Speccy System Info v1.29.714 (64) application, blocked it with ESET firewall.
      My ComputerSystem Spec
  9.    22 Feb 2017 #9
    Join Date : Nov 2014
    The Netherlands
    Posts : 628
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter

    *** this is an integrated copy of the one I posted on my 3 forums in question ***

    UPDATE!
    | SOLVED!

    Because I killed the internet connection as soon as I saw the account added, I was not able to check the Anti Theft (AT) status.

    ESET, a big thank you to you! It was indeed caused by the AT ghost account, I changed it immediately to another and for me much more recognisable ghost-name! I apologize for my panic-attack.


    Pff guys, I'm really sorry for stirring up things around here , never had encountered this issues before, since I use ESET AT.


    For now all-systems-are-GO! A very BIG thank you for all who tried to help me solve this headache issue!


    Note to self:
    keep better track of your system thingies & RTFM!


    Cheers
      My ComputerSystem Spec

 


Similar Threads
Thread Forum
Solved System using two different names for same user account
I am setting up a new PC. Win 10 seems to force you to use a Microsoft email account/address as the basis for setting it up. It then uses 5 letters from the email name as your user account name. You can then convert the user account to a "local"...
User Accounts and Family Safety
Suddenly receiving lots of strange SPAM
Hi guys, I'm hoping someone could help me as I'm tearing my hair out. Basically over the last few weeks I've started receiving spam email in my outlook/hotmail email. I access outlook via google chrome browser. I've hardly ever got spam...
Browsers and Email
browser user names
In Chrome, when signing into different websites...how do I get chrome to remember more than 1 user login name?
Browsers and Email
Different installs - different user names
Over time I had a few retail licenses for Windows 7(seven) Pro and one Windows 10 x64 retail. In the Windows Explorer->Help->About, they show different users under licensed to. One old (blabla at hotmail) and one new (blabla at outlook.com) They...
General Support
Strange & Unknown User Name
When I start up the computer, I get presented with this message "The user name or password is incorrect. Try again." Below that is an "OK" button. The user name displayed is "morga" -- my last name is "morgan". So when I click "OK" it clears off the...
User Accounts and Family Safety
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 22:32.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums