Windows 10 Pro suddenly creates strange - unknown to me - user names?

  1. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
       #1

    [RESOLVED] Windows 10 suddenly creates strange -unknown- user names?


    As stated in the title, all of a sudden my SSD-WIN10PRO - booted in VMware - is creating unknown usernames e.g.:

    [Attached screenshots]

    I've disabled above user for now.

    [Attached screenshot]

    Even though working with a booted SSD in VMware for many years, I've never seen this before. I have no idea why or what is causing this, every time deleting the account, but it keeps coming back with another username. I can't manage to find a direction to check what process is responsible for this. Help much appreciated.

    Cheers
    Last edited by M4v3r1ck; 22 Feb 2017 at 16:08.

  2. lx07's Avatar
    Posts : 5,479
    2004
       #2

    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.

    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec

    Probably a virus/malware scan would be wise also.
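    The Event Viewer check suggested in the post above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original thread; it assumes the Security log event 4720 ("A user account was created"), which is how Windows 10 records local account creation, and the output column names are chosen here for illustration.

```powershell
# Added example: who created each local account, according to the Security log.
# Requires an elevated prompt; reading the Security log needs administrator rights.

# 1. Local accounts that exist right now.
$accounts = Get-LocalUser
$accounts | Select-Object Name, Enabled, LastLogon, Description, SID |
    Format-Table -AutoSize

# 2. Account-creation records (event 4720) still present in the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                       -ErrorAction SilentlyContinue

$created = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        NewAccount  = $data['TargetUserName']
        NewSid      = $data['TargetSid']
        # Subject = the security context that requested the creation
        CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId     = $data['SubjectLogonId']
    }
}
$created | Sort-Object TimeCreated | Format-Table -AutoSize

# 3. Accounts with no matching creation record: either created before the
#    log rolled over, or created while auditing was off.
$loggedSids = @($created | ForEach-Object { $_.NewSid })
$accounts |
    Where-Object { $loggedSids -notcontains $_.SID.Value } |
    Select-Object Name, Enabled, SID |
    Format-Table -AutoSize

# If step 2 returns nothing at all, confirm the audit policy is recording it.
auditpol /get /subcategory:"User Account Management"
```

    A `CreatedBy` value of a service context such as SYSTEM, rather than an interactive user, points at installed software creating the account, which is worth checking against the security products on the machine before assuming compromise.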

  3. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #3

    lx07 said:
    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.
    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec
    Probably a virus/malware scan would be wise also.

    Hi, thanks so much for your quick reply, much appreciated. It's even copying my own user account "username" to "username1". I need to boot without internet connection and review your options. Oh boy, what's happening? I'll send in a ticket at ESET forums ASAP. This is really spinning out of control now!

    Will report back asap!

    Cheers
    Last edited by M4v3r1ck; 21 Feb 2017 at 05:50.

  4. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #4

    lx07 said:
    When does it come back? Immediately or when you reboot? You could have a look in Event Viewer for Event ID 614 (New user created) and see if it gives any clue.
    You could also have a look in AutoRuns and see if there is a start up task that is creating a user on startup/logon. Look under "Everything" after selecting "Hide Microsoft Entries" on the "View" tab and see if there is anything odd looking. Like in this case...https://answers.microsoft.com/en-us/...7-59e78ce027ec
    Probably a virus/malware scan would be wise also.

    1. No event ID 614 (New user created).

    2. Running ESET "in depth scan" as admin now.

    [Attached screenshot]

    To be continued...

    Cheers
    Last edited by M4v3r1ck; 21 Feb 2017 at 06:12. Reason: changed screencap

  5. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #5

    3. Running WD Periodic Scanning at the same time now....

  6. Plankton's Avatar
    Posts : 2,078
    Windows 10 Pro
       #6

    Have you thought about your system being hacked.....because that sure does look like it has been. There should never ever under any circumstances be mysterious user accounts created unless (you/owner) created them.

    Either your VM or main system has been compromised....and it looks to be remotely. Run every spyware/malware/junkware and AV you have and see what they report. I've had some success with "Norton Power Eraser" for hard to get rid of and deeply embedded malicious software. And even then there's no guarantee that it's gone.

    The only sure way is to format the drive and do a clean install......which I would recommend doing after you've tried everything else.


  7. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #7

    Plankton said:
    Have you thought about your system being hacked.....because that sure does look like it has been. There should never ever under any circumstances be mysterious user accounts created unless (you/owner) created them.
    Either your VM or main system has been compromised....and it looks to be remotely. Run every spyware/malware/junkware and AV you have and see what they report. I've had some success with "Norton Power Eraser" for hard to get rid of and deeply embedded malicious software. And even then there's no guarantee that it's gone.
    The only sure way is to format the drive and do a clean install......which I would recommend doing after you've tried everything else.

    Yes, for 101% I'm thinking about the possibility of being hacked/compromised, but I'm running the advised checks maintenance first now step-by-step.

    2a. ESET SS reported a clean system!
    Last edited by M4v3r1ck; 21 Feb 2017 at 07:03.

  8. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #8

    Update | Work in progress!

    3a. WD Periodic Scanning returned clean!

    4. Ran Process Explorer, and turned on the VirusTotal check -> found 3 issues, but for all processes only 1 AV Engine detected it! ESET reported all clean, so no worries?

    [Attached screenshot]

    - The 2nd is a process from Speccy System Info v1.29.714 (64) application, blocked it with ESET firewall.

  9. M4v3r1ck's Avatar
    Posts : 632
    Win 10 Pro x64 1607 (Build 14393.953)
    Thread Starter
       #9

    *** this is an integrated copy of the one I posted on my 3 forums in question ***

    UPDATE! | SOLVED!

    Because I killed the internet connection as soon as I saw the account added, I was not able to check the Anti Theft (AT) status.

    ESET, a big thank you to you! It was indeed caused by the AT ghost account, I changed it immediately to another and for me much more recognisable ghost-name! I apologize for my panic-attack.


    Pff guys, I'm really sorry for stirring up things around here, never had encountered this issue before, since I use ESET AT.


    For now all-systems-are-GO! A very BIG thank you for all who tried to help me solve this headache issue!


    Note to self:
    keep better track of your system thingies & RTFM!


    Cheers


 
