Removing a username appended to admin account

  • Question

  • Hello, I will try to state this as clearly as I can:  My own PC is one I built, running XP; no one uses it but me, and I have never had to mess with group policy, permissions, etc.

    I work as an assistant to a gentleman who has an HP desktop running Vista.  One day as I was downloading something for him, I noticed that the download speed was only 3 kbps.  Long story short, it looked like he'd been compromised by a botnet.  I have located and deleted the files involved and the symptoms have ceased; however there is one problem remaining.

    There is a username appended to or substituted for his own username on the admin account.  This username is one he has never heard of and it is no one he knows.  I understand that if a username is changed, the original name will persist in the path, but he insists that the only username he has ever had is just the one.  What concerns me the most is that this other username has a roaming profile which contains settings for numerous apps, all of which are completely unfamiliar to him. 

    What I wish to know is whether someone could run down for me a step-by-step procedure to remove the roaming profile and disable roaming profiles altogether, and also to remove all references to the malicious username if it is possible.  What I am trying to do is make sure that username has no permissions or access to the system at all.

    I want to make it clear that the other username is also attached to his own profile; i.e., the path:  "C:\docs & settings\users\malicious username" contains his desktop and personal documents as well as the roaming profile.  There is only one profile on the welcome screen (his name).  Perhaps I should collect all of his important data separately, transfer it to a new admin profile, and delete the old one?

    Thanks for your help.


    Saturday, November 15, 2008 12:17 PM

Answers

  • Hi,

    The botnet account may have been created by malware. You may run your anti-virus. If it does not help, try the OneCare online scan.

    http://onecare.live.com/site/en-us/default.htm

    Also please run Windows Defender.

    If it cannot be removed by these anti-virus and anti-spyware tools, you may need to reload the system on the computer with the HP recovery drive.

    Tuesday, November 25, 2008 9:57 AM
    Moderator

All replies

  • If you want to get rid of the profile, back up all you need first to a separate folder outside of c:\docs...

    Then I would go to the Control Panel and create a new user with Administrator privileges. In fact, before doing that you might try to log on to the PC with the "Administrator" username.

    Regardless, if you are logged in as another user with the admin role, you should be able to remove the unwanted user and delete all its paths manually.

    Then create another standard user, which will create a new profile path, and away you go.
    Sunday, November 16, 2008 3:57 PM
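    Before deleting anything, it helps to see exactly which local accounts exist, which profile folders are registered against which account, and whether any profile is configured to roam. The script below is an added example, not code from anyone in this thread; it reads the ProfileList registry key (the authoritative map from account SID to profile folder on any Windows version, whether the folder lives under Documents and Settings or under Users) and flags the two conditions described in the question: a profile folder whose name does not match the account that owns it (what you get when an account is renamed, since the folder keeps the original name) and a profile with a roaming path set. The account name "Rachel" is taken from the thread; everything else is illustrative. Run it from an elevated PowerShell prompt, and treat the deletion lines at the end as a manual step to uncomment only after the backup is done.

```powershell
# Added example (not from the thread): inventory local accounts and registered
# profiles, and flag renamed-account and roaming-profile conditions.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Local accounts with their SIDs and status (WMI works on Vista-era PowerShell).
Write-Host "== Local accounts =="
$localAccounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$localAccounts | Select-Object Name, SID, Disabled, Lockout | Format-Table -AutoSize

# 2. Who is in the local Administrators group (an unexpected member is the real concern).
Write-Host "== Members of Administrators =="
net localgroup Administrators

# 3. Every registered profile, resolved back to an account name, with warnings.
Write-Host "== Registered profiles =="
foreach ($sidKey in Get-ChildItem $profileKey) {
    $sid   = $sidKey.PSChildName
    $props = Get-ItemProperty $sidKey.PSPath
    $path  = $props.ProfileImagePath            # may contain %SystemDrive%; fine for display

    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # SID no longer resolves: the account was deleted, or belongs to another machine/domain.
        $account = '<unresolvable>'
    }

    $folderName = Split-Path $path -Leaf
    $userName   = ($account -split '\\')[-1]
    $flags = @()
    if ($account -eq '<unresolvable>') {
        $flags += 'orphaned profile (owner account no longer exists)'
    } elseif ($userName -ne $folderName) {
        $flags += "folder '$folderName' does not match account '$userName' (renamed account?)"
    }
    if ($props.CentralProfile) {
        $flags += "roaming profile path set: $($props.CentralProfile)"
    }

    "{0,-46} {1,-28} {2}" -f $sid, $account, $path
    if ($flags.Count -gt 0) { "    -> " + ($flags -join '; ') }
}

# 4. Removal, to be run only after the data has been copied out and a fresh
#    administrator account has been created and tested. Win32_UserProfile.Delete()
#    removes both the profile folder and its ProfileList entry; 'net user /delete'
#    removes the account itself. 'Rachel' is the name given in the thread.
# $suspect = 'Rachel'
# Get-WmiObject -Class Win32_UserProfile |
#     Where-Object { $_.LocalPath -like "*\$suspect" } |
#     ForEach-Object { $_.Delete() }
# net user $suspect /delete
```

    The useful signal is in step 3: on the machine in the question, the single account shown on the welcome screen should appear with a ProfileImagePath ending in the unfamiliar folder name, which confirms a rename rather than a second account. If an entry instead shows as unresolvable, or a SID resolves to a name absent from step 1, that is a leftover from an account that has already been deleted and its folder can be removed. Roaming is a per-account property (the CentralProfile value here, or the Profile path set on the account), not a system-wide switch on a Home edition, so clearing it on the one account is what "disabling roaming profiles" amounts to on this machine.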
  • Hi Brujaja,

    Do you mean that you did something with dotnet?

    If Hotkee's suggestion does not resolve the issue, I recommend that you reinstall .Net Framework 2.0. Please follow the steps below.

    1. Visit: http://download.microsoft.com/download/E/9/D/E9D80355-7AB4-45B8-80E8-983A48D5E1BD/msicuu2.exe

    2. Save the file to your computer.

    3. Right click "msicuu2.exe", click "Run as administrator" and follow the wizard to install this tool on your computer.

    4. Click Start -> All Programs -> Windows Installer Clean Up, click Allow.

    5. See if you can find .Net Framework software. If so, remove it.

    6. Download a third party removal tool.

    http://astebner.sts.winisp.net/Tools/dotnetfx_cleanup_tool.zip

    Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    7. Run the tool to remove components of .Net Framework 1.1

    8. Download and install Microsoft .NET Framework Version 1.1 Redistributable Package.

    http://download.microsoft.com/download/a/a/c/aac39226-8825-44ce-90e3-bf8203e74006/dotnetfx.exe

    9. Download and install Microsoft .NET Framework 1.1 Service Pack 1

    http://download.microsoft.com/download/8/b/4/8b4addd8-e957-4dea-bdb8-c4e00af5b94b/NDP1.1sp1-KB867460-X86.exe

    10. Download and install .NET Framework 1.1 Service Pack 1 SYSTEM.WEB.DLL and MSCOREE.DLL Security Update for Windows Vista (KB929729)

    http://download.microsoft.com/download/6/c/c/6ccd11ec-a7ca-4294-92fb-60beff5502e9/NDP1.1sp1-KB929729-X86.exe

    Check if the issue still exists.

    If it persists, please let us know the user name. Also let us know the version of the Windows Vista system and whether it is upgraded to SP1.

    Tuesday, November 18, 2008 6:31 AM
    Moderator
  • Thank you, Mr. Xie.  But no, I meant "botnet."  The malware kind.  It's hard to represent in words the kind of holographic information that tells a seasoned user that a system is compromised, but I think many of you know what I mean.  In this case, it was pretty clear because of things like the roaming profile.

    I would never mess with dotnet, because I have a healthy respect for all things .NET.  (and I don't like to tinker with things that are that much of a project to re-install.)

    The username in question is "Rachel."  Before I noticed the roaming profile, I thought possibly Rachel might have been a "trusted installer."  But there's just no reason for someone he has never heard of to have a roaming profile with folders and apps he does not recognize or use.

    I believe he must have SP1 installed, because he has always had automatic updates enabled.  When I go to work today (I work with him Wed & Thu) I'll find out the version number and confirm SP1 or not.  I am going to try and figure out how to disable roaming profiles in Vista with the help of an online how-to.  However, if anyone has anything to add I am eager for the advice of people more conversant with Vista than I am.
    Wednesday, November 19, 2008 8:02 PM
  • Yes, it's Vista home SP1.  I cannot find any reference to specifically how to disable roaming profiles in Vista.  Help?
    Thursday, November 20, 2008 4:06 PM