Solved

Strange windows user account 'tsinternetus6r' in Windows Vista !?

Posted on 2010-08-22
Last Modified: 2013-12-04
It seems that a new user account named 'tsinternetus6r' is created automatically on my Windows Vista laptop!
When I checked User accounts, it has 'Administrator' privileges and is also password protected.
Note the user name's last word 'us6r' - looks like 'user' !! (e ~ 6)

I tried googling...
http://www.google.co.in/search?hl=en&q=tsinternetus6r&aq=f&aqi=&aql=&oq=&gs_rfai=

I really wonder how this account was created. Only my brother was sharing this laptop. He has not done this either.

Any idea, or has anyone faced a similar issue?

Any help would be highly appreciated.
Raj
Question by:Rajkumar Gs

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495896
yeah it really looks like a virus created it...

i'd delete it, check your firewall, and run a full scan with malwarebytes... also change ALL the passwords for all the users in your vista, including administrator.

i'm thinking someone remotely connected by remote desktop, and created that.  or, a script was run that created it and then told the Chinese what your ip address is

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495913
curious, the "default" password for that account/infection appears to be:  adminok7758521
wonder if that works - try to log in as it and see what it's been doing!

or just delete it.

some Chinese sites are saying it was made by someone logging in with the SA SQL user and creating it... others say it comes from a "remote desktop diagnostic" tool that is actually the virus.

Author Comment

by:Rajkumar Gs
ID: 33495957
Thanks great Byron for your immediate response (shocking response).

Just to test whether I can delete its password, I already deleted its password before posting this question. So I can't test login with the password you specified. :(

I was using 'Bitdefender Internet Security' last year (3 year license genuine version).
Now I am using 'Kaspersky Internet Security 2010'. Both seem to have good firewall protection.

Remote Assistance was enabled in my system. I just disabled that option.
When I checked for that user's documents (normally that should be with the same username), it is not found.

I am really shocked to realize that some hacking attempt happened to my computer. I mostly take utmost care to use good security software in my system.

Raj

Author Comment

by:Rajkumar Gs
ID: 33495964
I think it is better not to log in to that account. Delete it?

Raj

Author Comment

by:Rajkumar Gs
ID: 33495975
Another dangerous thing is that there was no password for Administrator for some months.
Raj

Accepted Solution

by:B H
B H earned 500 total points
ID: 33496281
yeah you can delete the account - by it not having a "users" folder means it was never logged on to.

it seems like someone on your computer ran a program, which created the user and the program would have secretly emailed some hacker the ip address, username and password.  since your firewall doesn't apparently allow remote desktop, the account couldn't be logged into.

i have seen similar incidents where a foreign username was actively logged onto a remote desktop session, running a denial of service attack against some website.  they logged in, ran the program and disconnected - the program continued to run.

it appears that it was set up to do something like that, but they couldn't actually log into your machine

one thing you could do is take your "security" log (start > run > eventvwr > windows logs  > security) and export them to a CSV file (text)

then do a search for all instances of the username, you'll probably be able to see when it got created... then it's up to you to find out what was going on in the computer at that time... was some local user browsing weird websites, or installing some game or something?
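
The search described in this answer, as an added example that is not part of the original post: it scans a Security log exported to CSV for a username, picks out the account-creation record (event ID 4720 on Vista and later), and reports the oldest record in the export so you can tell whether the log reaches back far enough. The sample records, the column layout and the US date format are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not from the thread): a Security log saved from Event
# Viewer as CSV. Assumed layout: five named columns, then the message text as
# an unnamed sixth field. Messages are shortened and the dates are made up.
SAMPLE_CSV = '''Level,Date and Time,Source,Event ID,Task Category
Information,8/22/2010 9:14:02 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.
Account Name: Raj"
Information,6/3/2010 2:41:17 AM,Microsoft-Windows-Security-Auditing,4732,Security Group Management,"A member was added to a security-enabled local group.
Member: tsinternetus6r  Group Name: Administrators"
Information,6/3/2010 2:41:16 AM,Microsoft-Windows-Security-Auditing,4720,User Account Management,"A user account was created.
New Account Name: tsinternetus6r"
Information,5/11/2010 7:00:00 PM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on.
Account Name: Raj"
'''

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # assumption: export made on a US-locale system
CREATED_ID = "4720"                # "A user account was created" (Vista and later)


def search_export(csv_text, username):
    """Return every record mentioning username, the creation time (if logged),
    and the oldest record in the export."""
    rows = csv.reader(io.StringIO(csv_text, newline=""))
    next(rows, None)  # skip the header line
    hits, oldest = [], None
    for row in rows:
        if len(row) < 6:
            continue  # blank or malformed line
        when = datetime.strptime(row[1], DATE_FMT)
        if oldest is None or when < oldest:
            oldest = when
        if username.lower() in row[5].lower():
            hits.append((when, row[3], row[4]))
    hits.sort()
    created = next((w for w, event_id, _ in hits if event_id == CREATED_ID), None)
    return {"hits": hits, "created": created, "log_starts": oldest}


if __name__ == "__main__":
    result = search_export(SAMPLE_CSV, "tsinternetus6r")
    for when, event_id, category in result["hits"]:
        print(when, event_id, category)
    if result["created"] is None:
        # No creation event: either auditing was off or the log has rolled over.
        print("No 4720 record; log only reaches back to", result["log_starts"])
```

If `created` comes back empty and `log_starts` is later than the date you first noticed the account, the creation record has already aged out of the log.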

Author Comment

by:Rajkumar Gs
ID: 33496437
I verified the Windows log. But it has logs starting May of this year. This account was created before that.
I have deleted that account.

Thanks for your time and support, Bryon
Raj

Author Closing Comment

by:Rajkumar Gs
ID: 33496453
I read your profile - excellent man!

My wishes.
Raj

Expert Comment

by:B H
ID: 33497015
well thanks :)   you were one question away from me getting 1,000,000 points too - the next accepted answer is it :)

odd that your hacker account was there for so long though - it wouldn't be a bad idea to check up on things every month or so just in case

but it looks like there was no unauthorized access this time, so all is well