Solved

Strange Windows user account 'tsinternetus6r' in Windows Vista!?

Posted on 2010-08-22
Last Modified: 2013-12-04
It seems that a new user account named 'tsinternetus6r' was created automatically on my Windows Vista laptop!
When I checked User Accounts, it has 'Administrator' privileges and is also password protected.
Note the user name's last word 'us6r' - looks like 'user'!! (e ~ 6)
 tsinternetus6r

I tried googling...
http://www.google.co.in/search?hl=en&q=tsinternetus6r&aq=f&aqi=&aql=&oq=&gs_rfai=

I really wonder how this account was created. Only my brother was sharing this laptop. He has not done this either.

Any ideas, or has anyone faced a similar issue?

Any help would be highly appreciated
Raj
Question by:Rajkumar Gs
9 Comments
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495896
yeah it really looks like a virus created it...

i'd delete it, check your firewall, and run a full scan with malwarebytes... also change ALL the passwords for all the users in your vista, including administrator.

i'm thinking someone remotely connected by remote desktop, and created that.  or, a script was run that created it and then told the chinese what your ip address is
0
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495913
curious, the "default" password for that account/infection appears to be:  adminok7758521
wonder if that works - try to log in as it and see what it's been doing!

or just delete it.

some chinese sites are saying it was made by someone logging in with the SA sql user and creating it... others say it comes from a "remote desktop diagnostic" tool that is actually the virus.
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495957
Thanks great Byron for your immediate response (shocking response).

Just to test whether I can delete its password, I already deleted its password before posting this question. So I can't test login with the password you specified. :(

I was using 'Bitdefender Internet Security' last year (3 year license genuine version).
Now I am using 'Kaspersky Internet Security 2010'. Both seem to have good firewall protection.

Remote Assistance was enabled in my system. I just disabled that option.
When I checked for that user's documents (normally that should be under the same username), it was not found.

I am really shocked to realize that some hacking attempt happened to my computer. I mostly take utmost care to use good security software in my system.

Raj
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495964
I think it is better not to log in to that account. Delete it?

Raj
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495975
Another dangerous thing is that there was no password for Administrator for some months.
Raj
0
 
LVL 24

Accepted Solution

by:B H
B H earned 500 total points
ID: 33496281
yeah you can delete the account - by it not having a "users" folder means it was never logged on to.

it seems like someone on your computer ran a program, which created the user and the program would have secretly emailed some hacker the ip address, username and password.  since your firewall doesn't apparently allow remote desktop, the account couldn't be logged into

i have seen similar incidents where a foreign username was actively logged onto a remote desktop session, running a denial of service attack against some website.  they logged in, ran the program and disconnected - the program continued to run.

it appears that it was set up to do something like that, but they couldn't actually log into your machine

one thing you could do is take your "security" log (start > run > eventvwr > windows logs  > security) and export them to a CSV file (text)

then do a search for all instances of the username, you'll probably be able to see when it got created... then it's up to you to find out what was going on in the computer at that time... was some local user browsing weird websites, or installing some game or something?
0
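
The log search described in the accepted answer, as an added example that is not part of the original thread: it reads a Security log exported to CSV, lists every record that mentions the account name, and reports whether the log reaches back far enough to contain the creation event (4720 on Windows Vista and later). The column headers, the US date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Security-log event IDs (Windows Vista and later) for local account changes.
ACCOUNT_EVENTS = {"4720": "account created", "4722": "account enabled",
                  "4724": "password reset attempt", "4726": "account deleted",
                  "4732": "added to a local group"}
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: en-US export format

def trace_account(csv_text, username):
    """Summarise what an exported Security log says about one account name."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = [h.strip().lower() for h in rows[0]]
    id_col, time_col = header.index("event id"), header.index("date and time")
    needle, events, stamps = username.lower(), [], []
    for row in rows[1:]:
        if len(row) <= max(id_col, time_col):
            continue  # blank or truncated line
        when = datetime.strptime(row[time_col].strip(), TIME_FORMAT)
        stamps.append(when)
        if any(needle in field.lower() for field in row):
            eid = row[id_col].strip()
            events.append((when, eid, ACCOUNT_EVENTS.get(eid, "other")))
    events.sort()  # oldest first, whatever order the export used
    created = [when for when, eid, _ in events if eid == "4720"]
    return {"log_starts": min(stamps) if stamps else None,
            "created": created[0] if created else None,
            "events": events}

# Constructed sample export (not real log data); the message is the unnamed last column.
SAMPLE = '''Keywords,Date and Time,Source,Event ID,Task Category
Audit Success,8/22/2010 9:41:10 AM,Microsoft-Windows-Security-Auditing,4726,User Account Management,"A user account was deleted. Target Account: Account Name: tsinternetus6r"
Audit Success,8/22/2010 9:30:02 AM,Microsoft-Windows-Security-Auditing,4724,User Account Management,"An attempt was made to reset an account's password. Target Account: Account Name: tsinternetus6r"
Audit Success,5/3/2010 8:00:00 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on. Account Name: owner"
'''

if __name__ == "__main__":
    report = trace_account(SAMPLE, "tsinternetus6r")
    for when, eid, meaning in report["events"]:
        print(when, eid, meaning)
    if report["created"] is None:
        print("No creation event; log only goes back to", report["log_starts"])
```

When `created` is `None` and `log_starts` is later than the suspected creation date, the log has rolled over and the creation time cannot be recovered from it.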
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33496437
I verified the Windows log. But it has logs starting May of this year. This account was created before that.
I have deleted that account.

Thanks for your time and support, Bryon
Raj
0
 
LVL 23

Author Closing Comment

by:Rajkumar Gs
ID: 33496453
I read your profile - excellent man!

My wishes.
Raj
0
 
LVL 24

Expert Comment

by:B H
ID: 33497015
well thanks :)   you were one question away from me getting 1,000,000 points too - the next accepted answer is it :)

odd that your hacker account was there for so long though - it wouldn't be a bad idea to check up on things every month or so just in case

but it looks like there was no unauthorized access this time, so all is well
0
