  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 345

Strange Windows user account 'tsinternetus6r' in Windows Vista!?

It seems that a new user account named 'tsinternetus6r' was created automatically on my Windows Vista laptop!
When I checked User Accounts, it has 'Administrator' privileges and is also password protected.
Note the user name's last word 'us6r' - looks like 'user'!! (e ~ 6)

I tried googling...
http://www.google.co.in/search?hl=en&q=tsinternetus6r&aq=f&aqi=&aql=&oq=&gs_rfai=

I really wonder how this account was created. Only my brother was sharing this laptop. He has not done this either.

Any idea, or has anyone faced a similar issue?

Any help would be highly appreciated
Raj
0
Asked by: Rajkumar Gs
3 Solutions
 
B H Commented:
yeah it really looks like a virus created it...

i'd delete it, check your firewall, and run a full scan with malwarebytes... also change ALL the passwords for all the users in your vista, including administrator.

i'm thinking someone remotely connected by remote desktop, and created that.  or, a script was run that created it and then told the Chinese what your ip address is
0
 
B H Commented:
curious, the "default" password for that account/infection appears to be:  adminok7758521
wonder if that works - try to log in as it and see what it's been doing!

or just delete it.

some Chinese sites are saying it was made by someone logging in with the SA sql user and creating it... others say it comes from a "remote desktop diagnostic" tool that is actually the virus.
0
 
Rajkumar Gs (Software Engineer, Author) Commented:
Thanks great Byron for your immediate response (shocking response).

Just to test whether I can delete its password, I already deleted its password before posting this question. So I can't test logging in with the password you specified. :(

I was using 'Bitdefender Internet Security' last year (3 year license genuine version).
Now I am using 'Kaspersky Internet Security 2010'. Both seem to have good firewall protection.

Remote Assistance was enabled in my system. I just disabled that option.
When I checked for that user's documents (normally that should be under the same username), it was not found.

I am really shocked to realize that some hacking attempt happened to my computer. I mostly take utmost care to use good security software in my system.

Raj
0
 
Rajkumar Gs (Software Engineer, Author) Commented:
I think it is better not to log in to that account. Delete it?

Raj
0
 
Rajkumar Gs (Software Engineer, Author) Commented:
Another dangerous thing is that there was no password for Administrator for some months.
Raj
0
 
B H Commented:
yeah you can delete the account - by it not having a "users" folder means it was never logged on to.

it seems like someone on your computer ran a program, which created the user and the program would have secretly emailed some hacker the ip address, username and password.  since your firewall doesn't apparently allow remote desktop, the account couldn't be logged into

i have seen similar incidents where a foreign username was actively logged onto a remote desktop session, running a denial of service attack against some website.  they logged in, ran the program and disconnected - the program continued to run.

it appears that it was set up to do something like that, but they couldn't actually log into your machine

one thing you could do is take your "security" log (start > run > eventvwr > windows logs  > security) and export them to a CSV file (text)

then do a search for all instances of the username, you'll probably be able to see when it got created... then it's up to you to find out what was going on in the computer at that time... was some local user browsing weird websites, or installing some game or something?
0
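The log search suggested in the comment above, as an added example that is not part of the original thread: it scans an Event Viewer CSV export for the account name and labels the account-management and logon events it finds. The sample rows and their dates are constructed, and the column layout (message text in the column after Task Category) is an assumption about the export format.

```python
import csv
import io

# Constructed sample of an Event Viewer CSV export (not from the original thread).
# Assumed layout: Level, Date and Time, Source, Event ID, Task Category, message.
SAMPLE_EXPORT = '''Level,Date and Time,Source,Event ID,Task Category
Information,5/3/2010 9:14:02 PM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on. Account Name: Raj"
Information,5/3/2010 9:20:41 PM,Microsoft-Windows-Security-Auditing,4720,User Account Management,"A user account was created. New Account: Account Name: tsinternetus6r"
Information,5/3/2010 9:20:42 PM,Microsoft-Windows-Security-Auditing,4732,Security Group Management,"A member was added to a security-enabled local group. Member: tsinternetus6r Group Name: Administrators"
Information,5/3/2010 9:31:10 PM,Microsoft-Windows-Security-Auditing,4634,Logoff,"An account was logged off. Account Name: Raj"
'''

# Security event IDs (Vista and later) worth flagging for a suspicious account.
EVENTS_OF_INTEREST = {
    "4720": "account created",
    "4722": "account enabled",
    "4724": "password reset attempted",
    "4732": "added to local group",
    "4624": "successful logon",
    "4625": "failed logon",
}

def find_account_events(csv_text, username):
    """Return (timestamp, event_id, meaning) for rows that mention username."""
    hits = []
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # skip the header row
    for row in reader:
        if len(row) < 5:
            continue  # malformed or blank line
        timestamp, event_id = row[1], row[3].strip()
        message = " ".join(row[5:])  # message may spill into extra columns
        if username.lower() not in message.lower():
            continue
        meaning = EVENTS_OF_INTEREST.get(event_id, "other mention")
        hits.append((timestamp, event_id, meaning))
    return hits

if __name__ == "__main__":
    for ts, eid, meaning in find_account_events(SAMPLE_EXPORT, "tsinternetus6r"):
        print(f"{ts}  event {eid}: {meaning}")
```

For a real export, pass the text of the saved CSV file to `find_account_events` instead of `SAMPLE_EXPORT`; the timestamp of the 4720 row is the point in time to correlate with what was running on the machine.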
 
Rajkumar Gs (Software Engineer, Author) Commented:
I verified the Windows log. But it has logs starting from May of this year. This account was created before that.
I have deleted that account.

Thanks for your time and support, Bryon
Raj
0
 
Rajkumar Gs (Software Engineer, Author) Commented:
I read your profile - excellent man!

My wishes.
Raj
0
 
B H Commented:
well thanks :)   you were one question away from me getting 1,000,000 points too - the next accepted answer is it :)

odd that your hacker account was there for so long though - it wouldn't be a bad idea to check up on things every month or so just in case

but it looks like there was no unauthorized access this time, so all is well
0
