Solved

Strange windows user account 'tsinternetus6r' in Windows Vista !?

Posted on 2010-08-22
Last Modified: 2013-12-04
It seems that a new user account named 'tsinternetus6r' is created automatically in my Windows Vista Laptop!
When I checked User accounts, it has 'Administrator' privileges, and is also password protected.
Note the user name's last word 'us6r' - looks like 'user' !! (e ~ 6)
 tsinternetus6r

I tried googling...
http://www.google.co.in/search?hl=en&q=tsinternetus6r&aq=f&aqi=&aql=&oq=&gs_rfai=

I really wonder how this account was created. Only my brother was sharing this laptop. He also has not done this.

Any idea or anyone faced similar issue ?

Any help would be highly appreciated
Raj
Question by:Rajkumar Gs
9 Comments
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495896
yeah it really looks like a virus created it...

i'd delete it, check your firewall, and run a full scan with malwarebytes... also change ALL the passwords for all the users in your vista, including administrator.

i'm thinking someone remotely connected by remote desktop, and created that.  or, a script was run that created it and then told the chinese what your ip address is
0
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495913
curious, the "default" password for that account/infection appears to be:  adminok7758521
wonder if that works - try to log in as it and see what it's been doing!

or just delete it.

some chinese sites are saying it was made by someone logging in with the SA sql user and creating it... others say it comes from a "remote desktop diagnostic" tool that is actually the virus.
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495957
Thanks great Byron for your immediate response (shocking response).

Just to test whether I can delete its password, I already deleted its password before posting this question. So I can't test login with the password you specified. :(

I was using 'Bitdefender Internet Security' last year (3 year license genuine version).
Now I am using 'Kaspersky Internet Security 2010'. Both seem to have good firewall protection.

Remote Assistance was enabled in my system. I just disabled that option.
When I checked for that user's documents (normally that should be with the same username), it is not found.

I am really shocked to realize that some hacking attempt happened to my computer. I mostly take utmost care to use good security software in my system.

Raj
0

 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495964
I think it is better not to log in to that account. Delete it?

Raj
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495975
Another dangerous thing is that there was no password for Administrator for some months.
Raj
0
 
LVL 24

Accepted Solution

by:B H
B H earned 500 total points
ID: 33496281
yeah you can delete the account - by it not having a "users" folder means it was never logged on to.

it seems like someone on your computer ran a program, which created the user and the program would have secretly emailed some hacker the ip address, username and password.  since your firewall doesn't apparently allow remote desktop, the account couldn't be logged into

i have seen similar incidents where a foreign username was actively logged onto a remote desktop session, running a denial of service attack against some website.  they logged in, ran the program and disconnected - the program continued to run.

it appears that it was set up to do something like that, but they couldn't actually log into your machine

one thing you could do is take your "security" log (start > run > eventvwr > windows logs  > security) and export them to a CSV file (text)

then do a search for all instances of the username, you'll probably be able to see when it got created... then it's up to you to find out what was going on in the computer at that time... was some local user browsing weird websites, or installing some game or something?
0
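
The log search suggested in the answer above, as an added example that is not part of the original post: it scans a Security log CSV export for account-management events naming the account, and reports how far back the log reaches when no creation event (ID 4720) is present. The column order, the US date format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Security-log event IDs (Windows Vista and later) for local account changes.
ACCOUNT_EVENTS = {"4720": "account created", "4722": "account enabled",
                  "4724": "password reset attempted", "4738": "account changed"}
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-locale export
SRC = "Microsoft-Windows-Security-Auditing"

# Constructed sample export; the column order is an assumption about the CSV.
SAMPLE_CSV = f'''Keywords,Date and Time,Source,Event ID,Task Category
Audit Success,5/3/2010 9:15:02 AM,{SRC},4624,Logon,"An account was successfully logged on. Account Name: Raj"
Audit Success,8/22/2010 10:30:11 AM,{SRC},4724,User Account Management,"An attempt was made to reset an account's password. Target Account Name: tsinternetus6r"
'''


def account_timeline(csv_text, username):
    """Return (oldest record time, sorted hits) for events naming username."""
    rows = list(csv.reader(io.StringIO(csv_text)))[1:]  # skip the header row
    oldest, hits = None, []
    for row in rows:
        if len(row) < 5:
            continue  # blank or malformed line
        when = datetime.strptime(row[1], DATE_FORMAT)
        oldest = when if oldest is None or when < oldest else oldest
        message = " ".join(row[5:])  # the message text follows the fixed columns
        if username.lower() in message.lower():
            hits.append((when, row[3], ACCOUNT_EVENTS.get(row[3], "other event")))
    return oldest, sorted(hits)


def report(csv_text, username):
    """Timeline lines, plus a note when the creation event is not in the log."""
    oldest, hits = account_timeline(csv_text, username)
    lines = [f"{when:%Y-%m-%d %H:%M:%S}  {eid}  {label}" for when, eid, label in hits]
    if not any(eid == "4720" for _, eid, _ in hits):
        since = oldest.strftime("%Y-%m-%d") if oldest else "an empty log"
        lines.append(f"no creation event; log starts at {since}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV, "tsinternetus6r")))
```

A missing 4720 record only means the account predates the oldest retained record or that the log was cleared, so the start date of the log matters as much as the hits.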
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33496437
I verified the Windows log. But it has logs starting from May of this year. This account was created before that.
I have deleted that account.

Thanks for your time and support, Bryon
Raj
0
 
LVL 23

Author Closing Comment

by:Rajkumar Gs
ID: 33496453
I read your profile - excellent man!

My wishes.
Raj
0
 
LVL 24

Expert Comment

by:B H
ID: 33497015
well thanks :)   you were one question away from me getting 1,000,000 points too - the next accepted answer is it :)

odd that your hacker account was there for so long though - it wouldn't be a bad idea to check up on things every month or so just in case

but it looks like there was no unauthorized access this time, so all is well
0
