Solved

Strange windows user account 'tsinternetus6r' in Windows Vista !?

Posted on 2010-08-22
Last Modified: 2013-12-04
It seems that a new user account named 'tsinternetus6r' was created automatically on my Windows Vista laptop!
When I checked User Accounts, it has 'Administrator' privileges and is also password protected.
Note the user name's last word 'us6r' - looks like 'user' !! (e ~ 6)
 tsinternetus6r

I tried googling...
http://www.google.co.in/search?hl=en&q=tsinternetus6r&aq=f&aqi=&aql=&oq=&gs_rfai=

I really wonder how this account was created. Only my brother was sharing this laptop. He has not done this either.

Any idea, or has anyone faced a similar issue?

Any help would be highly appreciated
Raj
Question by:Rajkumar Gs
9 Comments
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495896
yeah it really looks like a virus created it...

i'd delete it, check your firewall, and run a full scan with malwarebytes... also change ALL the passwords for all the users in your vista, including administrator.

i'm thinking someone remotely connected by remote desktop, and created that.  or, a script was run that created it and then told the chinese what your ip address is
0
 
LVL 24

Assisted Solution

by:B H
B H earned 500 total points
ID: 33495913
curious, the "default" password for that account/infection appears to be:  adminok7758521
wonder if that works - try to log in as it and see what it's been doing!

or just delete it.

some chinese sites are saying it was made by someone logging in with the SA sql user and creating it... others say it comes from a "remote desktop diagnostic" tool that is actually the virus.
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495957
Thanks great Byron for your immediate response (shocking response).

Just to test whether I can delete its password, I already deleted its password before posting this question. So I can't test login with the password you specified. :(

I was using 'Bitdefender Internet Security' last year (3 year license genuine version).
Now I am using 'Kaspersky Internet Security 2010'. Both seem to have good firewall protection.

Remote Assistance was enabled in my system. I just disabled that option.
When I checked for that user's documents (normally that should be with the same username), it is not found.

I am really shocked to realize that some hacking attempt happened to my computer. I mostly take utmost care to use good security software in my system.

Raj
0
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495964
I think it is better not to log in to that account. Delete it?

Raj
0

 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33495975
Another dangerous thing is that there was no password for Administrator for some months.
Raj
0
 
LVL 24

Accepted Solution

by:B H
B H earned 500 total points
ID: 33496281
yeah you can delete the account - by it not having a "users" folder means it was never logged on to.

it seems like someone on your computer ran a program, which created the user and the program would have secretly emailed some hacker the ip address, username and password.  since your firewall doesn't apparently allow remote desktop, the account couldn't be logged into

i have seen similar incidents where a foreign username was actively logged onto a remote desktop session, running a denial of service attack against some website.  they logged in, ran the program and disconnected - the program continued to run.

it appears that it was set up to do something like that, but they couldn't actually log into your machine

one thing you could do is take your "security" log (start > run > eventvwr > windows logs  > security) and export them to a CSV file (text)

then do a search for all instances of the username, you'll probably be able to see when it got created... then it's up to you to find out what was going on in the computer at that time... was some local user browsing weird websites, or installing some game or something?
0
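The log search described in the answer above, as an added example that is not part of the original thread: it scans an exported Security log CSV for every row naming the account and labels the account-management and logon events (Windows Vista and later event IDs). The column names "Date and Time" and "Event ID", the unnamed trailing message column, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Security log event IDs used by Windows Vista and later.
EVENTS_OF_INTEREST = {
    "4720": "user account created",
    "4722": "user account enabled",
    "4724": "password reset attempted",
    "4726": "user account deleted",
    "4624": "successful logon",
    "4625": "failed logon",
}

# Constructed sample of an Event Viewer CSV export (not real log data).
# For a real export: open(path, newline="", encoding="utf-8-sig").read()
SAMPLE_CSV = """Keywords,Date and Time,Source,Event ID,Task Category
Audit Success,1/15/2010 9:14:02 PM,Microsoft-Windows-Security-Auditing,4720,User Account Management,"A user account was created.
New Account:
  Account Name: tsinternetus6r"
Audit Success,1/15/2010 9:14:03 PM,Microsoft-Windows-Security-Auditing,4724,User Account Management,"An attempt was made to reset an account's password. Target Account: tsinternetus6r"
Audit Success,1/16/2010 8:00:11 AM,Microsoft-Windows-Security-Auditing,4624,Logon,"An account was successfully logged on. Account Name: Raj"
Audit Failure,1/18/2010 3:41:56 AM,Microsoft-Windows-Security-Auditing,4625,Logon,"An account failed to log on. Account Name: TSINTERNETUS6R"
"""

def account_timeline(csv_text, username):
    """Return (time, event_id, meaning) for each row mentioning username."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    id_col = header.index("Event ID")
    time_col = header.index("Date and Time")
    needle = username.lower()
    hits = []
    for row in rows:
        if len(row) <= max(id_col, time_col):
            continue  # skip truncated or blank rows
        # The message sits in an unnamed trailing column, so search the
        # whole row; Windows account names are case-insensitive.
        if needle not in " ".join(row).lower():
            continue
        event_id = row[id_col].strip()
        hits.append((row[time_col], event_id,
                     EVENTS_OF_INTEREST.get(event_id, "other")))
    return hits

def was_ever_logged_on(timeline):
    """True if any matching row records a successful logon (4624)."""
    return any(event_id == "4624" for _, event_id, _ in timeline)

if __name__ == "__main__":
    for entry in account_timeline(SAMPLE_CSV, "tsinternetus6r"):
        print(entry)
```

If the 4720 row is missing, the log has rolled over since the account was created, and the absence of 4624 rows then only covers the period the log still holds.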
 
LVL 23

Author Comment

by:Rajkumar Gs
ID: 33496437
I verified the Windows log. But it has logs starting from May of this year. This account was created before that.
I have deleted that account.

Thanks for your time and support, Bryon
Raj
0
 
LVL 23

Author Closing Comment

by:Rajkumar Gs
ID: 33496453
I read your profile - excellent man!

My wishes.
Raj
0
 
LVL 24

Expert Comment

by:B H
ID: 33497015
well thanks :)   you were one question away from me getting 1,000,000 points too - the next accepted answer is it :)

odd that your hacker account was there for so long though - it wouldn't be a bad idea to check up on things every month or so just in case

but it looks like there was no unauthorized access this time, so all is well
0
