
Why at random login in Windows 8 my 'home-path' changes

Posted on 2016-09-20
Last Modified: 2016-09-30
We had a Windows 8 computer infected with malicious data.  We ran Comodo Antivirus, Spybot S&D, malware, etc. and cleaned it up.

At bootup, the %homepath% changed to temp.username.001 and randomly next boot up to .002 and so on.  Yet the username at top is the same exact as when first purchased.  It's like the path is always created and the user has to go to the original user\user-name to access the files.

What's going on?
0
Question by:rayluvs
14 Comments
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 668 total points
ID: 41807751
Sounds like your malware scan was incomplete.  Sounds about right for Comodo and spybot.  Run these programs in this order:

1.  TFC TempFileCleaner by OldTimers
2.  MBAR Malwarebytes AntiRootkit
3.  MBAM Malwarebytes Anti-Malware
4.  HitmanPro
5.  JRT Junkware Removal Tool (recently purchased by Malwarebytes)
6.  AdwCleaner

If that still doesn't do it, run ComboFix.  If ComboFix can't do it, then you need a factory reset/fresh operating system install.

All of them are free to download and I have personally tested this process over 200 times to great effect.
0
 

Author Comment

by:rayluvs
ID: 41807766
What do you mean by "Sounds about right for Comodo and spybot."?
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 668 total points
ID: 41807886
The user profile is hosed. Back up the user's data, remove and then re-add the user and restore their data.
0

 

Author Comment

by:rayluvs
ID: 41807949
What is "hosed"?
0
 
LVL 93

Assisted Solution

by:nobus
nobus earned 664 total points
ID: 41808133
I would back up and do a fresh install in such a case.
0
 

Author Comment

by:rayluvs
ID: 41812270
We are currently running the recommended apps for cleanup.  However, our question still is:

  • Why after the initial cleanup with the apps (with apps comodo antivirus, spybot S&D, malware, etc.) it changed the %homepath% to temp.username.001 and an actual folder is created as temp.username.001? (where the 'username' is replaced by an actual user name of the user, example 'temp.SusanSmith.001')
  • Then at random PC restart %homepath% is changed to temp.username.002 and a folder is created with same name
  • Again, in another restart, change the %homepath% to temp.username.003 and so on?
  • Yet the username at top of the user screen is the same exact as when first purchased, for example it says at top 'SusanSmith'.

When this happens and the user logs in, he thinks that all his pix, videos, documentation have been deleted when they have not, because when we go into the original username folder (c:\users\SusanSmith), all his data is there.

At this point the user has the following folders created under c:\users folder

c:\users\SusanSmith
c:\users\temp.SusanSmith.001
c:\users\temp.SusanSmith.002
c:\users\temp.SusanSmith.003

Can somebody explain this?

Thanx in advance.
0
 

Assisted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41814072
we think we found something related...

0
 
LVL 93

Expert Comment

by:nobus
ID: 41814375
That seems a likely cause at last.
0
 

Author Comment

by:rayluvs
ID: 41814609
We ran the recommendations in ID: 41807751 to no avail.
0
 
LVL 93

Expert Comment

by:nobus
ID: 41814641
That can be, but it does not hurt IMO.
0
 

Accepted Solution

by:
rayluvs earned 0 total points
ID: 41815101
We had assistance from another EE in another related question and found the solution:

EE suggested to copy from original user to new user, create user, etc.  When proceeding with your comment, the end-user informed us that prior to our intervention, that is what they did (the copy part).  When they logged in they noticed the '001', etc. folders.  So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% as their current folder.

That said, now we know exactly why their personal data was missing: it was deleted by Windows as soon as they logged off from their temp user account (as we stated in our finding in 'ID: 41814072').  And also why the "00x" usernames in c:\users and different values in %homepath%.  Unfortunately, they never paid attention to the message since it displays quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the EEs here stated, could be corruption, infection, Windows system files damage, etc.

Solution:
To try to solve this problem we found a series of tedious steps that comprehend of working with registry, etc.  However, we found a great tool that really helps: ReProfiler (http://iwrconsultancy.co.uk/download).  The tool re-associates the profile to the account.  You first download & install, make sure the bad username is not logged in, then set the assign: Done!
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41815113
hosed = corrupt
Log in as an administrator.
From regedit go to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Go through the SIDs (the S-1-5-21's).
Locate the profile image path of interest and rename the GUID to GUID.old.
In c:\users rename the profiles that are corrupted, or back up all of them.
You will have to determine which ones have files in them.
Regedit, i.e. rename S-1-5-21-262614696-1447481594-2233547090-1055 to S-1-5-21-262614696-1447481594-2233547090-1055.old
Log off and then log in as the user, copy the user's data (documents/pictures/video/music) from the backup to the user folder.
0
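A read-only way to do the "locate the profile image path of interest" step from the answer above, added here as an example and not part of the original thread: it lists every S-1-5-21 key under ProfileList with its account and ProfileImagePath, and then the leftover temp.* folders under C:\Users. The function names are hypothetical, and the `temp.` folder pattern is taken from the folder names reported in this thread.

```powershell
# Read-only diagnostic: nothing here writes to the registry or the disk.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$usersRoot   = 'C:\Users'   # profile root used in this thread

function Get-ProfileRegistration {   # hypothetical helper name
    Get-ChildItem -Path $profileList | ForEach-Object {
        # Split "S-1-5-21-...-1055.old" into the SID and any suffix (.old, .bak, ...)
        if ($_.PSChildName -notmatch '^(S-1-5-21(?:-\d+)+)(.*)$') { return }
        $sid = $Matches[1]; $suffix = $Matches[2]

        # Resolve the SID to an account name so the right key can be picked out
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $account = '(unresolved)' }

        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }

        $flags = @()
        if ($suffix) { $flags += "key renamed ($suffix)" }
        if (-not $path) { $flags += 'no ProfileImagePath' }
        else {
            if ((Split-Path -Path $path -Leaf) -match '^temp(\.|$)') { $flags += 'temp folder' }
            if (-not (Test-Path -LiteralPath $path)) { $flags += 'folder missing' }
        }

        [pscustomobject]@{
            Key              = $_.PSChildName
            Account          = $account
            ProfileImagePath = $path
            Flags            = $flags -join '; '
        }
    }
}

function Get-TempProfileFolder {     # hypothetical helper name
    $registered = @(Get-ProfileRegistration | ForEach-Object { $_.ProfileImagePath })
    Get-ChildItem -LiteralPath $usersRoot -Directory |
        Where-Object { $_.Name -match '^temp(\.|$)' } |
        ForEach-Object {
            [pscustomobject]@{
                Folder        = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Registered    = $registered -contains $_.FullName
            }
        }
}

Get-ProfileRegistration | Format-Table -AutoSize -Wrap
Get-TempProfileFolder   | Format-Table -AutoSize
```

Rows with a non-empty Flags column are the ones to compare against the folders in c:\users before renaming any key or folder.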
 

Author Comment

by:rayluvs
ID: 41815807
Thanx for the info.  That is what we meant in "we found a series of tedious steps that comprehend of working with registry, etc." in ID: 41815101.
0
 

Author Closing Comment

by:rayluvs
ID: 41823167
viable solution to our situation.
0
