Why at random login in Windows 8 my 'home-path' changes

jana
jana used Ask the Experts™
on
We had a computer Windows 8 infected with malicious data.  We ran comodo antivirus, spybot S&D, malware, etc. and cleaned it up.

At bootup, the %homepath% changed to temp.username.001 and randomly next boot up to .002 and so on.  Yet the username at top is the same exact as when first purchased.  It's like the path is always created and the user has to go to the original user\user-name to access the files.

whats going on?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Sounds like your malware scan was incomplete.  Sounds about right for Comodo and spybot.  Run these programs in this order:

1.  TFC TempFileCleaner by OldTimers
2.  MBAR Malwarebytes AntiRootkit
3.  MBAM MAlwarebytes antimalware
4.  HitmanPro
5.  JRT Junkware REmoval Tool (recently purchased by malwarebytes)
6.  AdwCleaner

If that still doesn't do it, run ComboFix.  If ComboFix can't do it, then you need a factory reset/fresh operating system install.

All of them are free to download and I have personally tested this process over 200 times to great effect.

Author

Commented:
what do you mean by " Sounds about right for Comodo and spybot."?
Top Expert 2016
Commented:
the user profile is hosed. backup the user's data, remove and then re-add the user and restore their data.
Acronis in Gartner 2019 MQ for datacenter backup

It is an honor to be featured in Gartner 2019 Magic Quadrant for Datacenter Backup and Recovery Solutions. Gartner’s MQ sets a high standard and earning a place on their grid is a great affirmation that Acronis is delivering on our mission to protect all data, apps, and systems.

Author

Commented:
What is "hosed"?
Top Expert 2013
Commented:
i would backup and do a fresh install in such a case

Author

Commented:
We are currently running the recommended apps for cleanup.  However, our question still is:

  • Why after the initial cleanup with the apps (with apps comodo antivirus, spybot S&D, malware, etc.) it changed the %homepath% to temp.username.001 and an actual folder is created as temp.username.001? (where the 'username' is replaced by an actual user name of the user, example 'temp.SusanSmith.001')
  • Then at random PC restart %homepath% is changed to temp.username.002 and a folder is created with same name
  • Again, in another restart, change the %homepath% to temp.username.003 and so on?
  • Yet the username at top of the user screen is the same exact as when first purchased, for example it says at top 'SusanSmith'.

When the this happens and the user logged in, he thinks that all his pix, videos, documentation has been deleted when it's not because when we go into the original username folder (c:\users\SusanSmith), all his data is there.

At this point the user has the following folders created under c:\users folder

c:\users\SusanSmith
c:\users\temp.SusanSmith.001
c:\users\temp.SusanSmith.002
c:\users\temp.SusanSmith.003

Can somebody explain this?

Thanx in advance.
Commented:
we think we found something related...

e1
u1
Top Expert 2013

Commented:
that seems a likely cause at last

Author

Commented:
We ran then recommendations in ID: 41807751 to no avail.
Top Expert 2013

Commented:
that can be - but it does not hurt imo
Commented:
We had an assistance from another EE in another related question and found the solution:

EE suggested to copy from original user to new user, create user, etc.  When proceeding with your comment, the end-user informed us that prior our intervention, that is what they did (the copy part).  When they logged in they notice the '001', etc. folders.  So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% as their current folder.
     
That said, now we know exactly why their personal data were missing: it was deleted by window as soon as they logged off from their temp user account (as we stated  in our fining in 'ID: 41814072').  And also why the "00x" usernames in c:\users and differnte vallues in  %homepath%.  Unfortunately, they never paid attention to the message since it display quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the Ees here stated, could be corruption, infection, windows system files damage, etc.

Solution:
To try solve this problem we found a series of tedious steps that comprehend of working with registry, etc.  However, we found a great tool really help: ReProfiler (http://iwrconsultancy.co.uk/download).  The tool re-associate the profile to the account.  You first download & install, make sure the bad username is not logged, then set the assign: Done!
Top Expert 2016

Commented:
hosed = corrupt
login as an administrator
from regedit go to
HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ProfileList              
go through the SID's S-1-5-21's
locate the profile image path of interest and rename the GUID to GUID.old
in c:\users rename the profiles that are corrupted. or backup all of them
You will have to determine which ones have files in them.
Regedit i.e. rename S-1-5-21-262614696-1447481594-2233547090-1055 to S-1-5-21-262614696-1447481594-2233547090-1055.old
logoff and then login as the user, copy the users data (documents/pictures/video/music) from the backup to the user folder

Author

Commented:
Thanx for the info.  That is what we meant in "we found a series of tedious steps that comprehend of working with registry, etc." in D: 41815101.

Author

Commented:
viable solution to our situation.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial