Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 70
  • Last Modified:

Why at random login in Windows 8 my 'home-path' changes

We had a computer Windows 8 infected with malicious data.  We ran comodo antivirus, spybot S&D, malware, etc. and cleaned it up.

At bootup, the %homepath% changed to temp.username.001 and randomly next boot up to .002 and so on.  Yet the username at top is the same exact as when first purchased.  It's like the path is always created and the user has to go to the original user\user-name to access the files.

whats going on?
0
rayluvs
Asked:
rayluvs
  • 8
  • 3
  • 2
  • +1
5 Solutions
 
Daniel ChecksumCommented:
Sounds like your malware scan was incomplete.  Sounds about right for Comodo and spybot.  Run these programs in this order:

1.  TFC TempFileCleaner by OldTimers
2.  MBAR Malwarebytes AntiRootkit
3.  MBAM MAlwarebytes antimalware
4.  HitmanPro
5.  JRT Junkware REmoval Tool (recently purchased by malwarebytes)
6.  AdwCleaner

If that still doesn't do it, run ComboFix.  If ComboFix can't do it, then you need a factory reset/fresh operating system install.

All of them are free to download and I have personally tested this process over 200 times to great effect.
0
 
rayluvsAuthor Commented:
what do you mean by " Sounds about right for Comodo and spybot."?
0
 
David Johnson, CD, MVPOwnerCommented:
the user profile is hosed. backup the user's data, remove and then re-add the user and restore their data.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
rayluvsAuthor Commented:
What is "hosed"?
0
 
nobusCommented:
i would backup and do a fresh install in such a case
0
 
rayluvsAuthor Commented:
We are currently running the recommended apps for cleanup.  However, our question still is:

  • Why after the initial cleanup with the apps (with apps comodo antivirus, spybot S&D, malware, etc.) it changed the %homepath% to temp.username.001 and an actual folder is created as temp.username.001? (where the 'username' is replaced by an actual user name of the user, example 'temp.SusanSmith.001')
  • Then at random PC restart %homepath% is changed to temp.username.002 and a folder is created with same name
  • Again, in another restart, change the %homepath% to temp.username.003 and so on?
  • Yet the username at top of the user screen is the same exact as when first purchased, for example it says at top 'SusanSmith'.

When the this happens and the user logged in, he thinks that all his pix, videos, documentation has been deleted when it's not because when we go into the original username folder (c:\users\SusanSmith), all his data is there.

At this point the user has the following folders created under c:\users folder

c:\users\SusanSmith
c:\users\temp.SusanSmith.001
c:\users\temp.SusanSmith.002
c:\users\temp.SusanSmith.003

Can somebody explain this?

Thanx in advance.
0
 
rayluvsAuthor Commented:
we think we found something related...

e1
u1
0
 
nobusCommented:
that seems a likely cause at last
0
 
rayluvsAuthor Commented:
We ran then recommendations in ID: 41807751 to no avail.
0
 
nobusCommented:
that can be - but it does not hurt imo
0
 
rayluvsAuthor Commented:
We had an assistance from another EE in another related question and found the solution:

EE suggested to copy from original user to new user, create user, etc.  When proceeding with your comment, the end-user informed us that prior our intervention, that is what they did (the copy part).  When they logged in they notice the '001', etc. folders.  So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% as their current folder.
     
That said, now we know exactly why their personal data were missing: it was deleted by window as soon as they logged off from their temp user account (as we stated  in our fining in 'ID: 41814072').  And also why the "00x" usernames in c:\users and differnte vallues in  %homepath%.  Unfortunately, they never paid attention to the message since it display quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the Ees here stated, could be corruption, infection, windows system files damage, etc.

Solution:
To try solve this problem we found a series of tedious steps that comprehend of working with registry, etc.  However, we found a great tool really help: ReProfiler (http://iwrconsultancy.co.uk/download).  The tool re-associate the profile to the account.  You first download & install, make sure the bad username is not logged, then set the assign: Done!
0
 
David Johnson, CD, MVPOwnerCommented:
hosed = corrupt
login as an administrator
from regedit go to
HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ProfileList              
go through the SID's S-1-5-21's
locate the profile image path of interest and rename the GUID to GUID.old
in c:\users rename the profiles that are corrupted. or backup all of them
You will have to determine which ones have files in them.
Regedit i.e. rename S-1-5-21-262614696-1447481594-2233547090-1055 to S-1-5-21-262614696-1447481594-2233547090-1055.old
logoff and then login as the user, copy the users data (documents/pictures/video/music) from the backup to the user folder
0
 
rayluvsAuthor Commented:
Thanx for the info.  That is what we meant in "we found a series of tedious steps that comprehend of working with registry, etc." in D: 41815101.
0
 
rayluvsAuthor Commented:
viable solution to our situation.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 8
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now