Solved

Why at random login in Windows 8 my 'home-path' changes

Posted on 2016-09-20
14
47 Views
Last Modified: 2016-09-30
We had a computer Windows 8 infected with malicious data.  We ran comodo antivirus, spybot S&D, malware, etc. and cleaned it up.

At bootup, the %homepath% changed to temp.username.001 and randomly next boot up to .002 and so on.  Yet the username at top is the same exact as when first purchased.  It's like the path is always created and the user has to go to the original user\user-name to access the files.

whats going on?
0
Comment
Question by:rayluvs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 3
  • 2
  • +1
14 Comments
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 167 total points
ID: 41807751
Sounds like your malware scan was incomplete.  Sounds about right for Comodo and spybot.  Run these programs in this order:

1.  TFC TempFileCleaner by OldTimers
2.  MBAR Malwarebytes AntiRootkit
3.  MBAM MAlwarebytes antimalware
4.  HitmanPro
5.  JRT Junkware REmoval Tool (recently purchased by malwarebytes)
6.  AdwCleaner

If that still doesn't do it, run ComboFix.  If ComboFix can't do it, then you need a factory reset/fresh operating system install.

All of them are free to download and I have personally tested this process over 200 times to great effect.
0
 

Author Comment

by:rayluvs
ID: 41807766
what do you mean by " Sounds about right for Comodo and spybot."?
0
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 41807886
the user profile is hosed. backup the user's data, remove and then re-add the user and restore their data.
0
IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

 

Author Comment

by:rayluvs
ID: 41807949
What is "hosed"?
0
 
LVL 92

Assisted Solution

by:nobus
nobus earned 166 total points
ID: 41808133
i would backup and do a fresh install in such a case
0
 

Author Comment

by:rayluvs
ID: 41812270
We are currently running the recommended apps for cleanup.  However, our question still is:

  • Why after the initial cleanup with the apps (with apps comodo antivirus, spybot S&D, malware, etc.) it changed the %homepath% to temp.username.001 and an actual folder is created as temp.username.001? (where the 'username' is replaced by an actual user name of the user, example 'temp.SusanSmith.001')
  • Then at random PC restart %homepath% is changed to temp.username.002 and a folder is created with same name
  • Again, in another restart, change the %homepath% to temp.username.003 and so on?
  • Yet the username at top of the user screen is the same exact as when first purchased, for example it says at top 'SusanSmith'.

When the this happens and the user logged in, he thinks that all his pix, videos, documentation has been deleted when it's not because when we go into the original username folder (c:\users\SusanSmith), all his data is there.

At this point the user has the following folders created under c:\users folder

c:\users\SusanSmith
c:\users\temp.SusanSmith.001
c:\users\temp.SusanSmith.002
c:\users\temp.SusanSmith.003

Can somebody explain this?

Thanx in advance.
0
 

Assisted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41814072
we think we found something related...

e1
u1
0
 
LVL 92

Expert Comment

by:nobus
ID: 41814375
that seems a likely cause at last
0
 

Author Comment

by:rayluvs
ID: 41814609
We ran then recommendations in ID: 41807751 to no avail.
0
 
LVL 92

Expert Comment

by:nobus
ID: 41814641
that can be - but it does not hurt imo
0
 

Accepted Solution

by:
rayluvs earned 0 total points
ID: 41815101
We had an assistance from another EE in another related question and found the solution:

EE suggested to copy from original user to new user, create user, etc.  When proceeding with your comment, the end-user informed us that prior our intervention, that is what they did (the copy part).  When they logged in they notice the '001', etc. folders.  So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% as their current folder.
     
That said, now we know exactly why their personal data were missing: it was deleted by window as soon as they logged off from their temp user account (as we stated  in our fining in 'ID: 41814072').  And also why the "00x" usernames in c:\users and differnte vallues in  %homepath%.  Unfortunately, they never paid attention to the message since it display quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the Ees here stated, could be corruption, infection, windows system files damage, etc.

Solution:
To try solve this problem we found a series of tedious steps that comprehend of working with registry, etc.  However, we found a great tool really help: ReProfiler (http://iwrconsultancy.co.uk/download).  The tool re-associate the profile to the account.  You first download & install, make sure the bad username is not logged, then set the assign: Done!
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41815113
hosed = corrupt
login as an administrator
from regedit go to
HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ProfileList              
go through the SID's S-1-5-21's
locate the profile image path of interest and rename the GUID to GUID.old
in c:\users rename the profiles that are corrupted. or backup all of them
You will have to determine which ones have files in them.
Regedit i.e. rename S-1-5-21-262614696-1447481594-2233547090-1055 to S-1-5-21-262614696-1447481594-2233547090-1055.old
logoff and then login as the user, copy the users data (documents/pictures/video/music) from the backup to the user folder
0
 

Author Comment

by:rayluvs
ID: 41815807
Thanx for the info.  That is what we meant in "we found a series of tedious steps that comprehend of working with registry, etc." in D: 41815101.
0
 

Author Closing Comment

by:rayluvs
ID: 41823167
viable solution to our situation.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question