Solved

Why at random login in Windows 8 my 'home-path' changes

Posted on 2016-09-20
14
23 Views
Last Modified: 2016-09-30
We had a computer Windows 8 infected with malicious data.  We ran comodo antivirus, spybot S&D, malware, etc. and cleaned it up.

At bootup, the %homepath% changed to temp.username.001 and randomly next boot up to .002 and so on.  Yet the username at top is the same exact as when first purchased.  It's like the path is always created and the user has to go to the original user\user-name to access the files.

whats going on?
0
Comment
Question by:rayluvs
  • 8
  • 3
  • 2
  • +1
14 Comments
 
LVL 1

Assisted Solution

by:Daniel Checksum
Daniel Checksum earned 167 total points
ID: 41807751
Sounds like your malware scan was incomplete.  Sounds about right for Comodo and spybot.  Run these programs in this order:

1.  TFC TempFileCleaner by OldTimers
2.  MBAR Malwarebytes AntiRootkit
3.  MBAM MAlwarebytes antimalware
4.  HitmanPro
5.  JRT Junkware REmoval Tool (recently purchased by malwarebytes)
6.  AdwCleaner

If that still doesn't do it, run ComboFix.  If ComboFix can't do it, then you need a factory reset/fresh operating system install.

All of them are free to download and I have personally tested this process over 200 times to great effect.
0
 

Author Comment

by:rayluvs
ID: 41807766
what do you mean by " Sounds about right for Comodo and spybot."?
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 41807886
the user profile is hosed. backup the user's data, remove and then re-add the user and restore their data.
0
 

Author Comment

by:rayluvs
ID: 41807949
What is "hosed"?
0
 
LVL 91

Assisted Solution

by:nobus
nobus earned 166 total points
ID: 41808133
i would backup and do a fresh install in such a case
0
 

Author Comment

by:rayluvs
ID: 41812270
We are currently running the recommended apps for cleanup.  However, our question still is:

  • Why after the initial cleanup with the apps (with apps comodo antivirus, spybot S&D, malware, etc.) it changed the %homepath% to temp.username.001 and an actual folder is created as temp.username.001? (where the 'username' is replaced by an actual user name of the user, example 'temp.SusanSmith.001')
  • Then at random PC restart %homepath% is changed to temp.username.002 and a folder is created with same name
  • Again, in another restart, change the %homepath% to temp.username.003 and so on?
  • Yet the username at top of the user screen is the same exact as when first purchased, for example it says at top 'SusanSmith'.

When the this happens and the user logged in, he thinks that all his pix, videos, documentation has been deleted when it's not because when we go into the original username folder (c:\users\SusanSmith), all his data is there.

At this point the user has the following folders created under c:\users folder

c:\users\SusanSmith
c:\users\temp.SusanSmith.001
c:\users\temp.SusanSmith.002
c:\users\temp.SusanSmith.003

Can somebody explain this?

Thanx in advance.
0
 

Assisted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41814072
we think we found something related...

e1
u1
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 91

Expert Comment

by:nobus
ID: 41814375
that seems a likely cause at last
0
 

Author Comment

by:rayluvs
ID: 41814609
We ran then recommendations in ID: 41807751 to no avail.
0
 
LVL 91

Expert Comment

by:nobus
ID: 41814641
that can be - but it does not hurt imo
0
 

Accepted Solution

by:
rayluvs earned 0 total points
ID: 41815101
We had an assistance from another EE in another related question and found the solution:

EE suggested to copy from original user to new user, create user, etc.  When proceeding with your comment, the end-user informed us that prior our intervention, that is what they did (the copy part).  When they logged in they notice the '001', etc. folders.  So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% as their current folder.
     
That said, now we know exactly why their personal data were missing: it was deleted by window as soon as they logged off from their temp user account (as we stated  in our fining in 'ID: 41814072').  And also why the "00x" usernames in c:\users and differnte vallues in  %homepath%.  Unfortunately, they never paid attention to the message since it display quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the Ees here stated, could be corruption, infection, windows system files damage, etc.

Solution:
To try solve this problem we found a series of tedious steps that comprehend of working with registry, etc.  However, we found a great tool really help: ReProfiler (http://iwrconsultancy.co.uk/download).  The tool re-associate the profile to the account.  You first download & install, make sure the bad username is not logged, then set the assign: Done!
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41815113
hosed = corrupt
login as an administrator
from regedit go to
HKLM\SOFTWARE\Microsoft\Windows NT\ CurrentVersion\ProfileList              
go through the SID's S-1-5-21's
locate the profile image path of interest and rename the GUID to GUID.old
in c:\users rename the profiles that are corrupted. or backup all of them
You will have to determine which ones have files in them.
Regedit i.e. rename S-1-5-21-262614696-1447481594-2233547090-1055 to S-1-5-21-262614696-1447481594-2233547090-1055.old
logoff and then login as the user, copy the users data (documents/pictures/video/music) from the backup to the user folder
0
 

Author Comment

by:rayluvs
ID: 41815807
Thanx for the info.  That is what we meant in "we found a series of tedious steps that comprehend of working with registry, etc." in D: 41815101.
0
 

Author Closing Comment

by:rayluvs
ID: 41823167
viable solution to our situation.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now