Could a virus create duplicate accounts in Windows XP? Said duplicate accounts have the same rights (admin...), the same name, but the folder name under C:\Documents and Settings\ is OriginalName-CJP[RandomLetters]. If so, what virus would do that?

Further behaviour description: All account files (from My Documents, Desktop, etc.) are in the -CJP folder, not the original user's folder, thus indicating that login effectively occurs in the CJP account, even if the account selected in the logon screen is the original name.

MPelletier
  • It may not be a virus, it could be a temporary profile created by XP because the original user profile is corrupt. Did you scan for viruses yet? – Moab Apr 11 '11 at 01:05
  • @Moab I have, found one Trojan, but removal wasn't 100% successful. I was just wondering if that in itself could be a virus. My main symptom is somewhat unrelated, will post in another question. – MPelletier Apr 11 '11 at 01:28
  • When in doubt, back up important data and do a clean install of the OS. – Moab Apr 11 '11 at 01:32
  • @Moab Definitely working that angle. Thanks :) – MPelletier Apr 11 '11 at 01:33
  • Which trojan? It might be related to the issue, since there appears to be a trojan of that name according to Google. – Journeyman Geek Apr 11 '11 at 03:28
  • Turns out there was (also?) a malware called Sera (http://forums.spybot.info/showthread.php?t=37685) on the computer. – MPelletier Sep 03 '11 at 20:44
  • @Moab Any further information on what this might be? I have a similar situation, except that I also always have 0 HD space left. – avi Jan 17 '12 at 08:01
  • @avi sounds like a virus, back up personal files and do a clean re-install of the OS. – Moab Jan 17 '12 at 14:59

1 Answer

The "RandomLetters" are probably a temporary computer name under which the accounts were created (and using the other accounts of the same name as templates). I'm guessing that either a virus or spyware was attempting to set up a backdoor, or an update ran amok and this extraneous account creation was an unintended side-effect.

When an account, say "Administrator" for this example, already exists on a computer, and then you log in to a network account by the same name, a local account called "Administrator.NETWORK_NAME" gets created to avoid a conflict with the local account that doesn't have that trailing computer name.

I've also noticed that accounts are sometimes created with this network or computer name added after an account of the same name was previously deleted but the data files remained. Obviously this is caused by Windows re-creating the account in a manner that doesn't conflict with another account of the same name (especially since some files in the user's "Documents and Settings" profile directories can't be deleted).

Randolf Richardson