Hi guys,

I've searched my @ss off for a solution but not even google has something on this. (two or three useless pages)

One of our customers rebooted their machine and all of a sudden their usernames at the logon screen is gone, and instead there is three new ones named, HDSADMIN, HDSUSER and SMSINSTALL. Now just to be clear, it was NOT a previously owned machine and they have absolutely nothing to do with some company called HDS or anything. Their system worked fine for years and now all of a sudden this popped up. Below is what i've done so far and this morning when it seemed fine, it happened again. At first we booted it fine, but after a reboot it happened again.

PS. None of the users data or folders were deleted in Documents and Settings

OS: Windows XP Proffessional

Done so far:
- Did a repair install of Windows which didn't fix anything. Same problem.
- Used a bootable cd with a password resetter and logged in as localadmin.
- Created new accounts, logged in them to create the Documents and settings folders, logged in as localadmin again and deleted the new accounts. Renamed the old existing accounts to the newly created ones (so windows will point to the old accounts). This worked fine. All files were under the correct username.
- Scanned with MBAM and SuperAntispyware malware removal programs, found no threats
- Took the HDD out and slaved it to a test station and scanned for malware again, no threats found.
- In the office i rebooted about 4times and everything was fine.
- This morning however, it booted up fine, but when the customer rebooted again, it erasedd the accounts again and gave them the HDSADMIN, HDSUSER, and SMSINSTALL accounts which were password protected again.

So i can crack the passwords and gtet in the system, but it creates these accounts out of nowhere and deletes the other ones, but the files and Documents still stay in Documents and Settings.

I know this is a long post but I'm really out of ideas. I hope someone has encountered this and can help me. I'm sure someone else has ran into this problem too. (they just didn't post it online)

Hope to hear from you guys soon. Seeing that google doesn't give much results, i assume it's a rare issue.

Windows Repairs does not fix anything to do with user ccounts... it merely replaces system files and part of the system hive [it rewrites the sys enries, leaves others intact]. And removes all your security updates; doesn't touch any other software, but is able to lose registry entries to some of it.
Anyway, i have nothing to offer except to suggest that you try a rootkit scan. GMER is good.
Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs including those in the system tray (bottom righthand corner ).
-dclick Gmer.exe to start it; uncheck Sections, IAT/EAT, use remaning default settings [ensure your system drive (C: ?) is the only drive checked] just click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-click on the Copy button - this will copy the results to the clipboard. Open Notepad and paste into it.
The result - if positive, please zip it and post as an attachment via Go Advanced.

SMS.. System Mgmnt Server?

hello gerbil and thanks for replying. sorry it's taking a while to scan. almost an hour now. i will post the zip file when it's done. i really would like to fix this because there is nothing found when i google the unknown user accounts in google. so this might help a few who don't know what to do.
i'll post back later when it's done. thanks again.

hey, here is the zip file. i was told to stop working on this and continue with other work. so i'm very sorry if i can't do anything now. i hope the log shows you something valuable. coz i still don't know what it is. thanks again for your help.

Grand

Symantec is your active antivirus; trend micro is your firewall.... you are not running it as an active antivirus service also, are you? If so, remove it.
What is this process? C:\WINDOWS\TEMP\FTA9DA.EXE

==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then...
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

hey gerbil,

i was told to stop working on this customer's computer because apparantly it is taking too much time and they don't like it. they shipped the computer back to the customer and they bought a new one. im sorry for not getting the hijackthis log. i would've wanted to see what the problem was but now i can't coz the computer is gone. sorry about this.
looks like i will neve know what the problem was. thanks for your reply though and willingness to help gerbil.

You shoulda told em i don't charge... :) I don't like executables running from TEMP folders except as bona fide installers.
No matter.. throwing a computer out is one good way to get rid of malware, if that is what it was. Just gotta work, an good.
Do you think we could start a new antivirus program based on that?
Microtossed work as a name?

Microtossed? yeah i think we should. We can patent it and we will make millions. hahahahahahahaha

But on a serious note, do you know of any program or virus or anything that could cause this? Google does not give any results for HDSADMIN, HDSUSER or SMSINSTALL. This computer was not a used one and they are not affiliated with someone else. I don't understand why the users' files would be in the Documents and Settings folder, all in tact, but the user accounts are deleted? Nobody at my work has seen anything like this. I would really have liked to solve this and post the solution here.
I scanned it with Superantispyware, Malwarebytes and AVG. All came up clean. Any ideas?

C:\WINDOWS\TEMP\FTA9DA.EXE
likely the cause ,and new maybe, that why google shows nothing on it .

hey caperjack, thanks for your reply. i don't understand logs that good, for now that is. is it a rootkit probably that changes the accounts like that or what is it? new virus? it wouldv'e been awesome to fix it and post the solution though. ugh

hey caperjack, thanks for your reply. i don't understand logs that good, for now that is. is it a rootkit probably that changes the accounts like that or what is it? new virus? it wouldv'e been awesome to fix it and post the solution though. ugh

yeah ,sounds like you work for a big box store that like to sell computer not fix them .lol
i did find a help forum on the topic ,that was dated 2005, creating the same user acct as yours

Grand... why don't you call those folk and suggest they delete that file. C:\WINDOWS\TEMP\FTA9DA.EXE
I can guess that it will not regenerate... if all it did was fool with user accounts in a non-destructive way there would be no point in equipping it so, and if sophisticated enough to have the files and keys to regenerate then MBAM and SAS should have found some of them. Or pointed them out.
Garn... take the kudos.
[an giss those logs...]

yeah ,sounds like you work for a big box store that like to sell computer not fix them .lol
i did find a help forum on the topic ,that was dated 2005, creating the same user acct as yours

caperjack...I found another forum where someone posted a similar problem, but they don't give any solutions. it sounds like the guy had the same issue, but they kept telling him that it's a second-hand computer. THIS ONE IS NOT. I also found a post with someone trying to install Marimba, and when it failed it generated the same user account. but still no solution.
i know it sounds like it but we actually do fix computers. (my job) lol. but the customer came back from vacation and they said if we can't get it fixed then they will buy a new one. so I kept playing with it until i was told to stop.coz they bought a new one. i would work on it till if ix it but time is money i guess. (not for me)

Grand... why don't you call those folk and suggest they delete that file. C:\WINDOWS\TEMP\FTA9DA.EXE
I can guess that it will not regenerate... if all it did was fool with user accounts in a non-destructive way there would be no point in equipping it so, and if sophisticated enough to have the files and keys to regenerate then MBAM and SAS should have found some of them. Or pointed them out.
Garn... take the kudos.
[an giss those logs...]

gerbil...another technician is going to take the old infected pc with the new one to the customer. their system is very messed up. some applications only work with certain versions of java and certain windows updates. it's a whole days work just to set it up. i don't know why but they work with alot of different applications. i will call him or email him and say he should try one more last time and delete that file. look at it first and try to delete it. boot up, reboot and see what happens. if he doesn't, i will ask him if they don't want the old one then he should bring it back so i can work on it in my spare time. i don't like to feel like a "failure" when a pc doesn't get fixed. hahahhaa

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.