BleepingComputer.com: Can malware change windows username in Vista?


Can malware change windows username in Vista?

#1 brujaja

  • New Member
  • Group: Members
  • Posts: 4
  • Joined: 18-September 08

Posted 08 November 2008 - 07:58 AM

Hello,

I work as a personal assistant for an older gentleman who has an HP tower he bought new from Best Buy; it's running Vista. My own pc is one I built myself; it runs XP and I am very well acquainted with that OS, but I have no experience with Vista at all. Here's the situation:

He tells me that as he was leaving the house the other day, he noticed a great deal of activity on his HD (via the HD light) but didn't stop to check it. Later that day, I showed up for work there and while downloading a small file for him (32 MB), I noticed our download rate was 3kb per second. That's just ridiculous. (He has broadband.)

In the course of investigating the problem, we discovered that the name on his administrative account had been changed from "(boss' name)" to "(boss' name)/rachel." He assures me that he bought the machine new with the OS pre-installed, and that the admin account did not use to be appended with "/rachel." I am aware that he should not be surfing with his admin account at all, but tell me please --- is it possible that some form of malware could actually change the name on the account?

There are certain odd elements to the situation which lead me to suspect a possible botnet infection; but surely no botherder would be dumb/sloppy enough to make an obvious change like that?

This whole thing is made much more difficult by the fact that everything in Vista has been moved around and there are innumerable seemingly pointless changes to the GUI -- for instance, it is very complicated just trying to make sense of the event viewer.

Also, there are so very many new services in Vista that it's hard for me to get a feel for what isn't right in the brief time I spend on his pc.

Would someone kindly advise me:
1. What are the most likely things to look for to confirm a botnet infection in Vista? and,
2. How do I go about removing permissions for /rachel without deleting the (boss' name) profile/account?

Thanks!

#2 groovicus

  • Hail Groovicus!
  • Group: Moderator
  • Posts: 9,522
  • Joined: 05-June 04
  • Gender: Male
  • Location: Centerville, SD

Posted 08 November 2008 - 08:35 AM

Quote

but surely no botherder would be dumb/sloppy enough to make an obvious change like that?

Why yes, they could very well be just that dumb and sloppy. Most people would not even notice.

Quote

What are the most likely things to look for to confirm a botnet infection in Vista? and,

The 3 kb download speed and renamed account are a pretty good indicator that the system has been compromised in some way.

Quote

How do I go about removing permissions for /rachel without deleting the (boss' name) profile/account?

The same as you would in XP.

Vista's event log viewer is much improved over previous incarnations. Perhaps this will help?
http://www.petri.co.il/vista-event-viewer.htm

I have not heard of any malware that renames accounts because as you said, that would just be stupid. The event viewer can be filtered to figure out when the account was renamed.

BlackViper's List of services would be a good place to start. Of course there is no way possible that a list can be all inclusive, but it will give you a starting point.

"Take the risk of thinking for yourself, much more happiness, truth, beauty, and wisdom will come to you that way" - Christopher Hitchens
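One way to do the Security-log filtering groovicus suggests, as an added example that is not part of this thread. It pulls the Windows "account renamed" (4781) and "account created" (4720) audit events and shows when each happened, the old and new names, and which account made the change; it assumes an elevated PowerShell prompt on the affected machine (PowerShell 2.0 syntax, which is what Vista can run) and that account-management auditing is on, which is the default.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# 4781 = "The name of an account was changed", 4720 = "A user account was created".
$ids    = 4781, 4720
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Each event's named fields live in its XML under EventData/Data.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4781) {
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Event     = 'Account renamed'
            OldName   = $data['OldTargetUserName']
            NewName   = $data['NewTargetUserName']
            ChangedBy = $data['SubjectUserName']   # account that performed the rename
        }
    } else {
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Event     = 'Account created'
            OldName   = ''
            NewName   = $data['TargetUserName']
            ChangedBy = $data['SubjectUserName']   # account that created it
        }
    }
}

# Oldest first, so the rename can be lined up with the "lots of disk activity" day.
$report | Sort-Object Time |
    Select-Object Time, Event, OldName, NewName, ChangedBy |
    Format-Table -AutoSize

# Separately, list the local accounts to see whether "rachel" exists as an
# account of its own or only appears inside the renamed admin account.
net user
```

If no rows come back, either the rename predates the log's retention or auditing was off, and the Event Viewer filter on the same IDs will likewise be empty.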

#3 brujaja

  • New Member
  • Group: Members
  • Posts: 4
  • Joined: 18-September 08

Posted 08 November 2008 - 07:38 PM

Thank you, groovicus! (cool name)

Looking over my post after I've had some sleep, I see that I have been guilty of poor wording. If the rachel account were entirely separate, I could do it; but because the owner/admin account has been changed to boss-slash-rachel, I am uncertain how to proceed. My first attempt to do so nearly eradicated his own personal documents. I'm afraid I don't know how to excise permissions for an appendage from a standing account.

But wait -- on another site's page concerning how to change permissions on/take ownership of a given file, I see reference to changing ownership to one's own name from that of "Trusted Installer." This suggests to me that when an OEM or resale agent installs bundled software onto a Vista machine prior to selling it, the OS may require that someone be listed as the software's owner. Since they don't know who's going to buy the pc, perhaps the installer simply uses their own name. Is it possible that this is the case? But if so, would that result in said installer having their own user profile? (Or their name being appended to the owner's?)

Thanks for the link to the services list, it's quite helpful. I appreciate your assistance.
