
Huweishen-MySql Login Account Added to Windows 7 !??


11 replies to this topic

#1 meeshu

meeshu


Posted 09 July 2017 - 10:25 PM

When booting up Windows 7 32bit SP1, I now have an extra Windows login account named "Huweishen-MySql" in addition to the existing "Mine" and "Administrator" accounts.

 

This "Huweishen-MySql" account just appeared yesterday after rebooting my computer. This is an unintentional and unwanted item!

 

Tried running several programs in an attempt to locate and remove this login, but they all failed.

 

Ran - SUPERAntispyware, AdwCleaner, and Junkware Removal Tool (JRT).

 

Suspected it might be some sort of malware, but anti-malware scans did not seem to detect this issue (FRST, and ComboFix).

 

How can this "Huweishen-MySql" login be removed from Windows 7 login, please?


Edited by hamluis, 11 July 2017 - 01:02 PM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 jwoods301

jwoods301


Posted 10 July 2017 - 12:41 AM

Huweishen is a legitimate company.

 

Have you downloaded and installed any software recently?



#3 meeshu

meeshu
  • Topic Starter


Posted 10 July 2017 - 03:43 AM

No programs have been installed since last week. And those installed programs had nothing to do with Huweishen.

 

This "Huweishen-MySql" account only appeared yesterday for whatever reason(s)!?

 

It is suspected malware may have had something to do with this, as there were some traces apparently left as late as yesterday, I think. I've never had an account added to Windows before out of "nowhere".

 

Regardless, this account has now been removed via Control Panel (Control Panel\User Accounts and Family Safety\User Accounts\Manage Accounts), and the account folder deleted from C:\Users, where the other two accounts are (Mine and Administrator).



#4 jwoods301

jwoods301


Posted 10 July 2017 - 02:09 PM

Do the following malware checks and post the logs...

Download and run AdwCleaner -

https://www.bleepingcomputer.com/download/adwcleaner/

Download and run Malwarebytes Anti-Malware -

https://www.malwarebytes.org/antimalware/

Download and run the portable version of Zemana Anti-Malware

https://www.zemana.com/en-US/Download

Download and run Junkware Removal Tool -

https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.
 



#5 meeshu

meeshu
  • Topic Starter


Posted 10 July 2017 - 08:02 PM

As mentioned in my initial post, I've already run AdwCleaner and Junkware Removal Tool, and SAS (SUPERAntispyware) was run as well.

Zemana was just run moments ago with no issues.

 

Unfortunately MBAM (MalwareBytes Anti-Malware) will not run anymore. It ran a scan over a week ago, but will no longer run now (for whatever reason(s))!? Tried uninstalling, reinstalling and installing a later version but continue to get the error messages "Unable to start" and "Unable to connect the service"!?

 

Anyway, there has been no detection of 'malware' (so far).



#6 hamluis

hamluis

    Moderator



Posted 11 July 2017 - 01:10 PM

https://translate.googleusercontent.com/translate_c?depth=1&hl=en&prev=search&rurl=translate.google.com&sl=zh-CN&sp=nmt4&u=https://www.huweishen.com/soft/php/&usg=ALkJrhitu1uQ_X2ioX3IKOJRvkf-0nO9Mg

 

Louis



#7 meeshu

meeshu
  • Topic Starter


Posted 11 July 2017 - 09:10 PM

Thanks for the link.

 

I've never visited this site before. And it is still unknown how and why the Huweishen-MySql account was added to my Windows 7 login!??



#8 jwoods301

jwoods301


Posted 11 July 2017 - 09:33 PM

You may have a hole somewhere in your security.

 

Start with your router and ports...

 

Router security checklist -

http://routersecurity.org/checklist.php


Test for open ports -

Shields UP! -

https://grc.com/x/ne.dll?bh0bkyd2

SG Security Scan -

http://www.speedguide.net/scan.php
 



#9 hamluis

hamluis

    Moderator



Posted 12 July 2017 - 10:31 AM

Is MySQL installed on your system?

 

Any version of SQL?

 

Louis



#10 meeshu

meeshu
  • Topic Starter


Posted 17 July 2017 - 11:11 PM

Comments noted. Thanks.

 

I don't have anything like MySQL in my system. The nearest is the ".sql" extension for .NET Framework files.



#11 My-Dear-Friend

My-Dear-Friend


Posted 29 July 2017 - 01:00 AM

This account is undoubtedly created by a virus. I have the same problem, currently trying to figure it out. On my system it appears that the virus hijacked svchost, system, and some other core Windows processes, and through them it tries to download some malware on my computer.

So far I blocked system with a firewall and it apparently stopped the attack.

I recommend you to delete the account. You can do it from an elevated Command Prompt, using the command:
net user Huweishen-MySql /DELETE
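
An added example, not part of the original post: before deleting an unexpected account like the one in this thread, it helps to record which groups it belongs to and what created it. The PowerShell below lists unrecognised local accounts and matches them to Security-log event 4720 (account created); the `$expected` list is an assumption built from the account names mentioned in the thread.

```powershell
# Added example: triage unexpected local accounts before deleting them.
# Run from an elevated PowerShell prompt; written for PowerShell 2.0 (Windows 7).
# ASSUMPTION: $expected holds the account names the owner recognises (taken
# from this thread) plus the built-in Guest account. Adjust it per machine.
$expected = @('Mine', 'Administrator', 'Guest')

# Read one named field out of an event's XML <EventData> section.
function Get-EventField($eventXml, $name) {
    ($eventXml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# Local accounts via WMI; keep only the ones the owner does not recognise.
$accounts   = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$unexpected = @($accounts | Where-Object { $expected -notcontains $_.Name })

# Event 4720 = "A user account was created". Entries exist only if account
# management auditing was on and the Security log has not rolled over.
$created = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                          -ErrorAction SilentlyContinue)

foreach ($acct in $unexpected) {
    # Group membership shows how much the account could do (e.g. Administrators).
    $groups = @($acct.psbase.GetRelated('Win32_Group') | ForEach-Object { $_.Name })
    "Unexpected account: {0}  SID={1}  Disabled={2}" -f $acct.Name, $acct.SID, $acct.Disabled
    "  Groups: {0}" -f ($groups -join ', ')

    # Match on SID rather than name, since a name can be reused after deletion.
    foreach ($ev in $created) {
        $xml = [xml]$ev.ToXml()
        if ((Get-EventField $xml 'TargetSid') -eq $acct.SID) {
            # A creator named <COMPUTERNAME>$ means a process running as SYSTEM,
            # such as a service or installer, made the account.
            "  Created {0} by {1}\{2}" -f $ev.TimeCreated,
                (Get-EventField $xml 'SubjectDomainName'),
                (Get-EventField $xml 'SubjectUserName')
        }
    }
}
if ($unexpected.Count -eq 0) { "No unexpected local accounts found." }
```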



#12 dc3

dc3

    Bleeping Treehugger



Posted 29 July 2017 - 10:47 AM

Some malware can affect the use of antimalware products like Malwarebytes.  To get around this you should run RKill.

RKill attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.  RKill will not remove malware; the scans you run after setting up RKill will find and remove those infections.

These settings will remain until the computer is rebooted; for this reason you must run your security applications before the computer is rebooted.

Please download RKill from the Bleeping Computer option and install it.
                              
Attention:  While running RKill you may see a message stating that the program could not be run because it is a virus or is infected.  This is the malware trying to protect itself.  Two methods that you can try to get past this and allow RKill to run are:

1)  Rename Rkill so that it has a .com extension.

2)  Download a version that is already renamed as files that are commonly white-listed by malware. The main Rkill download page contains individual links to renamed versions. 

When RKill has finished running a log will be displayed showing all of the processes that were terminated by RKill.

Attention:  At this time you need to run your security applications listed below.  Do not restart the computer until all of the requested scans have been run and the logs posted in your topic.

After the security scans have been run successfully you should reboot the computer to restore the processes and Windows Registry entries.

 
 
Please run TDSSKiller.
 
Please download TDSSKiller from here and save it to your Desktop.

The log for the TDSSKiller can be very long.  If you go to the bottom of the log to where you find Scan finished you will see the results of the scan.  If it shows Detected object count: 0 and Actual detected object count: 0, this means that nothing malicious was found and you will not need to post the log.
 
1.  Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
 
2.  Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system.
 
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
 
3.  Click Start Scan and allow the scan process to run.
 
4.  If threats are detected select Cure (if available) for all of them unless otherwise instructed.
 
***Do NOT select Delete!

Click on Continue.
 
5.  Click on Reboot computer.
 
Please copy the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) and paste it into your next reply.

Note:  The log may be very long.  You may need to break it into parts to post the whole log.

Post this in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • If threats are found click on Save to text file in Documents.
  • Open Documents, find the report, copy and paste it in your topic.

Edited by dc3, 29 July 2017 - 10:47 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 




