PDA

View Full Version : Lost user profile, winlogon value changed


mriggins
2008-06-22, 17:50
I recently updated spybot sd and my fiance's user profile was completely wiped out. Her files are no longer there (though I was able to recover them) and all of her preferences are lost.

Also, I restarted the computer and got a popup from spybot sd that reads:
Category: Winlogon
Change: Value Changed
Entry: Default User Name
Old Data: <my profile name>
New Data: <my fiance's profile name>

Is this a result of spybot or a virus? Any help would be appreciated.
md usa spybot fan
2008-06-22, 18:11
mriggins:


I recently updated spybot sd and my fiance's user profile was completely wiped out. Her files are no longer there (though I was able to recover them) and all of her preferences are lost. ...
There is a problem with Spybot and corrupted user profiles. According to Patrick Kolla the problem only occurs under a very limited set of circumstances.
If you had rebooted the system at this point everything most likely would have returned to normal. See:
Spybot Corrupting user profiles
http://forums.spybot.info/showthread.php?t=25448

There is an issue when you kill the Spybot-S&D process and then switch users, or switch users while it is still running, since it's trying to scan those and locking them. After a reboot (or closing Spybot-S&D) it'll be ok again.

That has nothing to do with uninstalling (except that uninstalling will terminate a running Spybot-S&D as well of course).

See also:
Fast User Switching during a scan (http://forums.spybot.info/project.php?issueid=201)
Terminal Services & user profiles (http://forums.spybot.info/project.php?issueid=200)
In other words when running a scan or if you have aborted a scan don't log onto another user.

__________


... Also, I restarted the computer and got a popup from spybot sd that reads:
Category: Winlogon
Change: Value Changed
Entry: Default User Name
Old Data: <my profile name>
New Data: <my fiance's profile name>

Is this a result of spybot or a virus? Any help would be appreciated.
In a multiple users system Windows changes the DefaultUserName in the following registry key when you log off of one account and log onto another.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
As long as both names are actual usernames on the system, particularly the "New data" name, just allow the registry change.

I don't know the intent of having TeaTimer monitor this particular registry key unless it is to alert you that someone else has logged onto the system since your last logon.