What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Skype & Live Messenger » Strange MSN Profile on my PC

Strange MSN Profile on my PC
Author: Message:
castreyboy
New Member
*


Posts: 1
Joined: Dec 2010
O.P. Strange MSN Profile on my PC
I have noticed a strange profile on my PC when I try to login to either hotmail or Windows Live Messenger. Although the address appears there I have looked in the following directory and it does not appear there:


Users/[PCNAME]/AppData/Local/Microsoft/Messenger

Under this folder i have a folder with my own email address  for hotmail and Messenger-

Users/[PCUSER]/AppData/Local/Microsoft/Messenger/xyz@hotmail.com

I have checked the registry and the unusual address does come up in registry search.

The question is: does someone have to be physcially logging into my PC for this profile to appear or could it have happened remotely such as a hacker?

Any answers appreciated. Also is there any way to establish the date and time when this user created this profile on my PC?

Regards
12-21-2010 09:26 AM
Profile E-Mail PM Find Quote Report
mynetx
Skinning Contest Winner
*****

Avatar
Microsoft insider

Posts: 1175
Reputation: 33
37 / Male / Flag
Joined: Jul 2007
RE: Strange MSN Profile on my PC
Hello castreyboy,

The profile you found was created when somebody with physical access to your computer had used Messenger. It might also be a remainder of the previous owner of the computer, in case you did not reinstall Windows, or might have been included in a full computer restore you performed. The least possibility is that the strange profile is part of your OEM PC manufacturer's preinstalled Windows CD.

Please right-click the Users/[PCUSER]/AppData/Local/Microsoft/Messenger/xyz@hotmail.com folder to see its filesystem creation date. :)
mynetx - Microsoft, enhanced.

You have a problem or issue with Windows, Internet
Explorer or Office?
Send a tweet!
12-30-2010 06:38 PM
Profile E-Mail PM Web Find Quote Report
CookieRevised
Elite Member
*****

Avatar

Posts: 15517
Reputation: 173
– / Male / Flag
Joined: Jul 2003
Status: Away
RE: Strange MSN Profile on my PC
quote:
Originally posted by mynetx
Please right-click the Users/[PCUSER]/AppData/Local/Microsoft/Messenger/xyz@hotmail.com folder to see its filesystem creation date. :)
quote:
Originally posted by castreyboy
....I have looked in the following directory and it does not appear there
The address is apparently only found in the registry, not anywhere else. So, unfortunatly, there isn't an easy way anymore to detect the creation date.







castreyboy,

It might be a leftover from someone who had physical access to your PC (and who removed the directories afterwards to cover his tracks) or whatever like mynetx said. But another possebility is that this address has been added to the registry by some program you've used (since it only exist in the registry).

Does that address appear to be a legit normal address (eg: it contains a name or other recognizable words) or is it very cryptic (eg: number and letters)?

-----------------

Anyways, if you're lucky you can check in the registry for some leftover data to check when it was used.

1) Calculate the ID-Hash of the Windows Live ID.
    You can do this using this online calculator

2) Open your registry editor and navigate to:
    HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\PerPassportSettings\the_ID-Hash_from_step_1

3) Find the DateOfLastHighlightLaunch setting.

This is a hexadecimal number representing a date. To convert this to a decimal number:

4) Open up your Windows Calculator and switch it to 'Scientic Mode'.
    (second menu > Scientific Mode)

5) Click on the 'Hex' button to switch to hexadecimal notation.
    Now enter that hexadecimal number you've found in step 3.
    But enter the bytes backwards!
    eg: if the number is '12 34 56', you enter '563412'
    Click on the 'Dec' button to switch to decimal notation.

Now you have a decimal number representing a date. To convert it to a date:

6) Open up the Command Prompt (Start menu > Run > cmd) and enter the following command:
    w32tm  /ntte  the_decimal_number_from_step_5

What you see now is a date in your local time zone.

-----------------

Another registry setting you can check is:

7) Find the UTT setting. This is an unicode string.
8) Double click on it to see ascii values of the string.

You can also see a date here.

-----------------

[Image: attachment.php?pid=1005287]

Both dates can give you an idea when that Windows Live Id was used to log into Messenger.
They are not realy sign in dates though. But they can give you an idea around what period of time it was used.

.png File Attachment: dates.png (24.94 KB)
This file has been downloaded 319 time(s).

This post was edited on 12-30-2010 at 10:41 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
12-30-2010 10:37 PM
Profile PM Find Quote Report
« Next Oldest Return to Top Next Newest »


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts
HTML is Off
myCode is On
Smilies are On
[img] Code is On