Under C:I deleted"ALL USERS" w it returning


20 replies to this topic

#1 Lyn

Lyn

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Location:Sleepless in NY
  • Local time:02:27 AM

Posted 05 May 2005 - 03:02 AM

The list of users was put there by themselves.
The user under C:Presario is:
- - folder 677a2250bafd2dld3ebld5cd9072a
folder > spl qfe >msmsgs.exe
folder >update >branches.inf,eula.txt,KB887472.CAT,spcustom.dll,
update.exe,update.ver,update_SP1QFE.inf,updatebr.inf,updspapi.dll
--Documents and Settings
+ folder Administrator
+ Administrator1
+Administrator.CUDDLES
+All Users
+Corey
+Cuddles
+Default User
+LocalService
+NetworkService
- eab37e3165a9f97f0472b4
+ folder >spl qfe;msmsgs.exe
folder >update;branches.inf,eula.txt,KB887472.CAT,spcustom.dll,
update.exe,update.ver,update_SP1QFE.inf,updatebr.inf,updspapi.dll
- ecc2516e6dd7eaf03cbf0d85
folder >sp qfe;msmsgs.exe
folder >update; branches.inf,eula.txt,KB887472.CAT,spcustom.dll,
update.exe,update.ver,update_SP1QFE.inf,updatebr.inf,updspapi.dll

These folders with long numbers came from MSN Messenger asking me many times and trying to update before I can log on. It will not take NO for an answer.
Windows Update doesn't recognize my updated files. It says it's looking for past updates but nothing. HOW CAN I GET MY HOST RECOGNIZED????
Please help me stop Messenger needing to update.
AND:

I wanted all these extra Users deleted. They are just taking up disk space. But how do I remove all but Cuddles and Corey? I deleted, in safe mode, AdministorMINE, AND IT REPLACED IT with Administrator.CUDDLES. I removed All Users and it's back.
What's the secret to keeping it down to TWO USERS? For the two people who use this messed-up computer:
Administrator- needed when I use safe mode.
Corey
Cuddles

Please help me, since everywhere,
Lyn

Edited by Lyn, 05 May 2005 - 03:08 AM.



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:27 AM

Posted 06 May 2005 - 02:52 PM

Delete the user accounts and then delete the corresponding folders. You should not be deleting those folders like how you are.

#3 Lyn

Posted 09 May 2005 - 08:04 PM

If you mean delete "Users" in Control Panel, then the ONLY accounts listed in Control Panel ARE ---> "Corey" & "Cuddles".
If they are not listed in USER ACCOUNTS, what would be the best way to delete anonymous users?
Lyn

#4 Grinler

Posted 09 May 2005 - 10:02 PM

Create a directory on your hard drive, to save HijackThis.exe, called c:\hijackthis. This is a mandatory step, for the backup and restore functions, of HijackThis, to be able to work.

Download the latest version, from here.

Read the pinned post in the HJT forum, here

Then, run a log, and post it in the HJT forum. Do not fix anything, yet.
A member, of the HJT Team, will help you out.
Please, be patient, these people are volunteers. They will help you out, as soon as possible.

#5 Lyn

Posted 09 May 2005 - 11:24 PM

Hi Grinler,
Is this the right forum to paste my HJT log? I'd imagine they'd also need my first post, which describes my problem.
Or if I post my HJT log here, will someone transfer it to the HJT forum?
Willing to follow your rules,
Lyn

#6 Grinler

Posted 10 May 2005 - 07:33 PM

Post your log in this topic so I can continue working with you.

#7 Lyn

Posted 11 May 2005 - 05:14 AM

Hi Grinler,
I copied this HJT log in SAFE MODE. However, I could not turn off my Restore Point because I may need it to uninstall my new ZoneAlarm, which isn't compatible with my Avast. At this time I'm not sure which to uninstall, ZoneAlarm or Avast. But anyway, that's not the topic of my problem. My problem is deleting anonymous users which are NOT LISTED UNDER "User Accounts" in Control Panel.
I hope this helps,
Lyn

Logfile of HijackThis v1.99.1
Scan saved at 5:57:21 AM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington\MouseWorks\IE_SPY.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/40/install/gtdownls.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 Grinler

Posted 11 May 2005 - 04:29 PM

This is a clean log.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your Windows before we continue to help you, as the infections could reoccur. Go to http://www.windowsupdate.com and if it asks to install software, let it. Then click on the Scan link and let it do its thing. When it's done you will see on your left a section called critical updates. Click on that section and install everything that you can. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. Then post a new log.
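How the patch level is read off a HijackThis log header, as an added example that is not part of Grinler's post or of HijackThis itself. It assumes HijackThis names an installed service pack in the `Platform` line the same way the `MSIE` line does in the later log of this thread; `parse_hjt`, `service_pack` and `triage` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Excerpt of the first HijackThis log posted in this thread (trimmed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:57:21 AM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington\MouseWorks\IE_SPY.DLL (file missing)
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

HEADER_RE = re.compile(r"^(Platform|MSIE): (.+)$")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O23 - Service: ..."
SP_RE = re.compile(r"\bSP\s?(\d+)\b")

def parse_hjt(text):
    """Split a HijackThis log into header fields, processes and entries."""
    log = {"header": {}, "processes": [], "entries": defaultdict(list)}
    in_processes = False
    for line in map(str.strip, text.splitlines()):
        header, entry = HEADER_RE.match(line), ENTRY_RE.match(line)
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif entry:
            log["entries"][entry.group(1)].append(entry.group(2))
        elif header:
            log["header"][header.group(1)] = header.group(2)
        elif in_processes:
            log["processes"].append(line)
    return log

def service_pack(value):
    """Service pack number named before the build in a header value, else 0."""
    match = SP_RE.search(value.split("(")[0])
    return int(match.group(1)) if match else 0

def triage(log):
    """List what a helper checks first: patch level and dead entries."""
    notes = []
    for field in ("Platform", "MSIE"):
        value = log["header"].get(field, "")
        if service_pack(value) == 0:
            notes.append(f"{field} shows no service pack: {value}")
    for code, items in log["entries"].items():
        for item in items:
            if item.endswith("(file missing)"):
                notes.append(f"{code} points at a missing file: {item}")
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_hjt(SAMPLE_LOG))))
```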

#9 Lyn

Posted 12 May 2005 - 10:43 PM

Hi Grinler,
My Microsoft Updater hasn't worked in months. Someone told me I had a host problem. I did manage to find and download IE Service Pack 1; there were updates but I'm not certain if they are the same or new additions. There weren't any popups guiding me in the right direction. I even tried downloading SP2 but it brought me to the same "update page" where it's supposed to show me the updates I need; instead it does nothing, and no errors either.
Well, I seem to have updated IE because it says in Help "SP1".
I installed a new firewall tonight. I heard from members on here that Sygate and AVG are compatible.

Well, here's my HJT log in regular mode:

Logfile of HijackThis v1.99.1
Scan saved at 11:41:00 PM, on 5/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/forum/index.php?s...st=90&p=101803&
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = yes
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/40/install/gtdownls.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Thank you for your time and help,
Lyn

#10 Grinler

Posted 13 May 2005 - 08:26 AM

Download XP SP2 from here:

http://www.microsoft.com/downloads/details...&displaylang=en

and save it to your desktop. Then double-click on the file when it is done downloading and let it install. Also delete c:\windows\system32\drivers\etc\hosts.

#11 Lyn

Posted 16 May 2005 - 07:56 PM

Dear Grinler,
What would be the proper way to delete, in your latest post...
windows/................driver../host?

Before installing SP2, doesn't my Sygate firewall have to be deleted?

Another question is: if SP2 leaves me stuck and unable to get online, can you tell me how to get back to my latest registry? Since my "Restore program" is very unpredictable if and when it works.
Lyn

#12 Grinler

Posted 16 May 2005 - 10:22 PM

Download the Hoster from http://www.funkytoad.com/download/hoster.zip . Run it and Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

System Restore will be your best bet in this situation. Just make sure it's enabled.

As for Sygate, after you finish installing SP2, go into your Network Connections control panel, right-click on Local Area Connection, and go into Properties. Then click Advanced and turn off the firewall, as you will be using the Sygate one instead.
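What restoring the hosts file is meant to rule out, as an added example that is not part of Grinler's post or of the Hoster tool: a check that lists every mapping in a hosts file beyond the stock `127.0.0.1 localhost` and marks those that point an update site at a dead address. The sample file, the `WATCHED` list and the function names are constructed for illustration; nothing here is taken from Lyn's machine.

```python
import ipaddress

# Constructed sample, not Lyn's file: a stock XP hosts file plus three
# added mappings, two of them for the update site named in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.windowsupdate.com
10.0.0.5        fileserver.example    # constructed LAN entry
0.0.0.0         windowsupdate.com
"""

WATCHED = ("windowsupdate.com",)  # assumption: domains the reader cares about

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for name in fields[1:]:               # one line may map several names
            yield line_no, ip, name.lower()

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, verdict, hostname, ip) for every non-stock mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                          # the only mapping in a stock file
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        dead_end = ip.is_loopback or ip.is_unspecified
        if is_watched and dead_end:
            verdict = "blocks-update"
        elif is_watched:
            verdict = "redirects-update"
        else:
            verdict = "non-default"
        findings.append((line_no, verdict, name, str(ip)))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

A file that yields no findings is equivalent to the stock one, which is the state "Restore Original Hosts" is meant to produce.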

#13 Lyn

Posted 17 May 2005 - 01:26 AM

I downloaded Original Host. The "Restoring Original host button" wouldn't work. I tried closing and rebooted but still no luck.
Grinler, I'm really sorry, you have helped me all this time without succeeding. I can not imagine what caused my ISP to not be recognized.

I'm not sure if this is important, but while I was in the Restore Host, I read my host was only readable.

Again if you still want me to still delete the path line ---->
windows.....drivers...host. Please inform me the correct way of deleting this
path.
Your Student,
Lyn

#14 Lyn

Posted 17 May 2005 - 04:39 AM

Grinler I went in the safe mode to delete this path--->
c:\windows\system32\drivers\etc\hosts

To my surprise I found FOUR listed under this path;
All four had different numbers, and under the Properties tab - Security they listed identical users.
I copied what it said, thinking it might help to see the Users multiplying.

Here is what I found;

hosts--- "Everyone", Properties\Security tab permission for Everyone: Full Control-blank, Modify-allow, Read & Execute-allow, Read-allow, Write-allow, Special permission dimmed but ALLOW

hosts --2005-03-01-09-06-47 properties tab
Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)
SYSTEM
security ---everything was Allowed but Special Permission.

hosts-- 2005-03-05-01-02-08 Properties
Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)
SYSTEM
Security tab-- same as the two hosts above

hosts--2005-03-05-01-09-45 Properties
Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)
SYSTEM
Security tab---Allow everything except Special Permission

Imhosts.sam (no idea what IMhost is? ) Properties
Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)
SYSTEM
Security tab all allowed except Special Permission

Dear Grinler, I was afraid to delete one of them and leave the rest. Or delete all except the (Imhost.sam), which you did not mention. I thought if I deleted all of the host that I would lose my desktop and all files with it.
And not to forget:
677a2250b2afd2d1d3deb1d5cd9072a
properties = Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)
tab Security --only Special Permission was checked

eab37e3165a9f97f0472b4
Properties= Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)

ecc2516e626dd7eaf03cbf0d85
Properties=
Administrators(CUDDLES\Administrators)
Cuddles (CUDDLES\Cuddles)

I think I know where the users with numbers before them came from. For some reason my MSN Messenger stopped recognizing me and would do a new download before I was able to log on.

But I haven't a clue why Cuddles is multiplying. I thought I'd wait for your thoughts about which to delete and wait before installing SP2, by the way successfully downloaded onto my desktop.
Shall I keep the change I made in "Restore Original Host" and keep my host "editable"?

I hope it helps giving the big picture of so many host users,
Lyn

#15 Grinler

Posted 17 May 2005 - 12:27 PM

Just select restore original host. You can keep it editable. Now install SP2.



