This computer is sick questolo

[guestolo]

I've removed firefox in this manner and have NEVER experienced what you did
I don't think you followed the instructions
or I'm not sure what your saying
There should be no if'sand's or but's, if you ONLY deleted the Firefox folder the user account should NOT be gone

Then I deleted firefox again (add and remove) The only other folder I found was C:\Program Files\Mozilla Firefox <-folder

Is Windows set to show hidden files/folders??, I would guess not after a system restore

I would Print the instructions I posted

I posted this earlier
Navigate to the following folder
C:\Documents and Settings\Matt Erjavec\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default
Find bookmarks.html
Copy>>paste it too desktop
You said

? bookmarks.html On desk top ?

I assumed Matt's profile was the one we're working with
It's the one your logged into when posting the Hijackthis log

You again, didn't answer another question
Was that the ONLY user profile on the computer

NOTE: any fixes we did AFTER that restore point time may have to ALL be redone
You will have to start back at POST #9

So back to deleting Matt

Please just don't delete Matt's folder, his profile must be removed!!!

[Mr Bell]

Ok went back to show all hidden folders. Done

I found bookmarks and it on desk top. I just wanted to know what you wanted me to do with it???

Only Alex and Pat should be Admin's. If I go to C:\Documents and Settings I see folders >All users >default user >Guest > Matt Erjavec > Patrick

I don't see Alex listed except at the atart up window for windows. What's up with that?

None of the folders you had me navigate through had firefox at the end. None of them. This is the only one I found (C:\Documents and Settings\Matt Erjavec\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default) Found bookmarks.html and pasted it on desk top.

The new firefox is working from what i can see so far.

[guestolo]

Only Alex and Pat should be Admin's. If I go to C:\Documents and Settings I see folders >All users >default user >Guest > Matt Erjavec > Patrick

Just on my way to work, in the meantime
I take it that Matt's login username probably got changed to Alex
That won't change the folder name, to change the folder name you must do some registry editing

Can I just check on something
Download SIDList.vbs and save to desktop
Double click on Sidlist.vbs
A notepad file will open, copy>>paste back here the contents

Also, are you logged into Alex's profile right now?
If you are, can you run Hijackthis from her login user name and post it's log, I want to see if there is any change

[Mr Bell]

Good Morning

Ok I think I set Alex up as Admin correctly. Maybe we can start over with removing Matt. After restore no real changes took place so we are good there.


You posted while I was typing this. I will get on it right now and post. Have a good day @ work and ttyl

[Mr Bell]

Your correct. She did just change loin name.
*************************************************************
Lists all the user accounts, their SIDs and Profile paths.
SIDList.vbs - Copyright © 2005-2006, Ramesh Srinivasan
WWW: http://windowsxp.mvps.org & http://www.winhelponline.com
*************************************************************

Username      : Administrator
SID          : S-1-5-21-776561741-1202660629-839522115-500
Profile dir     :

Username      : ASPNET
SID          : S-1-5-21-776561741-1202660629-839522115-1005
Profile dir     :

Username      : Guest
SID          : S-1-5-21-776561741-1202660629-839522115-501
Profile dir     : C:\Documents and Settings\Guest

Username      : Matt Erjavec
SID          : S-1-5-21-776561741-1202660629-839522115-1003
Profile dir     : C:\Documents and Settings\Matt Erjavec

Username      : Patrick
SID          : S-1-5-21-776561741-1202660629-839522115-1004
Profile dir     : C:\Documents and Settings\Patrick

*************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:08:34 AM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1138158998\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Matt Erjavec\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138158998\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Weather.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AirXpert Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Matt Erjavec\Desktop\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

[guestolo]

Is this the same computer you have Spyhunter installed on?
Let's not go any further till you get rid of it, sorry, but that is my stand on it

[Mr Bell]

No I have both computers sitting side by side. This is my computer and yes I removed that spyhunter program from this one. Wonder how many people have dl that program.

I use this one when I read instructions while working on the Alex's lap top so we are all good to GO. My post #24 was the info you requested. Can you look at the hijackthis log and as you can see all Alex did was change the user name to her. So we are still dealing with that issue as well.

[guestolo]

I see you online right now, so let me ask a quick question
Taken from the SID list you include
From what I understand

You want
Username : Matt Erjavec
which is now Alex's login name

Totally renamed to Alex (or whatever)

Matt's (Alex's) account is now set as Admin, correct?
Also, Patricks' account is also Admin, is that correct?

Do you have access to Patrick's account?

[Mr Bell]

I have access to all accounts. However at windows start up I see only Alex and Pat now. I took off the guest.

And yes I would like to remove this Matt character/whoever off the computer completely.

[Mr Bell]

bump

[guestolo]

Hi again, have you done any further steps yet?

We could edit the registry, but this can cause a few problems
Or we can create a new user account and remove the old one

I prefer the latter method, it will involve a few steps, but it really doesn't take that long

Let's make sure I have this right>>You have Alex and Pat as Administrators on login

Alex's login name is actually Matt's old user profile

So I take it Alex has been using this old profile and would like to save most of the settings of this account

I'll give you the steps I would do to create a new profile, transfer files, and remove old profile
Let me know and I'll supply complete instructions and links to Microsoft for assistance

[Mr Bell]

Well, in retrospect we really don't have to do anything either. The computer is hers and everything seems to be running fine. Windows updates and all. So rather then take up your time with this trivial issue it would be better spent if you focus on those that need help removing spyware and such.

I guess my next step will be doing a little more cleaning and create a new restore point correct? Her computer and IE browser is fully restored so all is good. So unless you would like to have me do anything else we can go ahead and conclude this session.

Thanks for your help.

[guestolo]

Ok then, I'll lock this topic as problems appear resolved
Take care Mr.Bell  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />