Safe To Delete Multiple User Accounts?


Sheryl

Update:

I always did have it set to view hidden and system files

Various programs and command text provided here I haven't tried yet as look a bit time consuming and (as always happens when the computer is acting up!) I am working flat out on a tight deadline. Hope to get to it over the weekend. Likewise am saving the "remove antivirus and install others" option for last as very time-consuming to do. But it may come to that.

All the comments about my hard drive being so small led me to wonder why: the computer isn't that old and I bought what I was assured had abundant space. And indeed, it was nowhere near full until over the past few months when it began to fill up for no apparent reason, exactly as one poster described a virus/worm as doing. First I knew was about 3 months when I started to get warnings that the Lenovo "Rescue and Recovery" program couldn't work because it required there to be at least 15% free space on the hard drive. Checked then and to my amazement there was only about 10%. Did what I could to free up space but a month or so later, same thing, and now a few weeks ago I began to get warnings that the hard drive was totally full. Again for no apparent reason.

30 Gb was what it shows under "properties" for drive C. I don't have the user's manual etc with me now but checked online; this model comes with 80 GB.

It's a Lenovo so there is I think some type of partition in which the "Rescue and Recovery" program sits and that doesn't show under Explorer or "My Computer". But it can hardly be using up all of the missing 50 Gb. So, I think a virus has made off with at least my hard drive space.

Turned off system restore, ran Kaspersky in safe mode, everything seemed OK for a few days but now back to getting virus detected on drives not in use at the time of the scan...now not only H:/ but also E:/. Maybe I'm reinfecting the drive with a USB stick? Scans of the memory stick in several different programs show nothing but in my experience for some reason anti-virus programs don't work well on flash drives. (Even during the interval when Kaspersky wasn't finding anything the missing space stayed gone).

Kaspersky log shows virus Worm.W32.VB.aih on many files (all files I can't locate anywhere, on drives not in use during the scan) plus Virus Net-Worm.Win32 (ditto) and on one file Trojan-Downloader.Win32.Agent.ckhe. :annoyed: :annoyed: :annoyed:

Now I know Kaspersky can have false positives, but the files reported as being infected don't seem to exist on my computer and the drives were not in use during the scan. How would Kaspersky detect non-existent files? On non-existent drives? So seems to me that indeed a virus has made an invisible partition or two onto my hard drive and that's where all my drive space has gone...and where the infected files are hiding :annoyed: :annoyed: :annoyed: :annoyed:

Link to comment
Share on other sites

30 Gb was what it shows under "properties" for drive C. I don't have the user's manual etc with me now but checked online; this model comes with 80 GB.

There should be a d: partition if this is a windows machine with default partitioning... ?

Link to comment
Share on other sites

<snip>

30 Gb was what it shows under "properties" for drive C. I don't have the user's manual etc with me now but checked online; this model comes with 80 GB.

It's a Lenovo so there is I think some type of partition in which the "Rescue and Recovery" program sits and that doesn't show under Explorer or "My Computer". But it can hardly be using up all of the missing 50 Gb. So, I think a virus has made off with at least my hard drive space.

Rescue and Recovery programs provided by computer manufacturers usually reside on a small hidden partition on the hard disk. They have no drive letter assigned, therefore cannot be seen in Windows Explorer. Use the Disk Management snap-in tool to manage your hard disk and the partitions or volumes that they contain.

BTW, it's very unlikely malware/virus will consume up to 50 gigs of space.

Turned off system restore, ran Kaspersky in safe mode, everything seemed OK for a few days but now back to getting virus detected on drives not in use at the time of the scan...now not only H:/ but also E:/. Maybe I'm reinfecting the drive with a USB stick?

You need to disable Autorun. As long as it's enabled, the infections will keep recurring.

Link to comment
Share on other sites

By disable autorun, are you referring to something on the USB? Doesn't seem to be an autorun file there.

Ran disk management. It shows:

- IBM Preload C:, 30 Gb FAT32, Healthy (system)
- 39.23 Gb, Unallocated
- Service V001, 5.30 GB FAT 32, Healthy (EISA Configuration)

There is only 5% free space in C, 25% in "Service V001" and then, apparently, 39.23 Gb of space that is either unused or used for something that does not show up in Disk Management. Would Rescue & Recovery do that?

How do I get this 39 GB allocated to my C drive?

Link to comment
Share on other sites

Ran disk management. It shows:

- IBM Preload C:, 30 Gb FAT32, Healthy (system)
- 39.23 Gb, Unallocated
- Service V001, 5.30 GB FAT 32, Healthy (EISA Configuration)

There is only 5% free space in C, 25% in "Service V001" and then, apparently, 39.23 Gb of space that is either unused or used for something that does not show up in Disk Management. Would Rescue & Recovery do that?

How do I get this 39 GB allocated to my C drive?

Service V001, I assume is a Rescue partition; whereas Unallocated = free space. The Disk Management tool in Windows XP cannot be used to resize partitions. It can only create and delete partitions. This leaves you with two options:

1. Use a third-party application to manage your partitions.

EASEUS Partition Master

Gnome Partition Editor (aka: GParted)

- OR -

2. Create a logical partition (D:) using the Disk Management tool.

Edited by Supernova
Link to comment
Share on other sites

Supernova is right.

WARNING - before you start tinkering with partitions, make sure you have backed up all your data! Also make sure you have a copy of Windows XP, along with all the drivers that you would need to reinstall Windows.

WARNING - if you have not done so already, follow the documentation provided with your laptop and burn a recovery CD/DVD - these files should be sat inside the Service V001 Partition. This will allow you to restore your laptop to the factory state, assuming the files are all working properly.

OK.

Run disc management again.

google create logical partition xp, and follow the advice from Microsoft's website.

You now have 39 Gigs free on drive (presumably) D, as well as whatever is left on the C drive. If you would like all the drive space to appear in the same drive C, you will have to run third-party software as Supernova said.

Edited by modafinil
Link to comment
Share on other sites

Thanks. I have now gotten as far as creating the additional formatted drive and downloading Partition Master and backing up all my files.

I don't have the XP installation CD (came pre-installed). Could take the computer to a shop to do this for me. Or maybe I'll risk doing it myself and take it to shop if it screws up requiring a Windows re-install.

If I'm not seen on line again for a few days you'll all know why..... <_<

Link to comment
Share on other sites

Worked like a charm!!

I now have plenty of unused space on the HD.

Many, many thanks to all and especially thanks to Supernova :jap: :jap: :jap: :jap:

I also ran the script you provided, it asked me a few questions to which I answered yes (assume that's right)

One q tho: will this prevent me from booting from the CD-ROM? As there are times/situations when I need to do that.

Thanks again

Sheryl

Link to comment
Share on other sites

Worked like a charm!!

I now have plenty of unused space on the HD.

Many, many thanks to all and especially thanks to Supernova :jap: :jap: :jap: :jap:

I also ran the script you provided, it asked me a few questions to which I answered yes (assume that's right)

One q tho: will this prevent me from booting from the CD-ROM? As there are times/situations when I need to do that.

Thanks again

Sheryl

Congratulations

Now while you are feeling brave may I suggest you use these instructions from Microsoft to move your "My Documents" folder to the new D drive. Having your own data and program files on different drives has many advantages, especially as far as backups are concerned.

To answer your question about autorun, it should not be affected. The only possible problem you may run into is if you have any games or other copy protected software that requires the original CD to be in the drive before they will run; these may not work unless re-installed or a registry hack is used to tell the program of the new CD ROM location.

Link to comment
Share on other sites

It doesn't matter now because you have plenty of file space, but it is possible that Lenovo's "Rescue and Recovery" might have been the cause of your Hard Drive issues. It works a bit like "System Restore", making backups of all your data - possibly it was shoving all the backups in the "unallocated" partition that you have now recovered.

Try Googling rescue and recovery delete backups, many other people seem to have encountered problems similar to yours.

If you don't have an XP disc, you may be able to use "Rescue and Recovery" to burn a copy of your operating system to CD/DVD, just in case you suffer a hard drive failure.

Googling rescue and recovery backup lenovo xp tells you how to do this on Lenovo's website.

Glad you've got everything sorted now :)

Link to comment
Share on other sites

If on the e-drive there is still plenty of space, you can make this one smaller, then make the c-drive bigger. This takes less than 5 minutes with this excellent free tool Easeus Partition Master, no back-ups needed. After installing the tool, just use the horizontal sliders to set the new partition (slide the e-drive smaller, then slide the c-drive bigger, there must be no space in between), click 'apply' and let the system do its work: it closes, starts up again and the changes will be implemented. If you chose the right partition, you can uninstall the tool again, because you probably won't use it again.

:jap:

Link to comment
Share on other sites

I also ran the script you provided, it asked me a few questions to which I answered yes (assume that's right)

One q tho: will this prevent me from booting from the CD-ROM? As there are times/situations when I need to do that.

Disabling Autorun won't affect your ability to boot from optical media. They are two very different things; the latter being controlled by your computer's BIOS. The only time you would boot from CD/DVD is if installing an operating system or booting a Live CD such as GParted. Autorun on the other hand, is nothing more than a "convenience" feature in Windows. This Wiki article describes how it works.

BTW, you can always re-enable Autorun by running the same script you used to disable it. Answer 'n' to the first question and restart the computer for the changes to take effect.

The only possible problem you may run into is if you have any games or other copy protected software that requires the original CD to be in the drive before they will run; these may not work unless re-installed or a registry hack is used to tell the program of the new CD ROM location.

Games and other copy protected software don't require Autorun/Autoplay to function.

Link to comment
Share on other sites
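As an added illustration of the Autorun mechanism discussed in this thread (not code from any poster, and not the script Supernova supplied): Windows stores the Autorun policy as the `NoDriveTypeAutoRun` bitmask, and on media it acts on the `[autorun]` section of an `autorun.inf` in the drive root. The sample file contents and the file names in it are constructed.

```python
import os

# NoDriveTypeAutoRun lives under
# ...\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKLM or HKCU).
# A SET bit means Autorun is DISABLED for that drive type.
MEDIA_BITS = {
    0x04: "removable",  # USB sticks, floppies
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}


def autorun_still_enabled(policy_value):
    """Drive types on which Windows would still honour autorun.inf."""
    return [name for bit, name in MEDIA_BITS.items() if not policy_value & bit]


def find_autorun_inf(root):
    """Locate autorun.inf in a drive root regardless of letter case.

    os.listdir also returns entries carrying the hidden/system attributes.
    A directory of that name is not a launch file, so only files count.
    """
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            return path
    return None


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, tolerating junk lines."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Entries that name a program to start: open=, shellexecute=,
    and shell\\<verb>\\command= (context-menu verbs)."""
    return {
        k: v for k, v in entries.items()
        if k in ("open", "shellexecute")
        or (k.startswith("shell\\") and k.endswith("\\command"))
    }


# Constructed sample, not taken from any real device.
SAMPLE_INF = r"""
; constructed sample
random padding line
[AutoRun]
Open = tool.exe
icon=tool.exe,0
shell\open\command=tool.exe /s
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    # 0x91 is the value Microsoft documents as the Windows XP default.
    print("enabled with 0x91:", autorun_still_enabled(0x91))
    print("enabled with 0xFF:", autorun_still_enabled(0xFF))
    print("would launch:", launch_commands(parse_autorun_inf(SAMPLE_INF)))
```

Reading the file as text with these functions never executes anything on the stick, so it can be inspected from a machine where Autorun is already off.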

I also ran the script you provided, it asked me a few questions to which I answered yes (assume that's right)

One q tho: will this prevent me from booting from the CD-ROM? As there are times/situations when I need to do that.

Disabling Autorun won't affect your ability to boot from optical media. They are two very different things; the latter being controlled by your computer's BIOS. The only time you would boot from CD/DVD is if installing an operating system or booting a Live CD such as GParted. Autorun on the other hand, is nothing more than a "convenience" feature in Windows. This Wiki article describes how it works.

BTW, you can always re-enable Autorun by running the same script you used to disable it. Answer 'n' to the first question and restart the computer for the changes to take effect.

The only possible problem you may run into is if you have any games or other copy protected software that requires the original CD to be in the drive before they will run; these may not work unless re-installed or a registry hack is used to tell the program of the new CD ROM location.

Games and other copy protected software don't require Autorun/Autoplay to function.

Nobody said games or anything else needed autorun. The point was that now there is a D partition on the hard disk, copy protected software that looks for a master CD will no longer find it in drive D, but will have to be told that the CD ROM is now drive E.

This issue can also be solved by using the XP manage (right click on my computer) - Disk management, to reassign the drive letters.

Link to comment
Share on other sites

^ Sorry, my mistake -- it seems I misunderstood your initial post. My brain isn't exactly firing on all cylinders today; it's Monday after all... :annoyed:

Thanks for pointing this out.

no problem

Edited by thaimite
Link to comment
Share on other sites

Mega Congrats on getting your system back.

bangkokcitylimits...

If on the e-drive there is still plenty of space, you can make this one smaller, then make the c-drive bigger.

etc...

If you note Sheryl's post #34 you will see the C: is a FAT32 30GB partition which will have 16KB clusters.

Max size of a FAT32 vol is 32GB, so not much to expand, not worth the risk for so little gain.

It is worthwhile to convert C: to NTFS.

XP can do that with the command line convert.exe util...

1 Click Start -> Run

2 Enter "cmd" into the text field labeled "Open".

3 Click OK button

4 If you want to convert drive C:, enter the command "vol c:" in the command window,

to find the volume label for the C: partition

5 Then enter the command "convert C: /FS:NTFS /V"

to convert the C: partition from FAT32 to NTFS.

6 When prompted, enter the "volume label" for the partition from step 4.

If the volume is in use,

you may be prompted to perform conversion after reboot, choose Yes.

Easeus PM can do the conversion also.

However neither util can re-size those existing C: 16K clusters down to 4K,

either during or after conversion. Unfortunate.

I assume Sheryl formatted the new D: to NTFS, else there would be 7GB unallocated.

If D: is NTFS, cluster size will be 4KB, and it has a lot of space at 40GB.

What I would do is,

convert C: to NTFS, reboot,

shrink D: to make 5 GB unallocated space next to Lenovo, reboot,

grow the Lenovo partition to 10GB, reboot.

Shrink D: away from C: by 10GB (D: would now be 30GB), reboot,

Grow C: to 40GB.

Seems that would be a good balance of space usage.

(I don't trust these apps to do more than 1 operation at a time)

Last Thursday I was prepping to suggest a scenario similar to the above,

convert C: to NTFS, expand C:, create D:, however lost the adsl and phone till today.

I fail to understand why Sheryl needs a copy of XP, per her post #38.

Nothing has been said about re-formatting C:, requiring a reinstall of XP.

Did I miss something? Can someone enlighten me?

What happened to the virus issue previously discussed?

Cheers

Link to comment
Share on other sites

Thanks. I have now gotten as far as creating the additional formatted drive and downloading Partition Master and backing up all my files.

Worked like a charm!!

I now have plenty of unused space on the HD.

Some of the above posts are assuming that Sheryl created a separate C and D drive, but if she used Partition Master, she probably opted to make one big C drive instead.

Link to comment
Share on other sites

Thanks. I have now gotten as far as creating the additional formatted drive and downloading Partition Master and backing up all my files.

Worked like a charm!!

I now have plenty of unused space on the HD.

Some of the above posts are assuming that Sheryl created a separate C and D drive, but if she used Partition Master, she probably opted to make one big C drive instead.

She did say "additional formatted drive" and "backing up all my files" and "plenty of unused space on the HD".

Key words are:

- additional drive

- backing up infers to the additional drive

- unused space, not unallocated space, Sheryl knows the difference

- HD, which is Hard Disk, not drive, She knows the difference.

She could not have expanded C: without converting to NTFS (FAT32 limitation).

Sheryl asked (post #34) "How do I get this 39 GB allocated to my C drive?"

I think she asked that question because she did not realize she could just create another drive.

Then Supernova (post 36) suggested

"2. Create a logical partition (D:) using the Disk Management tool.".

Then you supported Supernova (post 37)

Run disc management again.

google create logical partition xp, and follow the advice from Microsoft's website.

You now have 39 Gigs free on drive (presumably) D, as well as whatever is left on the C drive.

If you would like all the drive space to appear in the same drive C,

you will have to run third-party software as Supernova said.

I think she did use disc management to create a new primary partition D:.

Because the "event sequence" of Sheryl's next reply (post #38) infers it...

"I have now gotten as far as creating the additional formatted drive and downloading Partition Master and backing up all my files".

XP defaults to "use all unallocated space" and "Format as NTFS".

So it would have been very, very fast and easy.

XP would also have created that Primary Partition as D:, kicking the CDROM off D: to E:

In Windows systems drive assignments, Primary Partitions are given precedence over Logical Drives in Extended Partitions and Removable Media.

There can be up to a max of 4 Primary Partitions on a Windows system (and only 1 active at any time).

She did a great job for being a non-geek.

She learned much from this experience and it will benefit her later.

So yes I do believe she created a new drive, as a Primary Partition.

Although my belief is based on a lot of circumstantial evidence.

Perhaps she will grace us with a reply.

Cheers

Link to comment
Share on other sites

I did indeed expand the C drive, not create an additional drive. Formatted the unallocated space first then used Easeus Partition Manager to allocate it to C.

Reason I did not make it a separate drive is that, aside from the hassle of knowing which settings to change so that the OS and all programs know where to access files, didn't think 30 Gb was really large enough even for just Windows especially with their interminable updates. So I would have had to move space around anyhow and it just seemed simpler to me to have only 1 drive.

I have an external HD, that is where I did the back-up to.

Was advised by several people that Windows might get corrupted in the process of the resize of the C drive, that's why the reference to XP disk.

Which leads me to the next chapter:

Shortly after my last post (made after allocating the unused space to C:\ and also running the script provided by Supernova to turn off autorun), my computer crashed. Screen just froze and wouldn't do anything, couldn't even reboot. Turning power off and then on didn't help.

So I used Wininternals to go in and do a system restore. That got everything back OK except for my antivirus program (Kaspersky) which was hopelessly corrupted. Repair attempts failed so ended up doing a complete remove and reinstall.

Since that, everything seems to be working OK. And, thus far, repeat scans no longer show any worms/trojans or mention of non-existent drives.

Questions:

1. Do I need to be alarmed about the crash or is it just a common casualty of the resizing of the drive Windows is on?

2. I don't know the how or why of it, but seemingly the script to turn off autorun and/or the system restore has put an end to the virus, if I had one? Or is it likely to be lurking somewhere?

I've run Dr Web Cure It! with negative results.

Link to comment
Share on other sites

Shortly after my last post (made after allocating the unused space to C:\ and also running the script provided by Supernova to turn off autorun), my computer crashed. Screen just froze and wouldn't do anything, couldn't even reboot. Turning power off and then on didn't help.

Not at all surprising. This also confirms the presence of an infection. Though I must admit, whatever is on there has done a good job of masking its presence since it didn't show up in the HJT log. Let's go back to your HJT log for a minute....

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

Malware and viruses often use the AppInit_DLLs registry key to preload themselves into memory during Windows startup. The files shown above are legitimate Kaspersky startup files. However, if a virus or worm had attached itself to Kaspersky (effectively corrupting it in the process), disabling Autorun could have easily led to a system crash -- especially if the malicious code depended on it. This behavior is nothing new as I've seen it happen before to other AV programs.

1. Do I need to be alarmed about the crash or is it just a common casualty of the resizing of the drive Windows is on?

2. I don't know the how or why of it, but seemingly the script to turn off autorun and/or the system restore has put an end to the virus, if I had one? Or is it likely to be lurking somewhere?

#1: Not at all. Resizing partitions shouldn't cause your computer to crash unless the partition table was corrupted to begin with.

#2: Not sure how to answer this one, but removing Kaspersky seems to have fixed a lot of things. Leave Autorun disabled. In fact, it would be wise to disable this feature on ALL your machines. The extra layer of security afforded by doing so is definitely worth it.

Edited by Supernova
Link to comment
Share on other sites
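An added example (not from the original posts) of reviewing the HijackThis O20 line quoted above: it splits the AppInit_DLLs value into its entries and reports whether each DLL sits under a directory the reviewer expects. The directory allow-list and the second sample line are assumptions made for the illustration.

```python
import ntpath
import re

# The O20 line exactly as quoted in the post above.
PAGE_LINE = (r"O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,"
             r"C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll")

# Constructed line for contrast; these paths are invented for the example.
CONSTRUCTED_LINE = (r"O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll "
                    r"C:\DOCUME~1\user\LOCALS~1\Temp\x.dll helper.dll")

# Assumption: the reviewer knows which install directories are expected.
EXPECTED_DIRS = [r"C:\PROGRA~1\KASPER~1"]


def parse_o20(line):
    """Split a HijackThis O20 line into its DLL entries.

    AppInit_DLLs entries are separated by commas or spaces, which is why
    paths appear in 8.3 short form (PROGRA~1) in the log.
    """
    m = re.match(r"\s*O20\s*-\s*AppInit_DLLs:\s*(.*)$", line)
    if not m:
        return []
    return [p for p in re.split(r"[,\s]+", m.group(1).strip()) if p]


def is_under(path, base):
    """True if path lies inside base, compared case-insensitively and on
    whole path components, after collapsing any '..' segments."""
    p = ntpath.normcase(ntpath.normpath(path))
    b = ntpath.normcase(ntpath.normpath(base)).rstrip("\\")
    return p.startswith(b + "\\")


def review_appinit(line, expected_dirs):
    """Return [(dll, status)] for every entry on the O20 line."""
    findings = []
    for dll in parse_o20(line):
        if not ntpath.dirname(dll):
            status = "no-path"              # bare name, resolved by search order
        elif any(is_under(dll, d) for d in expected_dirs):
            status = "expected-location"
        else:
            status = "unexpected-location"
        findings.append((dll, status))
    return findings


if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        for dll, status in review_appinit(line, EXPECTED_DIRS):
            print(f"{status:20} {dll}")
```

A path in an expected directory only says where the file is, not whether its contents are intact; comparing the file against a known-good copy or the vendor's signature is a separate check.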

Shortly after my last post (made after allocating the unused space to C:\ and also running the script provided by Supernova to turn off autorun), my computer crashed. Screen just froze and wouldn't do anything, couldn't even reboot. Turning power off and then on didn't help.

Not at all surprising. This also confirms the presence of an infection. Though I must admit, whatever is on there has done a good job of masking its presence since it didn't show up in the HJT log. Let's go back to your HJT log for a minute....

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

Malware and viruses often use the AppInit_DLLs registry key to preload themselves into memory during Windows startup. The files shown above are legitimate Kaspersky startup files. However, if a virus or worm had attached itself to Kaspersky (effectively corrupting it in the process), disabling Autorun could have easily led to a system crash -- especially if the malicious code depended on it.

Brilliant, I think that is exactly what happened. Question now is whether or not the infection is still in there and likely to cause more problems. I have all the Kaspersky settings on maximum. While it is not identifying any infections, its detailed reports show the following that might be suspicious:

Under both start-up object scan and critical area scan:

“Object: C:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS

Result: Packed: PE_Patch”

Under Kaspersky File Anti-virus:

“Application: Generic Host Process for Win32 Services

Object: C:\WINDOWS\SYSTEM32\drivers\intelppm.sys

Result: Packed: PE_Patch”

In addition, under Kaspersky Application Control it showed "br_funcs" as being executed. Initially noted it as "Heuristically calculated threat rating" but put it in Low restricted (without any prompt to me) and subsequently allowed it to "access critical system objects", "use program interfaces of other processes" and "set debug privileges", following which Kaspersky assigned it to the trusted group (again no prompt to me) with "Reason: Listed in the database of known software"

I know that br_funcs is an application associated with the Lenovo rescue & recovery application, however, I think it should run only when that program is running? and there was no back-up scheduled or performed at this time.

I did a search for the br_funcs.exe file and found 2: one in the Lenovo R&R folder where I would expect it to be, unmodified since initial installation 2 years ago, but another one in the file C:\Windows\Prefetch created today.

Am I right in suspecting these two things (PE Patch and the br_funcs.exe in the Windows folder) are infections?

Link to comment
Share on other sites

Under both start-up object scan and critical area scan:

“Object: C:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS

Result: Packed: PE_Patch”

Under Kaspersky File Anti-virus:

“Application: Generic Host Process for Win32 Services

Object: C:\WINDOWS\SYSTEM32\drivers\intelppm.sys

Result: Packed: PE_Patch”

<snip>

Am I right in suspecting these two things (PE Patch and the br_funcs.exe in the Windows folder) are infections?

Both usbstor.sys and intelppm.sys are Windows system files. Packed: PE_Patch simply means the file has been packed using a "runtime packer". Although packers are sometimes used by malware writers to package their handiwork, having files flagged as PE_Patch or UPX doesn't mean it's a virus. There are many legitimate uses for runtime packers. If you have doubts, use the System File Checker to verify the integrity of system files.

Start menu >> Run, type: sfc /scannow, press OK to initiate scan.

I did a search for the br_funcs.exe file and found 2: one in the Lenovo R&R folder where I would expect it to be, unmodified since initial installation 2 years ago, but another one in the file C:\Windows\Prefetch created today.

C:\Windows\Prefetch stores trace files used by the Prefetcher. The contents of this folder are harmless.

Edited by Supernova
Link to comment
Share on other sites

OK thanks, that is very reassuring. I have really learned a lot from you!

Can't run the Sfc as it asks for the XP disk, which I don't have (came pre-installed). But from what you say there doesn't seem to be much reason to worry.

I assume that whatever infection there was, had attached somehow to something in Kaspersky and has been removed via the disabling of autorun and removal/reinstall of Kaspersky.

Link to comment
Share on other sites
