Solved

Sharing violation on NTUSER.DAT (LoadProfile)

Posted on 2006-11-07
Last Modified: 2008-01-09
Sharing violation on NTUSER.DAT (LoadProfile)      11/07/2006 09:32:45.439      thread:2364      [d:\xpsprtm\admin\wmi\wbem\providers\win32provider\common\userhive.cpp.640

The above message (multiple instances) occurred in my .Net Framework log this AM during the same time as some sort of 'weird' "restore" action was occurring, somehow related to ASPNET.  Overall, I believe this is possibly related to a hack I've been analyzing/attempting to block.  It was too late to determine the thread source by the time I discovered the log entry.

Anyone able to tell me what I might glean from the message beyond the obvious?  Any other logs etc I might peruse to tie things down more specifically?  

I'm not a .Net expert.  This message is new to me and I can't find any information about it.  And what is the "d:\......" indicative of?  It's not my CD ("D") drive (which currently isn't working due to another manifestation of the hack) but I've seen it in relation to some other messages that seem to be related to the problem I'm working on.

Please don't suggest scans etcetera.  Been there done that.  Essentially, since my own systems 'tools' etcetera are being used against me the scans aren't really finding anything.  There's a backdoor (somewhere) on my system that I've been unable to locate.

Thanks.  Note: My access to internet/mail is severely limited due to the problem but I WILL check back.

J
 
Question by:jrs_50
LVL 2

Accepted Solution

by:
smurteira earned 300 total points
ID: 17892680
Have you tried the User Profile Hive Cleanup service from Microsoft?

http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&DisplayLang=en

Might be worth a try.
LVL 4

Author Comment

by:jrs_50
ID: 17892908
I run with uphclean and have for weeks.

Does not, however, address this issue.  I'd still like to find out WHAT created the sharing violation.  It's a more distinct error than the previous sporadic occurrences of "Impersonation failed".  I'd like to tie it with the apparent access to virtually every system32 file that occurred at the same time.

Thanks for the info anyway.  I like uphclean.

J
LVL 7

Assisted Solution

by:dlangr
dlangr earned 200 total points
ID: 17893780
If you are hacked, forget about fixing the problems. Back up your data and then reinstall the system cause you are just never sure when it is really clean. Things might be left behind which you are not aware of.
LVL 4

Author Comment

by:jrs_50
ID: 17898005
It is not a matter of 'if' and I am well aware that a reinstall will be required.  However, the previous reinstall did not resolve the issue.  I have another day, or so, to attempt to narrow things down a bit and perhaps prevent reoccurrence before engaging in the lengthy process of rebuilding the system from scratch and associated other steps that apparently will need to be taken.  The message posted appears to bear some relation to the overall 'problem'.

I'm still hoping that someone more familiar with the .Net framework can provide further info regarding how I might better 'interpret' the message with regard to determining a 'cause'.  I have been unable to find any more specific information regarding the potential/likely cause of the 'error'.  I am also limited regarding the ability to stay on the internet for any prolonged periods and hoping someone who has more time might be able to find what I can't. Anyone?

Thanks,
J

LVL 4

Author Comment

by:jrs_50
ID: 18014619
I forgot I had this open.
