Solved

User Profiles Not Loading / NTUSER.DAT Files

Posted on 2008-06-13
1,088 Views
Last Modified: 2013-11-21
User profiles not loading. In trying to rename or delete NTUSER.DAT files to effectively reset a profile, I find that it is locked by SYSTEM. I have tried to unlock it using Unlocker, Killbox, and similar utilities; nothing will unlock the files. The only thing that resolves it is a reboot, and with 20-25 users, that is not practical to do in the middle of the work day. Users not being able to use their established profile affects a range of areas including mapped drives, added printers, Outlook configuration, and many other factors. This machine is NOT the DC.

Some background: a couple days ago, I found a virus on my Terminal Server (the one I'm referring to above) called Smitfraud.c. I've been trying to work through eliminating it following various instructions, but can't use Safe Mode as I too work remotely. Could this virus be related to the user profile issue?

Let me know what other history/information might be relevant to solving this.
Question by:redall
15 Comments
 

Author Comment

by:redall
ID: 21778299
A little more, the renaming/deleting of the NTUSER.DAT file is not the solution I'm looking for, it's the cause/solution of the user profiles locking up.  The renaming of the DAT file is simply a temporary fix (or has been in the past) for getting a user back up and running.
0
 
LVL 14

Assisted Solution

by:Craig Roberds
Craig Roberds earned 250 total points
ID: 21780108
The smitfraud is a nasty nasty trojan and I am sure that is causing your pain. I have been lucky to not have it on a server. Were you able to get it removed without having to use safe mode?

If it were me with 25 users, I would find a way to get them off and be 100% sure the virus is removed by having someone who is available onsite to get that off of there in safe mode.

If this is not possible, then you could rename or move all of the profiles somewhere (they have to log out), let them login, and then copy their My Documents and their settings inside the Application Folder and Local Settings folder over to their profile. You will still probably have to set some things up like Outlook. Then until you can get it fixed I would have them disconnect (click the X at the top) instead of logging off, and have their next login take over their old session. This is helpful if for some reason their profile is not loading every time they logoff and now you won't have to setup their Outlook and copy all of the files over again.
0
 

Author Comment

by:redall
ID: 21780200
Safe mode is a possibility over the phone, after hours, and being that it's Friday, may be the best time to do it. I have manually removed everything that shows up in the SmitFraudFix scan rapport.txt, including reg entries. The 2 evidential entries in the hosts file have returned after manually removing them (legal-at-spybot.info), so I set extremely limited permissions to the hosts file, mostly read and execute only, and I removed SYSTEM from having any access to it. I'll see what happens on the next reboot, but in the meantime, these profile issues are making me go grey then bald.
0
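The comment above describes hosts-file entries that keep coming back and a stopgap of tightening the file's ACL. The following PowerShell is an added example (not code from the thread or from SmitFraudFix) that a defender can use to audit the hosts file: it parses the file, reports every mapping that is not one of the default loopback lines, and lists which identities hold write rights on it. The hosts path is the standard one; the `$SampleHosts` content is constructed for demonstration and the `.invalid` host name is a placeholder, not an entry from the thread.

```powershell
# Added example: audit the Windows hosts file for unexpected mappings and
# report who can modify it. Run from an elevated PowerShell prompt.
# Assumption: hosts lives at the standard path below.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Mappings that are normal on a Windows host; anything else is reported.
$Expected = @{
    '127.0.0.1' = @('localhost')
    '::1'       = @('localhost')
}

function Get-UnexpectedHostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()      # strip trailing comments
        if (-not $text) { continue }                  # blank or comment-only line
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }          # no host names on this line
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $known = $Expected.ContainsKey($ip) -and ($Expected[$ip] -contains $name.ToLower())
            if (-not $known) {
                [pscustomobject]@{ Address = $ip; HostName = $name; Line = $line }
            }
        }
    }
}

function Get-HostsWriters {
    # Identities whose ACE grants any write-capable right on the hosts file.
    (Get-Acl -LiteralPath $HostsPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights
}

# Constructed sample content standing in for a tampered hosts file.
$SampleHosts = @'
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       security-vendor.invalid   # vendor site redirected to loopback
'@ -split "`r?`n"

'--- unexpected entries in the constructed sample ---'
Get-UnexpectedHostsEntries -Lines $SampleHosts | Format-Table -AutoSize

'--- unexpected entries in the live hosts file ---'
Get-UnexpectedHostsEntries -Lines (Get-Content -LiteralPath $HostsPath) | Format-Table -AutoSize

'--- identities that can write the live hosts file ---'
Get-HostsWriters | Format-Table -AutoSize
```

Running the audit on a schedule (or after each reboot) tells you whether the entries have returned, which is the signal that the malware is still active; the ACL change only raises the bar for the writer and is not a substitute for removing it, as the accepted answer in this thread also says.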
 
LVL 14

Assisted Solution

by:Craig Roberds
Craig Roberds earned 250 total points
ID: 21780245
Are the profiles not loading when they log in now? Are they not able to get in at all? Or do they get in but it creates a new profile like username.domain.000?
0
 

Author Comment

by:redall
ID: 21780415
Yes, they are able to log in, but are indeed given a temp profile and a message tells them that their profile cannot be loaded. I'm seeing entries in the registry also that I have never seen before...maybe I've never looked in HKU very closely before, but they start with PD_C_[username]. I've always seen those listed as SIDs only, NEVER seen a username in a registry entry like that.
0
 

Author Comment

by:redall
ID: 21780421
Make that :

PE_C_[username]
0
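The two comments above describe the symptoms a defender wants to enumerate rather than guess at: users landing in a temporary profile, an NTUSER.DAT that cannot be renamed because the hive is still loaded, and PE_C_ keys under HKEY_USERS. The PowerShell below is an added example (not code from the thread) that collects those indicators per profile. It assumes the standard ProfileList key, that it is run elevated on the affected server, and that an exclusive open on NTUSER.DAT failing with a sharing violation is an adequate stand-in for "locked by SYSTEM"; it reads only and changes nothing.

```powershell
# Added example: per-profile diagnostics for the symptoms in this thread.
# Assumption: standard ProfileList location; run from an elevated prompt.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-FileLocked {
    # True when the file exists but cannot be opened for exclusive access,
    # which is what a still-loaded user hive looks like from the file system.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true                      # sharing violation: hive is in use
    } catch [System.UnauthorizedAccessException] {
        return $false                     # ACL problem, not a lock; report separately
    }
}

function Get-ProfileDiagnostics {
    $entries = Get-ChildItem -Path $ProfileListKey
    $sids = $entries | ForEach-Object { $_.PSChildName }
    foreach ($entry in $entries) {
        $sid = $entry.PSChildName
        if ($sid -like '*.bak') { continue }   # surfaced as HasBakTwin on its parent
        $raw = (Get-ItemProperty -Path $entry.PSPath).ProfileImagePath
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Sid          = $sid
            ProfilePath  = $path
            HasBakTwin   = $sids -contains "$sid.bak"             # temp-profile symptom
            HiveLoaded   = Test-Path -LiteralPath "Registry::HKEY_USERS\$sid"
            NtuserLocked = Test-FileLocked (Join-Path $path 'NTUSER.DAT')
        }
    }
}

function Get-PeCKeys {
    # PE_C_<username> keys under HKU, as reported in this thread.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'PE_C_*' } |
        Select-Object -ExpandProperty Name
}

'--- profiles ---'
Get-ProfileDiagnostics | Format-Table -AutoSize
'--- PE_C_ keys under HKEY_USERS ---'
Get-PeCKeys
```

A profile whose SID has a `.bak` twin in ProfileList is the one Windows gave a temporary profile; a row with `HiveLoaded` true for a user who is logged off, together with `NtuserLocked` true, is the state the poster was hitting where nothing short of a reboot releases the file. Reading these values before deciding to rename anything avoids the failed rename in the first place.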
 
LVL 14

Assisted Solution

by:Craig Roberds
Craig Roberds earned 250 total points
ID: 21780628
I think those PE_C_ have to do with spybot, but not exactly sure.  I did a quick search and noticed this topic in the S & D forums.

I am wondering if Spybot S & D is what is causing your user problems, maybe uninstall it.
0
 
LVL 14

Accepted Solution

by:Craig Roberds
Craig Roberds earned 250 total points
ID: 21780644
Look here:  http://forums.spybot.info/archive/index.php/t-25740.html

Says you need to reboot to make them go away.
0
 

Author Comment

by:redall
ID: 21780658
I think I had also just found the exact same forum entry you're referring to :D .  I have indeed had spybot running all the while people are logging in and out today.  It just found Smitfraud stuff again in one user's PE_C reg entry, but I killed it.  Let's see what happens after reboot.
0
 

Author Comment

by:redall
ID: 21780814
So now I need to figure out a way to run in safe mode over an RDP connection to get rid of smitty ;)
0
 
LVL 14

Assisted Solution

by:Craig Roberds
Craig Roberds earned 250 total points
ID: 21780892
I have been able to use GoToMeeting in safe mode when you run safe mode with networking. If you don't have it you can get a 30 day trial by signing up. You just need a user there to get to the initial website and then you can take over. Better than walking a non-computer person through running dos and registry commands.
0
 

Author Comment

by:redall
ID: 21780905
Suppose I could VNC to the machine under those same circumstances.  Thanks for all your help.  Points coming.
0
 

Author Closing Comment

by:redall
ID: 31466912
For my first experience on EE, I'm fairly satisfied with the results, and the timeliness. For years I have seen EE at the top of google searches, always wished I could see the solution (oftentimes the only solution).
0
 
LVL 14

Expert Comment

by:Craig Roberds
ID: 21781288
Glad you got it working. Good luck with that smitfraud trojan. I have had a few run-ins with that on some workstations; it can be a bit of a pain.
0
 

Author Comment

by:redall
ID: 21877143
Well, unfortunately, this problem is not entirely resolved.  I still have user profile issues.  Today and earlier this week, I had two users whose passwords were expiring, and when they went to change them at login, they were stuck in a never ending "Loading profile" universe.  No Spybot running now.  Profile files are locked.  Can't even rename them or anything.  Unlocker does not work.
0
