Solved

User Profiles Not Loading / NTUSER.DAT Files

Posted on 2008-06-13
Last Modified: 2013-11-21
User profiles not loading. In trying to rename or delete NTUSER.DAT files to effectively reset a profile, I find that it is locked by SYSTEM. I have tried to unlock it using Unlocker, Killbox, and similar utilities; nothing will unlock the files. The only thing that resolves it is a reboot, and with 20-25 users, that is not practical to do in the middle of the work day. Users not being able to use their established profile affects a range of areas including mapped drives, added printers, Outlook configuration, and many other factors. This machine is NOT the DC.

Some background: A couple of days ago, I found a virus on my Terminal Server (the one I'm referring to above) called Smitfraud.c. I've been trying to work through eliminating it following various instructions, but can't use Safe Mode as I too work remotely. Could this virus be related to the user profile issue?

Let me know what other history/information might be relevant to solving this.
Question by:redall
15 Comments
 

Author Comment

by:redall
A little more: the renaming/deleting of the NTUSER.DAT file is not the solution I'm looking for; it's the cause/solution of the user profiles locking up. The renaming of the DAT file is simply a temporary fix (or has been in the past) for getting a user back up and running.
 
LVL 14

Assisted Solution

by:croberds
croberds earned 250 total points
Smitfraud is a nasty, nasty trojan and I am sure that is causing your pain. I have been lucky to not have it on a server. Were you able to get it removed without having to use safe mode?

If it were me with 25 users, I would find a way to get them off and be 100% sure the virus is removed by having someone who is available onsite to get that off of there in safe mode.

If this is not possible, then you could rename or move all of the profiles somewhere (they have to log out), let them log in, and then copy their My Documents and their settings inside the Application Folder and Local Settings folder over to their profile. You will still probably have to set some things up like Outlook. Then until you can get it fixed I would have them disconnect (click the X at the top) instead of logging off, and have their next login take over their old session. This is helpful if for some reason their profile is not loading every time they log off and now you won't have to set up their Outlook and copy all of the files over again.
 

Author Comment

by:redall
Safe mode is a possibility over the phone, after hours, and being that it's Friday, may be the best time to do it. I have manually removed everything that shows up in the SmitFraudFix scan rapport.txt, including reg entries. The 2 evidential entries in the hosts file have returned after manually removing them (legal-at-spybot.info), so I set extremely limited permissions to the hosts file, mostly read and execute only, and I removed SYSTEM from having any access to it. I'll see what happens on the next reboot, but in the meantime, these profile issues are making me go grey then bald.
 
LVL 14

Assisted Solution

by:croberds
croberds earned 250 total points
Are the profiles not loading when they log in now? Are they not able to get in at all? Or do they get in but it creates a new profile like username.domain.000?
 

Author Comment

by:redall
Yes, they are able to login, but are indeed given a temp profile and a message tells them that their profile cannot be loaded.  I'm seeing entries in the registry also that I have never seen before...maybe I've never looked in HKU very closely before, but they start with PD_C_[username].  I've always seen those listed as SIDs only, NEVER seen a username in a registry entry like that.  
 

Author Comment

by:redall
Make that:

PE_C_[username]
 
LVL 14

Assisted Solution

by:croberds
croberds earned 250 total points
I think those PE_C_ have to do with Spybot, but not exactly sure. I did a quick search and noticed this topic in the S & D forums.

I am wondering if Spybot S & D is what is causing your user problems, maybe uninstall it.

 
LVL 14

Accepted Solution

by:
croberds earned 250 total points
Look here:  http://forums.spybot.info/archive/index.php/t-25740.html

Says you need to reboot to make them go away.
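The PE_C_[username] keys discussed above are registry hives mounted under HKEY_USERS by something other than the logon process, and a mounted hive keeps its NTUSER.DAT open. As an added example that is not part of any post in this thread, the following PowerShell lists every hive under HKEY_USERS with the file backing it and flags names that are not SIDs; it assumes PowerShell 3.0 or later, and the function name `Get-LoadedUserHive` is hypothetical.

```powershell
# Added example: map every hive mounted under HKEY_USERS to the file backing it.
# Assumes PowerShell 3.0+ (needed for [pscustomobject]).
$hiveListKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

# Names used for hives mounted at logon: .DEFAULT, <SID>, <SID>_Classes.
$sidPattern = '^(\.DEFAULT|S-1-\d+(-\d+)+(_Classes)?)$'

function Get-LoadedUserHive {
    # hivelist value names are registry paths (\REGISTRY\USER\<name>);
    # the value data is the device path of the hive file on disk.
    $key = Get-Item -Path $hiveListKey
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -match '^\\REGISTRY\\USER\\(.+)$') {
            $hiveName = $Matches[1]
            [pscustomobject]@{
                HiveName = $hiveName
                IsSid    = [bool]($hiveName -match $sidPattern)
                File     = [string]$key.GetValue($valueName)
            }
        }
    }
}

$hives = @(Get-LoadedUserHive)
$hives | Sort-Object IsSid, HiveName | Format-Table -AutoSize

# A hive whose name is not a SID (for example PE_C_<username>) was mounted by a
# tool rather than by a user logon; its File column shows which NTUSER.DAT it holds.
foreach ($hive in ($hives | Where-Object { -not $_.IsSid })) {
    Write-Warning ("{0} is mounted from {1}" -f $hive.HiveName, $hive.File)
}
```

`reg unload HKU\<name>` is the built-in command for releasing a manually loaded hive; it fails while any process still has keys under that hive open.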
 

Author Comment

by:redall
I think I had also just found the exact same forum entry you're referring to :D . I have indeed had Spybot running all the while people are logging in and out today. It just found Smitfraud stuff again in one user's PE_C reg entry, but I killed it. Let's see what happens after reboot.
 

Author Comment

by:redall
So now I need to figure out a way to run in safe mode over an RDP connection to get rid of smitty ;)
 
LVL 14

Assisted Solution

by:croberds
croberds earned 250 total points
I have been able to use GoToMeeting in safe mode when you run safe mode with networking. If you don't have it you can get a 30 day trial by signing up. You just need a user there to get to the initial website and then you can take over. Better than walking a non-computer person through running DOS and registry commands.
 

Author Comment

by:redall
Suppose I could VNC to the machine under those same circumstances.  Thanks for all your help.  Points coming.
 

Author Closing Comment

by:redall
For my first experience on EE, I'm fairly satisfied with the results, and the timeliness. For years I have seen EE at the top of Google searches, always wished I could see the solution (oftentimes the only solution).
 
LVL 14

Expert Comment

by:croberds
Glad you got it working. Good luck with that smitfraud trojan. I have had a few run-ins with that on some workstations; it can be a bit of a pain.
 

Author Comment

by:redall
Well, unfortunately, this problem is not entirely resolved. I still have user profile issues. Today and earlier this week, I had two users whose passwords were expiring, and when they went to change them at login, they were stuck in a never-ending "Loading profile" universe. No Spybot running now. Profile files are locked. Can't even rename them or anything. Unlocker does not work.