redall

asked on

User Profiles Not Loading / NTUSER.DAT Files

User profiles not loading. In trying to rename or delete NTUSER.DAT files to effectively reset a profile, I find that it is locked by SYSTEM. I have tried to unlock it using Unlocker, Killbox, and similar utilities; nothing will unlock the files. The only thing that resolves it is a reboot, and with 20-25 users, that is not practical to do in the middle of the work day. Users not being able to use their established profile affects a range of areas including mapped drives, added printers, Outlook configuration, and many other factors. This machine is NOT the DC.

Some background: A couple of days ago, I found a virus on my Terminal Server (the one I'm referring to above) called Smitfraud.c. I've been trying to work through eliminating it following various instructions, but can't use Safe Mode as I too work remotely. Could this virus be related to the user profile issue?

Let me know what other history/information might be relevant to solving this.
redall

ASKER

A little more: the renaming/deleting of the NTUSER.DAT file is not the solution I'm looking for; it's the cause/solution of the user profiles locking up. The renaming of the DAT file is simply a temporary fix (or has been in the past) for getting a user back up and running.
SOLUTION
Craig Roberds
This solution is only available to members.
redall

ASKER

Safe mode is a possibility over the phone, after hours, and being that it's Friday, may be the best time to do it. I have manually removed everything that shows up in the SmitFraudFix scan rapport.txt, including reg entries. The 2 evidential entries in the hosts file have returned after manually removing them (legal-at-spybot.info), so I set extremely limited permissions to the hosts file, mostly read and execute only, and I removed SYSTEM from having any access to it. I'll see what happens on the next reboot, but in the meantime, these profile issues are making me go grey then bald.
SOLUTION
redall

ASKER

Yes, they are able to log in, but are indeed given a temp profile and a message tells them that their profile cannot be loaded. I'm seeing entries in the registry also that I have never seen before... maybe I've never looked in HKU very closely before, but they start with PD_C_[username]. I've always seen those listed as SIDs only, NEVER seen a username in a registry entry like that.
redall

ASKER

Make that:

PE_C_[username]
SOLUTION
ASKER CERTIFIED SOLUTION
redall

ASKER

I think I had also just found the exact same forum entry you're referring to :D. I have indeed had Spybot running all the while people are logging in and out today. It just found Smitfraud stuff again in one user's PE_C reg entry, but I killed it. Let's see what happens after reboot.
redall

ASKER

So now I need to figure out a way to run in safe mode over an RDP connection to get rid of smitty ;)
SOLUTION
redall

ASKER

Suppose I could VNC to the machine under those same circumstances.  Thanks for all your help.  Points coming.
redall

ASKER

For my first experience on EE, I'm fairly satisfied with the results, and the timeliness. For years I have seen EE at the top of Google searches, always wished I could see the solution (oftentimes the only solution).

Glad you got it working. Good luck with that smitfraud trojan. I have had a few run-ins with that on some workstations; it can be a bit of a pain.
redall

ASKER

Well, unfortunately, this problem is not entirely resolved. I still have user profile issues. Today and earlier this week, I had two users whose passwords were expiring, and when they went to change them at login, they were stuck in a never-ending "Loading profile" universe. No Spybot running now. Profile files are locked. Can't even rename them or anything. Unlocker does not work.