David627 asked:

Win 7 user profile login - possible virus

Have a Win 7 PC that won't log on to machine (not network logon).  Gets error "the user profile service service (yes repeated) failed the logon", 2nd line: "user profile cannot be loaded."

Last known config doesn't work
got in via safe mode and tried to copy profile to desktop to make sure the settings were saved and without warning deleted profile and not in trash
can't create new account - admin or other - to be able to delete the corrupt account
AV wasn't listed in programs list - thankfully had shortcut on desktop.  When ran in command line mode (in safe mode uses command line) after each test ran says "not tested" as if that test was stopped and not completed although did seem to run through each vs stop in seconds

The following makes me think it's a virus:
Windows Update turned off - this client doesn't know how to do it and even if someone in office knew how to they wouldn't or told me if they had problems with it
AV wasn't listed in programs - used existing desktop shortcut
IE wasn't listed in program list or in Add/Remove programs - needed to use command in the Start->run line
cannot find My docs - not even navigate through explorer


This is mission critical - this office needs to get contracts out of PC and it's the only one they have.

If I need to reinstall Win 7 then I would - not my first choice.  Would at minimum like to find and copy the stuff in my docs.


Thanks
David
SOLUTION
Nick Rhode
This solution is only available to members.
Try restoring the PC to an earlier time (from command prompt, rstrui.exe ).

If it doesn't work, you could try other solutions; but it's worth a try.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thomas Zucker-Scharff
Back up everything first (use an UBUNTU boot disk).  Then use chameleon by Malwarebytes. www.malwarebytes.org/products/chameleon. You will probs have to do this in safe mode. Check out this post: bit.ly/MBAM_cham - it's for a different problem but should work for you.

Since the system is down anyway, I would pop the drive out and plug it into an External Enclosure. I would then make sure the other PC I am using has its AntiVirus Updated as well as any Spyware Scanning Software (SuperAntiSpyware, Malware Bytes, etc).

I would then Connect the External Drive to the system and Immediately do a Full Drive Scan on it followed by a Full AntiSpyware scan on it.

Once these are done you should be able to copy the information to a jump drive for the user to use.

I would then follow this up by running a CHKDSK /r /f  on the drive to verify that it is not getting Bad Sectors and that it was fixable. If it still shows a lot of errors, you can get a new drive and Image it over to a new one.

I have seen several viruses creating Junctions to the Anti-Virus Directory of some PCs. You can check this by using the command prompt, traverse to the directory and do a dir. If any of the files/folders have been affected, they will usually show up with <Junction> or <SymLink>. This Link or Junction can be removed by Typing the following:

fsutil reparsepoint delete [name of file/folder affected]

This will remove the junction and set the file/folder back to normal.

If everything gets cleaned off (You can go in and delete Temporary Files and Internet Files) and is working well and the drive is good, you can then put it back in the machine and get them back up and running.

Let us know how it works out!

D-Tech
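
The junction check described in D-Tech's post above, written out as an added PowerShell example (not part of the original thread): it lists every junction or symlink under a folder with its target and creation time, and changes nothing. The `$Root` default and the function name `Get-ReparsePointReport` are assumptions for illustration.

```powershell
# Added example: read-only inventory of reparse points (junctions/symlinks).
# Run from an elevated prompt; fsutil needs administrative rights.
# $Root is an assumption: point it at the antivirus install directory.
param([string]$Root = 'C:\Program Files')

function Get-ReparsePointReport {   # hypothetical helper name
    param([string]$Path)

    $stack = New-Object System.Collections.Stack
    $stack.Push($Path)

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        $items = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if ($isReparse) {
                # Ask fsutil what the link is and where it points; keep only the
                # tag and target lines (label text assumed from fsutil's usual output).
                $raw = & fsutil reparsepoint query $item.FullName 2>&1
                $detail = $raw | Where-Object { $_ -match 'Tag value|Print Name:|Substitute Name:' }
                New-Object PSObject -Property @{
                    Path    = $item.FullName
                    Created = $item.CreationTime
                    Detail  = (($detail | ForEach-Object { "$_".Trim() }) -join '; ')
                }
            }
            elseif ($item.PSIsContainer) {
                # Descend only into real directories, never through a link,
                # so a junction loop cannot trap the walk.
                $stack.Push($item.FullName)
            }
        }
    }
}

# @( ) guarantees an array, so the count is 0 when nothing is found.
$report = @(Get-ReparsePointReport -Path $Root)
$report | Sort-Object Created | Format-List Path, Created, Detail
Write-Output ("{0} reparse point(s) under {1}" -f $report.Count, $Root)
```

Windows 7 ships its own compatibility junctions (for example `C:\Documents and Settings`, and `My Documents` inside each profile), so compare targets and creation times before running `fsutil reparsepoint delete` on anything listed.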
David627

ASKER

I needed to recreate a new profile - combinations of above worked - points to be awarded.  The prob is I cannot find my old contacts - they are not in Windows.old under that user - that contacts folder is blank.  The freakiest is that there are no files from early June on - like the past 4 months didn't happen.  I found the folders, etc that had the docs - some files are just gone.... that's the most perplexing.

Thoughts?

Thanks
David
Unless you took my advice and made a complete backup first, you may have a problem.  What program created the contacts? If you have exchange then no problem.  If you are using local Outlook that's another story.  The local .pst file is kept in the profile by default.

Found the outlook pst - still missing contacts - contacts folder is empty.  This is a local outlook file, not exchange.  

The biggest issue is the missing files for the last 3 months.  I found the my docs folder no prob just poof - gone... now have backup service so it won't happen again, however really need these files!!!!!!!!!!!

Is there somewhere else they may be if not in Windows.old?

Thanks
David

Oy, you might be in for a bit of pain without that backup.
perhaps http://support.microsoft.com/kb/932912

though I prefer to do it myself, and rarely use the automated "fix it for me" tools.  Win7 should follow the same convention as Vista, user information under users.  Good luck.

http://www.pstfilehelp.com/download.php try the scanpst.exe file referenced above.

If you need to get your files back, I would probably use something like Recuva to help:

http://recuva.soft32.com/free-download/?lp=adwords&tg=us&kw=Recouva&mt=p&ad=27539414478&pl=&ds=s&gclid=CKjCtMLwmLoCFc-Y4AodGRsAdA

This can allow you to scan your drive and attempt to recover files that were deleted. It would be best, if possible, to save these files to an external source so you don't damage any of the locations that the files are currently in. Usually I'd try to use an outside in way to get files back so I'm not using the live disk, but I don't know what you have access to.

Thanks,
D-Tech

I agree that recuva is an excellent tool - I use it quite a bit myself.  But be forewarned that first you should be using it from a thumbdrive or usb drive so as not to overwrite files by trying to install.  Also recuva will tend to find everything that has been deleted which means on a large drive you will have literally thousands of files to sift through.  Look at the settings carefully before launching it, I believe you can set it to look for only certain types of files.

tzucker, CSD-Tech and tsaico - thanks - all noted... will be remoting in for some of this and going to location for others.  Will keep you posted

David

Thanks for the update.