Win 7 user profile login - possible virus

Have a Win 7 PC that won't logon to machine (not network logon).  Gets error "the user profile service service (yes repeated) failed the logon"; 2nd line: "user profile cannot be loaded".

Last known config doesn't work
got in via safe mode and tried to copy profile to desktop to make sure the settings were saved and without warning deleted profile and not in trash
can't create new account - admin or other - to be able to delete the corrupt account
AV wasn't listed in programs list - thankfully had shortcut on desktop.  When ran in command line mode (in safe mode uses command line) after each test ran says "not tested" as if that test was stopped and not completed although did seem to run through each vs stop in seconds

The following makes me think it's a virus:
Windows Update turned off - this client doesn't know how to do it and even if someone in office knew how to they wouldn't or told me if they had problems with it
AV wasn't listed in programs - used existing desktop shortcut
IE wasn't listed in program list or in Add/Remove programs - needed to use command in the Start->run line
cannot find My docs - not even navigate through explorer


This is mission critical - this office needs to get contracts out of PC and it's the only one they have.

If I need to reinstall Win 7 then I would - not my first choice.  Would minimum like to find and copy the stuff in my docs.


Thanks
David
David627 Asked:
 
tsaico Commented:
It also could be something like a corrupt user profile.
http://support.microsoft.com/kb/947215

I had come across this one time when a user tried to install some additional random AV and after reboot, started getting this.

Method 1 fixed it for me.

Though as a side note, Malware/virus activity can also cause corrupted profiles.  So watch out, even if you can still boot in.  I would still just make a new profile and migrate out of the original.
0
 
Nick Rhode (IT Director) Commented:
For virus removal I do the following (don't forget to like if it resolves your issue)

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/A_12285-Virus-Removal-Methods.html
0
 
aadih Commented:
Try restoring the PC to an earlier time (from command prompt, rstrui.exe ).

If it doesn't work, you could try other solutions; but it's worth a try.
0
 
Thomas Zucker-Scharff (Systems Analyst) Commented:
Backup everything first (use an UBUNTU boot disk).  Then use chameleon by Malwarebytes. Www.malwarebytes.org/products/chameleon. You will probs have to do this in safe mode. Check out this post: bit.ly/MBAM_cham - it's for a different problem but should work for you.
0
 
CSD-Tech (Computer Technician) Commented:
Since the system is down anyway, I would pop the drive out and plug it into an External Enclosure. I would then make sure the other PC I am using has its AntiVirus Updated as well as any Spyware Scanning Software (SuperAntiSpyware, Malware Bytes, etc).

I would then Connect the External Drive to the system and Immediately do a Full Drive Scan on it followed by a Full AntiSpyware scan on it.

Once these are done you should be able to copy the information to a jump drive for the user to use.

I would then follow this up by running a CHKDSK /r /f  on the drive to verify that it is not getting Bad Sectors and that it was fixable. If it still shows a lot of errors, you can get a new drive and Image it over to a new one.

I have seen several viruses creating Junctions to the Anti-Virus Directory of some PCs. You can check this by using the command prompt, traverse to the directory and do a dir. If any of the files/folders have been affected, they will usually show up with <Junction> or <SymLink>. This Link or Junction can be removed by typing the following:

fsutil reparsepoint delete [name of file/folder affected]

This will remove the junction and set the file/folder back to normal.

If everything gets cleaned off (You can go in and delete Temporary Files and Internet Files) and is working well and the drive is good, you can then put it back in the machine and get them back up and running.

Let us know how it works out!

D-Tech
0
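The junction check described in the post above, as an added example that is not part of CSD-Tech's post: it lists every reparse point under a folder with its type and target, without walking through the links themselves. It assumes Windows PowerShell 5.1 or later on the clean PC and the suspect drive mounted as `E:`; the function name `Find-ReparsePoint` and the default path are hypothetical.

```powershell
# Added example: list reparse points (junctions, symlinks) under a folder
# without following them. $Root is an assumed path: the suspect drive
# attached to a clean PC as E:.
param(
    [string]$Root = 'E:\Program Files'
)

function Find-ReparsePoint {
    param([Parameter(Mandatory)][string]$Path)

    # Explicit stack instead of -Recurse so a link is reported but never entered
    $stack = New-Object System.Collections.Stack
    $stack.Push($Path)
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        # -Force includes hidden and system items; unreadable folders are skipped
        $items = Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $isLink = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
            if ($isLink) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    LinkType = $item.LinkType            # Junction, SymbolicLink, or empty for other tags
                    Target   = ($item.Target -join '; ') # where the link redirects to
                    Created  = $item.CreationTime
                }
            }
            elseif ($item.PSIsContainer) {
                # Only descend into real directories
                $stack.Push($item.FullName)
            }
        }
    }
}

# Oldest first, so links created around the time the problems started stand out
Find-ReparsePoint -Path $Root | Sort-Object Created | Format-Table -AutoSize -Wrap
```

A stock Windows 7 install has its own compatibility junctions (for example `C:\Documents and Settings`), so review each Target before running `fsutil reparsepoint delete` on it.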
 
David627 (Author) Commented:
I needed to recreate a new profile - combinations of above worked - points to be awarded.  The prob is I cannot find my old contacts - they are not in Windows.old under that user - that contacts folder is blank.  The freakiest is that there are no files from early June on - like the past 4 months didn't happen.  I found the folders, etc that had the docs - some files are just gone.... that's the most perplexing.

Thoughts?

Thanks
David
0
 
Thomas Zucker-Scharff (Systems Analyst) Commented:
Unless you took my advice and made a complete backup first, you may have a problem.  What program created the contacts? If you have exchange then no problem.  If you are using local Outlook that's another story.  The local .pst file is kept in the profile by default.
0
 
David627 (Author) Commented:
Found the outlook pst - still missing contacts - contacts folder is empty.  This is a local outlook file, not exchange.  

The biggest issue is the missing files for the last 3 months.  I found the my docs folder no prob just poof - gone... now have backup service so it won't happen again, however really need these files!!!!!!!!!!!

Is there somewhere else they may be if not in Windows.old?

Thanks
David
0
 
tsaico Commented:
Oy, you might be in for a bit of pain without that backup.
perhaps http://support.microsoft.com/kb/932912

though I prefer to do it myself, and rarely use the automated "fix it for me" tools.  Win7 should follow the same convention as Vista, user information under users.  Good luck.
0
 
Thomas Zucker-Scharff (Systems Analyst) Commented:
http://www.pstfilehelp.com/download.php try the scanpst.exe file referenced above.
0
 
CSD-Tech (Computer Technician) Commented:
If you need to get your files back, I would probably use something like Recuva to help:

http://recuva.soft32.com/free-download/?lp=adwords&tg=us&kw=Recouva&mt=p&ad=27539414478&pl=&ds=s&gclid=CKjCtMLwmLoCFc-Y4AodGRsAdA

This can allow you to scan your drive and attempt to recover files that were deleted. It would be best, if possible, to save these files to an external source so you don't damage any of the locations that the files are currently in. Usually I'd try to use an outside in way to get files back so I'm not using the live disk, but I don't know what you have access to.

Thanks,
D-Tech
0
 
Thomas Zucker-Scharff (Systems Analyst) Commented:
I agree that recuva is an excellent tool - I use it quite a bit myself.  But be forewarned that first you should be using it from a thumbdrive or usb drive so as not to overwrite files by trying to install.  Also recuva will tend to find everything that has been deleted which means on a large drive you will have literally thousands of files to sift through.  Look at the settings carefully before launching it, I believe you can set it to look for only certain types of files.
0
 
David627 (Author) Commented:
tzucker, CSD-Tech and tsaico - thanks - all noted... will be remoting in for some of this and going to location for others.  Will keep you posted

David
0
 
Thomas Zucker-Scharff (Systems Analyst) Commented:
Thanks for the update.
0
Question has a verified solution.