Thanks for your attention. Do you think it is caused by a virus?
Yes, I haven't installed any antivirus program yet. It's a new workstation and not much software will be installed on it except one special-purpose system. So we don't plan on an antivirus program.
I can't find the files NTUSER.DAT/NTUSER.DAT.LOG/ntuser.ini on the local machine, only the '~' file. When and where should the OS load them, or has some normal Startup file just been hooked with them?
I think they are there because no antivirus is installed, please do install something ASAP.
If a PC connects to the internet or another PC, it needs an antivirus program.
Have HijackThis fix these if they are still there:
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: ~
O4 - Global Startup: NTUSER.DAT
O4 - Global Startup: NTUSER.DAT.LOG
Then restart the PC.
Do not attempt to manually delete those files.
To be honest I'm unsure what they are; not a good sign though.
Thanks for your advice.
You're quite right it's not a good sign.
HJT can't delete it, but only shows the information below:
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O4 - Startup: NTUSER.DAT)
Error #76 - 未找到路径 // path not found, remark added by me
Please email me at , reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.97.2
This message has been copied to your clipboard.
Unable to delete the file
04 - Startup: NTUSER.DAT
The file may be in use. Use Task Manager to shutdown the program and run Hijackthis again to delete the file.
None of them can be fixed!
It's my mistake: the machine had an antivirus installed at the time Windows was set up. But it doesn't work now; maybe an attacker damaged it. I suspect something infected this machine when all the descriptions of the log files' events became invisible. I found a strange SID in the past few days. So I figure maybe a cracker succeeded in logging in to this machine. Now I am only interested in what he/she did to the log files and how I can read them again. Just like a game!
Well, if the antivirus won't work, reinstall it, or another program altogether, ASAP.
Open Explorer and navigate to this folder:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
and remove the .dat and .log files. Then check
C:\Documents and Settings\your name/account\Start Menu\Programs\Startup
and remove them if they are there:
NTUSER.DAT, NTUSER.DAT.LOG, ntuser.ini, and ~
You will need to set Windows to show hidden extensions, files, and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
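A check that goes with the Startup-folder steps above, added here as an example and not code from anyone in this thread: a Python script that audits a Startup folder and flags entries that should never live there (the registry hive names from the O4 lines, hidden/system files other than the normal desktop.ini, and anything that is not a .lnk shortcut). The XP paths with the <account> placeholder are assumptions, and build_sample_dir() constructs a sample folder so the check can be tried offline.

```python
import os, stat, tempfile

# Registry hive / profile files that belong in a profile root, never in a
# Startup folder (the four names reported as O4 entries in this thread).
HIVE_NAMES = {"ntuser.dat", "ntuser.dat.log", "ntuser.ini", "~"}
# desktop.ini is a legitimate hidden+system file in every Startup folder.
EXPECTED_HIDDEN = {"desktop.ini"}
# Assumed Windows XP locations; replace <account> with the profile name.
XP_STARTUP_DIRS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"C:\Documents and Settings\<account>\Start Menu\Programs\Startup",
]


def _hidden_or_system(entry):
    """st_file_attributes exists only on Windows; elsewhere report False."""
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def audit_startup_dir(path):
    """Return {name: [reasons]} for entries that do not belong in Startup."""
    findings = {}
    if not os.path.isdir(path):
        return findings
    for entry in os.scandir(path):
        name, reasons = entry.name.lower(), []
        if name in HIVE_NAMES:
            reasons.append("registry hive/profile file placed in Startup")
        elif entry.is_dir(follow_symlinks=False):
            reasons.append("subdirectory in Startup")
        elif not name.endswith(".lnk") and name not in EXPECTED_HIDDEN:
            reasons.append("not a .lnk shortcut")
        if _hidden_or_system(entry) and name not in EXPECTED_HIDDEN:
            reasons.append("hidden/system attribute set")
        if reasons:
            findings[entry.name] = reasons
    return findings


def build_sample_dir():
    """Constructed sample folder mirroring the thread's O4 entries, for testing."""
    d = tempfile.mkdtemp()
    for n in ("NTUSER.DAT", "NTUSER.DAT.LOG", "ntuser.ini", "~",
              "desktop.ini", "Tool.lnk", "evil.exe"):
        open(os.path.join(d, n), "w").close()
    os.mkdir(os.path.join(d, "sub"))
    return d
```

On the affected machine, call audit_startup_dir() on each path in XP_STARTUP_DIRS; entries flagged as hive files or as hidden/system are the ones worth preserving (copying out, not just deleting) before any cleanup, since they are evidence of how the Startup folder was tampered with.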
I found those files in the system and in that location in every user's directory. Maybe they are profiles of NT DOMAIN USERs? I'm not sure, because this machine is only part of a workgroup. I checked this in the 'Computer Name' tab of the 'System' applet and believe it never joined an NT DOMAIN by self-determination. The LAN situation is that there are NT SERVERS providing SQL database service. But the servers are managed by the IT department, and I have no information about this system being accredited by an NT DOMAIN, even though I asked the IT department about this.
I find many login failures in the security event log, but no description is visible; instead it shows something meaning 'the object without attribute'. Maybe the event description is defined on another machine?