ntuser.pol


4 replies to this topic

#1 kelloggfan

Posted 07 March 2016 - 10:03 AM

We have a number of laptops throughout the organization that, when scanned with ComboFix, show C:\Programdata\ntuser.pol and C:\Programdata\Roaming under DELETED Files/Folders. There is no indication of malware or virus - no name or type. After looking through the log file, I have yet to pinpoint what the issue is. Could it be a rogue policy being pushed by the server that causes this?

On most of the machines, it tags the ntuser.pol.vir and quarantines it as well as the Roaming folder, which is empty.

Any insight would be appreciated.

Edited by Queen-Evie, 07 March 2016 - 10:17 AM.
moved from Windows 7 to the appropriate forum




#2 Aura

Malware Response Team

Posted 07 March 2016 - 11:55 AM

Hi kelloggfan :)

ComboFix is a very powerful reporting and scripting tool that was developed by sUBs, used by members of the malware removal team here on BleepingComputer (and also on other forums). This tool can easily break a Windows installation if poorly and/or wrongly used. It can make the whole system unbootable and also delete everything present on your drives (leaving you with close to no chance of recovery) or damage your Windows installation so badly that you would be forced to reinstall it. Therefore, you should not be using ComboFix unless you are in one of the two situations listed below:
  • You have been trained in an online malware removal forum to use ComboFix;
  • You are using it under the supervision and instructions of a trained malware removal professional on BleepingComputer or another recognized malware removal forum (UNITE forums for example);
If you already ran ComboFix on your system and need assistance with the log, you will have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section of BleepingComputer, where a trained helper will assist you.

If you have any questions or concerns about ComboFix, quietman7 wrote a FAQ on it and you'll find all your answers in it.

ComboFix usage, Questions, Help? - Look here

Also be aware that BleepingComputer doesn't provide any advice on how to use ComboFix on your own, due to the nature of the tool and how dangerous it can be when used without supervision or proper training.

In my opinion, the ntuser.pol file isn't something you find often on home user computers. If you do, it's because policies are set, and since this is rare, ComboFix might consider it malicious and decide to quarantine the file to remediate this situation. ComboFix isn't meant to be used in a company environment, even less by non-trained users, so it's understandable.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
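The thread never shows what a quarantined ntuser.pol actually contains. As an added example (not code from the thread or from ComboFix), here is a small Python parser for the Registry.pol layout that ntuser.pol uses: a "PReg" header and version, then records of the form [key;value;type;size;data] written in UTF-16LE. An administrator can run it over the quarantined copy to list the policy settings it carries and compare them with what the domain is meant to push. The sample bytes are constructed here; the two registry paths in them are ordinary user-policy locations picked for illustration.

```python
import struct
PREG_MAGIC = b"PReg"
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def _u16(s): return s.encode("utf-16-le")

def _expect(data, pos, token):  # consume one UTF-16LE delimiter ('[', ';' or ']') or fail
    if data[pos:pos + 2] != _u16(token):
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + 2

def _field(data, pos):  # NUL-terminated UTF-16LE string followed by ';' -> (text, next offset)
    end = pos
    while len(data) - end >= 2 and data[end:end + 2] != b"\x00\x00":
        end += 2
    if len(data) - end < 2:
        raise ValueError(f"unterminated string at offset {pos}")
    return data[pos:end].decode("utf-16-le"), _expect(data, end + 2, ";")

def _dword(data, pos):  # little-endian DWORD followed by ';' -> (value, next offset)
    return struct.unpack("<I", data[pos:pos + 4])[0], _expect(data, pos + 4, ";")

def _decode(reg_type, raw):  # REG_DWORD as int, REG_SZ family as text, anything else as hex
    if reg_type == 4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    return raw.decode("utf-16-le").rstrip("\x00") if reg_type in (1, 2, 7) else raw.hex()

def parse_registry_pol(data):  # -> (version, [(key, value_name, type_name, data), ...])
    if data[:4] != PREG_MAGIC:
        raise ValueError("missing PReg signature: not a Registry.pol/ntuser.pol file")
    version, pos, entries = struct.unpack("<I", data[4:8])[0], 8, []
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _field(data, pos)
        value, pos = _field(data, pos)
        reg_type, pos = _dword(data, pos)
        size, pos = _dword(data, pos)
        raw, pos = data[pos:pos + size], pos + size
        pos = _expect(data, pos, "]")
        entries.append((key, value, REG_TYPES.get(reg_type, hex(reg_type)), _decode(reg_type, raw)))
    return version, entries

def _entry(key, value, reg_type, raw):  # encode one record in the on-disk layout (builds the constructed sample)
    return (_u16("[") + _u16(key) + b"\x00\x00" + _u16(";") + _u16(value) + b"\x00\x00" + _u16(";")
            + struct.pack("<I", reg_type) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";") + raw + _u16("]"))

# Constructed sample: two ordinary user-policy settings of the kind a real ntuser.pol carries.
SAMPLE_POL = (PREG_MAGIC + struct.pack("<I", 1)
              + _entry(r"Software\Policies\Microsoft\Windows\Control Panel\Desktop", "ScreenSaveActive", 1, _u16("1\x00"))
              + _entry(r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun", 4, struct.pack("<I", 0xFF)))
```

To inspect a real quarantined copy, read the file in binary mode and pass its bytes to parse_registry_pol; a ValueError means the file does not follow the policy layout at all.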


#3 kelloggfan


Posted 07 March 2016 - 12:10 PM

I have used Combofix for years and have never run into any problems.  It has always been the "GO TO" software when all others fail.  I've been in the IT field for 20 years...Combofix works in a network environment as well and I have NEVER run into any issues that you are talking about.  Thanks for the input.


Edited by kelloggfan, 07 March 2016 - 12:11 PM.


#4 Aura

Malware Response Team

Posted 07 March 2016 - 12:15 PM

Even if it works, it doesn't mean that it's either supported or 100% compatible. That is why we do not suggest using it in that type of environment, or on your own.

And no problem, you're welcome!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 quietman7

Global Moderator

Posted 07 March 2016 - 02:30 PM

I will add that since ComboFix does not support Windows 10 and most likely never will, it no longer is the tool of choice by our experts. Instead, it essentially has been replaced with FRST.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

