How did you finally get rid of it? ----- Original Message ----- From: Ray To: NT System Admin Issues Sent: Thursday, September 24, 2009 12:31 PM Subject: RE: Roaming profiles???
Ours didn't even clean it for days. The online scanner detected it but didn't clean it. The Full Scan didn't even detect it. It never stopped the spread. When we finally knocked it down, it came back a few weeks later (I'll assume a variant). From: David W. McSpadden [mailto:dav...@imcu.com] Sent: Thursday, September 24, 2009 9:18 AM To: NT System Admin Issues Subject: Re: Roaming profiles??? Not really. ----- Original Message ----- From: Ray To: NT System Admin Issues Sent: Thursday, September 24, 2009 12:14 PM Subject: RE: Roaming profiles??? Your AV is doing better than ours did. From: David W. McSpadden [mailto:dav...@imcu.com] Sent: Thursday, September 24, 2009 7:41 AM To: NT System Admin Issues Subject: Re: Roaming profiles??? app data is always where it is finding the iloma and clamp but it is 'cleaning' them.... Once I get into the machine I find 0 files in the app data folder.. ----- Original Message ----- From: Ray To: NT System Admin Issues Sent: Thursday, September 24, 2009 10:35 AM Subject: RE: Roaming profiles??? Run Malwarebytes on your machines. This was how a major virus outbreak started on our network, and we're still not completely done with it. ILOMA,B and I think Clamp. McAfee started finding it as a "Buffer Overflow" but woudn't fix it. We spend days trying to get them to get us a DAT that would find it. Still not 100% sure they can stop it from spreading. PSEXEC is supposedly how it spreads. You'll probably find several .exe's in the documents & settings/usename/application data . From: David W. McSpadden [mailto:dav...@imcu.com] Sent: Thursday, September 24, 2009 6:48 AM To: NT System Admin Issues Subject: Re: Roaming profiles??? These are local local on the user profile page. They are showing up as if they logged into my machine. ----- Original Message ----- From: Richard Stovall To: NT System Admin Issues Sent: Tuesday, September 22, 2009 3:14 PM Subject: RE: Roaming profiles??? Just out of curiosity, are the affected machines the same ones on which you see the PsExec log entries? From: David W. McSpadden [mailto:dav...@imcu.com] Sent: Tuesday, September 22, 2009 2:52 PM To: NT System Admin Issues Subject: Re: Roaming profiles??? domain user accounts. just pass/fail on user accounts. None of them signed on to the network or my machine at the time 'their' profile was updated on my pc today. The best they could come up with was they might have had their screensaver up and it is password enforced... ----- Original Message ----- From: Richard Stovall To: NT System Admin Issues Sent: Tuesday, September 22, 2009 2:48 PM Subject: RE: Roaming profiles??? Are these profile directories of domain user accounts or local accounts? Are you auditing account logon events and logon events in the appropriate places? From: David W. McSpadden [mailto:dav...@imcu.com] Sent: Tuesday, September 22, 2009 2:41 PM To: NT System Admin Issues Subject: Re: Roaming profiles??? These are Windows 2000 Server, Windows 2003 Server, and Windows XP Pro machines. It is not domain wide yet but I see almost all 10 on most all machines. Even machines that haven't rebooted in months.... So I am confused. ----- Original Message ----- From: Andrew S. Baker To: NT System Admin Issues Sent: Tuesday, September 22, 2009 2:36 PM Subject: Re: Roaming profiles??? What kinds of servers are these? Are these users using Citrix or Remote Desktop to access these servers? Are there any scheduled jobs running under these user accounts? -ASB: http://xeesm.com/AndrewBaker Providing Competitive Advantage through Effective IT Leadership On Tue, Sep 22, 2009 at 2:12 PM, David W. McSpadden <dav...@imcu.com> wrote: I have like 10 user accounts I am seeing in Documents and settings on like 4 machines now. That would make sense if they logged into these 4 machines but they are physically not here. So, are they some weird form of roaming profiles or what? How do I check them out to see?? No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.409 / Virus Database: 270.13.112/2391 - Release Date: 09/23/09 18:00:00 No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.409 / Virus Database: 270.13.112/2391 - Release Date: 09/23/09 18:00:00 No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.409 / Virus Database: 270.13.112/2391 - Release Date: 09/24/09 05:52:00 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
