That's where I am heading. We have a touch of CLAMPI.V and ILOMO running around but it keeps getting 'Cleaned' by Trend, and Spybot and MalwareBytes don't see anything afterwards.

----- Original Message -----
From: [email protected]
To: NT System Admin Issues
Sent: Tuesday, September 22, 2009 2:49 PM
Subject: Re: Roaming profiles???

Well, I hate to say it, but you're right to be concerned...

I don't remember the details, but a few months ago we got hit by a mail bomb. The "From:" was a real domain user / Lotus Notes account. However, the "To:" field was also to just one specific user (also a real Notes account). We all got it. It had a nasty attachment...

Despite my warnings, it got clicked a couple of times (so said my anti-malware console). My anti-malware (SB's VIPRE) detected it in the local profile settings of a number of users (really, only about 4-5). These were folks I really thought knew better than to click such things. Checking the schedules and other records, none of these users were present when the attachment got clicked.

The bomb was placing its payload in a random user profile. Nasty!
--
Richard D. McClary
Systems Administrator, Information Technology Group
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL 61802
[email protected]
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org

"David W. McSpadden" <[email protected]> wrote on 09/22/2009 01:42:42 PM:

> If a pc is infected could it create a Windows Profile on other machines??
> I am seeing like 10 profiles created on random workstations and
> servers throughout my network.
> These machines scan clean but I have a user profile on a machine
> where he has never logged into it?
> This concerns me.
> ----- Original Message -----
> From: Andrew S. Baker
> To: NT System Admin Issues
> Sent: Tuesday, September 22, 2009 2:36 PM
> Subject: Re: Roaming profiles???
>
> What kinds of servers are these?
>
> Are these users using Citrix or Remote Desktop to access these servers?
>
> Are there any scheduled jobs running under these user accounts?
>
> -ASB: http://xeesm.com/AndrewBaker
> Providing Competitive Advantage through Effective IT Leadership
>
> On Tue, Sep 22, 2009 at 2:12 PM, David W. McSpadden <[email protected]> wrote:
> I have like 10 user accounts I am seeing in Documents and settings
> on like 4 machines now.
> That would make sense if they logged into these 4 machines but they
> are physically not here.
> So, are they some weird form of roaming profiles or what?
> How do I check them out to see??
