Run Malwarebytes on your machines. This was how a major virus outbreak started on our network, and we're still not completely done with it. ILOMA,B and I think Clamp. McAfee started finding it as a "Buffer Overflow" but woudn't fix it. We spend days trying to get them to get us a DAT that would find it. Still not 100% sure they can stop it from spreading.
PSEXEC is supposedly how it spreads. You'll probably find several .exe's in the documents & settings/usename/application data . From: David W. McSpadden [mailto:[email protected]] Sent: Thursday, September 24, 2009 6:48 AM To: NT System Admin Issues Subject: Re: Roaming profiles??? These are local local on the user profile page. They are showing up as if they logged into my machine. ----- Original Message ----- From: Richard Stovall <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Tuesday, September 22, 2009 3:14 PM Subject: RE: Roaming profiles??? Just out of curiosity, are the affected machines the same ones on which you see the PsExec log entries? From: David W. McSpadden [mailto:[email protected]] Sent: Tuesday, September 22, 2009 2:52 PM To: NT System Admin Issues Subject: Re: Roaming profiles??? domain user accounts. just pass/fail on user accounts. None of them signed on to the network or my machine at the time 'their' profile was updated on my pc today. The best they could come up with was they might have had their screensaver up and it is password enforced... ----- Original Message ----- From: Richard Stovall <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Tuesday, September 22, 2009 2:48 PM Subject: RE: Roaming profiles??? Are these profile directories of domain user accounts or local accounts? Are you auditing account logon events and logon events in the appropriate places? From: David W. McSpadden [mailto:[email protected]] Sent: Tuesday, September 22, 2009 2:41 PM To: NT System Admin Issues Subject: Re: Roaming profiles??? These are Windows 2000 Server, Windows 2003 Server, and Windows XP Pro machines. It is not domain wide yet but I see almost all 10 on most all machines. Even machines that haven't rebooted in months.... So I am confused. ----- Original Message ----- From: Andrew S. Baker <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Tuesday, September 22, 2009 2:36 PM Subject: Re: Roaming profiles??? What kinds of servers are these? Are these users using Citrix or Remote Desktop to access these servers? Are there any scheduled jobs running under these user accounts? -ASB: http://xeesm.com/AndrewBaker Providing Competitive Advantage through Effective IT Leadership On Tue, Sep 22, 2009 at 2:12 PM, David W. McSpadden <[email protected]> wrote: I have like 10 user accounts I am seeing in Documents and settings on like 4 machines now. That would make sense if they logged into these 4 machines but they are physically not here. So, are they some weird form of roaming profiles or what? How do I check them out to see?? No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.5.409 / Virus Database: 270.13.112/2391 - Release Date: 09/23/09 18:00:00 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
