Well, everyone who responded, thanks for your assistance. Considering what
was going on with svchost trying to write to index.dat, it stunk of some
kind of malware....so I decided to run MalwareBytes myself.....

Rule #1 - end users LIE! End of discussion (even if they are engineers whom
you would otherwise trust implicitly)
Rule #2 - in case you decide to believe an end user when they tell you that
they ran a complete scan of their system with the tools you recommended, see
rule #1

VIPRE Rescue had NOT been run by the end user (though I ran it myself and it
did not find anything other than Cain, which is legit for this end user.)

MalwareBytes had been run by the end user, however the database was *more
than 140 days out of date*........so, I updated the database, ran a complete
scan, and found Trojan-Agent.gen in a couple of dll files, which you guessed
it....removing that threat solved my problem.

HEAD --> DESK
HEAD --> DESK
HEAD --> DESK
HEAD --> DESK

*sigh*

Jonathan


On Tue, May 10, 2011 at 1:13 PM, Jonathan <[email protected]> wrote:

> Thanks Joe,
>
> all 42 lines have this for the command line:
>
> c:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
>
> The very first one has a result of PATH NOT FOUND for path
> %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\Index.dat
>
> I'm at a loss.
>
> Jonathan
>
> On Tue, May 10, 2011 at 12:49 PM, Joe Tinney <[email protected]> wrote:
>
>> In ProcMon, view the Properties of the process and flip to the Process
>> tab. There is a command line field that shows the full command used to start
>> SVCHOST. You may be able to discern which service SVCHOST was acting on
>> behalf of to do that work just by looking.
>>
>>
>>
>> A quick PowerShell line can help you find the service(s) that use(s) that
>> command to launch if you need it:
>>
>>
>>
>> gwmi win32_service | fl Name,PathName
>>
>>
>>
>> Good luck,
>>
>> Joe
>>
>>
>>
>> *From:* Jonathan [mailto:[email protected]]
>> *Sent:* Tuesday, May 10, 2011 12:24 PM
>>
>> *To:* NT System Admin Issues
>> *Subject:* Re: Win 7 IE Temp Environment variable woes "Outlook cannot
>> create the work file"
>>
>>
>>
>> Clearing out all temp files and folders didn't do it. I even deleted
>> everything in %USERPROFILE%\AppData\Local\Temp (which included a folder
>> called Temporary Internet Files, which is where the setting in IE said it
>> was pointing). I moved the folder to the correct location under IE,
>> (%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files) and
>> it had me log off...
>>
>>
>>
>> So I launched ProcMon, set it to log on reboot, filtered for anything
>> containing %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files....
>>
>>
>>
>>
>>
>> WHY the HECK does ipoint.exe feel the need to monkey with my Temporary
>> Internet Files?!?!?!?!?!?!?!?
>>
>>
>>
>> grrrrrr.....
>>
>>
>>
>> I launched AppWiz.cpl, and it was there, plain as day - Microsoft
>> Intellipoint 8.0
>>
>>
>>
>> so I uninstalled Intellipoint, rebooted, (setting ProcMon to log) and the
>> setting reverted AGAIN.
>>
>>
>>
>> This time Sidebar.exe is listed, then further down the line, Pandora is
>> listed....
>>
>>
>>
>> grrrrrrrrrrrrr.........
>>
>>
>>
>> So, I stopped sidebar from running....changed the IE setting....set
>> ProcMon to log on boot....
>>
>>
>>
>> booted.....Pandora still writes to that location, however the setting
>> remained as I set it in IE....but I still got the error in Word stating that
>> it could not create the work file. "Changed" it in IE, logged off, logged
>> on... Word launched with no issue. Removed Pandora, set Proc Mon to log,
>> rebooted....
>>
>>
>>
>> the setting changed, and I have 42 entries in ProcMon on bootup, all point
>> to the undesired path, and are under svchost.exe, with the operation of
>> createfile, and result of path not found. Trying to create files in the
>> content.ie5 folder of the undesired path.
>>
>>
>>
>> Any more thoughts on what would be causing this?
>>
>>
>>
>> Jonathan
>>
>>
>>
>>
>>
>> On Tue, May 10, 2011 at 9:26 AM, Jonathan <[email protected]> wrote:
>>
>> There are only two user profiles on the machine, one of which was
>> originally set up as an alternate Admin account and theoretically had not
>> been used since it was set up.....until yesterday.
>>
>>
>>
>> It does happen for both of the existing accounts.
>>
>>
>>
>> I suspect the *possibility* of a migration related issue, but the issue
>> did not present itself until several weeks ago, and the user started using
>> this machine in October/November of last year. I had the user change the IE
>> setting manually and it seemed to be fine for a while (days, a
>> week?)....then reared its ugly head again, this time resetting itself on
>> every reboot.
>>
>>
>>
>> I've scanned with VIPRE, and found nothing, except for Cain, which they
>> use in their normal job function (Wireless and security).
>>
>>
>>
>> I've started playing with process monitor, but can't reboot the user's
>> machine at the moment because they are backing up their system.....in
>> preparation for a wipe. :-(
>>
>>
>>
>> I did clean out at least one of the Temp folders, but I'll attempt to
>> clean them all out. Curious - how would this impact the IE Temp file
>> location?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Jonathan
>>
>>
>>
>>
>>
>> On Tue, May 10, 2011 at 9:08 AM, Andrew S. Baker <[email protected]>
>> wrote:
>>
>> Also, does this problem happen for every user profile on the machine?
>>
>>
>>
>> If you suspect a migration issue, what did the user have before the
>> migration?
>>
>>
>>
>>
>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>> *Harnessing the Advantages of Technology for the SMB market...*
>>
>>
>>
>>    On Tue, May 10, 2011 at 9:06 AM, Andrew S. Baker <[email protected]>
>> wrote:
>>
>> In addition to what Richard suggested, try cleaning out the temp
>> folders...
>>
>>
>>
>>
>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>> *Harnessing the Advantages of Technology for the SMB market...*
>>
>>
>>
>>  On Mon, May 9, 2011 at 7:11 PM, Jonathan <[email protected]> wrote:
>>
>> Any help here would be appreciated. I'm trying to avoid another engineer
>> having to format and reinstall. I've googled and kb's until I've no other
>> ideas...
>>
>>
>>
>> When launching Word or Outlook (both 2010 - fresh install,
>> albeit likely done via Easy Transfer), the user gets, "Word (or Outlook)
>> could not create the work file. Check the temp environment."
>>
>>
>>
>> In IE (Presently IE8, but had the same issue before removing IE9), the
>> "current location" is listed as %USERPROFILE%\AppData\Local\Temp\Temporary
>> Internet Files\, yet when you click on "View Files" it opens the folder
>> defined by this registry key:
>>
>>
>>
>> HKCU\Software\Microsoft\windows\CurrentVersion\Explorer\User Shell Folders
>> : Cache
>>
>>
>>
>> I can change the setting in IE, reboot, and all is well. I've also tried
>> this: http://support.microsoft.com/kb/2027053
>>
>>
>>
>> If I reboot again, the problem recurs.
>>
>>
>>
>> I've also tried this on another user profile on the machine, and gotten
>> the same results. It works the first time, but then changes after a reboot.
>>
>>
>>
>> I'm at my wits' end.
>>
>>
>>
>> Thoughts?
>>
>>
>> --
>> Jonathan, A+, MCSA, MCSE
>>
>>
>>
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin



-- 
Jonathan, A+, MCSA, MCSE
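
The step Joe describes in the thread (mapping the `-k` group on the svchost command line back to services), carried one step further to the DLL each of those services loads. This is an added example and not part of the original thread; it assumes an elevated Windows PowerShell prompt and the standard registry locations for the Svchost group list and each service's `ServiceDll` value.

```powershell
# Added example, not from the thread. Run from an elevated Windows PowerShell prompt.
# $Group is the value after "-k" on the svchost.exe command line that ProcMon showed.
$Group = 'LocalSystemNetworkRestricted'

# 1. Service names the Svchost key assigns to this group (a REG_MULTI_SZ value).
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$registered = @((Get-ItemProperty -Path $svchostKey).$Group)

# 2. Services whose launch command names the group (same data as gwmi win32_service).
$pattern  = '-k\s+' + [regex]::Escape($Group) + '(\s|$)'
$launched = @(Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { $_.Name })

# 3. For every name from either source, resolve the DLL that svchost loads for it.
$names  = $registered + $launched | Where-Object { $_ } | Sort-Object -Unique
$report = foreach ($name in $names) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $dll = $null
    # ServiceDll normally sits under Parameters; fall back to the service key itself.
    foreach ($key in "$svcKey\Parameters", $svcKey) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.ServiceDll) { $dll = $props.ServiceDll; break }
    }
    $file = if ($dll)  { Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue }
    $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName }
    New-Object PSObject -Property @{
        Service     = $name
        InGroupList = $registered -contains $name   # False: launched with -k but not listed
        ServiceDll  = $dll
        Modified    = if ($file) { $file.LastWriteTime }
        Signature   = if ($sig)  { $sig.Status } else { 'NoFile' }
    }
}

# Newest DLLs first. Catalog-signed system files can report NotSigned on older
# PowerShell versions, so treat NotSigned as something to check, not a verdict.
$report | Sort-Object Modified -Descending |
    Format-Table Service, InGroupList, Signature, Modified, ServiceDll -AutoSize
```

Rows worth a closer look are a `ServiceDll` outside `%SystemRoot%\System32`, a recent `Modified` time that does not line up with patching, or `InGroupList` set to False.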
