Did you smack him around for wasting your time? Is he a direct report, which you can delegate "suitable" projects to in the future?
On Tue, May 10, 2011 at 2:30 PM, Jonathan <[email protected]> wrote:
> Well, everyone who responded, thanks for your assistance. Considering what was going on with svchost trying to write to index.dat, it stunk of some kind of malware....so I decided to run MalwareBytes myself.....
>
> Rule #1 - end users LIE! End of discussion (even if they are engineers whom you would otherwise trust implicitly)
> Rule #2 - in case you decide to believe an end user when they tell you that they ran a complete scan of their system with the tools you recommended, see rule #1
>
> VIPRE Rescue had NOT been run by the end user (though I ran it myself and it did not find anything other than Cain, which is legit for this end user.)
>
> MalwareBytes had been run by the end user, however the database was *more than 140 days out of date*........so, I updated the database, ran complete scan, and found Trojan-Agent.gen in a couple of dll files, which you guessed it....removing that threat solved my problem.
>
> HEAD --> DESK
> HEAD --> DESK
> HEAD --> DESK
> HEAD --> DESK
>
> *sigh*
>
> Jonathan
>
> On Tue, May 10, 2011 at 1:13 PM, Jonathan <[email protected]> wrote:
>
>> Thanks Joe,
>>
>> all 42 lines have this for the command line:
>>
>> c:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
>>
>> The very first one has a result of PATH NOT FOUND for path %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\Index.dat
>>
>> I'm at a loss.
>>
>> Jonathan
>>
>> On Tue, May 10, 2011 at 12:49 PM, Joe Tinney <[email protected]> wrote:
>>
>>> In ProcMon, view the Properties of the process and flip to the Process tab. There is a command line field that shows the full command used to start SVCHOST.
>>> You may be able to discern which service SVCHOST was acting on behalf of to do that work just by looking
>>>
>>> A quick PowerShell line can help you find the service(s) that use(s) that command to launch if you need it:
>>>
>>> gwmi win32_service | fl Name,PathName
>>>
>>> Good luck,
>>>
>>> Joe
>>>
>>> *From:* Jonathan [mailto:[email protected]]
>>> *Sent:* Tuesday, May 10, 2011 12:24 PM
>>> *To:* NT System Admin Issues
>>> *Subject:* Re: Win 7 IE Temp Environment variable woes "Outlook cannot create the work file"
>>>
>>> Clearing out all temp files and folders didn't do it. I even deleted everything in %USERPROFILE%\AppData\Local\Temp (which included a folder called Temporary Internet Files, which is where the setting in IE said it was pointing). I moved the folder to the correct location under IE, (%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files) and it had me log off...
>>>
>>> So I launched ProcMon, set it to log on reboot, filtered for anything containing %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files....
>>>
>>> WHY the HECK does ipoint.exe feel the need to monkey with my Temporary Internet Files?!?!?!?!?!?!?!?
>>>
>>> grrrrrr.....
>>>
>>> I launched AppWiz.cpl, and it was there, plain as day - Microsoft IntelliPoint 8.0
>>>
>>> so I uninstalled IntelliPoint, rebooted, (setting ProcMon to log) and the setting reverted AGAIN.
>>>
>>> This time Sidebar.exe is listed, then further down the line, Pandora is listed....
>>>
>>> grrrrrrrrrrrrr.........
>>>
>>> So, I stopped sidebar from running....changed the IE setting....set ProcMon to log on boot....
>>>
>>> booted.....Pandora still writes to that location, however the setting remained as I set it in IE....but I still got the error in Word stating that it could not create the work file. "Changed" it in IE, logged off, logged on... Word launched with no issue. Removed Pandora, set Proc Mon to log, rebooted....
>>>
>>> the setting changed, and I have 42 entries in ProcMon on bootup, all point to the undesired path, and are under svchost.exe, with the operation of createfile, and result of path not found. Trying to create files in the content.ie5 folder of the undesired path.
>>>
>>> Any more thoughts on what would be causing this?
>>>
>>> Jonathan
>>>
>>> On Tue, May 10, 2011 at 9:26 AM, Jonathan <[email protected]> wrote:
>>>
>>> There are only two user profiles on the machine, one of which was originally set up as an alternate Admin account and theoretically had not been used since it was set up.....until yesterday.
>>>
>>> It does happen for both of the existing accounts.
>>>
>>> I suspect the *possibility* of a migration related issue, but the issue did not present itself until several weeks ago, and the user started using this machine in October/November of last year. I had the user change the IE setting manually and it seemed to be fine for a while (days, a week?)....then reared its ugly head again, this time resetting itself on every reboot.
>>>
>>> I've scanned with VIPRE, and found nothing, except for Cain, which they use in their normal job function (Wireless and security).
>>>
>>> I've started playing with process monitor, but can't reboot the user's machine at the moment because they are backing up their system.....in preparation for a wipe. :-(
>>>
>>> I did clean out at least one of the Temp folders, but I'll attempt to clean them all out. Curious - how would this impact the IE Temp file location?
>>>
>>> Thanks,
>>>
>>> Jonathan
>>>
>>> On Tue, May 10, 2011 at 9:08 AM, Andrew S. Baker <[email protected]> wrote:
>>>
>>> Also, does this problem happen for every user profile on the machine?
>>>
>>> If you suspect a migration issue, what did the user have before the migration?
>>>
>>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>>> *Harnessing the Advantages of Technology for the SMB market...*
>>>
>>> On Tue, May 10, 2011 at 9:06 AM, Andrew S. Baker <[email protected]> wrote:
>>>
>>> In addition to what Richard suggested, try cleaning out the temp folders...
>>>
>>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>>> *Harnessing the Advantages of Technology for the SMB market...*
>>>
>>> On Mon, May 9, 2011 at 7:11 PM, Jonathan <[email protected]> wrote:
>>>
>>> Any help here would be appreciated. I'm trying to avoid another engineer having to format and reinstall. I've googled and kb's until I've no other ideas...
>>>
>>> When launching Word or Outlook (both 2010 - fresh install, albeit likely done via Easy Transfer), the user gets, "Word (or Outlook) could not create the work file. Check the temp environment."
>>>
>>> In IE (Presently IE8, but had the same issue before removing IE9), the "current location" is listed as %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\, yet when you click on "View Files" it opens the folder defined by this registry key:
>>>
>>> HKCU\Software\Microsoft\windows\CurrentVersion\Explorer\User Shell Folders : Cache
>>>
>>> I can change the setting in IE, reboot, and all is well. I've also tried this: http://support.microsoft.com/kb/2027053
>>>
>>> If I reboot again, the problem recurs.
>>>
>>> I've also tried this on another user profile on the machine, and gotten the same results. It works the first time, but then changes after a reboot.
>>>
>>> I'm at my wit's end.
>>>
>>> Thoughts?
>>>
>>> --
>>> Jonathan, A+, MCSA, MCSE
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
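
The command line quoted in the thread, `svchost.exe -k LocalSystemNetworkRestricted`, names a service group rather than one service, so the `gwmi` one-liner returns every service sharing it. The following is an added example, not from any poster in the thread: it lists the group's members from the registry, resolves the DLL each one loads, and reports its signature status and last-write time. It assumes an elevated PowerShell prompt on the affected machine.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$group = 'LocalSystemNetworkRestricted'   # the value after -k in the ProcMon command line

# Each value under the Svchost key is a REG_MULTI_SZ list of the services in that group.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$members = (Get-ItemProperty -Path $svchostKey -Name $group).$group

$report = foreach ($name in $members) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $dll = $null
    if (Test-Path $paramKey) {
        # Get-ItemProperty returns REG_EXPAND_SZ data with %SystemRoot% already expanded.
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    }

    # A group member may be listed in the registry without being installed.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    $state = 'not installed'
    if ($svc) { $state = $svc.State }

    $sig = 'n/a'
    $lastWrite = $null
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        # NotSigned alone is not a verdict: many Windows DLLs are catalog-signed,
        # which older PowerShell versions do not evaluate. Treat it as "look closer".
        $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        $lastWrite = (Get-Item -LiteralPath $dll).LastWriteTime
    }

    New-Object PSObject -Property @{
        Service    = $name
        State      = $state
        ServiceDll = $dll
        Signature  = $sig
        LastWrite  = $lastWrite
    }
}

# A DLL outside %SystemRoot%\System32, or with a recent LastWrite, deserves a second look.
$report | Sort-Object Service |
    Format-Table Service, State, Signature, LastWrite, ServiceDll -AutoSize
```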
