Haha, no, but I thought about it. No, he's in an entirely different engineering group than I am.
Jonathan

On Tue, May 10, 2011 at 2:34 PM, Jonathan Link <[email protected]> wrote:

> Did you smack him around for wasting your time?
> Is he a direct report, which you can delegate "suitable" projects to in the future?
>
> On Tue, May 10, 2011 at 2:30 PM, Jonathan <[email protected]> wrote:
>
>> Well, everyone who responded, thanks for your assistance. Considering what was going on with svchost trying to write to index.dat, it stunk of some kind of malware....so I decided to run MalwareBytes myself.....
>>
>> Rule #1 - end users LIE! End of discussion (even if they are engineers whom you would otherwise trust implicitly)
>> Rule #2 - in case you decide to believe an end user when they tell you that they ran a complete scan of their system with the tools you recommended, see rule #1
>>
>> VIPRE Rescue had NOT been run by the end user (though I ran it myself and it did not find anything other than Cain, which is legit for this end user.)
>>
>> MalwareBytes had been run by the end user, however the database was *more than 140 days out of date*........so, I updated the database, ran complete scan, and found Trojan-Agent.gen in a couple of dll files, which you guessed it....removing that threat solved my problem.
>>
>> HEAD --> DESK
>> HEAD --> DESK
>> HEAD --> DESK
>> HEAD --> DESK
>>
>> *sigh*
>>
>> Jonathan
>>
>> On Tue, May 10, 2011 at 1:13 PM, Jonathan <[email protected]> wrote:
>>
>>> Thanks Joe,
>>>
>>> all 42 lines have this for the command line:
>>>
>>> c:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
>>>
>>> The very first one has a result of PATH NOT FOUND for path %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\Index.dat
>>>
>>> I'm at a loss.
>>>
>>> Jonathan
>>>
>>> On Tue, May 10, 2011 at 12:49 PM, Joe Tinney <[email protected]> wrote:
>>>
>>>> In ProcMon, view the Properties of the process and flip to the Process tab. There is a command line field that shows the full command used to start SVCHOST. You may be able to discern which service SVCHOST was acting on behalf of to do that work just by looking.
>>>>
>>>> A quick PowerShell line can help you find the service(s) that use(s) that command to launch if you need it:
>>>>
>>>> gwmi win32_service | fl Name,PathName
>>>>
>>>> Good luck,
>>>>
>>>> Joe
>>>>
>>>> *From:* Jonathan [mailto:[email protected]]
>>>> *Sent:* Tuesday, May 10, 2011 12:24 PM
>>>> *To:* NT System Admin Issues
>>>> *Subject:* Re: Win 7 IE Temp Environment variable woes "Outlook cannot create the work file"
>>>>
>>>> Clearing out all temp files and folders didn't do it. I even deleted everything in %USERPROFILE%\AppData\Local\Temp (which included a folder called Temporary Internet Files, which is where the setting in IE said it was pointing). I moved the folder to the correct location under IE, (%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files) and it had me log off...
>>>>
>>>> So I launched ProcMon, set it to log on reboot, filtered for anything containing %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files....
>>>>
>>>> WHY the HECK does ipoint.exe feel the need to monkey with my Temporary Internet Files?!?!?!?!?!?!?!?
>>>>
>>>> grrrrrr.....
>>>>
>>>> I launched AppWiz.cpl, and it was there, plain as day - Microsoft IntelliPoint 8.0
>>>>
>>>> so I uninstalled IntelliPoint, rebooted, (setting ProcMon to log) and the setting reverted AGAIN.
>>>>
>>>> This time Sidebar.exe is listed, then further down the line, Pandora is listed....
>>>>
>>>> grrrrrrrrrrrrr.........
>>>>
>>>> So, I stopped sidebar from running....changed the IE setting....set ProcMon to log on boot....
>>>>
>>>> booted.....Pandora still writes to that location, however the setting remained as I set it in IE....but I still got the error in Word stating that it could not create the work file. "Changed" it in IE, logged off, logged on... Word launched with no issue. Removed Pandora, set ProcMon to log, rebooted....
>>>>
>>>> the setting changed, and I have 42 entries in ProcMon on bootup, all point to the undesired path, and are under svchost.exe, with the operation of CreateFile, and result of path not found. Trying to create files in the content.ie5 folder of the undesired path.
>>>>
>>>> Any more thoughts on what would be causing this?
>>>>
>>>> Jonathan
>>>>
>>>> On Tue, May 10, 2011 at 9:26 AM, Jonathan <[email protected]> wrote:
>>>>
>>>> There are only two user profiles on the machine, one of which was originally set up as an alternate Admin account and theoretically had not been used since it was set up.....until yesterday.
>>>>
>>>> It does happen for both of the existing accounts.
>>>>
>>>> I suspect the *possibility* of a migration related issue, but the issue did not present itself until several weeks ago, and the user started using this machine in October/November of last year. I had the user change the IE setting manually and it seemed to be fine for a while (days, a week?)....then reared its ugly head again, this time resetting itself on every reboot.
>>>>
>>>> I've scanned with VIPRE, and found nothing, except for Cain, which they use in their normal job function (Wireless and security).
>>>>
>>>> I've started playing with process monitor, but can't reboot the user's machine at the moment because they are backing up their system.....in preparation for a wipe. :-(
>>>>
>>>> I did clean out at least one of the Temp folders, but I'll attempt to clean them all out. Curious - how would this impact the IE Temp file location?
>>>>
>>>> Thanks,
>>>>
>>>> Jonathan
>>>>
>>>> On Tue, May 10, 2011 at 9:08 AM, Andrew S. Baker <[email protected]> wrote:
>>>>
>>>> Also, does this problem happen for every user profile on the machine?
>>>>
>>>> If you suspect a migration issue, what did the user have before the migration?
>>>>
>>>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>>>> *Harnessing the Advantages of Technology for the SMB market...*
>>>>
>>>> On Tue, May 10, 2011 at 9:06 AM, Andrew S. Baker <[email protected]> wrote:
>>>>
>>>> In addition to what Richard suggested, try cleaning out the temp folders...
>>>>
>>>> On Mon, May 9, 2011 at 7:11 PM, Jonathan <[email protected]> wrote:
>>>>
>>>> Any help here would be appreciated. I'm trying to avoid another engineer having to format and reinstall. I've googled and kb's until I've no other ideas...
>>>>
>>>> When launching Word or Outlook (both 2010 - fresh install, albeit likely done via Easy Transfer), the user gets, "Word (or Outlook) could not create the work file. Check the temp environment."
>>>>
>>>> In IE (Presently IE8, but had the same issue before removing IE9), the "current location" is listed as %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\, yet when you click on "View Files" it opens the folder defined by this registry key:
>>>>
>>>> HKCU\Software\Microsoft\windows\CurrentVersion\Explorer\User Shell Folders : Cache
>>>>
>>>> I can change the setting in IE, reboot, and all is well. I've also tried this: http://support.microsoft.com/kb/2027053
>>>>
>>>> If I reboot again, the problem recurs.
>>>>
>>>> I've also tried this on another user profile on the machine, and gotten the same results. It works the first time, but then changes after a reboot.
>>>>
>>>> I'm at my wit's end.
>>>>
>>>> Thoughts?
>>>>
>>>> --
>>>> Jonathan, A+, MCSA, MCSE
>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
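
Added example, not part of the original thread or written by any of its participants: a PowerShell sketch that extends the `gwmi win32_service` one-liner above to list the services hosted by the `svchost.exe -k LocalSystemNetworkRestricted` instance, resolve the DLL each one loads, and compare the `Cache` shell-folder value with the location the thread calls correct. It assumes an elevated session, that each hosted service records its DLL under `Parameters\ServiceDll`, and that `Cache` should equal that IE location; the variable names are illustrative.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$group    = 'LocalSystemNetworkRestricted'   # svchost -k group quoted in the thread
$expected = '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files'  # "correct location" per the thread

# 1. Services whose launch command is "svchost.exe -k <group>"
$pattern  = 'svchost\.exe"?\s+-k\s+' + [regex]::Escape($group) + '(\s|$)'
$services = Get-WmiObject Win32_Service | Where-Object { $_.PathName -match $pattern }

$report = foreach ($svc in $services) {
    # Assumption: the hosted service's DLL is named in Parameters\ServiceDll
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $modified = $null
    $signature = $null
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $dll) {
            $modified  = (Get-Item -LiteralPath $dll).LastWriteTime
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
    }
    New-Object PSObject -Property @{
        Service    = $svc.Name
        State      = $svc.State
        ServiceDll = $dll
        InSystem32 = [bool]($dll -like "$env:SystemRoot\System32\*")
        Modified   = $modified
        Signature  = $signature
    }
}

# DLLs outside System32 and recently modified ones sort to the top for review
$report | Sort-Object InSystem32, @{ Expression = 'Modified'; Descending = $true } |
    Format-Table Service, State, InSystem32, Signature, Modified, ServiceDll -AutoSize

# 2. Unexpanded Cache value for the current user (the key quoted in the thread)
$usf   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$cache = (Get-Item -Path $usf).GetValue('Cache', $null, 'DoNotExpandEnvironmentNames')
if ($cache -ne $expected) {
    Write-Warning "Cache is '$cache'; expected '$expected'"
}
```

A `Signature` status other than `Valid` is a prompt to look at that DLL more closely, not a verdict: catalog-signed system files can show as `NotSigned` on older PowerShell versions that do not check catalog signatures.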
