Then you have an opportunity for blackmail!

On Tue, May 10, 2011 at 2:40 PM, Jonathan <[email protected]> wrote:
> Haha, no, but I thought about it.
>
> No, he's in an entirely different engineering group than I am.
>
> Jonathan
>
> On Tue, May 10, 2011 at 2:34 PM, Jonathan Link <[email protected]> wrote:
>
>> Did you smack him around for wasting your time?
>> Is he a direct report, which you can delegate "suitable" projects to in
>> the future?
>>
>> On Tue, May 10, 2011 at 2:30 PM, Jonathan <[email protected]> wrote:
>>
>>> Well, everyone who responded, thanks for your assistance. Considering
>>> what was going on with svchost trying to write to index.dat, it stunk of
>>> some kind of malware....so I decided to run MalwareBytes myself.....
>>>
>>> Rule #1 - end users LIE! End of discussion (even if they are engineers
>>> whom you would otherwise trust implicitly)
>>> Rule #2 - in case you decide to believe an end user when they tell you
>>> that they ran a complete scan of their system with the tools you
>>> recommended, see rule #1
>>>
>>> VIPRE Rescue had NOT been run by the end user (though I ran it myself and
>>> it did not find anything other than Cain, which is legit for this end user.)
>>>
>>> MalwareBytes had been run by the end user, however the database was *more
>>> than 140 days out of date*........so, I updated the database, ran
>>> complete scan, and found Trojan-Agent.gen in a couple of dll files, which
>>> you guessed it....removing that threat solved my problem.
>>>
>>> HEAD --> DESK
>>> HEAD --> DESK
>>> HEAD --> DESK
>>> HEAD --> DESK
>>>
>>> *sigh*
>>>
>>> Jonathan
>>>
>>> On Tue, May 10, 2011 at 1:13 PM, Jonathan <[email protected]> wrote:
>>>
>>>> Thanks Joe,
>>>>
>>>> all 42 lines have this for the command line:
>>>>
>>>> c:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
>>>>
>>>> The very first one has a result of PATH NOT FOUND for path
>>>> %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files\Index.dat
>>>>
>>>> I'm at a loss.
>>>>
>>>> Jonathan
>>>>
>>>> On Tue, May 10, 2011 at 12:49 PM, Joe Tinney <[email protected]> wrote:
>>>>
>>>>> In ProcMon, view the Properties of the process and flip to the
>>>>> Process tab. There is a command line field that shows the full command
>>>>> used to start SVCHOST. You may be able to discern which service SVCHOST
>>>>> was acting on behalf of to do that work just by looking
>>>>>
>>>>> A quick PowerShell line can help you find the service(s) that use(s)
>>>>> that command to launch if you need it:
>>>>>
>>>>> gwmi win32_service | fl Name,PathName
>>>>>
>>>>> Good luck,
>>>>>
>>>>> Joe
>>>>>
>>>>> *From:* Jonathan [mailto:[email protected]]
>>>>> *Sent:* Tuesday, May 10, 2011 12:24 PM
>>>>> *To:* NT System Admin Issues
>>>>> *Subject:* Re: Win 7 IE Temp Environment variable woes "Outlook cannot
>>>>> create the work file"
>>>>>
>>>>> Clearing out all temp files and folders didn't do it. I even deleted
>>>>> everything in %USERPROFILE%\AppData\Local\Temp (which included a folder
>>>>> called Temporary Internet Files, which is where the setting in IE said it
>>>>> was pointing). I moved the folder to the correct location under IE,
>>>>> (%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files)
>>>>> and it had me log off...
>>>>>
>>>>> So I launched ProcMon set it to log on reboot, filtered for anything
>>>>> containing %USERPROFILE%\AppData\Local\Temp\Temporary Internet Files....
>>>>>
>>>>> WHY the HECK does ipoint.exe feel the need to monkey with my Temporary
>>>>> Internet Files?!?!?!?!?!?!?!?
>>>>>
>>>>> grrrrrr.....
>>>>>
>>>>> I launched AppWiz.cpl, and it was there, plain as day - Microsoft
>>>>> Intellipoint 8.0
>>>>>
>>>>> so I uninstalled Intellipoint, rebooted, (setting ProcMon to log) and
>>>>> the setting reverted AGAIN.
>>>>>
>>>>> This time Sidebar.exe is listed, then further down the line, Pandora is
>>>>> listed....
>>>>>
>>>>> grrrrrrrrrrrrr.........
>>>>>
>>>>> So, I stopped sidebar from running....changed the IE setting....set
>>>>> ProcMon to log on boot....
>>>>>
>>>>> booted.....Pandora still writes to that location, however the setting
>>>>> remained as I set it in IE....but I still got the error in Word stating
>>>>> that it could not create the work file. "Changed" it in IE, logged off,
>>>>> logged on... Word launched with no issue. Removed Pandora, set Proc Mon
>>>>> to log, rebooted....
>>>>>
>>>>> the setting changed, and I have 42 entries in ProcMon on bootup, all
>>>>> point to the undesired path, and are under svchost.exe, with the operation
>>>>> of createfile, and result of path not found. Trying to create files in the
>>>>> content.ie5 folder of the undesired path.
>>>>>
>>>>> Any more thoughts on what would be causing this?
>>>>>
>>>>> Jonathan
>>>>>
>>>>> On Tue, May 10, 2011 at 9:26 AM, Jonathan <[email protected]> wrote:
>>>>>
>>>>> There are only two user profiles on the machine, one of which was
>>>>> originally setup as an alternate Admin account and theoretically had not
>>>>> been used since it was setup.....until yesterday.
>>>>>
>>>>> It does happen for both of the existing accounts.
>>>>>
>>>>> I suspect the *possibility* of a migration related issue, but the
>>>>> issue did not present itself until several weeks ago, and the user started
>>>>> using this machine in October/November of last year. I had the user change
>>>>> the IE setting manually and it seemed to be fine for a while (days, a
>>>>> week?)....then reared its ugly head again, this time resetting itself on
>>>>> every reboot.
>>>>>
>>>>> I've scanned with VIPRE, and found nothing, except for Cain, which they
>>>>> use in their normal job function (Wireless and security).
>>>>>
>>>>> I've started playing with process monitor, but can't reboot the users
>>>>> machine at the moment because they are backing up their system.....in
>>>>> preparation for a wipe. :-(
>>>>>
>>>>> I did clean out at least one of the Temp folders, but I'll attempt to
>>>>> clean them all out. Curious - how would this impact the IE Temp file
>>>>> location?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jonathan
>>>>>
>>>>> On Tue, May 10, 2011 at 9:08 AM, Andrew S. Baker <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Also, does this problem happen for every user profile on the machine?
>>>>>
>>>>> If you suspect a migration issue, what did the user have before the
>>>>> migration?
>>>>>
>>>>> *ASB* (Professional Bio <http://about.me/Andrew.S.Baker/bio>)
>>>>> *Harnessing the Advantages of Technology for the SMB market...*
>>>>>
>>>>> On Tue, May 10, 2011 at 9:06 AM, Andrew S. Baker <[email protected]>
>>>>> wrote:
>>>>>
>>>>> In addition to what Richard suggested, try cleaning out the temp
>>>>> folders...
>>>>>
>>>>> *ASB*
>>>>>
>>>>> On Mon, May 9, 2011 at 7:11 PM, Jonathan <[email protected]> wrote:
>>>>>
>>>>> Any help here would be appreciated. I'm trying to avoid another
>>>>> engineer having to format and reinstall. I've googled and kb's until I've
>>>>> no other ideas...
>>>>>
>>>>> When launching Word or Outlook (both 2010 - fresh install,
>>>>> albeit likely done via Easy Transfer), the user gets, "Word (or Outlook)
>>>>> could not create the work file. Check the temp environment."
>>>>>
>>>>> In IE (Presently IE8, but had the same issue before removing IE9), the
>>>>> "current location" is listed as %USERPROFILE%\AppData\Local\Temp\Temporary
>>>>> Internet Files\, yet when you click on "View Files" it opens the folder
>>>>> defined by this registry key:
>>>>>
>>>>> HKCU\Software\Microsoft\windows\CurrentVersion\Explorer\User Shell
>>>>> Folders : Cache
>>>>>
>>>>> I can change the setting in IE, reboot, and all is well. I've also
>>>>> tried this: http://support.microsoft.com/kb/2027053
>>>>>
>>>>> If I reboot again, the problem recurs.
>>>>>
>>>>> I've also tried this on another user profile on the machine, and gotten
>>>>> the same results. It works the first time, but then changes after a
>>>>> reboot.
>>>>>
>>>>> I'm at my wits' end.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> --
>>>>> Jonathan, A+, MCSA, MCSE
>>>>>
>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>>
>>>>> ---
>>>>> To manage subscriptions click here:
>>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>>> or send an email to [email protected]
>>>>> with the body: unsubscribe ntsysadmin
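
An added example, not part of the original thread: a PowerShell sketch that narrows Joe's `gwmi win32_service` one-liner to the svchost group quoted above and checks the `Cache` value against the location the thread calls correct. The `ServiceDll` and `Svchost` group lookups go beyond what the thread used; `$group` and `$expected` are copied from the messages.

```powershell
# Added example. $group and $expected come from values quoted in the thread.
$group    = 'LocalSystemNetworkRestricted'
$expected = '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files'

# Services that Windows has registered for this svchost group (REG_MULTI_SZ).
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$registered = @((Get-ItemProperty $svchostKey).$group)

# 1. Services whose launch command names the group, with the DLL each one loads.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match "svchost\.exe\s+-k\s+$group\b" } |
    ForEach-Object {
        $params = Get-Item "$svcRoot\$($_.Name)\Parameters" -ErrorAction SilentlyContinue
        $dll = if ($params) { $params.GetValue('ServiceDll') } else { $null }
        New-Object PSObject -Property @{
            Name         = $_.Name
            State        = $_.State
            ProcessId    = $_.ProcessId
            ServiceDll   = $dll
            InGroupList  = ($registered -contains $_.Name)
        }
    }
$services | Sort-Object ProcessId, Name |
    Format-Table Name, State, ProcessId, InGroupList, ServiceDll -AutoSize

# 2. Anything launched under the group but missing from its registered list,
#    or loading a DLL from outside System32, deserves a closer look.
$sys32 = Join-Path $env:SystemRoot 'System32'
$services | Where-Object {
    -not $_.InGroupList -or
    ($_.ServiceDll -and -not $_.ServiceDll.StartsWith($sys32, 'OrdinalIgnoreCase'))
} | ForEach-Object { Write-Warning "Review service '$($_.Name)': $($_.ServiceDll)" }

# 3. Read the per-user IE cache path without expanding %USERPROFILE%.
$shellKey = Get-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$raw = $shellKey.GetValue('Cache', $null, $opt)
if ($raw -ne $expected) {
    Write-Warning "Cache is '$raw'; expected '$expected'"
} else {
    "Cache points at the expected location."
}
```

Run it once before and once after a reboot in the affected profile; a `Cache` value that changes between the two runs reproduces the symptom described in the thread.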
