Re: Default User folder temp IE files
- From: "Nick Coe \(UK\)" <classicnickNOSPAMAT@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Aug 2008 13:27:04 +0100
Hi Al,
Looks very much as if it's actually WFilter doing the deed. Will be contacting their support after some experimentation this weekend when server quiet.
Have made some use of the Sysinternals tools to track what's going on, monitoring file writes.
All workstations clear of viruses and other malware.
Only user with write perm on that folder structure is administrator (who has of course been renamed many moons ago). Over 99 percent of the files are cookies; the few remaining are web pages.
--
Nick Coe (UK)
http://www.alphacos.co.uk/
In news:egB3LVx8IHA.3612@xxxxxxxxxxxxxxxxxxxx,
Al Williams typed:
How are the files named? Also have a look at the permissions as you might be able to tell who created them.
"Nick Coe (UK)" <classicnickNOSPAMAT@xxxxxxxxxxxxxxxxxx> wrote in message news:uEHjcQv8IHA.1592@xxxxxxxxxxxxxxxxxxxxxxx
Minor progress report.
The temp files in question all show a time attribute of 1600 hours plus or minus 1 min during summer time and 1700 hours plus or minus 1 min during winter months - that is always at 1700 GMT, intriguing but could be a red herring...
So I trundled through everything that could be running (or happening) at that time, my own log book (server with firebrick and network have been in nearly 2 years now) - no, event logs - nothing, VSS - nope, backup - no chance, software updates - no, system updates - no, AVG updates - no. Reran virus scan - clear, ran spybot S&D - clear.
Got this feeling it could be a weird user file synch issue or something messing with IE somewhere on the network but no evidence. Mustn't jump to conclusions.
Forced a full virus scan for all workstations from AVG admin centre. Don't plan on creating any new users in the short term so have renamed index.dat and sub folders in \default user\etc ... etc\temp ie files\ and we'll see if any error msgs pop up anywhere. Loads of googling and searching msft support with inconclusive results. Next step - go onsite make sure virus scans run on all workstations and ss&d them one by one.
And I've got this nagging feeling I'm missing something...
--
Nick Coe (UK)
http://www.alphacos.co.uk/
In news:uQm8Q0p8IHA.4928@xxxxxxxxxxxxxxxxxxxx,
Al Williams typed:
Post back if you figure it out because I haven't heard of any recent virus that puts files in there (some back in 2006 google up, but that's all).
Good luck from Canada.
"Nick Coe (UK)" <classicnickNOSPAMAT@xxxxxxxxxxxxxxxxxx> wrote in message news:uj2rxJp8IHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
Thanks Al.
That's pretty much what I thought, had hoped I was wrong as you do.... Have now run full AVG scan of C drive with no negative result. Will be deploying S S & D tomorrow.
I actually suspect one of the workstations and either some bad setting or an infection... They'll be getting scanned asap. Have been very careful about enforcing internal network hygiene; blocking chat clients, web mail, software installs all the usual suspects. Be interesting to see where I've missed something 'cause if it's infected then I must have by default.
--
Nick Coe (UK)
http://www.alphacos.co.uk/
In news:eKSfUal8IHA.4820@xxxxxxxxxxxxxxxxxxxx,
Al Williams typed:
The Default User folder is the template used when creating new users. It is essentially copied to create a new user's folder. The folders within it should be essentially static except for changes made to customize it.
Files in the temp internet files inside it do not sound good, it sounds like virus or trojan activity to me (there have been some in the past that store files in there). Hopefully I'm wrong...
"Nick Coe (UK)" <classicnickNOSPAMAT@xxxxxxxxxxxxxxxxxx> wrote in message news:%23FrXlAi8IHA.1200@xxxxxxxxxxxxxxxxxxxxxxx
G'day,
SBS2k3 standard fully patched. Internally - XP Pro workstations joined to domain plus MACS using OWA. Externally Windows Mobile device and one XP laptop currently both using OWA.
Questions:
Should the \Docs and Settings\Default User\..... \temp internet files\xxxxx\ folders on the server fill up with temp files? That is - where are they coming from?
What purpose does that Default User folder serve?
Context:
Backup to LTO Ultrium drive using bog standard sbs macro created backup routine failed on one locked file in one of the above folders. Found the file was locked by AVG and was infected. Moved to virus vault. Noticed that there were a lot of temp files in that folder dating back from yesterday to about feb 07 and all timed within a few minutes either side of 1600 hours brit summer time or 1700 hours GMT. Odd - but don't want to jump to conclusions. Puzzled - I checked through my WFilter logs to see what internet activity there was about that time - nothing conclusive... So I double checked the security event log wondering if someone had used the server to browse the web - nothing unusual there either. Double checked the Application log - nothing unusual.
Am remotely administering the server.
Not sure where to fault find next, any help much appreciated.
--
Nick Coe (UK)
http://www.alphacos.co.uk/
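A triage script for the pattern this thread describes (files accumulating in a profile folder, with write times clustered around one GMT hour), added here as an example and not written by either poster. It assumes PowerShell 3.0 or later; `-Path` is a placeholder for the folder under investigation, since the thread elides the full path.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$Path    # placeholder: folder to examine, supplied by the operator
)

# Files only; -Force includes hidden/system items, which IE cache folders are.
$files = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$rows = foreach ($f in $files) {
    # NTFS owner is the closest on-disk hint to "who created this file".
    $owner = '<unreadable>'
    try { $owner = (Get-Acl -LiteralPath $f.FullName -ErrorAction Stop).Owner } catch { }

    [pscustomobject]@{
        Name       = $f.Name
        Extension  = $f.Extension.ToLower()
        CreatedUtc = $f.CreationTimeUtc
        WrittenUtc = $f.LastWriteTimeUtc
        HourUtc    = $f.LastWriteTimeUtc.ToString('HH')   # UTC, so DST does not split the bucket
        Owner      = $owner
    }
}

# A spike in one UTC hour suggests a scheduled job rather than interactive browsing.
'--- files per UTC hour of last write ---'
$rows | Group-Object HourUtc | Sort-Object Name | Format-Table Name, Count -AutoSize

'--- files per NTFS owner ---'
$rows | Group-Object Owner | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

'--- files per extension ---'
$rows | Group-Object Extension | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

'--- ten most recently written files ---'
$rows | Sort-Object WrittenUtc -Descending |
    Select-Object -First 10 Name, CreatedUtc, WrittenUtc, Owner |
    Format-Table -AutoSize
```

Grouping on UTC rather than local time keeps a job that fires at a fixed GMT hour in a single bucket across summer and winter time. The owner recorded on files created by an administrative account may be the Administrators group rather than the individual account, so treat it as a hint and confirm with file-write monitoring.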