Terminal Servers with Roaming Profiles. Remove spyware and it comes back!

I am running 3 Windows 2003 servers using Terminal Services. We also use roaming profiles. We do use UPH Cleanup on the profiles. We have had servers infected with many spyware problems, and we clean them. Users log back on and it infects them again. Anyone have a clue as to why it would keep re-creating this spyware?
NCJUA asked:
optoma commented:
Right, run Process Explorer when SpySheriff is running.

Run Process Explorer.
In it, hit Options and select "Verify Image Signatures".
Then hit View, select Columns and check "Verified Signer".
Get a screenshot of the processes and attach the images.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Once we see which processes to suspend, then re-run an updated Malwarebytes followed by ComboFix.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0
 
David-Howard commented:
Have you run your scans on the servers/clients in Safe Mode? If the issue keeps returning it sounds as if something is hiding from normal-mode scans.
I'm uncertain as to what suites you are using for scanning. You might try Malwarebytes (it's free and reliable).
www.malwarebytes.org
0
 
NCJUA (Author) commented:
We purchased the VIPRE software, but it was a dead end on the roaming profiles (so it seemed). I am using Spybot now. I will try to boot in Safe Mode and run it. Thanks a bunch, and I will let you know how it turns out!
0
 
optoma commented:
Also run HitmanPro to see if it detects anything.
http://www.surfright.nl/en/hitmanpro

Any name on the malware?
Can you post scanner log files?
0
 
NCJUA (Author) commented:
Going to run it at lunch in Safe Mode and will post results. I just love y'all!
0
 
optoma commented:
Run HitmanPro in normal mode :)
0
 
NCJUA (Author) commented:
I ran HitmanPro yesterday. It found nothing. The next morning when users logged back on, SpySheriff appeared again.
I also deleted all roaming profiles.
0
 
NCJUA (Author) commented:
Here's the unknown. That program is top notch compared to Task Manager! Thanks!
untitled1.bmp
0
 
optoma commented:
Yeah, way better!

The print screen got cut off. Can you post the entire output of Process Explorer? :)
0
 
NCJUA (Author) commented:
There were only a few showing "unable to verify": some from IBM that I think are OK, and a miniwinagent.exe. (I am running a Malwarebytes scan now.)

It looks OK now, but I did clean everything up this morning. I just wonder what will be there on Monday. At least with the tool you showed me, I can pinpoint much better! Thanks!
0
 
optoma commented:
For miniwinagent.exe:
double-click it in Process Explorer to find its path and upload it to VirusTotal.
Post results if it is found to be bad.
http://www.virustotal.com/ :)
0
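An added example, not code posted in this thread: the same check that Process Explorer's "Verified Signer" column performs (suggested in optoma's first answer), done from PowerShell so that every running image that is unsigned or fails verification is listed on each terminal server together with its path and SHA-256 hash, which can then be looked up on VirusTotal as suggested above. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated session so that all process image paths are readable; both are assumptions, not details from the thread.

```powershell
# Added example: flag running processes whose image file does not carry a
# valid Authenticode signature, mirroring Process Explorer's "Verified Signer"
# column. Assumes PowerShell 4+ and an elevated session (assumption).

function Get-UnverifiedProcessImages {
    [CmdletBinding()]
    param()

    Get-Process | ForEach-Object {
        $proc = $_
        # Protected or system processes may not expose a path to us;
        # report them as unknown rather than silently skipping them.
        $path = try { $proc.MainModule.FileName } catch { $null }
        if (-not $path) {
            [pscustomobject]@{
                Name = $proc.Name; Id = $proc.Id; Path = '<inaccessible>'
                Status = 'Unknown'; Signer = ''; Sha256 = ''
            }
            return   # inside ForEach-Object, return moves to the next process
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        # Only 'Valid' means the certificate chain verified. NotSigned,
        # HashMismatch and UnknownError are the rows worth a closer look.
        # (On older Windows, catalog-signed OS binaries may report NotSigned.)
        if ($sig.Status -eq 'Valid') { return }

        [pscustomobject]@{
            Name   = $proc.Name
            Id     = $proc.Id
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Hash lets you search VirusTotal without uploading the file.
            Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

Get-UnverifiedProcessImages | Sort-Object Name | Format-Table -AutoSize
```

Run it once per terminal server right after the spyware reappears; the Path column shows whether the image lives inside a roaming profile, which is the question this thread is circling.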