Terminal Servers with Roaming Profiles. Remove spyware and it comes back!

I am running 3 Windows 2003 servers using Terminal Services. We also use roaming profiles. We do use UPHClean on the profiles. We have had servers infected with many spyware problems; we clean them. Users log back on and it infects them again. Anyone have a clue as to why it would keep re-creating this spyware?
NCJUA Asked:

David-Howard Commented:
Have you run your scans on the servers/clients in Safe Mode? If the issue keeps returning, it sounds as if something is hiding from normal-mode scans.
I'm uncertain as to what suites you are using for scanning. You might try Malwarebytes (it's free and reliable).
www.malwarebytes.org
0
NCJUA Author Commented:
We purchased the VIPRE software, but it was a dead end on the roaming profiles (so it seemed). I am using Spybot now. I will try and boot in Safe Mode and run it. Thanks a bunch, and I will let you know how it turns out!
0
optoma Commented:
Also run HitmanPro to see if it detects anything.
http://www.surfright.nl/en/hitmanpro

Any name on the Malware?
Can you post scanner logfiles?
0

NCJUA Author Commented:
Going to run it at lunch in Safe Mode and will post results. I just love y'all!
0
optoma Commented:
Run HitmanPro in normal mode :)
0
NCJUA Author Commented:
I ran HitmanPro yesterday. It found nothing. The next morning when users logged back on, Spy Sheriff appeared again.
I also deleted all roaming profiles.
0
optoma Commented:
Right, run Process Explorer when Spy Sheriff is running.

Run Process Explorer.
In it, hit Options and select "Verify Image Signatures".
Then hit View, Select Columns and check "Verified Signer".
Get a screenshot of the processes and attach the images.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Once we see which processes to suspend, then re-run an updated Malwarebytes followed by ComboFix.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

0

NCJUA Author Commented:
Here's the unknown. That program is top notch compared to Task Manager! Thanks!
untitled1.bmp
0
optoma Commented:
Yeah, way better!

The print screen got cut off. Can you post the entire output of Process Explorer? :)
0
NCJUA Author Commented:
There were only a few showing "unable to verify": some from IBM that I think are OK, and a miniwinagent.exe. (I am running a Malwarebytes scan now.)

It looks OK now, but I did clean everything up this morning. I just wonder what will be there on Monday. At least with the tool you showed me, I can pinpoint much better! Thanks!
0
optoma Commented:
For miniwinagent.exe:
Double-click it in Process Explorer to find its path and upload it to VirusTotal.
Post the results if it is found to be bad.
http://www.virustotal.com/ :)
0
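A scripted version of the check optoma walks through above (Process Explorer's "Verified Signer" column to spot unverified images, then hashing the suspect file such as miniwinagent.exe for a VirusTotal lookup), added here as an example and not part of the thread. It assumes PowerShell 2.0 or later running elevated on the terminal server; it uploads nothing, and the SHA256 is for a manual lookup on virustotal.com.

```powershell
# Added example, not from the thread: list running processes whose image is
# unsigned or fails Authenticode verification, with a SHA256 hash per image.
# Assumes PowerShell 2.0+ and an elevated session (non-elevated sessions and a
# 32-bit shell on a 64-bit OS cannot read the path of every process).

function Get-FileSha256 {
    param([string]$Path)
    # Uses .NET directly so it works on PowerShell 2.0, which lacks Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-UnverifiedProcess {
    # One row per running process whose image would show as not verified in
    # Process Explorer's "Verified Signer" column.
    $rows = @()
    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }
        if (-not $path) { continue }        # System/Idle or access denied
        try { $sig = Get-AuthenticodeSignature -FilePath $path } catch { continue }
        if ($sig.Status -eq 'Valid') { continue }
        $signer = '(unsigned)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $rows += New-Object PSObject -Property @{
            Name   = $p.Name
            PID    = $p.Id
            Path   = $path
            Status = $sig.Status          # NotSigned, HashMismatch, UnknownError ...
            Signer = $signer
            SHA256 = Get-FileSha256 -Path $path
        }
    }
    $rows
}

# Print the suspects; look each SHA256 up on VirusTotal before suspending the process.
Get-UnverifiedProcess | Sort-Object Name |
    Format-Table Name, PID, Status, Signer, SHA256, Path -AutoSize
```

Run it once while Spy Sheriff is active and once after cleanup; a name that appears only in the first run, or a hash that changes between runs, is the image worth uploading.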