Welcome to Tech Support Forum, home to more than 136,000 problems solved.
#1
Registered User
Join Date: Jun 2009
Posts: 2
OS: XP SP3
username.exe Virus?
Our entire company was hit early this morning with a slew of viruses. Don't know how, I figure someone opened up one of those damn chain-mails I keep telling them to delete. Most of these things were relatively easy to deal with, but I've been killing myself trying to figure out this one in particular.
Every machine has an executable named after the default user of the machine, located in their Documents and Settings folder. Every machine runs Win XP with SP3. We have Symantec Corporate Antivirus 10.1.
To give this more detail, let's use Mike Fistell as an example. Each user has a first initial, last name scheme for logins. Mike's login is mfistell. His directory is "C:\Documents and Settings\mfistell\". Every time we log in to his profile, there is an executable in there with his user name attached - "C:\Documents and Settings\mfistell\mfistell.exe". This executable starts running right at startup (in the process list) but only if the computer is connected to the net. I made sure to disconnect everyone before cleaning these out, and everything seemed fine until I reconnected the LAN cables for some of these. Suddenly those executables start coming back and running.
I've run HijackThis, but I'm not an expert in this area (read: novice) so that hasn't solved the issue. I can't even figure out what this virus (worm? trojan?) is supposed to be. The best I've found is W32.Gavgent.A, but that only matches the [user name].exe aspect. Nothing else matches. I'm going insane. Can anyone help?
#2
Registered User
Join Date: Jun 2009
Posts: 2
OS: XP SP3
Re: username.exe Virus?
I found something out. If I shut down the server completely, and log into a client machine (using the domain login) then there isn't any problem. The files that I have deleted from the system stay deleted. If I turn the server back on and re-synchronize, then we still don't have any (noticeable) problems. It's only if the server is already turned on and the user logs into their profile on a client machine that we have problems.
Whatever this thing is, it's server based. In that case, I'd assume it has something to do with the Active Directory, seeing as these executables are tied to user names. Has anyone seen anything like this before? Hell, if I just had a name of what this might be it'd help a lot.
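A triage sketch for the pattern described in this thread, added here as an example and not code from either post: it walks a profiles root (for example C:\Documents and Settings) and reports every profile folder that holds an executable named after that folder, with a SHA-256 so copies found on different machines can be compared. The function names and the sample tree (user names other than mfistell, file contents) are constructed for illustration.

```python
import hashlib
import os
import tempfile

def find_username_executables(profiles_root):
    """Return one record per profile folder that contains <folder name>.exe."""
    hits = []
    for entry in sorted(os.scandir(profiles_root), key=lambda e: e.name.lower()):
        if not entry.is_dir(follow_symlinks=False):
            continue
        wanted = entry.name.lower() + ".exe"
        for item in os.scandir(entry.path):
            # Windows file names are case-insensitive, so compare lowercased.
            if item.is_file(follow_symlinks=False) and item.name.lower() == wanted:
                with open(item.path, "rb") as fh:
                    data = fh.read()
                hits.append({
                    "user": entry.name,
                    "path": item.path,
                    "size": len(data),
                    "mz_header": data[:2] == b"MZ",  # PE files start with "MZ"
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "mtime": item.stat().st_mtime,
                })
    return hits

def group_by_hash(hits):
    """Map sha256 -> users, to see whether every profile received the same binary."""
    groups = {}
    for hit in hits:
        groups.setdefault(hit["sha256"], []).append(hit["user"])
    return groups

def build_sample_tree(root):
    """Constructed sample data: two matching profiles and one that does not match."""
    layout = {
        "mfistell": {"mfistell.exe": b"MZ" + b"\x00" * 62, "ntuser.dat": b"regf"},
        "jdoe": {"JDOE.EXE": b"MZ" + b"\x00" * 62},
        "asmith": {"notes.txt": b"hello", "setup.exe": b"MZ\x90"},
    }
    for user, files in layout.items():
        os.makedirs(os.path.join(root, user))
        for name, content in files.items():
            with open(os.path.join(root, user, name), "wb") as fh:
                fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_username_executables(tmp):
            print(hit["user"], hit["path"], hit["sha256"][:16], hit["mz_header"])
```

Running the scan before and after a domain logon and comparing the `mtime` and `sha256` values shows whether a deleted file was recreated and whether it is the same binary on every machine.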