Beware of Roaming Profiles and Malware Infection


Most admins have certainly had to take care of their fair share of spyware and virus infections. Unfortunately, the spam, spyware and virus filters in an environment often do not catch every variant of malware. Using readily available tools such as Malwarebytes, however, most admins are able to clean workstations of the infection and its side effects. After the fact, many admins then run into a secondary issue: roaming profiles reinfecting workstations that were already cleaned. In many cases, spyware and malware infect "user" files, including registry data, that are synced to the server-side roaming profile location when the user logs off. The workstation then becomes reinfected even after being cleaned, because the rogue entries and files are simply copied back to the workstation the next time the user logs on.

It is also important to note that additional workstations can become infected when an infected user profile is logged on to a previously clean workstation. System administrators need to be careful not to miss this critical step when cleaning up an infected environment. Spyware and malware writers are becoming increasingly savvy at protecting the infection by copying it to various locations and hiding entries in subtle ways.

In dealing with Roaming profiles:

  • Scan the roaming profile location for infection and delete or quarantine infected files

If the scan does not find any infections and the variant is still present in the profile:

  • Make a copy of the local profile found at c:\users\%username% (Win7, Vista) or c:\documents and settings\%username% (Windows XP) and give the copy a different name for backup purposes. Go to System Properties, Advanced, User Profiles and delete the local copy of the profile. The copy made in the previous step is your backup; Windows will delete its cached copy of the profile.
  • Rename the server-side profile folder to a backup folder name. During the next logon Windows will recreate the roaming profile folder in the correct location. A default profile will be created, so all user data will need to be copied over to the new location from either the backed-up roaming folder or the backed-up local profile, depending on whether or not the profile had been syncing correctly.
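The copy, delete and rename steps above, scripted as an added PowerShell example that is not the author's own tooling. It assumes the account name, the roaming profile share root and the roaming folder name are passed in, that it runs elevated on the Vista/Win7 workstation, and that the user is already logged off.

```powershell
# Added example: back up the local profile, drop the cached copy, rename the roaming folder.
param(
    [Parameter(Mandatory)] [string]$UserName,            # e.g. jdoe (assumed)
    [Parameter(Mandatory)] [string]$RoamingRoot,         # e.g. \\fileserver\profiles$ (assumed)
    [string]$RoamingFolderName = $UserName,              # Vista/Win7 roaming folders usually end in .V2
    [string]$BackupSuffix = ".bak-" + (Get-Date -Format 'yyyyMMdd-HHmm')
)

$localProfile  = Join-Path $env:SystemDrive "Users\$UserName"   # Vista/Win7 layout
$localBackup   = "$localProfile$BackupSuffix"
$roamingPath   = Join-Path $RoamingRoot $RoamingFolderName
$roamingBackup = "$RoamingFolderName$BackupSuffix"

# Refuse to touch a loaded profile: its hive is locked, and the eventual logoff
# would sync the (possibly infected) local data back to the server anyway.
$cachedProfile = Get-WmiObject Win32_UserProfile |
    Where-Object { $_.LocalPath -ieq $localProfile }
if ($cachedProfile -and $cachedProfile.Loaded) {
    throw "Profile $localProfile is still loaded; log the user off first."
}

# Step 1: copy the local profile to a backup folder. robocopy keeps ACLs and
# timestamps; /XJ skips the junction points (e.g. "Application Data") that loop.
robocopy $localProfile $localBackup /E /COPYALL /R:1 /W:1 /XJ | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Step 2: remove the cached copy through the profile service, which also clears
# the ProfileList registry entry (same as System Properties > User Profiles > Delete).
if ($cachedProfile) { $cachedProfile.Delete() }

# Step 3: rename the server-side roaming folder; Windows recreates it at next logon.
if (Test-Path $roamingPath) {
    Rename-Item -Path $roamingPath -NewName $roamingBackup
}

Write-Host "Local backup  : $localBackup"
Write-Host "Roaming backup: $(Join-Path $RoamingRoot $roamingBackup)"
```

Scan both backup folders before copying any user data back into the freshly created profile, otherwise the infected entries return with the documents.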

After following the copy and rename steps above and letting Windows recreate the profile folder, you should have a clean user environment working once again.  This will allow you to completely wipe out the malware infection and make sure that the infection does not spread to other workstations/users.