|This started yesterday on our Windows Server 2003 machine running Citrix.|
When a user logs on, it opens up 2 IE windows (Internet Explorer 8). Then if the user tries to open up an Office product (Word, Excel, Outlook...version 2003), it opens up another 2 IE windows.
Today, there is a runaway virus of some kind that duplicates anything run with MGR on it as an EXE. For instance, if someone logs in and uses Adobe Reader, the system will start to propagate hundreds of files as follows: readermgr.exe, readermgrmgr.exe, readermgrmgrmgr.exe, etc. It creates these files in the starting folder, so the Windows/system32 folder gets filled with userinitmgr.exe files as well as a user's desktop with anything they run.
Currently, I have it shutdown for users to log in and am running McAfee, which is find some things (W32.Ramnit mostly) and I have run Stinger (which found Artemis) and I have run Malewarebytes.
I also could not update Malewarebytes, as it says I have the latest version. Of course if I look at the update tab on Malewarebytes, there is no version listed! I also could not install the latest version as it gave me an access denied message when it goes to register the program.
Anyone come across something like this? Logged on as the administrator, the "mgr" issue is not happening. But once I re-enable the Citrix connection and let regular users log on, it starts to create and run hundreds of those.