
Roaming Profile Infected by a Trojan


We use VirusScan Enterprise v8.7 on all of our machines, updated by an ePO4.5 Server. An alert popped up indicating that PWS-Zbot!remnant had been found on one of the PCs. EPO stated that "file infected. Undetermined clean error, delete failed".

The user was trying to log in to a call centre website and the alert popped up when she did so. Assuming it was a problem with the machine, she switched to another and got the same message. After investigation I was able to ascertain that if she tried to log in to the website on a machine logged in under somebody else's profile there was no problem. Further, I determined that logged in under her profile, accessing the website under a different user identity threw up an alert.

Having tried to clean the infection unsuccessfully, I was left with no alternative but to delete the user's profile and then remove the roaming profile from all PCs and the Server. Having done this, I re-created the user's profile and everything returned to normal.

Now I'm left with two questions; the obvious one being how did the trojan get past our defences? (Bearing in mind that I check that DAT updates are taking place every day). The second question; the reason for using roaming profiles is so that people can jump on to any available machine, so in a case such as this I might have to deal with five machines or more. Is there no way of scanning and cleaning the trojan from roaming profiles?

Thanks in advance.



Re: Roaming Profile Infected by a Trojan

Hi Robin

The main problem here is the virus and McAfee's (and also other vendors') failure to detect it.

As you stated, you had (or still have) PWS-Zbot. Some information about it:

This virus gets updated nearly every day, which means it's close to impossible to catch the latest variants of it.

Here is some more information (and also a good program to maybe get rid of it):

As you see, this virus can/will catch all passwords and credit card numbers, lower PC security settings, and so on.

Here is a site where you can see the current virus scanner detection rate for the several existing files:

But now to the question of how it got onto the PC. I fear you have on that website a new variant which wasn't or still isn't completely detected by McAfee (the virus is made of several components with several files, if the infection is successful). But only having it on the website isn't enough to catch it; you also seem to have an outdated plugin in that browser. So first check whether the most dangerous plugins (Flash, Shockwave, PDF reader (also alternative programs, not just Adobe ones) and Java) are up to date. If they aren't, then the virus has an easy way onto the PC.

Are those up to date on your PC?

I hope this helps a little.


Re: Roaming Profile Infected by a Trojan

Thanks for your reply Pato, it was really helpful.

My guess is that the trojan was picked up from a different website in the first instance (before an appropriate DAT update caught it). Then, every time the user tried to login to this site (and maybe it could have been any site that required a login) the now updated DAT caught it.

You were right to question the possibility of plugins being outdated. The site in question requires Java, but when I originally installed it they had advised against using the latest version. I've now contacted them and asked why I can't use v6.20 (and told them this is for security reasons).


