[pchelpers] Re: user accounts and malware removal
- From: Scott McNay <wizard@xxxxxxxx>
- To: "Ekhart GEORGI (last name last)" <pchelpers@xxxxxxxxxxxxx>
- Date: Sun, 28 Aug 2005 14:33:15 -0500
Hi Ekhart,
Sunday, August 28, 2005, 1:03:59 PM, you wrote:
EGlnl> I just realised i don't really know anything about user accounts in XP.
EGlnl> I had helped a family get rid of trojans and other malware, and they now
EGlnl> phoned me to say that these or other trojans etc. were still there when
EGlnl> they restarted the computer using other accounts and that they had had
EGlnl> to rerun the cleanup programs separately on all the accounts.
EGlnl> Is it normal that if one has more than one administrator account that
EGlnl> running antispyware, antivirus, antitrojan, and other cleanup programs
EGlnl> on one of these admin accounts won't search and clean the others? In
EGlnl> this case, none of the (admin) accounts had passwords.
Password shouldn't matter.
EGlnl> So, i fixed it so that this family now only has one admin account, and
EGlnl> all the accounts they normally use to access the computer no longer have
EGlnl> admin rights. Will it now be enough to run antispyware and other cleanup
EGlnl> programs on only the admin account, i.e. will this now give the cleanup
EGlnl> programs access to the entire computer?
The security level of the other accounts shouldn't matter.
I admit to being surprised that they don't fix all accounts. I can
understand if the programs don't clean out the registry data for the
individual users, but they SHOULD get all of the program files, etc.
Be sure that you're cleaning out all of the temp files, as mentioned
in my article: http://www.local.nu/HelpDesk/index.php/Windows_cleanup.
Any temp file that you leave behind is the potential source for a new
infection. An intelligently-written malware would save itself in one
or more system temp folders, and hook itself into all of the user
profiles on the system. Thus, when you log onto an account that you
didn't clean up, the system gets reinfected. This is NOT difficult to
do, as I use similar techniques to update all user accounts on a
system, without having to log onto each account individually.
An intelligently-written anti-malware program should do the same; I'd
suggest that you contact the vendors to let them know about this
loophole. I can email sample batch file code that does this.
Hmm, come to think of it, this may resolve your problem all by
itself... Give me a day or two and I'll see if I can come up with
something that may help ignorant apps clean out registries for all
users, not just the current user.
--
Scott.
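
One way to check every profile rather than only the logged-on one, as an added example (it is not Scott's batch file and not part of the original message): a read-only PowerShell audit that mounts each profile's NTUSER.DAT, lists its Run/RunOnce entries, and counts the files in its temp folder. It assumes an elevated prompt and PowerShell 3 or later; the `Audit_<SID>` mount name is made up for this example.

```powershell
# Read-only audit of per-user autostart entries and temp folders for every
# profile on the machine. Run from an elevated PowerShell prompt.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$runKeys  = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce'
# Temp folder relative to the profile root: XP layout first, then Vista and later.
$tempDirs = 'Local Settings\Temp', 'AppData\Local\Temp'

$report = foreach ($p in Get-ChildItem $profileList) {
    $sid  = $p.PSChildName
    $path = $p.GetValue('ProfileImagePath')    # GetValue expands %SystemDrive% etc.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    # A logged-on user's hive is already mounted at HKEY_USERS\<SID>. Otherwise
    # mount NTUSER.DAT under a temporary name (Audit_<SID>, chosen for this example).
    $mount = $sid; $loaded = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        $hive = Join-Path $path 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        $mount = "Audit_$sid"
        & reg.exe load "HKU\$mount" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }
        $loaded = $true
    }
    # Per-user autostart values: what runs when this account logs on.
    foreach ($k in $runKeys) {
        $key = Get-Item -LiteralPath "Registry::HKEY_USERS\$mount\$k" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Profile = $path; Kind = $k.Split('\')[-1]
                               Name = $name; Value = $key.GetValue($name) }
        }
        $key.Close()    # release the handle so the hive can be unloaded
    }
    # Files left in this profile's temp folder.
    foreach ($t in $tempDirs) {
        $dir = Join-Path $path $t
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $n = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{ Profile = $path; Kind = 'TempFiles'; Name = $t; Value = $n }
    }
    # Unload only hives this script mounted; open handles make the unload fail.
    if ($loaded) {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}
$report | Sort-Object Profile, Kind | Format-Table -AutoSize -Wrap
```

The script changes nothing; any Run entry pointing into a temp folder, or appearing under several profiles with the same value, is the first thing to look at.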