[pchelpers] Re: user accounts and malware removal

Hi Scott

> EGlnl> I just realised I don't really know anything about user accounts in XP.
> EGlnl> I had helped a family get rid of trojans and other malware, and they now
> EGlnl> phoned me to say that these or other trojans etc. were still there when
> EGlnl> they restarted the computer using other accounts and that they had had
> EGlnl> to rerun the cleanup programs separately on all the accounts.

> I admit to being surprised that they don't fix all accounts. I can
> understand if the programs don't clean out the registry data for the
> individual users, but they SHOULD get all of the program files, etc.
> Be sure that you're cleaning out all of the temp files, as mentioned
> in my article: http://www.local.nu/HelpDesk/index.php/Windows_cleanup.

Yes, I didn't have time for that during my house call, but I will be 
recommending that by email. Maybe it would be best to just have them 
search through the whole computer (incl. hidden folders of course) with 
the simple search "*.tmp"? That would be much easier than trying to find 
all the temp folders mentioned in your article, which would easily 
frustrate this family and most other normal users. Maybe one of us 
should add that suggestion to the beginning of your article.

If malware leaves behind any exe or other executable files in the temp 
folders or elsewhere, I would think the antimalware programs should be 
able to find and delete them so that there hardly seems a need to make 
normal users go looking for hidden temp folders. In fact, I can't 
understand why the programs don't find malware or viable malware 
components that are disguised in tmp files. In any case, it's a complete 
mystery to me how tmp files can be used to resurrect malware automatically.

> Any temp file that you leave behind is the potential source for a new
> infection. 

Any? With what kind of file extensions?

> An intelligently-written malware would save itself in one
> or more system temp folders, and hook itself into all of the user
> profiles on the system. Thus, when you log onto an account that you
> didn't clean up, the system gets reinfected. This is NOT difficult to
> do, as I use similar techniques to update all user accounts on a
> system, without having to log onto each account individually.

What (that is relevant to reinfection) exactly happens, in simple lay 
terms please, when you log onto an account?

> An intelligently-written anti-malware program should do the same; I'd
> suggest that you contact the vendors to let them know about this
> loophole. I can email sample batch file code that does this.

I will be contacting at least Spybot's author Patrick Kolla about this, 
or better yet, first the Spybot forum 
http://forums.net-integration.net/index.php?showforum=28
as soon as I get a confirmation from the family that Spybot was one of 
the antimalware programs that discovered new stuff on new accounts.

> Hmm, come to think of it, this may resolve your problem all by
> itself... Give me a day or two and I'll see if I can come up with
> something that may help ignorant apps clean out registries for all
> users, not just the current user.

Thanks! If you sold this code to several vendors -- and your suggested 
additional code for antivirus programs that enables them to clean out 
System Restore -- you could get a lot of money!

Ekhart
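The reinfection mechanism Scott describes (a Run entry in each user's hive, so an uncleaned account relaunches the malware at logon) is easiest to reason about once you can see the autostart entries of every profile at once, not just the one you are logged on to. The script below is an added example written for this reply; it is not code from the thread, from Scott's batch files, or from Spybot or any other product mentioned. It temporarily loads each profile's NTUSER.DAT under HKEY_USERS with the stock reg.exe and lists the Run/RunOnce values, including those of the "Default User" profile that new accounts are copied from. It assumes PowerShell 2.0 (the last version available on XP), an administrator session, and that the profile folder is the parent of the current user's profile; the temporary hive name "_ScanHive" is an arbitrary choice.

```powershell
# Added example: list Run/RunOnce autostart entries for every local profile,
# including accounts nobody is logged on to, by mounting each NTUSER.DAT.
# Run elevated. Written against PowerShell 2.0 so it also works on XP.
# Assumption: $ProfileRoot holds the profiles (XP: "C:\Documents and Settings",
# Vista and later: "C:\Users"); override it if your layout differs.

param(
    [string]$ProfileRoot = (Split-Path $env:USERPROFILE -Parent)
)

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$tempHive = 'HKU\_ScanHive'    # arbitrary temporary mount point (assumption)

function Get-RunEntries {
    # Emit one object per value under the Run/RunOnce keys of $HiveRoot.
    param([string]$HiveRoot, [string]$Owner)
    foreach ($sub in $runSubKeys) {
        $path = "Registry::$HiveRoot\$sub"
        if (-not (Test-Path $path)) { continue }
        $values = Get-ItemProperty -Path $path
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            New-Object PSObject -Property @{
                Profile = $Owner; Key = $sub; Name = $prop.Name; Command = $prop.Value
            }
        }
    }
}

$report = @()

# Machine-wide entries run for every account regardless of profile.
$report += Get-RunEntries -HiveRoot 'HKEY_LOCAL_MACHINE' -Owner '<all users: HKLM>'

# The logged-on user's own hive is already mounted as HKCU.
$report += Get-RunEntries -HiveRoot 'HKEY_CURRENT_USER' -Owner $env:USERNAME

# Every other profile folder that has an NTUSER.DAT. "Default User" (XP) /
# "Default" (Vista+) matters too: its hive is copied into each NEW account.
foreach ($dir in (Get-ChildItem -Path $ProfileRoot -Force | Where-Object { $_.PSIsContainer })) {
    if ($dir.Name -eq (Split-Path $env:USERPROFILE -Leaf)) { continue }
    $hive = Join-Path $dir.FullName 'NTUSER.DAT'
    if (-not (Test-Path $hive)) { continue }

    & reg.exe load $tempHive $hive 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Usually the hive is in use (another user is logged on, e.g. via fast
        # user switching); it is then readable under HKEY_USERS\<SID> instead.
        Write-Warning "Could not load $hive (in use?); skipping $($dir.Name)"
        continue
    }
    try {
        $report += Get-RunEntries -HiveRoot 'HKEY_USERS\_ScanHive' -Owner $dir.Name
    }
    finally {
        # Release handles the registry provider may still hold, then unmount;
        # an unload while keys are open fails with "access denied".
        [GC]::Collect()
        & reg.exe unload $tempHive 2>&1 | Out-Null
    }
}

$report | Sort-Object Profile, Key, Name | Format-Table -AutoSize Profile, Key, Name, Command
```

Compare the output across profiles: an entry that appears under several accounts (or under "Default User") pointing into a temp folder is exactly the case where cleaning only the current account leaves the other accounts to restart the malware. The same load/unload pattern is what a cleaner would use to remove such values from every hive without logging on to each account.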


-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.
