[pchelpers] Re: user accounts and malware removal

Hi Ekhart,

Monday, August 29, 2005, 12:18:56 AM, you wrote:

EGlnl> Yes, i didn't have time for that during my house call, but i
EGlnl> will be recommending that by email. Maybe it would be best to
EGlnl> just have them search through the whole computer (incl. hidden
EGlnl> folders of course) with the simple search "*.tmp"? That would
EGlnl> be much easier than trying to find all the temp folders
EGlnl> mentioned in your article, which would easily frustrate this
EGlnl> family and most other normal users. Maybe one of us should add
EGlnl> that suggestion to the beginning of your article.

The following will delete all files in temp folders, in WinXP:

for /F "tokens=*" %a in ('DIR /A /B "%USERPROFILE%\.."') do @del /Q /S /F "%USERPROFILE%\..\%~a\Local Settings\Temp"

for /F "tokens=*" %a in ('DIR /A /B "%USERPROFILE%\.."') do @del /Q /S /F "%USERPROFILE%\..\%~a\Local Settings\Temporary Internet Files"

del /Q /S /F "%SYSTEMROOT%\Temp"

del /Q /S /F "%SYSTEMROOT%\System32\Temp"

del /Q /S /F "%SYSTEMROOT%\system32\config\systemprofile\Local Settings\Temp"

del /Q /S /F "%SYSTEMROOT%\system32\config\systemprofile\Local Settings\Temporary Internet Files"


EGlnl> If malware leaves behind any exe or other executable files in
EGlnl> the temp folders or elsewhere, i would think the antimalware
EGlnl> programs should be able to find and delete them so that there
EGlnl> hardly seems a need to make normal users go looking for hidden
EGlnl> temp folders. In fact, i can't understand why the programs
EGlnl> don't find malware or viable malware components that are
EGlnl> disguised in tmp files. In any case, it's a complete mystery to
EGlnl> me how tmp files can be used to resurrect malware
EGlnl> automatically.

Clearly, SOMETHING is wrong, else you wouldn't need to run under each
user.


>> Any temp file that you leave behind is the potential source for a
>> new infection.

EGlnl> Any? With what kind of file extensions?

I've seen programs running with .TMP extensions... which is "'nuff
said" as far as I'm concerned.

>> An intelligently-written malware would save itself in one or more
>> system temp folders, and hook itself into all of the user profiles
>> on the system. Thus, when you log onto an account that you didn't
>> clean up, the system gets reinfected. This is NOT difficult to do,
>> as I use similar techniques to update all user accounts on a
>> system, without having to log onto each account individually.

EGlnl> What (that is relevant to reinfection) exactly happens, in
EGlnl> simple lay terms please, when you log onto an account?

When you log on, a number of programs run, including any per-user RUN or
RUNONCE registry entries.  Also anything in the All Users startup
folder.  Among other things that may not show up in normal
startup-control programs...


EGlnl> I will be contacting at least Spybot's author Patrick Kolla
EGlnl> about this, or better yet, first the Spybot forum
EGlnl> http://forums.net-integration.net/index.php?showforum=28 as
EGlnl> soon as i get a confirmation from the family that Spybot was
EGlnl> one of the antimalware programs that discovered new stuff on
EGlnl> new accounts.

>> Hmm, come to think of it, this may resolve your problem all by
>> itself... Give me a day or two and I'll see if I can come up with
>> something that may help ignorant apps clean out registries for all
>> users, not just the current user.

EGlnl> Thanks! If you sold this code to several vendors -- and your
EGlnl> suggested additional code for antivirus programs that enables
EGlnl> them to clean out System Restore -- you could get a lot of
EGlnl> money!

If the programmers working for those vendors can't figure out how to
get into the System Restore folder and the registry entries of other
users, then they have a serious problem... :)

-- 
Scott.
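The per-profile logon locations Scott lists (each user's RUN and RUNONCE keys, the Startup folders) can be inspected for every profile on the box without logging on as each user, by loading the offline NTUSER.DAT hives. The following is an added example written for this page; it is not Scott's code and not from any antimalware vendor. It assumes the WinXP profile layout (all profiles as siblings of %USERPROFILE%, e.g. under C:\Documents and Settings), that it is saved as a .cmd file and run from an Administrator command prompt, and that reg.exe is present (it ships with XP). The temporary key name HKU\TmpHive is an arbitrary choice.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not part of the original post. Lists per-user logon
rem autostart locations for every profile on a WinXP machine by loading
rem each profile's NTUSER.DAT hive under a temporary key (HKU\TmpHive is
rem an arbitrary name). Run from an Administrator command prompt.

set PROFILES=%USERPROFILE%\..

for /F "tokens=*" %%a in ('dir /A:D /B "%PROFILES%"') do (
    set HIVE=%PROFILES%\%%a\NTUSER.DAT
    rem Profiles without NTUSER.DAT (e.g. "All Users") are skipped here
    if exist "!HIVE!" (
        echo === Profile: %%a ===
        rem Per-user Startup folder (runs at logon)
        if exist "%PROFILES%\%%a\Start Menu\Programs\Startup" (
            echo --- Startup folder ---
            dir /B "%PROFILES%\%%a\Start Menu\Programs\Startup"
        )
        rem Mount the offline hive; this fails if the user is logged on,
        rem because a logged-on user's hive is already open under HKU\<SID>
        reg load HKU\TmpHive "!HIVE!" >nul 2>&1
        if errorlevel 1 (
            echo   [hive is locked: user is logged on - inspect HKU\^<SID^> or HKCU instead]
        ) else (
            echo --- Run ---
            reg query "HKU\TmpHive\Software\Microsoft\Windows\CurrentVersion\Run"
            echo --- RunOnce ---
            reg query "HKU\TmpHive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
            rem Always unload, or the profile cannot be used at next logon
            reg unload HKU\TmpHive >nul
        )
    )
)

echo === All Users startup folder ===
dir /B "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
echo === Machine-wide Run / RunOnce ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
endlocal
```

Run it once per cleanup, after the temp-folder deletion above and before logging on to any other account. Entries in the loaded hive that point at a file in a Temp folder (or at a .TMP file) are the resurrection mechanism Scott describes; they can be removed with `reg delete` against the same HKU\TmpHive\... key while the hive is loaded, before the `reg unload`. The Default User profile is also covered by the loop, which matters because its hive is copied into every newly created account.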




-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.