6 replies to this topic

[keith2468]

Hi -

I maintain this FAQ in BroadBandReports on cleaning computers I think my computer is infected or hijacked. What should I do?

A question has been raised on whether our instructions for running Ad-aware, Spybot S&D and CWShredder are too incomplete: The FAQ and User Accounts

On a computer with multiple user accounts, is scanning with multiple user accounts ever supposed to be necessary?

Or is scanning from one administrator account supposed to be enough to check the entire computer?

We have one contributor, TerryMiller, an IT professional, who gets different results depending on which account he scans with.

(As a stop-gap, for the time being I've revised the FAQ to tell readers to run scans from an administrator account, and if they have continuing problems with a particular user account, to run the scans again using that account.)

Thanks.

- Keith

[canoeingkidd]

I remember reading somewhere that it depended on how the particular spyware worked

Edited by canoeingkidd, 24 July 2004 - 03:10 PM.

[canoeingkidd]

Found it!!!

It was asked:

Sometimes I encounter infected computers with several user accounts. Which one should I clean from? At first i thought administrator, but then I realized all the processes that need to be removed might not run under the Admin account, especially if the infection first occured in a user account. What do you think? Should I clean each account seperately?

And Budfred answered:

Generally it is a good idea to start in the user account that was infected, but some things may not be cleanable until you use the Admin account. Some infections will transfer across accounts and some will not, so you need to at least check each one... If it won't clean up, it will probably have to be addressed in the Admin account.... Bottom line: you have to play it by ear.....

Hope this helps

Edited by canoeingkidd, 24 July 2004 - 03:20 PM.

[keith2468]

It is one thing to run a removal tool from each account, that isn't so time consuming, but I am hoping to avoid having people run Ad-aware, Spybot and CWShredder scans from each account.

It would mean so much duplication of effort, so much elapsed time. Some families may have 4 or 5 or more accounts on a computer.

And anti-virus companies don't seem to require this duplication.

[dave38]

And anti-virus companies don't seem to require this duplication.

No, but removing a virus is simple compared with some of these crapwares!

AdAware/Spybot should not need to be run from every account.
It can be a good idea to check each account using Hijack this, just as a check that removal has worked.

[TerryMiller]

Tracking cookies for limited user accounts were not being detected from the admin account, or an account with administrator privileges.

[Misereor]

Tracking cookies for limited user accounts were not being detected from the admin account, or an account with administrator privileges.

Sounds funny. (I'm assuming you are talking about winxp or 2k)
Per default, cookies are saved under <drive>:\documents and settings\<username>\cookies

The local administrator (and by extension the domain admin, if the machine is member of such) have access to all the required libraries. If there are any libraries they don't have access to, they can claim ownership of said libraries, thereby gaining access.

So that leaves three possibilities.

1. The cookies are not in the default folder.
and/or
2. Access to the relevant folder has changed.
and/or
3. Your particular brand of antispyware does not search in all the locations it should. (the most likely scenario.)

If you still have one of the cookies, try logging on with admin rights and find the location of one of these cookies.

This may simply be a case of an asw vendor limiting the potential for a well-meaning admin to delete the users' cookies. In such a case you either need to figure out how to modify search locations...

...or to log on as all users and run separate scans...

Until we see any further information, I would go with your stop-gap measure.