
Scanning Multiple Accounts
#1
Posted 24 July 2004 - 02:54 PM
I maintain this FAQ in BroadBandReports on cleaning computers: "I think my computer is infected or hijacked. What should I do?"
A question has been raised on whether our instructions for running Ad-aware, Spybot S&D and CWShredder are too incomplete: The FAQ and User Accounts
On a computer with multiple user accounts, is scanning with multiple user accounts ever supposed to be necessary?
Or is scanning from one administrator account supposed to be enough to check the entire computer?
We have one contributor, TerryMiller, an IT professional, who gets different results depending on which account he scans with.
(As a stop-gap, for the time being I've revised the FAQ to tell readers to run scans from an administrator account, and if they have continuing problems with a particular user account, to run the scans again using that account.)
Thanks.
- Keith
Spybot S&D + Ad-aware + Trend Micro HouseCall + HijackThis + CWShredder + Peper Trojan Uninstaller + KillBox + Kaspersky ScanOneFile
Blocking Tools
ZoneAlarm + Spyware Blaster + Spyware Guard + IE-SpyAd
#2
Posted 24 July 2004 - 03:10 PM

Edited by canoeingkidd, 24 July 2004 - 03:10 PM.
#3
Posted 24 July 2004 - 03:19 PM
It was asked:
Sometimes I encounter infected computers with several user accounts. Which one should I clean from? At first I thought administrator, but then I realized all the processes that need to be removed might not run under the Admin account, especially if the infection first occurred in a user account. What do you think? Should I clean each account separately?
And Budfred answered:
Generally it is a good idea to start in the user account that was infected, but some things may not be cleanable until you use the Admin account. Some infections will transfer across accounts and some will not, so you need to at least check each one... If it won't clean up, it will probably have to be addressed in the Admin account.... Bottom line: you have to play it by ear.....
Hope this helps

Edited by canoeingkidd, 24 July 2004 - 03:20 PM.
#4
Posted 24 July 2004 - 03:48 PM
It would mean so much duplication of effort, so much elapsed time. Some families may have 4 or 5 or more accounts on a computer.
And anti-virus companies don't seem to require this duplication.
#5
Posted 24 July 2004 - 04:18 PM
"And anti-virus companies don't seem to require this duplication."
No, but removing a virus is simple compared with some of these crapwares!
AdAware/Spybot should not need to be run from every account.
It can be a good idea to check each account using HijackThis, just as a check that removal has worked.
#6
Posted 25 July 2004 - 04:48 PM
#7
Posted 26 July 2004 - 06:11 AM
Tracking cookies for limited user accounts were not being detected from the admin account, or an account with administrator privileges.
Sounds funny. (I'm assuming you are talking about winxp or 2k)
By default, cookies are saved under <drive>:\documents and settings\<username>\cookies
The local administrator (and by extension the domain admin, if the machine is a member of such) has access to all the required libraries. If there are any libraries they don't have access to, they can claim ownership of said libraries, thereby gaining access.
So that leaves three possibilities.
1. The cookies are not in the default folder.
and/or
2. Access to the relevant folder has changed.
and/or
3. Your particular brand of antispyware does not search in all the locations it should. (the most likely scenario.)
If you still have one of the cookies, try logging on with admin rights and find the location of one of these cookies.
This may simply be a case of an asw vendor limiting the potential for a well-meaning admin to delete the users' cookies. In such a case you either need to figure out how to modify search locations...
...or to log on as all users and run separate scans...
Until we see any further information, I would go with your stop-gap measure.
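
Possibilities 1 and 2 from the post above can be checked from a single administrator session before deciding whether per-account scans are needed. The PowerShell below is an added example, not part of the original thread or any of the tools discussed; `Test-CookieFolder` is a hypothetical helper name, and it assumes the default `Cookies` folder name given in the post and that profile paths are read from the `ProfileList` registry key.

```powershell
# Added example: run from an elevated (administrator) PowerShell session.
# For every profile registered on the machine, report whether the cookie
# folder exists at the default location and whether this account can read it.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-CookieFolder {
    param(
        [Parameter(Mandatory)] [string] $ProfilePath,
        # Default folder name taken from the post; change it if the
        # cookies are stored elsewhere on your Windows version.
        [string] $RelativePath = 'Cookies'
    )

    $folder = Join-Path $ProfilePath $RelativePath
    $result = [pscustomobject]@{
        Profile = $ProfilePath
        Folder  = $folder
        Status  = 'Unknown'
        Files   = 0
    }
    try {
        # -Force includes hidden and system files in the listing.
        $files = @(Get-ChildItem -LiteralPath $folder -Force -ErrorAction Stop)
        $result.Status = 'Readable'
        $result.Files  = $files.Count
    } catch [System.Management.Automation.ItemNotFoundException] {
        $result.Status = 'Missing'        # possibility 1: not in the default folder
    } catch [System.UnauthorizedAccessException] {
        $result.Status = 'AccessDenied'   # possibility 2: access to the folder has changed
    }
    return $result
}

# Each subkey of ProfileList is one account SID; ProfileImagePath is its profile folder.
Get-ChildItem $profileList | ForEach-Object {
    $path = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
    if ($path) { Test-CookieFolder -ProfilePath $path }
} | Format-Table -AutoSize
```

If every profile reports `Readable` with a non-zero file count and the scanner still misses cookies for other accounts, that points to possibility 3, the scanner's own search locations.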
