Delete limited account, get clean or ?

Discussion in 'other security issues & news' started by CloneRanger, Apr 25, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Saw these -

    SpyEye steals your data. Even in a limited account

    http://www.prevx.com/blog/149/SpyEye-steals-your-data-Even-in-a-limited-account.html

    And also related comments in here

    http://www.prevx.com/blog/147/Antimalware-software-is-not-all-that-useless.html

    Based on reading the above, I was wondering: if someone's user/limited account was infected/compromised etc., would deleting that account eliminate ALL the malware associated with it, and/or would/could there be other nasties lurking elsewhere in the system associated with it as well?

    Obviously a replacement user/limited account would have to be created.

    I'm thinking that it might be similar to only deleting a file to the recycle bin, and it gets overwritten as and when. Therefore it could be possible for nasties to still infect.
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Deleting the infected account will kill the active malware - processes, injected libraries, such things. But depending on where in the filesystem the malicious files are saved, they may remain even after deleting the account - it's just that they won't be doing anything, since there's nothing left to execute them (well, except for a terminally foolish user that notices a strange file in a strange place and, brilliantly, decides to execute it). In the case of the SpyEye malware mentioned by Prevx's blog, the C:\cleansweep.exe\ folder would remain on the hard drive even after deleting the account. But the malware wouldn't be running. Wisest policy would be to just delete such leftovers.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Windchild

    Interesting, I wasn't sure, that's why I asked. Thanks :thumb:
     
  4. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Oh dear me. :eek:

    C:\cleansweep.exe\cleanwseep.exe

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run]
    [cleansweep.exe][C:\cleansweep.exe\cleanwseep.exe]


    Successfully blocked with proper security configuration and without the need for Prevx. ;)
     
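Windchild's point (the account's autostart entry disappears with the account, but the file under C:\cleansweep.exe\ does not) and ParadigmShift's HKEY_CURRENT_USER\...\Run entry together suggest a check a defender can run before and after cleaning up. The PowerShell script below is an added example, not code from the thread or from Prevx: it enumerates the Run key of every loaded user hive, flags entries whose target lies outside Program Files and the Windows directory, and reports whether the target file still exists on disk. It assumes an elevated session so that other users' hives under HKEY_USERS are readable.

```powershell
# Added example (not from the thread): audit per-user Run keys for autostart
# entries that point outside the normal program directories, as a SpyEye-style
# entry [HKCU\...\Run] -> C:\cleansweep.exe\... would. Run elevated so that the
# HKEY_USERS hives of other logged-on accounts are readable.

$trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-CommandPath {
    param([string]$Command)
    # Recover the executable from a Run value: honour quotes, otherwise cut at the
    # first space (an unquoted path containing spaces will be truncated here).
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return ($c -split '"')[1] }
    return ($c -split '\s+')[0]
}

function Test-TrustedPath {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($t in $trusted) { if ($p.StartsWith($t + '\')) { return $true } }
    return $false
}

# Expose HKEY_USERS as a drive so each loaded user hive can be walked.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

$findings = foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }) {
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $props = Get-ItemProperty -Path $runKey
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $exe = Get-CommandPath -Command ([string]$props.$name)
        [pscustomobject]@{
            Hive    = $hive.PSChildName
            Name    = $name
            Target  = $exe
            Exists  = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            Trusted = Test-TrustedPath -Path $exe
        }
    }
}

# Only entries outside the trusted directories are worth a second look.
$findings | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
```

After the account is deleted its hive is no longer loaded, so the entry vanishes from this listing; the Exists column taken from a run made beforehand tells you which files to remove by hand.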