ChriRobe
I'm not clear on if the MSAS scan is parsing the HKUsers
(AllUsers) Registry Hive or just HKCU (Current User).
Additionally, it is worth noting that the hive of a user
_not_ logged in will _not_ be included in the scan.
Windows (2K,XP) has no reason for these hives to be loaded.
I'm looking into how "Fast User Switching" impacts the
registry structure and thus what really gets looked at.
Once, after being hit by spyware, I restarted in safe mode
and did cleanup (Ad-Aware, SpyBot S&D). After declaring
clean, I restarted and logged into my `working user`
account only to be hit again! During the second round, I
loaded the working user hive into the registry by hand
before doing cleanup. Much more was found and removed!
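
An added example, not part of the original post, of the manual step it describes: mounting each logged-off user's `NTUSER.DAT` so that per-user autostart entries can be inspected alongside those of logged-on users. It assumes an elevated PowerShell prompt on a current Windows release; the Run/RunOnce keys and the `OfflineScan_` mount name are choices made here for illustration.

```powershell
# Added example: list per-user autostart entries for every profile, including
# users who are not logged on. Run from an elevated prompt. Read-only.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Keys chosen for illustration; extend with whatever your cleanup tool checks.
$autorunKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce'

foreach ($p in Get-ChildItem -LiteralPath $profileList) {
    $sid      = $p.PSChildName
    $hiveFile = Join-Path (Get-ItemProperty -LiteralPath $p.PSPath).ProfileImagePath 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hiveFile)) { continue }

    # A logged-on user's hive is already mounted under HKEY_USERS\<SID>.
    $loadedByUs = $false
    $mount = $sid
    if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid")) {
        $mount = "OfflineScan_$sid"          # hypothetical temporary mount name
        & reg.exe load "HKU\$mount" $hiveFile 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hiveFile"; continue }
        $loadedByUs = $true
    }
    try {
        foreach ($sub in $autorunKeys) {
            $keyPath = "Registry::HKEY_USERS\$mount\$sub"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Sid = $sid; WasLoaded = -not $loadedByUs
                    Key = $sub; Name = $name; Command = $key.GetValue($name)
                }
            }
            $key.Close()                     # release the handle so unload can succeed
        }
    }
    finally {
        if ($loadedByUs) {
            # Drop any lingering provider handles, then dismount the hive.
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$mount" | Out-Null
        }
    }
}
```

Rows with `WasLoaded` set to `False` come from hives that a scan limited to currently loaded hives would not have seen.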