Anti-malware on Win2K: Run as administrator or user

  • Thread starter: Dubious Dude

Dubious Dude

I am using Windows 2000, and I scan my PC with McAfee antivirus,
SpyBot Search&Destroy, and LavaSoft Ad-Aware. I sometimes do it from
the administrator account, and sometimes from the user account. I am
most often using the user account. I haven't noticed any difference
between using the 2 accounts. Is there a best practice? Thanks.
 
From: "Dubious Dude" <[email protected]>

| I am using Windows 2000, and I scan my PC with McAfee antivirus,
| SpyBot Search&Destroy, and LavaSoft Ad-Aware. I sometimes do it from
| the administrator account, and sometimes from the user account. I am
| most often using the user account. I haven't noticed any difference
| between using the 2 accounts. Is there a best practice? Thanks.

To remove from the OS, you need to run with administrative rights.
More often than not, malware will modify the User registry (Hive: HKEY_CURRENT_USER),
therefore you will often have to run anti-malware routines as the user so that the User
Registry will be corrected as well.
 
Yes, PA Bear, who is asking or talking about MS Antispyware???
If you were absent, here is the OP again:



Panda_man
 
Hi Dude - The short answer is yes. From my Blog, Defending Your Machine,
addy below in my Signature:


#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. Start > Run, enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
 
David said:
From: "Dubious Dude" <[email protected]>

| I am using Windows 2000, and I scan my PC with McAfee antivirus,
| SpyBot Search&Destroy, and LavaSoft Ad-Aware. I sometimes do it from
| the administrator account, and sometimes from the user account. I am
| most often using the user account. I haven't noticed any difference
| between using the 2 accounts. Is there a best practice? Thanks.

To remove from the OS, you need to run with administrative rights.
More often than not, malware will modify the User registry (Hive: HKEY_CURRENT_USER),
therefore you will often have to run anti-malware routines as the user so that the User
Registry will be corrected as well.

Thanks, Dave. I will likely alternate between running as user and admin
in a quasi-random fashion, then. Since I'm usually using the user account,
I launch the scanners using Run-As.

I was wondering if you could clarify what you meant by "To remove from the OS"?
 
Thanks for your feedback, Jim. I'll alternate between user & admin
in successive scans. I might forgo doing it from safe mode, though,
since I often work on the computer as the scan is done. In fact, I
often don't log off simply to retain the state of my work. This
probably isn't as good as your procedure, but it is a trade-off
between convenience and thoroughness. If I had to scan from safe-mode
all the time, I probably would scan very rarely.
 
From: "Dubious Dude" <[email protected]>


| Thanks, Dave. I will likely alternate between running as user and admin
| in a quasi-random fashion, then. Since I'm usually using the user account,
| I launch the scanners using Run-As.
|
| I was wondering if you could clarify what you meant by "To remove from the OS"?

Files, EXE and DLLs.
 
Hi Dude - Well, obviously your choice, of course. Just note that it isn't
quite the scan that's at issue usually (although a 'CleanBoot' or Safe mode
also can help with that in the case of some malware), as much as the ability
to remove malefactors when they're found. DO, however, be sure to do the
other things such as Showing Hidden Files, and cleaning out your TIF and
Temp files, and I _strongly_ recommend, _again_, that you run as Admin.
There really are good technical reasons behind each of those recommendations
(and everything else there, BTW :) ) in the Blog. Good luck.
 
David said:
From: "Dubious Dude" <[email protected]>
| Thanks, Dave. I will likely alternate between running as user and admin
| in a quasi-random fashion, then. Since I'm usually using the user account,
| I launch the scanners using Run-As.
|
| I was wondering if you could clarify what you meant by "To remove from the OS"?

Files, EXE and DLLs.

OK, I think you mean removing malware as opposed to scanning for detection.

If I was simply scanning for detection (ie. routine diligence), is it your
opinion that this should be done from both admin & user accounts as well?
 
Jim said:
Hi Dude - Well, obviously your choice, of course. Just note that it isn't
quite the scan that's at issue usually (although a 'CleanBoot' or Safe mode
also can help with that in the case of some malware), as much as the ability
to remove malefactors when they're found. DO, however, be sure to do the
other things such as Showing Hidden Files, and cleaning out your TIF and
Temp files, and I _strongly_ recommend, _again_, that you run as Admin.
There really are good technical reasons behind each of those recommendations
(and everything else there, BTW :) ) in the Blog. Good luck.

Point noted. I believe that there are reasons for the details in the
blog. And it does make sense that if malware is detected, the removal
should be done with all stops pulled (safe mode, as both admin & user, etc.).
For scanning, though, it happens regularly enough that if it impeded too much
on normal work habits, I would simply end up forgoing them.

Regarding cleaning up temporary files, I do that before a defrag, so there
shouldn't be too many. I have hidden files displayed by default. And I will
alternate accounts from which the scan done. I believe my situation is simplified
in that I'm mostly using the user account, so the opportunity for things to get
infected at the admin level is limited. Granted, all the installation takes
place at the admin level, though I scan anything I install, and only install
the boring useful stuff rather than ritzy entertaining things. (Subjective
thought that may be!)

Cheers.
 
From: "Dubious Dude" <[email protected]>


|
| OK, I think you mean removing malware as opposed to scanning for detection.
|
| If I was simply scanning for detection (ie. routine diligence), is it your
| opinion that this should be done from both admin & user accounts as well?


Merely scanning for detection ?
I guess a normal account is OK.
 
David said:
| OK, I think you mean removing malware as opposed to scanning for detection.
|
| If I was simply scanning for detection (ie. routine diligence), is it your
| opinion that this should be done from both admin & user accounts as well?

Merely scanning for detection ?
I guess a normal account is OK.

That's good news. I'll simply alternate accounts from which the scans are
done, but not necessarily do them from both accounts. (That's 3 scanning
tools, so doing them from both accounts means 6 scans...ugh.). Thanks again
for your perspective on it.
 
Dubious said:
That's good news. I'll simply alternate accounts from which the scans are
done, but not necessarily do them from both accounts. (That's 3 scanning
tools, so doing them from both accounts means 6 scans...ugh.). Thanks again
for your perspective on it.

You could always do your scans from the user account. If the
Antispyware isn't able to remove the file, then either use "Run As..."
(which is the recommended method, IMHO) or switch to your Administrative
account, since using "Run As..." runs the program in the context of the
account you are running as (an administrative account in this case) and not the
context of the account you are in.
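David's point that HKEY_CURRENT_USER is a per-user hive, and Patrick's point that "Run As..." runs the scanner in the Administrator's context rather than the logged-on user's, together mean that a scanner launched via Run As sees the Administrator's HKCU, not the day-to-day user's. The script below is an added example, not code from this thread or from any of the scanners named in it. It parses a constructed .reg export (hand-written to look like regedit / `reg export` output; the SIDs, value names and paths are made up) and shows which Run/RunOnce entries each logon identity would see as HKCU. The temp-directory heuristic in `flag_suspicious` is an assumption for illustration, not a detection signature.

```python
"""Triage autostart (Run/RunOnce) entries from a Windows registry export.

Constructed example: SAMPLE_REG is hand-written in regedit's
"Windows Registry Editor Version 5.00" format and is not a real machine's
dump; SIDs, value names and paths are invented.
"""
import re

# RID 500 = built-in Administrator, RID 1001 = the day-to-day user account.
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"SynTPEnh"="C:\\WINNT\\system32\\SynTPEnh.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-500\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"svhost32"="C:\\Documents and Settings\\dude\\Local Settings\\Temp\\svhost32.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"update"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,2e,00,65,00,\
  78,00,65,00,00,00
'''

AUTOSTART_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}.

    Decodes REG_SZ ("...") and REG_EXPAND_SZ (hex(2): UTF-16LE); other
    types keep their raw right-hand side so nothing is silently dropped.
    hex data may continue on following lines ending in a backslash.
    """
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None or not line or line.startswith(";"):
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        rhs = m.group(3)
        if rhs.startswith('"') and rhs.endswith('"'):
            data = _unescape(rhs[1:-1])
        elif rhs.startswith("hex(2):"):
            raw = bytes.fromhex(rhs[len("hex(2):"):].replace(",", ""))
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = rhs
        keys[current][name] = data
    return keys


def autostart_entries(reg):
    """Flatten Run/RunOnce values into (principal, key, name, command).

    principal is "MACHINE" for HKLM, otherwise the SID whose hive under
    HKEY_USERS holds the value.  HKEY_CURRENT_USER is only an alias for
    HKEY_USERS\\<SID of the process's logon account>, so a per-user entry
    shows up as HKCU only to a process running as that user.
    """
    out = []
    for key, values in reg.items():
        if not any(key.lower().endswith(s.lower()) for s in AUTOSTART_SUFFIXES):
            continue
        if key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            principal = "MACHINE"
        elif key.upper().startswith("HKEY_USERS\\"):
            principal = key.split("\\")[1]
        else:
            continue
        for name, cmd in values.items():
            out.append((principal, key, name, cmd))
    return out


def visible_as_hkcu(entries, sid):
    """Entries a scanner sees under HKCU when its process runs as `sid`."""
    return [e for e in entries if e[0] == sid]


# Assumption for illustration only: autostart commands that launch from a
# temp directory or from inside a user profile deserve a closer look.
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\",
                "\\documents and settings\\", "%temp%")


def flag_suspicious(entries):
    return [(p, name, cmd) for p, _k, name, cmd in entries
            if any(marker in cmd.lower() for marker in SUSPECT_DIRS)]


if __name__ == "__main__":
    entries = autostart_entries(parse_reg_export(SAMPLE_REG))
    for principal, _key, name, cmd in entries:
        print(f"{principal:<48} {name:<12} {cmd}")
    print("HKCU as seen via Run As (Administrator):",
          [e[2] for e in visible_as_hkcu(entries, ADMIN_SID)])
    print("HKCU as seen by the day-to-day user:",
          [e[2] for e in visible_as_hkcu(entries, USER_SID)])
    print("Flagged:", flag_suspicious(entries))
```

Run as-is it prints the five autostart entries, an empty HKCU view for the Administrator identity and a three-entry view for the user, which is exactly why a removal pass as the affected user (or a scanner that walks HKEY_USERS itself) is needed after the admin pass.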
 
Patrick said:
You could always do your scans from the user account. If the
Antispyware isn't able to remove the file, then either use "Run As..."
(which is the recommended method, IMHO) or switch to your Administrative
account, since using "Run As..." runs the program in the context of the
account you are running as (an administrative account in this case) and not the
context of the account you are in.

Frankly, that's what it's been boiling down to. Who's got time to
shut down all apps and login as admin. I don't think I've ever
scanned and found any malware, so the approach of switching to admin
only for mal-ware that doesn't dislodge from a user account seems to
be a good balance. Since I spend hardly any time on that account,
the risk is lower; however, since admin activities are typically
more sensitive to infection (since I'm installing things and messing
around with things that require privileges), that might boost the risk
up a bit. As well, I've done some global registry mutilation which
opens up permissions that normally restrict things to admin only
(this was following HP tech support in trying to get a driver working,
after a week of bashing antlers with the installer), so the risk might be
greater yet. So I will occasionally run the scans as admin.
 