Yowzers! My dad's infection hell.

My dad is 76 and not completely computer savvy. He was having some problems and asked me to take a look. He was trying to download an update from the Microsoft website and ended up installing Windows Live on his pc. So I uninstalled that and still it was treacle slow. Ran ccleaner and it cleared 70mb of cookies(well virtually!). Still no better. He has something called NTLGuard running realtime which is a security suite provided free of charge by his service provider NTL.

So I had previousy installed SAS and decided to update it and give it a run. Only as a precaution as I didn't think there would be any infections with him running real time protection. Holy cow! How wrong could I be! Get this. 775 infection's. My eyes popped out of my head. It wasn't the number he had that amazed me, it was how crap this NTLGuard must be. Anyway, after a couple of tries SAS successfully cleaned it. SAS crashed first time it tried.

So I uninstalled NTLGuard, downloaded and installed AVG free. Scanned the full system and bam! clean as a whistle!!!

Just how good is SAS. I keep telling people and I think they are starting to believe me.

Next thing to do is take my USB stick around there and grab a copy of the log file from SAS for close analysis. Need to get a grip on just how bad those critters were. Incidently, SAS didn't ask for a reboot to complete the clean up. That impressed me.

 

I'm glad the system is doing better. And, yes, Super Antispyware is a good product. But it is not intended to be an all-in-one scanner, so I suggest you scan with a few other just to be safe; namely Prevx Edge, AVP Tool, and CureIT. I don't trust AVG as much as the ones I listed.

 

yeh i think there are others than avg to use especially when cleaning up because there could be rootkits, but all is good.

 

I can say straight away that I wouldn't trust AVG either - I do on the other hand have a thought out, automatic setup for PCs (or average Joe's if you wish to call it that - I personally like the same operation as "they" do; only alert me if really necessary, so, well...), which is the following, taken from a list of my own that I update when making changes to my preferred setup:

Microsoft Security Essentials
MVPS HOSTS File
Opera
OpenDNS

- at a minimum, but just fine at that level. That would be only one security program running in tray. I personally have one program total in tray full-time - pretty awesome actually. Drivers for my graphics card and sound card didn't need its "services", so I could turn those off as well. I installed that setup above on my brother's PC not long ago - think it was yesterday? He has two non-Windows things in tray total - MSE included (Microsoft Security Essentials). Have Hitman Pro on there to do manual scans when I wish.

And BTW... Hitman Pro is also what I would've used to begin with, cleaning your father's PC.

 

I agree with Raven,
It would have been interesting to see what Hitman Pro would have initially found on that infected pc.

 

The number is quite amazing. Looks like NTLGuard was asleep on duty.

To be honest, this is a system that I wouldn't trust again no matter how many scanners you run over it. If you dad has any personal data that he values or does online banking or online purchases, I would format the drive and start over.

Since you say your dad is not too computer-saavy, why not set him up with a limited user account? I'd be willing to bet that 99% of that crap wouldn't have had a chance if he wasn't running as admin. As an additional benefit it costs nothing and uses no resources.

 

Very, very good point - LUA for those who aren't computer savvy (FTW ).

 

Yes, only geniuses run as admin.

 

Not really, they usually just hit OK to get rid of the popup!

 

If you install Returnil or Shadow Defender, he can activate after he boots up and it will delete everything he does when he shuts down. I had a similar situation with my Grand Daughters computer, where they picked up all kinds of malware including the vundo trojan. I installed Returnil and taught them to activate it every time they went on line. All's quiet ever since.

 

Some bozo in the office installed that on all of our work computers and it wiped out my settings everyday for like a week. If I decided that I would create a folder and save some batch script, or information that I would later use in my job, the next day it would be gone. Needless to say, we uninstalled it within a week. The rascal who did it remains anonymous!

You know they say that 70% of all malware infections are due to user error. Why not just educate him a bit?

 

Techman, That experience must have been terrible for you. In this case however, we are referring to a senior citizen who apparently is the only person using the computer. I agree that educating him would be the best course of action. Doing that would depend on who you are trying to educate too. Sometimes it's easier to teach a ten year old, than it is to teach someone who has been analog all his life.

 

Which popup are you referring to? I don't get that one, I'm a little slow this morning.

 

I was about to post about the same thing - but I think he means UAC and not the "real" LUA.

 

I agree about the first part.

LUA is probably not the best idea.
There is no substitute for some basic computer security education. Like, don't click on ads, don't reply to spam/phishing, check if some program is safe before downloading, install patches.
Complement it with a good security suite ? That's probably the most simple solution.

 

NTLGuard was replaced by PCGuard a long time ago, that could explain the infections as the updates stopped.

http://help2.virginmedia.com/help/getContent.jspx?page=ser_pcguard_total

On my Dad's old (256mb) laptop I installed:

Kerio 2.x
Peerguardian with DShield, Hijacked, Spyware lists
Avira personal with all threat categories enabled
SetSafer
Sandboxie

No infections or problems in over 3 years.

 

Sure, but LUA and a security app. with hardening around it on a clean system (reformat) would IMHO be a lot more secure.

 

This is my advice as well. When a system is seriously infected, it's always safer to research what the infection was and then flatten and reinstall. It's 100 % certain that no AV will detect all malware in the world and even all the AVs in the world combined won't do that, and that means that just running AV scans cannot ensure the system is really clean and trustworthy.

More good advice. Most current malware fails when executed by a limited user. And even the malware that doesn't fail is limited in what it can do, and can't create a system wide infection and install the really evil stuff like kernel mode rookits.

Yeah, that's what I was thinking, too. If you're really LUA, you can't just click OK on something and get admin privileges or give admin privileges to some software. At the very least you have to give the admin password. And as for UAC? You can just use group policy to set that to automatically fail elevation without prompting the user so that when you run something that wants admin rights it just fails without asking you for anything. Personally, I find that "Joe Average" who uses their computer pretty much as a browser, email client, and a video or audio player and perhaps for playing a game or two can happily run all of the time logged in as LUA and almost never need to log in as admin. So, therefore, you can just tell them to never give the admin password to anything or anyone, with only one exception - when they themselves boot the system and log in as admin to run some software's update checker, and then immediately log out after that is done.

Why is LUA not "the best idea"? What is wrong with the concept, especially for a Joe Average type user who doesn't run his computer just so he can play with anti-rootkits or hack the registry all day long (which would require admin rights)?

There is certainly no substitute for user education. But there is no substitute for the principle of least privilege, either. There's no reason why you can't do both. But there's a lot of reason why you should do both. And if you then run some decently coded security software on top of that, you're certainly much better off than just running as admin with the same security software, user education or no.

 

Windchild, since you're mentioning some things about updates and so on...

1. Am I able to do Windows Updates as a LUA (e.g. through Automatic Updates)?

2. If not, can I do it manually by running the shortcut to Windows Update through IE as an Admin through SuRun?

3. Is most, if not all security software today (e.g. NAV2010 since that's what I at least currently run...) able to update in an LUA account? That question would be REALLY important to me at least since it would definitely get really frustrating if things are otherwise...


Think there was something else, but I'll get back to you when/if I remember it.

 

These two statements are contradictory. LUA *is* basic computer security. I don't understand the resistance to it by members of a so-called security forum. It uses no resources, doesn't have to be updated and will still stop the vast majority of malware without any interaction on the part of the user. People like Mark Russinovich and Aaron Margosis just might know what they are talking about when they recommend not running as admin.

That's advisable no matter what type of account it is. You didn't mention drive-by downloads, which in almost all cases are dependent on admin rights. If the AV doesn't happen to have a signature for that particular malware, you're screwed. With a limited user account almost all of this crap is not able to install.

That's debatable. With all of the popups from firewalls and behaviour blockers, a lot of these users are overwhelmed and start clicking things away just to avoid the annoyance.

I've set up computers for inexperienced people with LUAs and they have no problem with it. Installing SuRun simplifies the matter even more.

 

1. Yes. Automatic Updates works with LUA. Updates can automatically download and install.

2. As far as I know, explorer.exe needs to be running as admin for Windows/Microsoft Update to work, so just plain Run As from a limited user account wouldn't work, since it would only give the IE process admin privileges and leave explorer.exe running with limited privileges. I don't know about SuRun, but my guess is that it doesn't, either, due to the same reason.

3. Depends on the security software. Any decently coded software should be able to successfully update even when the user is logged in as a limited user. (The important parts of the security software should be running with higher privileges anyway, to be able to clobber any malware, and the updater can run with the same privileges, enabling automatic updates regardless of who is logged in.) I have never used NAV 2010, so I don't know how it works, but my guess is that it can update just fine in a limited user account - anything else would be really poor coding from Symantec. Three ways to find out: Google, asking Symantec support and testing it yourself.

 

Thank you, Windchild.

 

OK, that makes some sense now.

Regarding your post to Windchild, yes, Windows automatic updates work with LUA. Windows Update is a system-level service and has the necessary privileges.

Updating manually with IE started as admin using SuRun is another story. Windows update recognizes that you have a limited account and says no dice. You can just log off and login to the admin account and run it, then switch back. This is seldom necessary, though. You really only need it if you want to check the optional updates.

I installed a trial of Norton 2009 a while back to see if it really isn't a resource hog anymore. It worked fine, it updated, I could run scans, etc. Only problem is if you want to change the configuration. You have to login as admin to do that, which is probably a Good Thing (tm). The changes carry over to the LUA no problem. I would imagine that this hasn't changed for the 2010 version.

 

Get him WOT and have it set to block. That should help. Tell him about the traffic light style rating and he should get it.

 

Seems I was the slow one here, I read UAC instead of LUA by accident.