Struck by Live Security platinum

Borg 386 · 15 Aug 2012

masplin said:

I have run Malware, Rootkiller, Windows Defender offline (which found some things to remove).

Do you remember the name of these items it found? The name of these viruses will be a deciding factor in what actions you should take.

Some viruses do remove restore points or deny access to them. And they also like to embed themselves in restore points, usually the first one. If you can access a restore point after an infection, it's best to go back 2 or 3 points. Unfortunately, some viruses corrupt the entirety of restore points.

You could try the restore point in Feb, but that does seem odd there are no others, since you've no doubt had updates from MS and they, by default, make a restore point before installing.

Layback Bear · 15 Aug 2012

Personally I would not use any restore point because they can be infected. I also would not use any back ups that where made any where the time of the found infection. Infection can be installed with a time delay or a action related start. Example: When and if you hit the Windows Flag Key you could activate the infection. It could be anything along that line.

Borg 386 · 15 Aug 2012

Good point Layback. This is why when I make system images, I keep the last 4 of them on file so that if I do inadvertently make a backup with a virus, I can go back even farther.

When was this system image made? Was it made before or after the infection?

Being that the only restore point you have is Feb, it's a good chance your restore points are infected.

masplin · 15 Aug 2012

Unfortunately I didnt write down the files Windows Defender found. Would they be logged somewhere if I restart it?

The image is July 9th so fairly recent in that there wont be many changes, but before the infection which was 2 days ago. However I only take a system image of my C drive that is on an SSD and contains just OS and programs. I moved the user files to a seperate HD in a "U" partition partly becuase of space and partly I was advised by this forum it was good practice. The "U" drive gets backed up daily with windows backup to another HD. I saw some of the virus files had paths on this U drive so wondering if just restoring my C drive with the image is going to be sufficient?

I'm not sure if I delete my wife's the user account and recreate it could I then restore her user files from the day before infection?

Thanks Mike

masplin · 15 Aug 2012

Hmm oddly I can now access files on 2 of the other 4 pcs so maybe this isn't an issue caused by the virus. I'm not quite clear where the Diagnostic policy server comes into it...is it just for diagnosis when it doesn't work?

sounds liek the advice is to do the systme image restore anyway to be on the safe side.

Jacee · 15 Aug 2012

Open an elevated command prompt, then type or copy/paste:

net localgroup Administrators /add networkservice
press enter
then type:
net localgroup Administrators /add localservice
press enter
then type:
exit

press enter and restart your computer

Open services and make sure the service is started.

shawn77 · 16 Aug 2012

please download Downloading Farbar Service Scanner and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Borg 386 · 16 Aug 2012

It might be wise to re-run Windows Defender Offline, just to verify that nothings left on your system. If it finds anything, write the name down.

WDO is good at getting a lot of things, however it can not remove certain items, including some rootkits. If you've been infected by the Sirefef rootkit, MS is recommending a clean install as this alters some of the OS files & leaves them in a irreparable state.

masplin · 16 Aug 2012

Think i was getting my knickers in a twist with network access as sorted out by rebooting the other machine. So currently it al lseems happy. I'll rerun WDO and assume if there are any outstanding issues it will at least find them even if it cant remove them?

masplin · 16 Aug 2012

Slightly related. My wife was running MSE. I have Kapersky as had a 3 year licence which is just coming to expiry. i was going to let it expiry and just run MSE unless Kapersky is any better at stopping this sort of thing? I was under the impression MSE was as good as any of the paid solutions.