Struck by Live Security platinum

masplin

My wife was browsing and got struck by this thing. Hopefully I can remove it with the Superantispyware free version, which seems to have detected it.

My question is to understand how it got on, given I think I'm reasonably security conscious. This is the 2nd time, as one of my daughters had something similar a few months ago. Both were running MSE and Spybot TeaTimer. Both are set up as non-administrative users to stop things installing themselves. So, 2 questions:

1. Do any anti-virus or anti-spyware programs prevent these types of programs infecting you?
2. How has it managed to install when you need an administrator's password to change anything else critical on the system?

Thanks for some education

Mike
 

My Computer

Computer Manufacturer/Model Number
Dell XPS 430
OS
Windows 7 64 bit
CPU
intel quad Q6600 2.4GHz
Motherboard
Intel X48
Memory
4GB
Graphics Card(s)
ATI Radeon HD 4850 512Mb
Sound Card
ATI High Def
Monitor(s) Displays
Dell 1707FPV
Hard Drives
640GB RAID 0
320GB
PSU
425W
Keyboard
Logitech MX3000
Mouse
Logitech M-RAG97
Internet Speed
7Mb

Platinum rogue usually comes with ZeroAccess. This instruction may not be sufficient to eradicate the malware.
 

Well, Superantispyware seems to have done the job and I don't seem to have any issues.

I was more interested in why it happens and how to prevent it, as it's quite irritating.
 

Viruses generally have a bad habit of introducing more viruses to your system. In addition to keeping a close watch on your PC's behavior, you should also run the following scanners to make sure it is indeed "all clean."

http://www.sevenforums.com/tutorials/166445-windows-defender-offline.html?filter

Malwarebytes : Malwarebytes Anti-Malware PRO removes malware including viruses, spyware, worms and trojans, plus it protects your computer

Anti-rootkit utility TDSSKiller.

No AV gets every virus, so when a new variant comes out, it slips under the radar. One of the more common ways a virus is caught is called a "drive-by": you visit a web page that has malicious code embedded, and it silently loads into your PC and installs itself without your knowledge. Some viruses will circumvent the safety systems and install regardless of what your setup is.

If you are using Firefox, there is a plug-in called NoScript, which stops most malicious code from running in the background of a compromised web page.

https://addons.mozilla.org/en-US/firefox/addon/noscript/?src=search
 

Perfect, thanks for the advice.
 

That's the whole point of viruses and malware. They go around all security measures, or attempt to anyway. The only thing we can do is be ready.
Obviously the likelihood of getting a virus is reduced substantially with the aid of anti-virus and anti-malware protection to help defend against malicious code.

Spybot, in my opinion, has slowed down and is not as reliable as it once was a long time ago. I would recommend Malwarebytes.
User Account Control enabled with IE8 or 9 works well too; this enables IE Protected Mode.
All you can do is have real-time anti-virus, firewall and spyware protection and hope for the best. The sites you visit also increase/decrease the likelihood of getting an infection. Now that you mention it, it's been almost 3 years since I've gotten a single infection.
 

I do have a system image and take them every month, and daily overnight backups, so I should be prepared for the worst!!!
 

So maybe not so good. I can access the internet but can no longer access any other PC on the network. The error is "Diagnostic Policy Server not running". If I go to Services it is set to Automatic but stopped. If I try to start it, it tries to and then stops again, saying "some services stop if not in use by other services or programs".

I have run Malware, Rootkiller and Windows Defender Offline (which found some things to remove). I have also run sfc /scannow and checked that msconfig is set to Normal, as I saw that on another post about the Diagnostic server. I have rebooted.

I went to System Restore and, oddly, the last restore point is the night after I got infected. Before that there is one in Feb. Not sure if that lack of restore points is related. I have a system image of my C drive (all user profiles are on a partitioned U drive) from 9th July.

Before doing something as drastic as an image restore, are there any other steps I can take? It seems a bit odd that I can access the internet but not my network, as it's the same adapter.

Thanks, Mike
 

I have run Malware, Rootkiller, Windows Defender offline (which found some things to remove).

Do you remember the names of the items it found? The names of these viruses will be a deciding factor in what actions you should take.

Some viruses do remove restore points or deny access to them. They also like to embed themselves in restore points, usually the first one. If you can access a restore point after an infection, it's best to go back 2 or 3 points. Unfortunately, some viruses corrupt the entirety of the restore points.

You could try the restore point in Feb, but it does seem odd that there are no others, since you've no doubt had updates from MS and they, by default, make a restore point before installing.
 

Personally I would not use any restore point, because they can be infected. I also would not use any backups that were made anywhere near the time of the found infection. An infection can be installed with a time delay or an action-related start. Example: when and if you hit the Windows flag key, you could activate the infection. It could be anything along that line.
 

Good point, Layback. This is why when I make system images, I keep the last 4 of them on file, so that if I do inadvertently make a backup with a virus, I can go back even farther.

When was this system image made? Was it made before or after the infection?

Being that the only restore point you have is Feb, there's a good chance your restore points are infected.
 

Unfortunately I didn't write down the files Windows Defender found. Would they be logged somewhere if I restart it?

The image is July 9th, so fairly recent in that there won't be many changes, but before the infection, which was 2 days ago. However, I only take a system image of my C drive, which is on an SSD and contains just the OS and programs. I moved the user files to a separate HD in a "U" partition, partly because of space and partly because I was advised by this forum it was good practice. The "U" drive gets backed up daily with Windows Backup to another HD. I saw some of the virus files had paths on this U drive, so I'm wondering if just restoring my C drive with the image is going to be sufficient?

I'm not sure: if I delete my wife's user account and recreate it, could I then restore her user files from the day before the infection?

Thanks, Mike
 

Hmm, oddly I can now access files on 2 of the other 4 PCs, so maybe this isn't an issue caused by the virus. I'm not quite clear where the Diagnostic Policy Server comes into it... is it just for diagnosis when it doesn't work?

Sounds like the advice is to do the system image restore anyway, to be on the safe side.
 

Open an elevated command prompt, then type or copy/paste:

net localgroup Administrators /add networkservice

Press Enter, then type:

net localgroup Administrators /add localservice

Press Enter, then type:

exit

Press Enter and restart your computer.

Open Services and make sure the service is started.
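A check to run after those three commands, added here as an example and not part of the post: the fix puts the built-in LOCAL SERVICE and NETWORK SERVICE accounts into the local Administrators group, which widens what any service running under them can do, so it is worth confirming both that the Diagnostic Policy Service (service name DPS) now runs and exactly which accounts ended up in the group. Assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: verify the DPS service and report
# which built-in service accounts now hold local Administrators membership.
# Assumes Windows 7+ and PowerShell 2.0+ (no Get-LocalGroupMember), elevated.

function Get-DpsState {
    $svc = Get-Service -Name 'DPS'                      # "Diagnostic Policy Service"
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='DPS'"
    New-Object PSObject -Property @{
        Status    = [string]$svc.Status                 # Running / Stopped
        StartMode = $wmi.StartMode                      # Auto / Manual / Disabled
        LogOnAs   = $wmi.StartName                      # normally NT AUTHORITY\LocalService
    }
}

function Get-LocalAdminMembers {
    # ADSI WinNT provider; returns member display names of the local Administrators group
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$state = Get-DpsState
Write-Host ("DPS: {0}, start mode {1}, runs as {2}" -f $state.Status, $state.StartMode, $state.LogOnAs)

if ($state.Status -ne 'Running') {
    try {
        Start-Service -Name 'DPS' -ErrorAction Stop
        Write-Host 'DPS started.'
    } catch {
        # The System event log usually carries the underlying error for a service that stops at once
        Write-Warning ("DPS still will not start: {0}" -f $_.Exception.Message)
    }
}

$members = @(Get-LocalAdminMembers)
# Match both the short name and the NT AUTHORITY\ form, depending on how the provider reports it
$serviceAccounts = @($members | Where-Object { $_ -match '(LOCAL|NETWORK) SERVICE$' })

Write-Host ('Administrators members: ' + ($members -join ', '))
if ($serviceAccounts.Count -gt 0) {
    Write-Host ('Service accounts holding admin rights after the fix: ' + ($serviceAccounts -join ', '))
} else {
    Write-Host 'LOCAL SERVICE / NETWORK SERVICE are not in Administrators.'
}
```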
 

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.
 

It might be wise to re-run Windows Defender Offline, just to verify that nothing's left on your system. If it finds anything, write the name down.

WDO is good at getting a lot of things; however, it cannot remove certain items, including some rootkits. If you've been infected by the Sirefef rootkit, MS is recommending a clean install, as this alters some of the OS files and leaves them in an irreparable state.
 

Think I was getting my knickers in a twist with network access, as it was sorted out by rebooting the other machine. So currently it all seems happy. I'll rerun WDO and assume that if there are any outstanding issues it will at least find them, even if it can't remove them?
 

Slightly related. My wife was running MSE. I have Kaspersky, as I had a 3 year licence which is just coming to expiry. I was going to let it expire and just run MSE, unless Kaspersky is any better at stopping this sort of thing? I was under the impression MSE was as good as any of the paid solutions.
 
