Virus Disabled System Restore & Windows Security

Doug R

Hello All,
Some months back I was infected by some virus but running Malwarebytes
and other anti virus programs cleaned it up......or so I thought. I
just realized that it disabled System Restore and Windows Security
Service Center. When I try to turn on Security Center I get an error
message saying it can't be started and when I go to system restore I
get a "System Restore has been turned off by system admin". I can't
use System Restore at all now. I run Windows 7 Home Premium 64 bit and
System Restore is a tool that I need. Does anyone have any ideas how I
can get these features working again.
Thank you.
 
ASCII

Doug said:
Some months back I was infected by some virus but running Malwarebytes
and other anti virus programs cleaned it up

MBAM isn't known to be antiviral, won't even detect; IroK, Toady, Krilie,
Weed, Rustybug, all written and distributed by someone claiming to be a
'malware researcher' for the company. At least until the super secret
circumstances of his separation transpired.
 
David H. Lipman

From: "Doug R" <[email protected]>

| Hello All,
| Some months back I was infected by some virus but running Malwarebytes
| and other anti virus programs cleaned it up......or so I thought. I
| just realized that it disabled System Restore and Windows Security
| Service Center. When I try to turn on Security Center I get an error
| message saying it can't be started and when I go to system restore I
| get a "System Restore has been turned off by system admin". I can't
| use System Restore at all now. I run Windows 7 Home Premium 64 bit and
| System Restore is a tool that I need. Does anyone have any ideas how I
| can get these features working again.
| Thank you.

Malware wants to stay on the PC as long as it can. It will perform measures of "self
preservation" such that it makes it harder to remove.

The NT Based OS has "policies" that can be used in an environment to set restrictions on
the users as needed by the administrator. The Policies can be set on an Active Directory
Domain and are called Group Policies. The Policies that are set on the PC are known as
Local Policies. The malicious authors have learned to incorporate these administrative
local policies into their malware as measures of self preservation. Usually MBAM will
remove these Policies. The message "System Restore has been turned off by system admin" is
indicative of such a local policy.

There are two possibilities, you are still infected or MBAM missed resetting the
associated policies.

You said you used MBAM "Some months back". Have you updated it to v1.46 and run a scan
since you found these problems?

Note: There is no need to Multi-Post; those that read alt.comp.virus also read
alt.comp.anti-virus. The objective is to Cross-Post to both groups. That is, put BOTH
alt.comp.virus & alt.comp.anti-virus on the line (and any other related groups) for what
news groups you want to post to.
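As an added example that is not part of the thread, a PowerShell audit for the local-policy tampering David describes: it reports the System Restore policy values (DisableSR and DisableConfig under the Windows NT\SystemRestore policy key) and the start mode of the Security Center service (wscsvc), and only clears them when run with the script's own -Remediate switch. The key, value and service names are the standard Windows locations; run it from an elevated prompt on the affected PC.

```powershell
# Added example (not from the thread): audit the local-policy registry values behind the
# "System Restore has been turned off by your administrator" message and the state of the
# Security Center service. -Remediate is this script's own switch; without it, report only.
param([switch]$Remediate)

$srPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$policyValues = 'DisableSR', 'DisableConfig'   # non-zero = turned off by policy
$findings     = @()

if (Test-Path $srPolicyKey) {
    $props = Get-ItemProperty -Path $srPolicyKey
    foreach ($name in $policyValues) {
        $val = $props.$name
        if ($null -ne $val -and $val -ne 0) {
            $findings += "Policy value $name=$val present under $srPolicyKey"
            if ($Remediate) {
                # A home PC is not domain-joined, so nothing legitimate should set these.
                Remove-ItemProperty -Path $srPolicyKey -Name $name -Force
                $findings += "  -> removed $name"
            }
        }
    }
} else {
    Write-Output 'No SystemRestore policy key present (expected on a clean home PC).'
}

# Security Center (wscsvc): malware disables it so the user gets no "protection off" warnings.
$svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += 'Security Center service (wscsvc) is missing'
} else {
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='wscsvc'").StartMode
    if ($startMode -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $findings += "wscsvc StartMode=$startMode Status=$($svc.Status)"
        if ($Remediate) {
            Set-Service -Name wscsvc -StartupType Automatic
            Start-Service -Name wscsvc
            $findings += '  -> set to Automatic and started'
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No policy or service tampering found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

If the values reappear after a reboot, something still running on the PC is re-applying them, which is the "still infected" case David lists first.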
 
FromTheRafters

ASCII said:
MBAM isn't known to be antiviral, won't even detect; IroK, Toady, Krilie,
Weed, Rustybug, all written and distributed by someone claiming to be a
'malware researcher' for the company. At least until the super secret
circumstances of his separation transpired.

It claims detection for *some* viruses and worms though.
 
Doug R

Thanks WolfK but I've tried all those options. Every place where it's
conceivable to turn on System Restore is grayed out and I get the
message "System Restore has been turned off by your administrator". Is
there anything I can do to turn it back on?
 
Dustin Cook

ASCII said:
MBAM isn't known to be antiviral, won't even detect; IroK, Toady, Krilie,
Weed, Rustybug, all written and distributed by someone claiming to be a
'malware researcher' for the company. At least until the super secret
circumstances of his separation transpired.

Most infections these days aren't viral; but trojans... Malwarebytes deals
with that stuff just fine. It's never claimed to be antivirus; but
antimalware.

All of the claims, the viruses and the researcher for the company are true.
The reasons I am no longer with them will remain between myself and them. I
don't believe that has any relevancy here; except to say, since I did go my
own way, it stands to reason, that I did work for them.. Doh! (homer
simpson style).
 
FromTheRafters

Doug R said:
Hello All,
Some months back I was infected by some virus but running Malwarebytes
and other anti virus programs cleaned it up......or so I thought. I
just realized that it disabled System Restore and Windows Security
Service Center. When I try to turn on Security Center I get an error
message saying it can't be started and when I go to system restore I
get a "System Restore has been turned off by system admin". I can't
use System Restore at all now. I run Windows 7 Home Premium 64 bit and
System Restore is a tool that I need. Does anyone have any ideas how I
can get these features working again.
Thank you.

No configuration hints (including registry hacks) are going to help you
until the malware is removed or disabled. If MBAM indeed 'cleaned it up'
I suspect it may have a misidentification issue. Have you tried
SUPERAntiSpyware?
 
Doug R

What I found was that the virus had added a line to the registry
turning Restore off. I deleted that one line and all is good again.
Thanks for replying!
 
David H. Lipman

From: "Doug R" <[email protected]>

| What I found was that the virus had added a line to the registry
| turning Restore off. I deleted that one line and all is good again.
| Thanks for replying!

If you read my post, that was a "local policy".
 
FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>

| It claims detection for *some* viruses and worms though.

Yes but will not "clean" a virus infected file.

Does it detect virally infected files? What I mean is, I'm sure it can
detect blended threats by their *other* vector's wormlike artifacts
(dropped copies of themselves for instance) but can it detect a single
file infected by Virut for instance (which is listed as a detectable
malware)?
 
FromTheRafters

Funny that MBAM didn't do that for you. Sometimes code in a new version
of a malware can be close enough to code in a previous version that a
detector misidentifies version 'b' as version 'a' and the resulting
cleaning becomes incomplete. I don't suppose you have the original
malware quarantined somewhere?

Doug R said:
What I found was that the virus had added a line to the registry
turning Restore off. I deleted that one line and all is good again.
Thanks for replying!

[...]
 
David H. Lipman

| Does it detect virally infected files? What I mean is, I'm sure it can
| detect blended threats by their *other* vector's wormlike artifacts
| (dropped copies of themselves for instance) but can it detect a single
| file infected by Virut for instance (which is listed as a detectable
| malware)?

It may detect a file that is infected with Parite or Virut but cannot remove the Parite
or Virut virus from the file that had been infected.

IFF detected, the file would be deleted; thus MBAM does not really target such infectors and
leaves them to traditional anti virus applications that will.
 
David H. Lipman

From: "FromTheRafters" <[email protected]>

| Funny that MBAM didn't do that for you. Sometimes code in a new version
| of a malware can be close enough to code in a previous version that a
| detector misidentifies version 'b' as version 'a' and the resulting
| cleaning becomes incomplete. I don't suppose you have the original
| malware quarantined somewhere?

He never answered my question.

"You said you used MBAM "Some months back". Have you updated it to v1.46 and run a scan
since you found these problems?"
 
FromTheRafters

David H. Lipman said:
| Does it detect virally infected files? What I mean is, I'm sure it can
| detect blended threats by their *other* vector's wormlike artifacts
| (dropped copies of themselves for instance) but can it detect a single
| file infected by Virut for instance (which is listed as a detectable
| malware)?

It may detect a file that is infected with Parite or Virut but cannot
remove the Parite or Virut virus from the file that had been infected.

IFF detected, the file would be deleted; thus MBAM does not really target
such infectors and leaves them to traditional anti virus applications that will.

Thanks for the information.
 
FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>

| Funny that MBAM didn't do that for you. Sometimes code in a new version
| of a malware can be close enough to code in a previous version that a
| detector misidentifies version 'b' as version 'a' and the resulting
| cleaning becomes incomplete. I don't suppose you have the original
| malware quarantined somewhere?

He never answered my question.

"You said you used MBAM "Some months back". Have you updated it to
v1.46 and run a scan since you found these problems?"

Don't you just hate that? :D

He's edited the registry and moved on...
 
~BD~

| He's edited the registry and moved on...

Surely that's the *only* way to 'fix' things if malware has caused a
registry alteration?
 