How can I make a copy of my Norton 360 log history to review without being overwritten?

I was infected. I think I have fixed the problem but I want to investigate how it happened. I want to make a copy of my log history that cannot be overwritten or purged. How can I do it?

There isn’t any direct way to export your Norton history in its entirety.

Here are some things that you can review which might help via inspecting Windows:

AI Overview

To find the approximate date a Windows computer was infected, you can use the Command Prompt to check system file dates or scan for recently modified files in the registry. A reliable method is checking for suspicious activity via netstat or analyzing the Windows Security Logs. [1, 2]

Key Methods for Finding Infection Times

  • Check File Creation Dates: Malware often creates files in C:\Windows or AppData at the time of infection. Sort folders by “Date Created” to look for anomalies.
  • Analyze Windows Logs: Use the “Event Viewer” to check for unexpected login times, service changes, or Windows Defender detection logs.
  • Use systeminfo: Type systeminfo in Command Prompt to see when critical system components were last modified, which may align with the infection date.
  • Third-Party Logs: If you use security tools like Malwarebytes or AdwCleaner, check their logs for the first recorded detection of a threat.
  • Inspect Startup Items: Use msconfig to identify when suspicious, unknown programs were added to your startup list. [1, 2, 3, 4, 5]

This video explains how to find the Windows installation date, which can help in diagnosing when an issue might have started:

How to Find Your Windows Installation Date: Easy Methods (TECHiFY, YouTube, Apr 9, 2025): https://www.youtube.com/watch?v=rPLV18YvxEo&t=66

Steps for Technical Inspection

  1. Run Command Prompt as Admin: Press Win + Q, type “CMD”, and select Run as Administrator.
  2. Run netstat: Type netstat -ano to see active network connections. If a suspicious process is listed, identify its PID and check its creation date in Task Manager.
  3. Review Registry Run Keys: Check HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to identify when suspicious programs were set to run automatically.
  4. System File Checker: Run sfc /scannow to find corrupted files, then check the logs for when the corruption occurred. [1, 2, 3, 4, 5]

Additional suggestions to help with the search:

AI Overview

To determine the infection date on Windows, use built-in tools like Windows Security Protection History, Event Viewer, and Reliability Monitor to identify when files were first created or errors started. Third-party tools like Malwarebytes and forensic tools (e.g., Belkasoft X) can also pinpoint malicious file timestamps and system changes. [1, 2, 3, 4, 5]

Built-in Windows Tools

  • Windows Security Protection History: Access via Virus & threat protection > Protection history to see when threats were detected or blocked.
  • Reliability Monitor: Type “reliability” in the search bar. Look for spikes in application failures or unexpected shutdowns that correlate with the suspected infection time.
  • Event Viewer (Event ID 7045/4688): Search system logs for new, unexpected services (7045) or processes (4688) installed around the time of infection.
  • File System Timestamps: Use File Explorer to check the “Date Created” or “Date Modified” of suspicious files. Note: Advanced malware may spoof these dates.
  • NTFS $FILE_NAME Attribute: Using tools like The Sleuth Kit, you can examine the $FILE_NAME attribute, which is harder for malware to tamper with compared to standard MAC times.
  • Windows Defender Offline: Run this scan to detect and identify threats that are harder to find while Windows is running. [1, 2, 3, 4, 5, 6]

Forensic and Third-Party Tools

Key Indicators to Look For

  • Suspicious Executables: Look for files created in C:\ProgramData, C:\Users\Username\AppData, or C:\Windows\Temp.
  • Registry Changes: Monitor Run keys for new startup items.
  • Unexpected Service Installation: Check for new services installed recently. [1, 2, 3, 4, 5]
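
The Windows-side checks listed in the reply above, gathered into one PowerShell script that also saves copies of the event logs so they can be reviewed later. This is an added example, not part of the original post; the destination folder `D:\ir-copy` and the 30-day window are assumptions, and it does not export Norton's own history.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs admin rights).
# $Dest and $Since are assumptions; point $Dest at external media if possible.
$Dest  = "D:\ir-copy\$(Get-Date -Format yyyyMMdd-HHmmss)"
$Since = (Get-Date).AddDays(-30)
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Export full copies of the event logs so later log rotation cannot overwrite them.
foreach ($log in 'System', 'Security', 'Application',
                 'Microsoft-Windows-Windows Defender/Operational') {
    $file = Join-Path $Dest (($log -replace '[\\/ ]', '_') + '.evtx')
    wevtutil epl $log $file
}

# 2. New services (System 7045) and new processes (Security 4688) inside the window.
#    4688 only exists if process-creation auditing was enabled before the infection.
foreach ($q in @{ LogName = 'System'; Id = 7045 }, @{ LogName = 'Security'; Id = 4688 }) {
    $q.StartTime = $Since
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv (Join-Path $Dest "events-$($q.Id).csv") -NoTypeInformation
}

# 3. Current-user Run key entries (startup items).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $run | Select-Object * -ExcludeProperty PS* |
    Format-List | Out-File (Join-Path $Dest 'run-key-hkcu.txt')

# 4. Executables and scripts created in the folders named above, oldest first.
#    Creation times can be spoofed, so treat them as leads rather than proof.
$dirs = $env:ProgramData, "$env:USERPROFILE\AppData", "$env:windir\Temp"
Get-ChildItem -Path $dirs -Recurse -File -Force -Include *.exe, *.dll, *.ps1, *.bat `
              -ErrorAction SilentlyContinue |
    Where-Object CreationTime -ge $Since |
    Sort-Object CreationTime |
    Select-Object CreationTime, LastWriteTime, Length, FullName |
    Export-Csv (Join-Path $Dest 'recent-executables.csv') -NoTypeInformation

# 5. Record SHA-256 hashes of every saved file, then mark the copies read-only.
#    Read-only only guards against accidental edits; keep a second copy offline.
$hashes = Get-ChildItem $Dest -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv (Join-Path $Dest 'sha256.csv') -NoTypeInformation
Get-ChildItem $Dest -File | ForEach-Object { $_.IsReadOnly = $true }
```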

SA

Have you tried using the snipping tool in Windows?

You would have to snip and save and then keep scrolling down and snipping for as much as you need.

Not ideal but it might work.

1 Like