
FOR PIETERC Permissions and Windows Defender


Go to solution Solved by Maurice Naggar,


@PieterC

Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
Please only attach all report files, etc. that I ask for as we go along.
Please know I help here as a volunteer, and that I am not on 24 x 7.
 

Do be aware that Windows update failures are not necessarily due to malware.   This is just one starter procedure.   We will be needing to do multiple exchanges on this case.

I would also like to have the following  2 reports, please.

[    1   ]

Download   Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/


and Save to your Desktop.
Right-Click on fss.exe and select Run As Administrator.
 
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services

 


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach the report  file      FSS.txt into your reply. 

 

[      2      ]

Please download MiniToolBox save it to your desktop and run it. 

Reply YES when prompted by Windows to Allow the program to run.
Reply YES when prompted by the tool to proceed.

Checkmark the following check-boxes:
 

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log

 

Click Go and post the result ( MTB.txt ). A copy of Result.txt will be saved in the same directory the tool is run. 
Note: When using Reset FF Proxy Settings option Firefox should be closed. 

[     3      ]

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
and save the tool on the desktop.

If Windows SmartScreen blocks that with a message-window, then
click on the MORE INFO spot and over-ride that and allow it to proceed.
This tool is safe. Smartscreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

We will do more later.


Personally, I wished you would not have installed AVG antivirus.   First because AVG adds more addons & of late, makes for more friction.

The MS Windows Defender can be put back in good shape if you decide to uninstall AVG.   I look forward to your decision & action on that aspect  ( uninstalling AVG).

.

I am going to highlight significant sections from the SecurityCheck tool report.

The elevation prompt for administrators disabled
The elevation prompt for users disabled
^It is recommended to enable (default): Win+R typing

UserAccountControlSettings 

and Enter^

 

I need for you to Enable that capability so that you can run a proper run for the System File Checker tool.

Other note, from SecurityCheck tool

PrivaZer v.4.0.7.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer.

If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

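For readers following the SecurityCheck findings quoted in the post above, this added PowerShell example (not part of the original thread, and not the helper's Fixlist script) reads the UAC prompt policy from the registry and reports the Defender service and registered antivirus products. The mapping of SecurityCheck's "disabled" wording to these registry values is an assumption; the script only reads and changes nothing.

```powershell
# Added example (read-only): UAC prompt policy and Windows Defender service state.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows default values for the UAC policy entries.
$UacDefaults = [ordered]@{
    EnableLUA                  = 1  # Admin Approval Mode (UAC) switched on
    ConsentPromptBehaviorAdmin = 5  # prompt for consent for non-Windows binaries
    ConsentPromptBehaviorUser  = 3  # prompt for credentials
    PromptOnSecureDesktop      = 1  # show the prompt on the secure desktop
}

function Get-UacPolicyReport {
    param([string]$Key = $PolicyKey)
    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $UacDefaults.Keys) {
        $current = $props.$name          # $null when the value is absent
        $note = 'default'
        if ($null -eq $current) {
            $note = 'value not present'
        } elseif ($current -ne $UacDefaults[$name]) {
            $note = 'differs from default'
        }
        # Assumption: these are the states SecurityCheck reports as "disabled".
        if ($name -eq 'ConsentPromptBehaviorAdmin' -and $current -eq 0) {
            $note = 'administrators elevate without any prompt'
        }
        if ($name -eq 'ConsentPromptBehaviorUser' -and $current -eq 0) {
            $note = 'standard users: elevation requests denied without a prompt'
        }
        if ($name -eq 'EnableLUA' -and $current -eq 0) {
            $note = 'UAC is switched off entirely'
        }
        [pscustomobject]@{
            Setting = $name; Current = $current
            Default = $UacDefaults[$name]; Note = $note
        }
    }
}

function Get-DefenderServiceReport {
    # WinDefend is the Microsoft Defender Antivirus service.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    # SecurityCenter2 lists antivirus products registered with Windows Security
    # (client editions of Windows only).
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' `
              -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServicePresent = [bool]$svc
        Status         = if ($svc) { $svc.Status } else { 'missing' }
        StartType      = if ($svc) { $svc.StartType } else { 'missing' }
        RegisteredAV   = @($av | ForEach-Object { $_.displayName }) -join ', '
    }
}

Get-UacPolicyReport | Format-Table -AutoSize
Get-DefenderServiceReport | Format-List
```

Run it from an elevated PowerShell window; a third-party product listed under RegisteredAV is the usual reason the Defender service is not the active antivirus.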

Good morning.    Thank you for the status update.   I am enclosing a very special custom script.   The main goal here is to get the MS Windows 10 Windows Defender back in place as a service & to attempt to run a quick scan in batch mode.  It will also run the System File Checker tool & the MS Windows DISM tool to check the system.

Just be sure to close all open apps, documents, work files, etc  before starting this next run.

This custom script is for  PieterC  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

I am sending a    custom Fix script which is going to be used by the FRST64  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Fixlist.txt


Thank you for that report.   You did well.   The check with the Windows System File Checker tool found no problem.  The checks with the Windows DISM tool are good.

What is not clear is the state of the Windows Defender.   I'd like some fresh reports please.

Using File Explorer, go to the Downloads folder.   Find the file FRST64.exe

Do a right-click on it with the mouse & select RENAME and rename it to

FRSTENGLISH.exe

and tap Enter-key  to apply the name change.   This will help me so that important notations are in English for my benefit.

 

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.


_Windows 8 or 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._
Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked    -        listed under Optional scan on the FRST screen
and click the box "90 day files "
Press Scan button and wait.


The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

[     2      ]

Find the FSS.exe   that you saved from before.

Right-Click on fss.exe and select Run As Administrator.
 
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services

 


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach the report  file      FSS.txt into your reply. 

 


Thank you for those reports.   I have here a new custom Fixlist

So, first, I want you to find the prior saved file named Fixlist.txt that is on the Downloads folder.

Next, do this next custom run

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

 

Then when the system is settled back in, I would like you to try 2 things.

1.   Do a new Microsoft Windows Update run

2.   Do a scan with Microsoft Windows Defender

Fixlist.txt


Good morning.   Regret to read some of this.   However, I would encourage you to keep up your patience and have faith in your helper.   This situation is one that can be overcome.

As the saying goes, hang on.     

It seems to me, that Microsoft Windows Update is listing and offering 4 hardware driver updates.  I suggest you accept those & proceed to run the update with them.

Can you please do a new run with Windows Update  & accept & apply the 4 items,  apply them and then do a Windows Restart.

On screen captures, since they are apparently in Dutch  I am going to need extra measures to get other means to translate out to English.

On the very first screen message-capture,  just when did that message appear?   I mean, from what does that belong ?

I take it that the lines say this "Unexpected error. it appears that a problem has occurred. Please try again later"

Let me know about those 2 things.

.

What we may try doing is to get the Windows normal "Administrator"  account enabled & have you set a new password for it   & then possibly Logoff & log back in with it   and then try some other adjustments.   Lets be sure that we do not mention out in the open any value of any password.

The current login-account you are using is one that has administrator rights,  and we will not be diminishing it or making changes to it.

My guess is that perhaps it is not having success with some aspects of registry updates.

.

To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )
On that command prompt,  Copy & Paste this command

net user administrator /active:yes

and tap Enter key. Watch and document the result of this. Hopefully this will succeed. If so, the next thing we want to do is assign a new password for this main administrator account. Again do not mention that value in your replies. Just only if it is a success.

Copy & Paste this command   to start to change the password

net user administrator *

and press Enter key.    Then    You will get a password prompt. Type the desired password and confirm the same.

Let me know how all this goes.   Have faith and patience.    Please also run a new fresh report with the FRSTENGLISH   report tool

.

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.


_Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._
Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the *disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked    -        listed under Optional scan on the FRST screen
and click the box "90 day files "
Press Scan button and wait.


The tool will produce three logfiles on your desktop: _FRST.txt_, _Addition.txt_
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.


Good Morning Maurice,

However for me it's dinnertime ;)

 

Re: driver updates: installed
Re: Dutch: Your Dutch is better than my English because your translation is correct (viva Google?)
    the first screen capture is the result of:
    - go to Settings/Windows Security/Open Windows-Security/Virus and threat/New start

I have only the free Malwarebytes version
 

FRST.txt Addition.txt


Very good.  I see that the main system "administrator" account is enabled.   Now a small bit of preparation.

Look on your drive C

I want you to create a new folder with a name like FRST-tool

Then into that folder, copy into it these files

FRSTENGLISH.exe

fss.exe

FIXLIST.txt

Now do a Windows RESTART to get into a whole new session, and this time, I need for you to be sure to login with the account Administrator.

Please be sure to do that.     we want to stay with and keep logged in with "Administrator" 

.

Then we should be able to do a new custom run, like this.

Start the Windows File Explorer and then go to the FRST-tool folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity  

 

NOTE, we want to stay with and keep logged in with "Administrator"      ( until we close the case or I otherwise  give other advice, later).

Take your time.   No rush.   I would like you to go careful,  have confidence.    We can do other things as needed.

 


The folder FRST-tool is made and filled as per order.

The restart as Administrator resulted in a black screen with a very short notice that looked like:

"Your administrator has configured diagnostic mode as obligatory" (in Dutch of course)

The exact text was too swiftly gone to reproduce, but the words "diagnostic mode" and "obligatory" are certain.

I waited 10 minutes, but nothing further happened except a small message stating that I should use Windows Defender (yea!)

 


Sorry to hear that.   That message is entirely unexpected.   It may be some sort of leftover from AVG / AVast

Go ahead and power off the machine, wait about 30 seconds. Power machine back ON

and then login with your regular windows-login

Then lets run this tool from Malwarebytes

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
Your continued patience is appreciated.   I will have you follow up with more scans in the next rounds.


Additional important note:   when you get the chance, there are 2 files that should be deleted.  They had been identified by Windows Defender as trojans

D:\DOWNLOADS\StartIsBack ++ 2.9.2\StartIsBack ++ 2.9.2\SiBActivatorX.exe

D:\DOWNLOADS\Malwarebytes PREMIUM 4.1.2.73\LicenseMalwareBytes.exe


Ok.   That is still a good thing, that result.

Lets do this next

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Scan button

Next, on the Quick scan pane, click on the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.


Thanks.   That too is a good thing.

I would like you to do a manual run with the Microsoft Software Removal tool latest version (it's updated each month as part of the regular MS Windows Update cycle).

This tool is a limited one.  It targets some specific "common" malicious threats.  It is a tool run typically once a month when your Windows does a Windows Update check. 
I would just like a one time on demand run. 
Point your browser to this MS website link    https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx 

Look to see it matches your language & your version of Windows in terms of 64-bit or 32-bit 

Download and save the tool.   Then go to the folder where saved  ( should be the Downloads folder).   
Double click the tool   and allow it to Run.   It should not take more than 12 - 15 minutes. 

You could if you want run a FULL scan   but that will take a longer run time.
We will do more later.


This topic is now closed to further replies.