
FOR PIETERC Permissions and Windows Defender


Go to solution Solved by Maurice Naggar,


Thanks for the OTL reports. Thanks very much.

Yes, yea verily, the key is not there, after many attempts to put it in there (in my past custom script runs).

There is something here that seems a bit goofy.

Have much patience till my next reply.


Again, thank you so much for the OTL reports. I have a small run for you to do. The goal here is to make a few tweaks in the registry related to system policies, some relating to admin & some to turn on Windows User Account Control.

To that end,  I am attaching one zip file.   Save it to the desktop first.  Then Extract the content to the Desktop.

You ought to then have a reg file named Polsys.reg

Double-click on Polsys.reg   and let it proceed & let it merge.    Please advise about the run.

We will do more later.

polsys.zip


After completing the preceding procedure (with the polsys from the preceding post of mine), here is the next one.

Just please be sure to do the prior one.

.

You may want to print out or copy these instructions to Notepad for offline reference!
These steps are for the originator only PieterC. If you are a casual viewer, do NOT try this on your system!
If you are not the Original Poster and have a similar problem, do NOT post here; start your own topic
 
Download the attached file OTLFIX.txt and SAVE to your DESKTOP

Start NOTEPAD. Check and make sure "word wrap" is off.
From Notepad main menu bar, Select F (format) and make sure Word Wrap is NOT checked.
IF it -is- check-marked, click that one time so that it is un-checked.

Open the OTLFIX.txt that you saved

Copy ALL the lines to the clipboard by clicking once at the top & then pressing CTRL + A keys to select ALL of them and pressing CTRL + C keys.

Now, right-click on the file OTL.exe and choose Run As Administrator to start it.
Right click in the white-box   (under the aqua-blue bar) and choose Paste.
[  where it says Custom scans / fixes  near the bottom ]
 
Using your mouse, click on the red-lettered button Run Fix [near top left of screen].
 
Once you see a message box "Fix complete! Click OK to open the fix log."
Click the OK button

The log will open in Notepad (your default text editor).

Save the log. Attach that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present. You can put the log into a ZIP file   and attach that with your reply.

OTLFIX.txt


Good morning. I do not see any attachment in the last reply. You may have to put the file into a ZIP file & then attach that.

Then, elaborate on just what "unable to set some values" means.

I am happy to read that the polsys run did merge.   I do need to review this last log.

.

Here are the other parts I would suggest to do now. The goal at hand at this time is just to see about Windows Defender.

First,  do one Windows RESTART   from the Start menu.

and then do as much as you can, as far as you can, of what follows.   ( if needed use the visual cues to turn on Windows Defender  )

 

Do a manual Check for Update for Windows Defender by using the Windows Settings menu.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security


 

Next, In Windows Security section:  Click on the grey button Open Windows Security

 


.

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status  and that  protection is on.

 

 

 


 On the next display,  look at all the options.   Look down the list and see "Check for Updates" which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.  ( You can do Quick, Full, or Custom).

 


Here is the log file again, in a RAR file.

My remark concerning "unable to set some values" comes from the log file.

The last instructions resulted in the screens that I enclose.

Open "Windows Security" led to OpenWindowsSecurity.jpg

"Nu opnieuw opstarten" (New start now) led to StartNow.jpg

So no changes there, I'm afraid

Still like this job? ;) 

OpenWindowsSecurity.jpg

StartNow.jpg

09282020_102438.rar


I wanted to take a moment & ask about something I noticed, that logical drives S T U V W X Z were mentioned as being drives.

Question: Is this machine on an organization or business network?


Hello.

I would like for you to download and save one cleanup tool.   And then following that, do two things while in SAFE mode of Windows.

Study this article (or perhaps see about printing it) for use below
https://support.microsoft.com/nl-nl/help/12376/windows-10-start-your-pc-in-safe-mode


Recalling that this machine had had in the past Avast antivirus, I feel firmly we have been dealing with some sort of residual effect.
I very much would like for you to run the tool to do a cleanup of any traces of Avast.
Get / save the AVAST removal tool, saving it to DESKTOP (just do not run it yet)

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

 

Next
Start PC in safe mode in Windows 10  from Settings    ( Dutch  language )
https://support.microsoft.com/nl-nl/help/12376/windows-10-start-your-pc-in-safe-mode

 

See about using the top method  by clicking / expanding the section on this article marked Alles verbergen.
Then once in Windows Safe mode
Locate the Avast uninstall utility on the DESKTOP    and then run the tool.

Next, again, Restart Windows back into Safe mode   ( just like the time above)
Look on the Desktop for the reg file  WinDefend.reg
Double-click on WinDefend.reg   and allow it to Merge   / monitor the process
 
 


In Safe Mode, after executing your suggestions, Windefend.reg did merge successfully!

As I do not know if you plan further actions first, I have NOT tried to get Defender working yet.

What's next?


That is a good sign.    ☺️     😸   We want the Windows  system back in normal mode.

Then I would like you to run a few commands that I had mentioned previously.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

To get the elevated command prompt, press Windows-key + X key and then select Command prompt (Admin)


It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that command prompt,  Copy & Paste this command

WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="windefend" CALL startservice

press Enter-key on keyboard   and watch & write down the result

 

When these succeed,  you ought to be able to go into Windows >>  Settings >>  Update & Security >>  Windows Security >>

Virus and Threat protection

then click on Quick scan button


Yeah!, Quick scan worked, however when I try to open Windows Security to activate Defender I get this screen.

Translation: Virus- and Threat security

Automatic sampling is off. Your device is vulnerable.

 

Result of scan: 0 threats found

Inschakelen.jpg


Maurice, or should I say: MASTER Naggar: I think you nailed it.

Defender is back and functioning.

Only the icon in the hidden pictograms box does not appear.

Already very happy! Thank you.


Checked the firewall: this message appears:

"Microsoft Defender Firewall uses configuration that can make your device unsafe."

Clicked "Instellingen herstellen" (repair settings): nothing happened.

Is this next problem?

 

Firewall.jpg


The Security / threat protection GUI  area that you were in should have the mechanism to turn on what you need.

Also, you can checkout this article at Tenforums

How to Restore Default Windows Defender Firewall Settings in Windows 10

https://www.tenforums.com/tutorials/70749-restore-default-windows-defender-firewall-settings-windows-10-a.html

 

By the way, the earlier image of the Windows Defender status displays appeared quite normal.   I mean the one 2 posts earlier than here.

.

One other thing you may consider is a tweaking-tool from Microsoft called Configure Defender

https://www.bleepingcomputer.com/news/microsoft/windows-10-defenders-hidden-features-revealed-by-this-free-tool/

I would suggest you only select the Default  selection button.

Quote

"ConfigureDefender utility is a small GUI application to view and configure important Defender settings on Windows 10. It uses PowerShell cmdlets, with a few exceptions to change the Windows Defender settings," ConfigureDefender's GitHub page explains.

 


Hi Maurice,

There is still something wrong. I tried all the options from tenforums.com. The resulting screens are enclosed.

ConfigureDefender is run with the default button, but to no avail.

 

 

Option2Result.jpg

Option1A_Result.jpg

Option1B_Result.jpg

Option4Result.jpg


You already have the FSS.exe report tool. Let's get a fresh report. Later on, we can do some other steps.

Right-click on fss.exe and select Run As Administrator.
 
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services

 


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach the report  file      FSS.txt into your reply. 


I'm going to guide you one service at a time.
mpssvc is the service for the Windows Defender Firewall. Its startup type is supposed to be automatic.
 

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

To get the elevated command prompt, press Windows-key + X key and then select Command prompt (Admin)


It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that command prompt,  Copy & Paste this command

WMIC SERVICE WHERE Name="mpssvc" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & let me know if it succeeds

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="mpssvc" CALL startservice

press Enter-key on keyboard   and watch & let me know if it succeeds

 

Next    Copy   & Paste this command

sc queryex mpssvc

press Enter-key on keyboard   On that, I just only need to know if it is shown as " running "


Hello Pieter.

mpsdrv is Windows Defender Firewall Authorization Driver service  & it is one of the services that is needed for the other service mpssvc

This next link listed below is to a registry file  that I need for you to SAVE as is to the Desktop

RIGHT click the link with your mouse-pointer and select SAVE ...as....     & guide the folder for saving to DESKTOP     ( do not double click / do not 'run' the file / nor open  )

https://download.bleepingcomputer.com/win-services/win-10/mpsdrv.reg


Next
Start PC in safe mode in Windows 10  from Settings    ( Dutch  language )
https://support.microsoft.com/nl-nl/help/12376/windows-10-start-your-pc-in-safe-mode

 
Look on the Desktop for the reg file  WinDefend.reg
Double-click on mpsdrv.reg   and allow it to Merge   / monitor the process

When that is done,  please RESTART Windows  back into normal mode.   After that is done,  and it is settled in,  the system Security should be much better.

Just a reminder, that all this is entirely outside of the realm and scope of the Malwarebytes application.
All of this situation is all about having had a 3rd party antivirus  & its after-effects.

This topic is now closed to further replies.
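
Added example, not part of the thread or written by its posters: the WMIC commands in the posts above set WinDefend and mpssvc to automatic start and start them, and the last post names mpsdrv as a prerequisite of mpssvc. This read-only PowerShell check reports all three in one pass; the function name is hypothetical, and the only expected values used are the automatic start modes the thread states.

```powershell
# Added example, not from the thread. Read-only: it changes no setting.
# Run in an elevated PowerShell window on the affected Windows 10 machine.

# WMIC's ChangeStartMode takes "automatic", but the StartMode property
# reads back as 'Auto'. Only the two 'Auto' expectations come from the thread.
$targets = @(
    @{ Name = 'WinDefend'; Class = 'Win32_Service';      WantMode = 'Auto' }
    @{ Name = 'mpssvc';    Class = 'Win32_Service';      WantMode = 'Auto' }
    # mpsdrv is registered as a driver, so it is listed by Win32_SystemDriver.
    # The thread states no start mode for it; only its state is checked.
    @{ Name = 'mpsdrv';    Class = 'Win32_SystemDriver'; WantMode = $null }
)

# Hypothetical helper name; returns one row per service.
function Get-DefenderServiceHealth {
    param([object[]]$Targets)
    foreach ($t in $Targets) {
        $svc = Get-CimInstance -ClassName $t.Class `
                   -Filter "Name='$($t.Name)'" -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Assumption: no instance means the service entry is not registered.
            [pscustomobject]@{
                Name = $t.Name; StartMode = ''; State = 'Missing'
                Finding = 'not registered'
            }
            continue
        }
        $findings = @()
        if ($t.WantMode -and $svc.StartMode -ne $t.WantMode) {
            $findings += "start mode $($svc.StartMode), expected $($t.WantMode)"
        }
        if ($svc.State -ne 'Running') {
            $findings += "not running ($($svc.State))"
        }
        [pscustomobject]@{
            Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
            Finding = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-DefenderServiceHealth -Targets $targets | Format-Table -AutoSize -Wrap
```

A WinDefend row that is not running is expected while a third-party antivirus is still registered with Windows, so read that finding together with the installed-product list before changing anything.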