Woke up to find Windows Defender was deleted

[Chaldera]

So as a preface, I'm not great with computers, but I will try to provide as much info as I can.

I found about this forum thanks to the top answer of this thread on the Microsoft Community forums.

As the title says, my Windows Defender has gone missing and I suspect it's because of something I've downloaded previously (I did pirate some games which I have since uninstalled because I'm now terrified they've messed up my laptop). I want to get it back, but as per the advice from that other forum, I want to make sure that I've fully flushed my system of any virus/trojans etc before I do that. My logs from MalwareBytes and FRST as per the "I'm infected" thread on this forum are on this post, please let me know if there's anything else you need me to run so that we can get this fixed.

malwarebytes.txt Addition.txt FRST.txt

[Maurice Naggar]

Hi,     
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please only just attach   all report files, etc  that I ask for as we go along.
Thanks for the reports.  Just be aware, we will be doing several passes  ( rounds).   Patience is a virtue.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 
Please see about doing a FULL scan.

  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[Chaldera]

Hi Maurice,

Thank you for the warm welcome and the assistance with this. My name's David 🙂.

I'm just running the Microsoft Safety Scanner now; as soon as it finishes and the log is generated, I'll post another reply with the log and the result of the scan.

[Chaldera]

Okay, the scan completed and it says it removed one bit of malware called "VirTool:Win32/DefenderTamperingRestore", which I assume from the name was part of the issue with Defender being deleted.

msert.log

[Maurice Naggar]

Thanks for the report from the Microsoft Safety Scanner.

The reason that Windows Defender is not available is because you have installed antivirus programs from other vendors.  When you do that, part of their job is to disable ( turn off) Windows Defender.  That is expected and normal procedure.

Now then, it happens that on this machine, there is one or 2 too-many antivirus programs.

You have a full set from Zone-Alarm , and also, Avast Free Antivirus , and also  McAfee Personal Security .

You need to decide which to keep  and which to Uninstall.  If you only want the Microsoft Defender antivirus then you need to uninstall all 3 others.

[Chaldera]

Sorry about the delay Maurice, I've been spending a fair bit of time trying to remove Zone-Alarm; I'd installed it several months back and thought it had been removed when I uninstalled it via Add&Remove Programs about 2 months ago, but I've just had to go into Safe Mode to manually remove it.

I've uninstalled what remained of McAfee (which I'd uninstalled shortly after I got this laptop, but McAfee is harder to remove than I thought) and Avast as well.

Incidentally, I only installed Avast this morning after I found out that Windows Defender was (and unfortunately still is) missing.

[Chaldera]

So from what you saw from the logs, am I safe to do a Repair Upgrade to get Windows Defender back?

[Maurice Naggar]

You have to Uninstall all those programs I listed.  And you need to do a follow-up and also run the special removal / cleanup tools for each.

( and no, you do not run a "repair" to get Windows Defender turned back  on.  Lets leave that part for much later).

Get and Save first , each of these cleanup tools, and then run one by one each of them.  When all done, do a Windows Restart.

For Avast cleanup   https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

For Mcafee look on this page and click on Method 2  under Solution   to get and then run MCPR

https://bit.ly/2IXWTc5

.

For ZoneAlarm cleanup  ( use tool from MajorGeeks )   https://www.majorgeeks.com/files/details/zone_alarm_uninstall.html

 

Restart Windows when all done.   and then let me know when done.

 

[Chaldera]

I've run all three and restarted Windows (restarted after each one just in case).

[Maurice Naggar]

OK, good thing.  Now, some special commands to get Windows Defender re-enabled.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )
One at a time, Copy each line and Paste on to the Command window  and then tap Enter-key after each.
 

WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "Automatic"

 

WMIC SERVICE WHERE Name="windefend" CALL startservice

Make a note of what each result is.  When all done close the Command-window.   Let me know how this goes.

Once this is all done, you should be able to run a manual can of Microsoft Defender Antivirus.   Just be sure to run a Check for Updates on it first.

 I would suggest that you do a manual Quick Scan with the Windows Defender Antivirus.

https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-security

[Chaldera]

 

Both responses were ERROR.

[Maurice Naggar]

Lets take a time out & run one report tool.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.
• This tool is safe.   Smartscreen is overly sensitive.
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[Chaldera]

It's run, and it says ZoneAlarm is still there but disabled (even though it should have been completely removed). I've checked my Program Files and I can't find either ZoneAlarm or Checkpoint.

SecurityCheck.txt

[Maurice Naggar]

PS  You know that you were in POWERSHELL   and not in a Command prompt like what we needed for those commands.

Please do not ( for this purpose / for what I listed before) make use of Powershell.

Instead do this

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

Once there, do the 2 command lines I listed before.   Thank you.

[Chaldera]

I'm not sure how I confused POWERSHELL and Command prompt, sorry about that.

But yeah, I got a similar response to both commands; No Instance(s) Available.

[Maurice Naggar]

I am attaching with this reply a custom fix script to cleanup any leftover traces of Avast & ZoneAlarm & its Checkpoint $ also to see about setting Windows Defender to on & to rebuild the Winsock.

The system will be rebooted after the script has run.

.

This custom script is for  Chaldera  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRST64   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Start the Windows Explorer and then, to the Downloads   folder.

RIGHT click on  FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

[Chaldera]

And done. The tool ran faster than I expected, and it asked me to restart.

Unfortunately, Windows Defender still isn't fixed, which makes me think that it really has been deleted or uninstalled by the virus I had.

On the plus side, the laptop seems to load ever so slightly faster.

Thank you for the assistance you've provided already, and if you can think of anything else I would be happy to try 🙂

Fixlog.txt

[Maurice Naggar]

Hi.  Thank you for the report.  Here's the next set of things we need to do in order to get the Windows Defender service back as a service.

Take your time doing this.

This next link listed below is to a registry file  that we need for you to SAVE as is to the Desktop

RIGHT click the link with your mouse-pointer and select SAVE ...as....     & guide the folder for saving to DESKTOP     ( do not double click / do not 'run' the file / nor open  )

https://download.bleepingcomputer.com/win-services/win-10/WinDefend.reg

 

Once it is saved, then we are needing to merge the file onto the system, as follows

With you mouse,  do a RIGHT-click on the file  windefend.reg     and select Merge

Let it do that  & insure it finishes ok. 

[   2     NEXT  ]
Do a Windows RESTART   and then wait for it to settle back in.

[  3     NEXT ]

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To Get the elevated command prompt, 

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

Copy & Paste this whole line as-is  onto the Command-prompt

WMIC SERVICE WHERE Name="windefend" set startmode="auto"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

net start windefend

press Enter-key on keyboard   and watch & write down the result

 

[Chaldera]

Hi Maurice,

So I'm experiencing an issue with the first step; I've saved the windefend.reg file to my desktop, but when I right-click and press Merge, it asks me if I want to let Registry Editor continue (which I assume is just the PC ensuring I want to do that). I click Yes, and then it comes up with a warning about adding information. I click Yes to continue, and it then says it can't be added due to an error in accessing the registry.

I'm sorry about all the trouble I'm causing with this, I clearly should have paid a lot more attention in IT class.

[Maurice Naggar]

Preliminary but important point:  If you get prompted "Are you sure" another time..... be sure you answer Yes.

Let us try the import of that reg file by another method.

Press & hold the Windows-logo-key on the keyboard & tap the R key so that you get the RUN box-dialog.  In the Run box type

REGEDIT

 and press Enter-key

 

You will get a first message prompting you about this "Do you want to allow...."   .....Reply by clicking the button YES

 

from main menu, select File

then select IMPORT

navigate the dialog (click on DESKTOP icon on left to select it)

type in   

Quote

windefend.reg

in the Filename text-box and click Open button.   Follow all prompts with care.

Once the merge is complete, you will see a confirmation message.

Click OK when done.

Close/exit Regedit.    Keep me advised.   Sincerely.

[Chaldera]

Same message again, Maurice. It really doesn't want me to merge this file.

[Chaldera]

Okay, it let me merge the file when I went into Safe Mode.

I'm going to try the other steps from your previous post now, and I'll update with the results.

[Maurice Naggar]

OK,   Just be sure you want back and Restarted into normal ( regular) Windows mode.

[Chaldera]

Result for WMIC SERVICE WHERE Name="windefend" set startmode="auto" was:

Updating property(s) of '\\DESKTOP-PDP3S9S\ROOT\CIMV:Win32_Service.Name="WinDefend"'

Property(s) update successful.

 

Result for net start windefend was:

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

 

 

[Maurice Naggar]

OK !  Bravo !  well done.  The Microsoft Defender Antivirus service is running.  You do not need nor want to install any other antivirus from any outside party.

The Defender antivirus is a strong and capable one.  It will run periodic daily scan.  And you can run a manual Scan run on your own, as you wish.

Be sure you have Closed the Command-prompt-window.

Is there anything that you need at this time ?